The HSE’s corporate risk register has needed to constantly evolve to account for different stages of the Covid-19 pandemic. David Lynch reports
The HSE’s corporate risk register (CRR) has been described as the “key organisational document”, which allows the Executive’s board and executive management team (EMT) “to review and assess the HSE’s response to risk”. The CRR is reviewed quarterly, so it comes as no surprise that the pandemic has featured heavily within it over the past two years.
In January 2020, prior to the first official case of the virus in Ireland, the EMT first added Covid-19 to its list of risks and brought it to the attention of the HSE board. In August 2020, the Medical Independent (MI) reported that almost a quarter of the risk areas on the CRR were “new” and directly related to Covid-19.
At the time, out of the 26 risks on the register, six areas directly related to the virus were marked “new”. These included integrated testing and contact tracing; “restoration of core health service activity while retaining surge capacity for [Covid-19]”; and risks related to “Covid-19 critical supplies and equipment”, including personal protective equipment (PPE).
However, in recent months, with the emergence of the Omicron variant, the roll-out of the vaccine booster campaign and the recent easing of restrictions, there has been much discussion at HSE meetings about changes needed in the CRR to reflect the new reality.
In November, the HSE audit and risk committee noted that the EMT held a dedicated risk workshop in September, at which “the ongoing profile of risks currently on the register together with new risks were considered”. Work was continuing on “refreshing of the corporate risk register”, noted the minutes.
Also in November, the HSE safety and quality committee heard that the Covid-19-related risks on the risk register “are more dynamic and the risk profile has changed since the Q3 review was undertaken with the recent surge in infections”.
The most recent edition of the CRR provided to MI is the 2021 third quarter version approved by the EMT in October 2021. This has 27 risks in total; 17 are categorised as red risks and a further 10 as orange.
The HSE has previously told this paper that it “recognises the importance of adopting a proactive approach to the management of risk to support both the achievement of objectives and compliance with governance requirements”.
“A key feature of managing risk in everyday practice relates to recognising the risks relating to the HSE and having in place the systems and processes to reduce the risk of these occurring or if they do, to minimise their impact.”
The majority of the CRR’s 27 risks now reference the impact of the pandemic as part of their ‘risk description’. Some of the red risk topics impacted by Covid include: integrated testing and contact tracing; restoration of core health service activity while retaining surge capacity for Covid-19; public health capacity, capacity access, and demand; and cyber security, ICT systems, and infrastructure.
With the ongoing talks between the medical representative bodies, the HSE, and the Department of Health on the future Sláintecare consultant contract, “workforce and recruitment” remains a red risk on the most recent CRR. The detailed description of this risk notes, “the current shortage of critical staff, in particular clinical staff who have the required skills and professional qualifications and the high reliance on agency staff.”
This particular risk description also highlights “consultants not on the specialist division register” and “challenges relating to the recruitment and retention of medical, clinical, and other critical workforce grades”. This section further notes the “limited access” to childcare for health service staff, as well as Covid-19-related “absence increase” leading to a reduced workforce.
Unsurprisingly, considering the major impact of the cyberattack on the HSE last year, “cyber security and ICT systems and infrastructure” is one of the red risks that remains on the CRR. Indeed, it has the joint highest risk rating on the CRR.
According to the CRR, there “is a risk that inadequate cyber security controls and/or the inability of the HSE to rapidly invest in and implement modern ICT and specialised medical device dependent services will result in serious clinical errors and patient harm if the health service cannot provide urgent, time critical services related to lack of access to critical clinical systems and information”.
The other highest-rated risk on the CRR is “capacity access and demand”. According to the document, there is a risk of poorer outcomes “for patients and service users due to the insufficient capacity across community and acute services, which has been impacted by Covid-19, the cyberattack, changing demand patterns for scheduled and unscheduled care”.
Beyond the current 27 risks, MI understands that other potential additions have been considered in recent months.
In March last year, we reported that a number of “new risks” were being considered as possible additions to the CRR, including vaccine roll-out, a “second pandemic”, data protection, and climate change.
At its December 2020 meeting, the audit and risk committee discussed the risk of a “second pandemic”, noting that “this risk has been raised by the board and committees on a number of occasions”.
“While there are a number of Covid risks on the CRR, this is a separate and independent risk in terms of probability (eg, emergence of a second pandemic of a different origin).”
This topic was again raised by the audit and risk committee at its November 2021 meeting. According to the minutes, the committee noted that the proposed risk assessment of another pandemic’s impact on the health service “has been outstanding since September 2020 and as such requested that it be completed as a matter of priority, given the emergence of another pandemic is an independent event from the handling of the current virus”.
Also last November, the HSE safety and quality committee heard that a new “pandemic risk assessment” remained outstanding. This assessment will focus on the “risk of another” pandemic.
MI asked the HSE for a progress report on this assessment, but no response had been received by the time of going to press.
In August 2020, MI reported that the position of HSE Chief Risk Officer (CRO) remained vacant and that the Executive had failed to find a suitable candidate for the new position prior to the pandemic. The HSE said then that it planned a further search later in 2020.
The need for a CRO arose in 2019 following changes in the HSE’s organisational structure at a corporate level and the appointment of the board. In response, the Executive conducted a review of risk management. One of the central recommendations in the review’s report was the need for the appointment of a dedicated CRO. The recruitment process, which ended in January 2020, “did not identify a suitable candidate.”
However, this newspaper has been told that the position of CRO was filled from within the HSE towards the end of last year.
“Under the code of practice for the governance of State bodies, one of the key elements of the board’s oversight of risk management includes appointing a CRO or empowering a suitable management alternative and providing for a direct reporting line to the board to identify, measure, and manage risk and promote a risk management culture in the organisation,” the Executive spokesperson told MI.
“In this context and following consideration by the audit and risk committee, the CEO recommended that the National Director [for] Governance and Risk [Mr Patrick Lynch] be nominated as the HSE’s CRO. This recommendation was approved by the HSE board in October 2021.”
The spokesperson said that a recruitment process for the “head of the enterprise risk function” has concluded. A successful candidate has accepted the role and “it is proceeding through the contracting process”. The new occupant of this position will report directly to the CRO.
“Given the necessity for the CRO to have full, relevant knowledge of the current risk environment, the CEO has also decided that the CRO should be a member of a number of core management processes including the national performance oversight group, the national crisis management team and other processes as required,” the HSE spokesperson said.