NHS Risk Management and Organising Requirements

Transcription

1 Standards for providers Security management Standards for providers 2015/16: Fraud, bribery and corruption Click here for index page

2 Standards for providers : Security management Version number Publication date Changes made /02/ /03/2015 Minor amendments made to text Standards for providers : Security management 2

3 Contents Chapters Page Introduction The NHS Standard Contract How to complete the organisation crime profile Questions in the organisation crime profile Overview of the standards The quality assurance programme Detailed explanation of the standards Appendices Quick links to standards in Chapter 7 Please click on the links below to go to the detailed explanation for each standard. Strategic Governance Key Principle 1 Inform and Involve Key Principle 2 Prevent and Deter Key Principle 3 Hold to Account Standard 1.1 Standard 2.1 Standard 3.1 Standard 4.1 Standard 1.2 Standard 2.2 Standard 3.2 Standard 4.2 Standard 1.3 Standard 2.3 Standard 3.3 Standard 4.3 Standard 1.4 Standard 2.4 Standard 3.4 Standard 4.4 Standard 1.5 Standard 2.5 Standard 3.5 Standard 2.6 Standard 3.6 Standard 2.7 Standard 3.7 Standard 3.8 Standard 3.9 Standard 3.10 Standard 3.11 Standard 3.12 Standard 3.13 Standard 3.14 Standards for providers : Security management 3

4 1 Introduction 1.1 This document aims to provide information to providers of NHS services on the anti-fraud and security management clauses in the NHS Standard Contract, and explain what providers need to do to comply with them. 1.2 NHS Protect leads on work to identify and tackle crime across the health service. The aim is to protect NHS staff and resources from activities that would otherwise undermine their effectiveness and their ability to meet the needs of patients and professionals. Ultimately, this helps to ensure the proper use of valuable NHS resources and a safer, more secure environment in which to deliver and receive care. 1.3 NHS Protect has five high-level organisational aims. These are: To provide national leadership for all NHS anti-crime work by applying an approach that is strategic, co-ordinated, intelligence-led and evidence based. arrangements. The clauses take a risk based approach, requiring providers to carry out a risk assessment, using a toolkit provided by NHS Protect, and follow the applicable standards. Further explanation of the NHS Standard Contract is provided in chapter 2 of this document. 1.5 Within one month of the NHS Standard Contract coming into effect, providers must complete the organisation crime profile provided by NHS Protect, unless they are small providers. A small provider is defined in the NHS Standard Contract General Conditions as a provider whose aggregate income for the relevant contract year in respect of services provided to any NHS commissioners and commissioned under any contract based on the NHS Standard Contract is not expected to exceed 200,000. Further information about completion of the organisation crime profile is provided in chapter 3. To work in partnership with the Department of Health, commissioners and providers, as well as our key stakeholders, such as the police, CPS and local authorities to coordinate the delivery of our work and to take action against those who commit offences against the NHS. To establish a safe and secure physical environment that has systems and policies in place to protect NHS staff from violence, harassment and abuse; safeguard NHS property and assets from theft, misappropriation, or criminal damage; and protect resources from fraud, bribery and corruption. To lead, within a clear professional and ethical framework, investigations into serious, organised and/or complex financial irregularities and losses which give rise to suspicions of fraud, bribery or corruption. To quality assure the delivery of anti-crime work with stakeholders to ensure the highest standard is consistently applied. 1.4 The NHS Standard Contract includes mandatory clauses that require providers of NHS services to put in place and maintain appropriate counter fraud and security management Standards for providers : Security management 4

5 2 The NHS Standard Contract 2.1 The NHS Standard Contract is published by NHS England. The version is available from The contract should be used by Clinical Commissioning Groups (CCGs) and NHS England when commissioning NHS funded services including acute, ambulance, care home, community-based, high secure and mental health and learning disability services. CCGs must also use the NHS Standard Contract for all community-based services provided by GPs, pharmacies and optometrists that have been previously commissioned as Local Enhanced Services. 2.2 The counter fraud and security management clauses are set out in Service Condition 24 and place the follow obligations on providers of NHS services: Service Condition 24.1 requires all providers to put in place and maintain appropriate counter fraud and security management arrangements. Service Condition 24.2 requires all providers (except small providers) to complete an organisation crime profile within one month of the contract commencement date, using a toolkit provided by NHS Protect and in accordance with NHS Protect guidance. Service Condition 24.3 requires providers (except small providers) to take the necessary action to meet the standards set by NHS Protect at the level indicated by the organisation crime profile. Service Condition 24.6 requires the provider to report any suspected fraud or corruption involving a service user or NHS funds to the LCFS of the relevant NHS body and NHS Protect. Any suspected security incident or breach involving staff who deliver NHS funded services or involving NHS resources must be reported to the LSMS of the relevant NHS body, to NHS Protect and to the LSMS of the Co-ordinating Commissioner. Service Condition 24.7 requires the provider, on the request of the Department of Health, NHS England, NHS Protect or the coordinating commissioner to ensure that NHS Protect or any LCFS or LSMS appointed by a commissioner is given access within five operational days to property, premises, information and staff for the purpose of detecting and investigating cases of fraud and corruption and security incidents and breaches. 2.3 The organisation crime profile referenced in Service Condition 24.2 can be accessed from Guidance on how to complete the organisation crime profile is set out in chapter 3, while an explanation of each of the questions is provided in chapter The standards referenced in Service Condition 24.3 are explained in chapters 5 and 7. Service Condition 24.4 requires the provider to allow, if requested by the co-ordinating commissioner or NHS Protect, a person duly authorised to act on behalf of NHS Protect or on behalf of any commissioner to review, in line with the appropriate standards, security management and counter fraud arrangements put in place by the provider.. Service Condition 24.5 requires the provider to implement any modifications to its counter fraud and security management arrangements required by a person referred to in Service Condition 24.4 within such timescales as that person may reasonably require. Standards for providers : Security management 5

6 3 How to complete the organisation crime profile 3.1 The organisation crime profile divides organisations into three broad categories, based on their size, their financial and patient interactions and the risks they face as a result of them. Categories are an indicator of the scale and type of activity a provider should be undertaking in order to combat crime against it and in order to safeguard patients, staff, funds and other assets. They are not intended as detailed measures of local risk, or as indicators of the quality of the anti-crime activity already undertaken. 3.2 The organisation crime profile is made up of three parts. The first part requires general information. The second part requires information relating to violence, security preparedness, theft and criminal damage. The third part requires information relating to economic crime, including fraud, bribery and corruption. Providers need to complete all three parts of the profile. 3.3 The organisation crime profile is available at The chief executive of the provider should determine the most appropriate person to complete the organisation crime profile. This may be the nominated anti-fraud, bribery and corruption specialist or security management specialist. In any event, the person completing the assessment is likely to need to obtain information from the nominated anti-fraud, bribery and corruption specialist or security management specialist, as well as more general information about the organisation from departments such as human resources and finance. to do so will result in the provider being in breach of their obligations under Service Condition 24 of the standard contract. 3.7 Upon completion of the profile, the organisation s category will be displayed. This will be a category 1, 2 or A category 1 organisation is likely to have high value NHS contracts, a high number of staff, high-value NHS assets and large numbers of patient interactions. A category 3 organisation is likely to have low contract values, a small number of staff and small numbers of patient interactions. 3.9 The category an organisation is allocated to will determine which NHS Protect standards it must comply with. NHS Protect has produced specific standards for security management. These are set out in chapters 5 and 7 below. Standards for countering fraud, bribery and corruption are provided in a separate document, which is also available at The completed organisation crime profile must be passed on to the commissioner and a copy submitted directly to orgcrimeprofile@nhsprotect. gsi.gov.uk. Queries should also be sent to this address, clearly indicating in the subject line that it is a query and not a completed assessment. The responsible person within commissioning bodies will differ, but in the first instance we would suggest the profile is forwarded to the provider s contract manager. 3.5 The profile is made up of a series of questions, designed to identify the organisation s risks in relation to crime. All of the questions on each of the three worksheets must be answered, either by using the drop down boxes to select an appropriate response or by entering text into the relevant cell. Failure to do so will result in the provider not receiving a category rating and not being compliant with the process. 3.6 All providers, with the exception of small providers as defined in the NHS Standard Contract General Conditions, must complete the organisation crime profile. Failure Standards for providers : Security management 6

7 4 Questions in the organisation crime profile 4.1 This chapter provides an overview of the questions included in the organisation crime profile and an explanation of what is required and where the information can be obtained from. Section 1: General 1a. Name of the organisation completing this organisation crime profile Please insert the full name of the organisation in the field provided. 1b. Organisation code This is the NHS code allocated to organisations by the Organisation Data Service providing a unique identifier. Further information on these codes is available from the Health and Social Care Information Centre. The codes can be obtained by downloading the relevant data files available from hscic.gov.uk/data/ods/datadownloads 2. National or local organisation Please indicate whether the organisation provides NHS services on a national or local basis. 3. Organisation/provider type For this question, please select an organisation type from the drop down list provided. If your organisation type is not on the drop down list provided, please enter it in the box provided. 4. Type of service(s) This sets out the many different types of services that are governed by the Care Quality Commission s regulations. Respondents will be required to identify which category or categories they fall into by identifying the services they provide. Further details on the service types are available at service-types. Please select yes or no for each type of service from the drop down lists. It is possible to select yes for more than one service type from the options in the drop down list. 5. How many Clinical Commissioning Groups (or other NHS bodies) is this organisational crime profile being submitted to? The completed organisation crime profile should be submitted to every CCG (or other NHS body) the organisation holds a contract with. For multilateral contracts, it should be returned to the lead or co-ordinating commissioner. This should be counted as one commissioner for the purposes of this question. 6. What is the headcount employed (including contracted staff) by the organisation? For this question, the answer should be selected from the options in the drop down list. Include all staff employed to provide NHS services, including agency staff. 7. What is the percentage of total NHS funding as a proportion of the organisation s overall budget? Some organisations are funded by a number of sources. This question seeks to ascertain the level of NHS funding an organisation receives, as a percentage of its overall budget. For this question, the answer should be selected from the options in the drop down list. 8. How many NHS patient attendances did the organisation record in the last financial year? This refers to the number of outpatient appointments an organisation has recorded. Organisations routinely collect this data for commissioners, and it is published by Hospital Episode Statistics (HES) online at hscic.gov.uk/article/2021/website-search?q=title% 3a+%22hospital+outpatient+activity%22&sort=Mo st+recent&size=10&page=1&area=both#top. Ideally the organisation should provide the figures for the last financial year. However, if these are not readily available, the data as most recently published by HES is acceptable. If the organisation has merged with another healthcare provider since their most recent figures were published, a best estimate should be provided. For this question, the answer should be selected Standards for providers : Security management 7

8 from the options in the drop down list. 9. How many NHS patient episodes did the organisation record in the last financial year? This refers to the number of admitted patient care and inpatient treatment episodes an organisation has recorded. Organisations routinely collect this data for commissioners, and it is published by Hospital Episode Statistics (HES) online at talogue?q=title%3a%22hospital+episode+statisti cs%2c+admitted+patient+care+-+england%22&ar ea=&size=10&sort=relevance. Ideally the organisation should provide the figures for the last financial year. However, if these are not readily available, the data as most recently published by HES is acceptable. If the organisation has merged with another healthcare provider since their most recent figures were published, a best estimate should be provided. For this question, the answer should be selected from the options in the drop down list. Section 2: Security management 10. Does your organisation provide out of hours services? By out of hours we are referring to services provided outside of your normal service provision, usually considered to be Monday to Friday 9am-5pm. 11. How many sites do you provide services from? This refers to the number of locations/premises NHS services are provided from. 12. What is the total number of reported staff assaults involving physical contact your organisation has received between1 April 2013 and 31 March 2014? Physical contact is defined as the intentional application of force against the person of another, without lawful justification, resulting in physical injury or personal discomfort.if your organisation has an organisation code and this has been entered under question 1b, the response to question 12 will automatically be populated using data from the last violence against staff collection exercise. If the organisation does not have a code, the answer should be selected from the options in the drop down list. 13. How many incidents of violence and aggression were RIDDOR reportable between1 April 2013 and 31 March 2014? RIDDOR (from the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995) involves the reporting to the Health and Safety Executive of all accidents and injuries at work which involve an employee being incapacitated for 7 days or more (not including the day the accident happened). Incapacitation means that the worker is absent or unable to do work they would reasonably be expected to do as part of their normal duties. 14. How many serious untoward incidents of violence and aggression did your organisation have reported between 1 April 2013 and 31 March 2014? Generally speaking, a serious untoward incident (SUI) is something out of the ordinary or unexpected with the potential to cause serious harm, and/or which is likely to attract public and media interest, that occurs on NHS premises or in the provision of an NHS commissioned service. An incident may fall under this definition if it involves a high number of patients, if there is a question of poor clinical or management judgement, if a service has failed, if a patient has died under unusual circumstances, or if there is a perception that any of these has occurred. SUIs do not relate exclusively to clinical issues. This question is concerned with recording SUIs which stem from acts of violence and aggression only. 15. How many other security related incidents did your organisation have reported between 1 April 2013 and 31 March 2014? These include thefts of NHS assets or patient property, criminal damage and any other security related incident. 16. How many other security related incidents were serious untoward incidents between 1 April 2013 and 31 March 2014? A security related incident may have consequences that make it an SUI (for more on SUIs, see under question 14 above). Security related SUIs include serious acts of violence that result in a death, thefts of critical assets or incidents that have a serious impact on the ability of the organisation to deliver its core functions. Standards for providers : Security management 8

9 17. What is the total financial value of your NHS capital assets? By NHS capital assets we are referring to the items of equipment which are recorded on either the Capital Asset Register or the Inventory Register. The Capital Accounting Manual, as issued by the Department of Health, must be considered when determining the minimum data set for the Capital Asset Register. 18. What has been the total financial loss to the organisation through theft and criminal damage to NHS premises and property in the last 12 months (excluding any involving a natural disaster)? This refers to the financial loss to the organisation as recorded. Section 3: Fraud, bribery and corruption 19. What is the total combined annual value of NHS Standard Contracts and NHS funding from all clinical commissioning groups and other types of NHS bodies? Some organisations will hold contracts with multiple clinical commissioning groups to provide NHS services. For this question, the total combined financial value for all contracts held with clinical commissioning groups and other types of NHS bodies should be provided. The answer should be selected from the options in the drop down list. 20. Please list the names of clinical commissioning groups and NHS bodies the contracts are held with (for multilateral contracts, please name only the lead commissioner). For this question, please list the clinical commissioning groups and other NHS bodies by which the organisation is contracted to provide NHS services. For multilateral contracts, please name only the lead or co-ordinating commissioner. If the list is extensive, please include it on a separate Microsoft Excel worksheet or Word document. 21. What is the value of NHS funds that are allocated to payroll? Please indicate the value of NHS funds that are allocated to payroll. This should also include funds that are used to pay for agency staff to deliver NHS services. Many organisations publish this information in their annual reports and accounts. Ideally, data from the last financial year should be included. However, if this is not readily available, the most recently collated data is acceptable. For this question, the answer should be selected from the options in the drop down list. 22. How many procurement exercises are undertaken directly by the organisation in excess of Official Journal of the European Union limits annually? Under European Union legislation, all public sector tenders that are valued above a certain financial threshold must be published in the Official Journal of the European Union (OJEU). In response to this question, please state how many procurement exercises the organisation has carried out that are above the OJEU limits. Ideally this should be for the last financial year, but if the figures are not readily available, please use the last year for which data is available. The numerical value should be entered in the box provided. Details of the current OJEU limits are available at What is the total value of procurement exercises undertaken directly by the organisation in excess of Official Journal of the European Union limits annually? Following on from question 22 above, please provide the total value of the procurement exercises carried out by the organisation that were in excess of OJEU limits. The financial value should be entered in the box provided. 24. How many procurement exercises are undertaken by external providers on behalf of the organisation in excess of Official Journal of the European Union limits annually? This question is similar to question 22 above, but refers to procurement exercises that are carried out on the organisation s behalf by an external provider. Details of the current Official Journal of the European Union limits are available at The numerical value should be entered in the box provided. Standards for providers : Security management 9

10 25. What is the total value of procurement exercises undertaken by external providers on behalf of the organisation in excess of Official Journal of the European Union limits annually? Following on from question 24 above, please provide the total value of the procurement exercises carried out by an external provider on behalf of the organisation that were in excess of OJEU limits. Please insert the financial value in the box provided. 26. What is the organisations threshold above which quotations or formal tenders must be obtained? Organisations have a financial threshold which determines when formal competitive quotations and tenders must be obtained. This will usually be set out in Standing Financial Instructions, Standing Orders and the Scheme of Delegation. Please insert the financial value in the box provided. 27. How many procurement exercises were carried out above that level, but below Official Journal of the European Union limits, annually? Please state how many procurement exercises were carried out above the financial value provided in question 26 above, but below OJEU limits. Please insert the numerical value in the box provided. 28. What is the total value of procurement exercises undertaken in excess of the organisation s formal quotation and tender threshold limit, but below Official Journal of the European Union limits, annually? Following on from question 27 above, please indicate the value of procurement exercises undertaken that are above the threshold specified, but below OJEU limits. Please insert the financial value in the box provided. 29. How many invoices does the organisation process annually (if processing has been outsourced to an external provider, please state how many are processed by them on the organisation s behalf)? Many organisations publish this information in their annual reports and accounts under the Better Payment Practice Code. Ideally, data from the last financial year should be included. However, if this is not readily available, the most recently collated data is acceptable. For this question, the answer should be selected from the options in the drop down list. 30. What is the value of the invoices processed annually (if processing has been outsourced to an external provider, please state the value of invoices processed by them on the organisation s behalf)? The financial value of invoices processed is also published by many organisations in their annual reports and accounts under the Better Payment Practice Code. Ideally, data from the last financial year should be included. However, if this is not readily available, the most recently collated data is acceptable. For this question, the answer should be selected from the options in the drop down list. 31. Are invoices processed internally or outsourced to an external provider? Please indicate whether invoices are processed internally at the organisation, or whether this function is outsourced to an external provider. For this question, the answer should be selected from the drop down list. 32. How many fraud, bribery and corruption allegations involving NHS funds has the organisation received in the last financial year? Please insert the number of allegations of fraud, bribery and/or corruption received by the organisation in the last financial year in the box provided. 33. How many fraud, bribery and corruption allegations involving NHS funds developed into full cases and were investigated by the organisation within the last financial year? Please insert the number of investigation cases conducted by the organisation in the last financial year in the box provided. 34. What is the value of the organisation s known NHS losses as a result of fraud, bribery and corruption within the last financial year? Please insert the total value of losses identified from allegations received and investigations Standards for providers : Security management 10

11 conducted in the last financial year in the box provided. 35. What is the value of the organisation s NHS recoveries as a result of fraud, bribery and corruption investigations conducted within the last financial year? Please insert the total value of recoveries made from formal criminal and civil proceedings as well as voluntary repayments, recharges, off-sets and salary repayments resulting from allegations received and investigations conducted for the period requested in the box provided. Standards for providers : Security management 11

12 5 Overview of the standards Introduction 5.1 NHS Protect is committed to raising the standards of security management within the NHS and has developed a national strategy and a series of security standards for providers, which follow a risk based approach to providing a safe and secure environment for patients, staff and visitors and to protecting NHS property and assets. 5.2 Anyone working in the NHS, receiving NHS treatment or visiting NHS premises has the right to feel safe and secure from violence and abuse, both physical and verbal. Funds and assets belonging to the NHS or used to provide NHS services should also be kept safe and secure at all times. A failure to do so can have a major impact on patient and staff welfare and the standard of care patients receive from the NHS. highlight the risks and consequences of crime against the NHS. Prevent and Deter. This section sets out the requirements in relation to discouraging individuals who may be tempted to commit crimes against the NHS and ensuring that opportunities for crime to occur are minimised. Hold to Account. This section sets out the requirements in relation to detecting and investigating crime, prosecuting those who have committed crimes and seeking redress. 5.5 The current standards apply to providers who upon completion of the organisational crime profile (see chapters 3 and 4 above) have been assigned to a category 1 or 2. Standards for security management 5.3 The standards in this document have been developed to support NHS providers in ensuring they have appropriate security management arrangements in place within their organisation, to protect staff and patients and to ensure NHS assets are kept safe and secure. They will assist providers in implementing key aspects of security management, identifying areas requiring improvement and developing their own plans for improvements. It is the responsibility of the organisation as a whole to ensure it meets the required standards, though one or more departments, business units or individuals may be responsible for implementing a specific standard. 5.4 The security management standards are set out in detail in chapter 7 of this document and there are four key sections that follow NHS Protect s strategy: Strategic Governance. This section sets out the standards in relation to the organisation s strategic governance arrangements. The aim is to ensure that anti-crime measures are embedded at all levels across the organisation. Inform and Involve. This section sets out the requirements in relation to raising awareness of crime risks against the NHS and working with NHS staff, stakeholders and the public to Standards for providers : Security management 12

13 Strategic Governance 1.1 A member of the executive board or equivalent body is responsible for overseeing and providing strategic management and support for all security management work within the organisation. 1.2 The organisation employs or contracts a qualified, accredited and nominated security specialist(s) to oversee and undertake the delivery of the full range of security management work. 1.3 The organisation allocates resources and investment to security management in line with its identified risks. 1.4 The organisation reports annually to its executive board, or equivalent body, on how it has met the standards set by NHS Protect in relation to security management, and its local priorities as identified in its work plan. 1.5 The organisation has a security management strategy aligned to NHS Protect s strategy. The strategy has been approved by the executive board or equivalent body and is reviewed, evaluated and updated as required. Key Principle 1: Inform and Involve 2.1 The organisation undertakes risk assessments in relation to: a) protecting NHS staff and patients b) security of premises c) protecting property and assets d) security preparedness and resilience. The organisation develops inclusive policies to mitigate identified risks relating to the above (a-d), and can demonstrate implementation of these policies. The policies are monitored, reviewed and communicated across the organisation. 2.2 The organisation develops and maintains effective relationships and partnerships with local and regional anti-crime groups and agencies to help protect NHS staff, premises, property and assets. 2.3 The organisation has an ongoing programme of work to raise awareness of security measures and security management in order to create a pro-security culture among all staff. As part of this, the organisation participates in all national and local publicity initiatives, as required by NHS Protect, to improve security awareness. This programme of work will be reviewed, evaluated and updated as appropriate to ensure that it is effective. 2.4 The organisation ensures that security is a key criterion for any new build projects, or in the modification and alteration (e.g. refurbishment or refitting) of existing premises. The organisation demonstrates effective communication between risk management, capital projects management, estates, security management and external stakeholders to discuss security weaknesses and to agree a response. 2.5 All staff know how to report a violent incident, theft, criminal damage or security breach. Their knowledge and understanding in this area is regularly checked and improvements in staff training are made where necessary. 2.6 All staff who have been a victim of a violent incident have access to support services if required. 2.7 (Pilot standard) The organisation uses the Security Incident Reporting System (SIRS) to record details of physical assaults against staff in a systematic and comprehensive manner. This process is reviewed, evaluated and improvements are made where necessary. Standards for providers : Security management 13

14 Key Principle 2: Prevent and Deter 3.1 The organisation risk assesses job roles and undertakes training needs analyses for all employees, contractors and volunteers whose work brings them into contact with NHS patients and members of the public. As a result, the appropriate level of training on prevention of violence and aggression is delivered to them in accordance with NHS Protect s guidance on conflict resolution training and the prevention and management of clinically related challenging behaviour. The training is monitored, reviewed and evaluated for effectiveness. 3.2 The organisation assesses the risks to its lone workers, including the risk of violence. It takes steps to avoid or control the risks and these measures are regularly and soundly monitored, reviewed and evaluated for their effectiveness. 3.3 The organisation distributes national and regional NHS Protect alerts to relevant staff and action is taken to raise awareness of security risks and incidents. The process is controlled, monitored, reviewed and evaluated. 3.4 The organisation has arrangements in place to manage access and control the movement of people within its premises, buildings and any associated grounds. 3.5 The organisation has systems in place to protect all its assets from the point of procurement to the point of decommissioning or disposal. 3.6 The organisation operates a corporate asset register for assets worth 5,000 or more. 3.7 The organisation has departmental asset registers and records for business critical assets worth less than 5, The organisation has clear policies and procedures in place for the security of medicines and controlled drugs. 3.9 Staff and patients have access to safe and secure facilities for the storage of their personal property The organisation records all security related incidents affecting staff, property and assets in a comprehensive and systematic manner. Records made inform security management priorities and the development of security policies The organisation takes a risk-based approach to identifying and protecting its critical assets and infrastructure. This is included in the organisation s policies and procedures In the event of increased security threats, the organisation is able to increase its security resources and responses The organisation has suitable lockdown arrangements for each of its sites, or for specific buildings or areas Where applicable, the organisation has clear policies and procedures to prevent a potential child or infant abduction, and they are regularly tested, monitored and reviewed. Key Principle 3: Hold to Account 4.1 The organisation is committed to applying all appropriate sanctions against those responsible for security related incidents. 4.2 The organisation has arrangements in place to ensure that allegations of security related incidents are investigated in a timely and proportionate manner and these arrangements are monitored, reviewed and evaluated. Standards for providers : Security management 14

15 4.3 Where appropriate, the organisation publicises sanctions successfully applied in cases relating to: a) unnecessary access to premises; b) assaults on NHS staff; c) breaching the security of NHS premises and property; d) acts of theft and criminal damage. 4.4 The organisation has a clear policy on the recovery of financial losses incurred due to security related incidents, and can demonstrate its effectiveness. Standards for providers : Security management 15

16 6 The quality assurance programme Overview 6.1 NHS Protect provides national leadership for all NHS anti-crime work and is responsible for strategic and operational matters in relation to security management and anti-fraud work in the NHS. A key part of this function and one of NHS Protect s five strategic aims is to quality assure the delivery of anti-crime work with stakeholders to ensure that the highest standards are consistently applied. 6.2 The aim of the NHS anti-crime quality assurance programme is to ensure that quality requirements are fulfilled. This will be done through systematic measurement, comparison with standards, monitoring of processes and a continuous loop of feedback. 6.3 Using the security management standards set out in this document, NHS Protect will support organisations through regular benchmarking, compliance testing, evaluation of effectiveness, value for money indicators and extensive dissemination of effective practice. The quality assurance programme also enables the analysis of trends and patterns in performance in relation to each standard for each organisation type. This will assist in providing comprehensive and focused support to organisations. 6.4 Additionally, NHS Protect will provide robust assurance to stakeholders, including participating organisations, NHS England and the Department of Health (DH). Using our strong links with regulators such as the Care Quality Commission (CQC), Health and Safety Executive (HSE) and Monitor, we will share information about the standards of anti-crime work to eliminate duplication of effort for providers. 6.5 Quality assurance of anti-crime work has been shown to drive up standards and NHS Protect has developed a flexible, responsive and transparent process which will be provided through monitored action plans. This will ensure that the anti-crime work carried out mitigates both national and local identified risks. 6.6 This section provides guidance on the quality assurance programme and should be used in conjunction with other relevant instructions and guidance that have been issued to support security management work. These documents include: The NHS Standard Contract The organisational crime profile (see chapters 3 and 4 above) NHS Protect standards for providers - security management (as outlined in chapter 7 below) The NHS Security Management Manual The document Conflict Resolution Training: implementing the learning aims and outcomes Meeting needs and reducing distress: Guidance for the prevention and management of clinically related challenging behaviour in NHS settings 6.7 This list is not exhaustive and additional guidance can always be sought from NHS Protect if required. Security management quality assurance programme 6.8 The NHS Protect quality assurance programme comprises two main processes: assurance and assessment. Both are closely linked to the security management standards set out in this document. 6.9 The assurance process includes an annual self review against the standards, which is conducted by organisations and submitted to NHS Protect. The assessment process is conducted by NHS Protect s Quality and Compliance team in partnership with the organisation. Assurance and the self review tool 6.10 The self review tool (SRT) enables the organisation to produce a summary of the security management work conducted over the previous twelve months. Organisations are required to complete the SRT annually and return it to NHS Protect. The SRT also covers the key areas of activity outlined in the standards Upon completion, the SRT provides a red, amber or green (RAG) level for each of the key areas and an overall RAG level. Further Standards for providers : Security management 16

17 details of the red, amber and green levels are outlined in paragraph Organisations should use the SRT in conjunction with their work planning. They can use it to review the progress made against the work plan developed at the beginning of the year. The SRT can also assist them in identifying risk areas and formulating objectives and tasks as they develop the work plan for the following financial year. Organisations can also use the SRT to monitor their compliance with the requirements of the standards throughout the year. Assessment 6.13 The assessment process is a means of evaluating an organisation s effectiveness in dealing with the security management risks it faces. The process is designed to be flexible, transparent and responsive to locally and nationally identified security management risks and related areas of effective practice. Where required, we shall share the effective practice we find and / or provide organisations with an action plan to support them in mitigating their risks If an organisation, in the judgement of the Quality and Compliance team, requires an assessment, one of four types of assessment will be carried out: full, focused, thematic or triggered. Full assessment 6.15 A full assessment would normally be used when an organisation s security management arrangements are identified as at significant risk. Such an organisation may demonstrate some or all of the following areas of concern (the list is not exhaustive): The red, amber or green level provided in the SRT is not supported by comments made in the SRT. Security management provision is lacking or inadequate. There are recommendations from previous assessments that have not been addressed. There is no evidence of a risk-based approach to security management work. The organisation is new or has started to provide significant additional services, and no previous history of effective security management work exists. There are significant gaps in NHS Protectrequired activity across key areas of activity or NHS Protect priority areas. An Area Security Management Specialist raises significant concerns. The member of the executive board responsible for overseeing security management work raises concerns regarding the quality of the local security management service received. A regulator such as the HSE or CQC raises concerns regarding the quality of the service received A full assessment is carried out on all the NHS Protect key areas of activity as outlined in the standards. Focused assessment 6.17 A focused assessment is undertaken in cases where an organisation either demonstrates a risk in a specific area of security management activity or has demonstrated effective practice in one or more, areas. A focused assessment is conducted on one or at most two of the key areas of activity, for example Strategic Governance or Inform and Involve A focused assessment might be conducted with organisations demonstrating some or all of the following characteristics: The red, amber or green level provided in the SRT is not supported by comments made in the relevant section of the SRT. There is a lack of evidence of measurable outcomes from the work conducted to mitigate risk. An Area Security Management Specialist raises concerns. There are gaps in one of the key areas of activity, for example Hold to Account. There is demonstrable effective practice, which can be used to assist other organisations. Thematic assessment 6.19 A thematic assessment applies to a number of organisations and may be conducted regionally or across organisations of a similar type Driven primarily by NHS Protect and DH priority areas, thematic assessments focus on Standards for providers : Security management 17

18 compliance and the identification of effective practice, or on areas of concern identified by the Quality and Compliance team. New NHS Protect guidance, after a reasonable period given for it to be embedded in organisations, may be followed-up by a thematic assessment Thematic assessments are likely to focus on a fairly specific part of the standards, possibly only one standard rather than the whole of a key area. Triggered assessments 6.22 Some organisations will not be selected for a full, focused or thematic assessment when the annual assurance is received. However, at any stage during the year organisations may be selected for a triggered assessment. Triggered assessments are driven by emerging risk, normally of a serious nature, which may have come to the attention of the Quality and Compliance team through Senior Quality and Compliance Inspector (SQCI) liaison with other parts of NHS Protect such as the Area Security Management Specialists. Reasons for a triggered assessment may include, but are not limited to, the following: A significant and adverse change in security management provision. A significant failure to manage organisational security management risks. An on-going lack of engagement with NHS Protect s anti-crime strategy. A lack of positive and proactive engagement with NHS Protect staff over a significant period, with a failure to improve after this has been highlighted. An ongoing failure to action recommendations from NHS Protect assessments, in spite of support and assistance offered If the organisation is selected for a triggered assessment, this may be either a focused, full or thematic assessment Following a full, focused or thematic assessment, whether triggered or not, the organisation is provided with a written report which provides advice and guidance on driving up the quality and value for money of its security management work. The intended outcome is improved standards, measured by future self review and annual reports and assessments Other quality assurance and compliance activities, in addition to assessments, may also take place to support and develop security management work at NHS organisations. These could include one-to-one meetings with key personnel, meetings with audit committees and developmental workshops The purpose of the security management quality assurance programme is to be constructive and supportive. The assurance and assessment processes do not focus solely on non-compliance with the standards; they also highlight compliance, outcomes achieved and effective practice where it is found. Where standards are not being met, the SQCIs will, in conjunction with other parts of NHS Protect, provide advice, support and assistance to organisations in order to help them improve performance. Assessment process 6.27 If an organisation is selected for assessment, at least four weeks notice will be given of any site visit. The SQCI conducting the assessment will notify the organisation of the proposed dates for the assessment and will indicate the type of assessment and the areas that will be reviewed. The organisation will be asked to name a specific contact to make the arrangements for the site visit At this stage it is likely that the SQCI will request information from the organisation in relation to the proposed areas of enquiry. This information enables the SQCI to formulate relevant questions before the assessment meeting and it helps in the review of evidence collected during the site visit. It is essential that any information requested is received by the SQCI within the deadline given. Failure to provide this information or the provision of late information is likely to extend the site visit and may have an impact on organisational compliance with standard During the site visit, the SQCI will wish to speak to the nominated security management specialist about the security management work carried out at the organisation. Depending on the area of enquiry and the type of assessment conducted, the SQCI may also wish to speak to the Security Management Director, the non-executive director with responsibility for security management and other key staff. The organisation will be informed of this and given timely notice to make arrangements for these interviews to take place. Standards for providers : Security management 18

19 6.30 Following the interviews and any additional request for materials, the SQCI will draft a series of recommendations for the organisations to action, as well as highlighting areas of effective practice. The ratings and recommendations will be discussed at a closing meeting, which ideally will be on the same day as the assessment visit or very shortly afterwards. It is expected that the recommendations and proposed actions can be agreed at this stage A finalised report will follow the site visit within four weeks. The report will outline the findings of the site visit in full and will include the recommendations discussed and agreed at the closing meeting. Within another four weeks the organisation will be expected to complete an action plan for the recommendations and return it to the SQCI At this point, the process will be complete for most organisations. However, some may have a review assessment, between nine and twelve months following the original assessment process. This is an integral part of the process for full assessments and may also be done for focused assessments in some cases. The review assessment should only focus on the recommendations made at the previous assessment, unless there are significant matters that have arisen in the meantime As indicated above, discussion and liaison are an essential part of the assessment process. Organisations and staff members have a number of opportunities to discuss the assessment process and the recommendations, including during the assessment itself, at the closing meeting and as part of ongoing liaison. For this reason, there is no formal appeal procedure. However, if the organisation is dissatisfied with any aspect of the assessment process, the matter may be raised in the first instance with the Quality and Compliance Lead (Security Management). Performance levels 6.34 As a result of both assurance and assessment processes, organisations will be rated as being at the level of red, amber or green depending on how well they have performed against NHS Protect requirements. The benefits of this for organisations include: A clear snapshot of organisational progress against each of the standards. An overall level, which will assist with benchmarking against other organisations in similar groups or sectors. The ability to monitor and measure ongoing improvement. A means of assurance for DH and NHS England The definitions for each performance level are listed below. NON-COMPLIANCE with the standard: RED. A risk has been identified but no action has been taken to mitigate it, or the action taken is insufficient in scope. COMPLIANCE with the standard but little or no impact of work undertaken: AMBER. A risk has been identified and action has been taken to mitigate it. There is evidence of compliance through outputs. However, the effectiveness of work undertaken has not yet been evaluated or there is no reduction of the risk. There is therefore little or no evidence of outcomes. OUTCOMES demonstrating impact of work undertaken: GREEN. A risk has been identified, work has been carried out and the effectiveness of this work has been measured. The risk has been mitigated or significant progress has been made in mitigating the risk. Outcomes are therefore present Organisations which fulfil the requirements of a standard and can provide evidence of this through evaluation can determine performance to be green for that standard. Organisations which can provide evidence of activity carried out, but cannot yet demonstrate that the activity has been assessed for effectiveness will determine performance to be amber for that standard. Organisations which have carried out no activity or do not have evidence of sufficient activity will need to determine performance at the red level. The level reached for each standard contributes to an overall level for the relevant key area of activity as well as an organisational level for achievement against all of the standards. Identifying and mitigating risks 6.37 Organisations should adopt a risk-based approach when determining the amount of resources required to achieve the highest performance level for each standard. Organisations vary in size and needs and a risk-based approach ensures that appropriate Standards for providers : Security management 19