Accountability report

The HRA was formed in 2011, and later in accordance with the provisions of the Care Act 2014, the HRA was established as an executive non-departmental public body (NDPB) sponsored by the Department of Health and Social Care (DHSC) on 1 January 2015.

Our relationship with the DHSC, acting on behalf of the Secretary of State, is regulated by a Framework Agreement. This sets out the respective roles and responsibilities of each organisation, the shared principles that underpin our relationship and the arrangements for ensuring that the department is able to fulfil its responsibilities as sponsor and in relation to accountability.

The Framework Agreement also explains our governance arrangements, how we are accountable for our performance and how DHSC measures our performance without being involved in our day-to-day decision-making.

The DHSC’s Science, Research and Evidence Directorate acts as our sponsor and provides assurance to the department’s Permanent Secretary and the Secretary of State that we’re meeting our obligations.

We’re governed by a Board that is our corporate decision-making body. It is made up of five non-executive directors and three executive directors. Three non-voting directors also attend the Board. We are committed to openness and transparency with Board meetings held in public, and papers and minutes available on our website.

The HRA maintains a formal register of Board members’ interests as set out in the Code of Accountability for the NHS. Board members are asked to confirm any declarations of interest at each Board meeting and at any time that changes take place. This includes any interests in relation to specific items on a Board agenda.

Board members are also asked to declare any spouse / partner interests. The register, showing current declarations made by the Board, is updated on a regular basis and made available to the public on our website.

The accounts have been prepared according to accounts direction of the Secretary of State, with approval of HM Treasury. The accounts have been audited by the Comptroller and Auditor General under the Care Act 2014 at the cost of £43,000.

The audit certificate can be found here.

Under the Care Act 2014, Section 109 (Schedule 7, paragraph 20) the Secretary of State has directed the HRA to prepare a financial statement of accounts for each year in the form and on the basis set out in the Accounts Direction.

The accounts are prepared on an accruals basis and must give a true and fair view of the state of affairs of the HRA and of its income and expenditure, statement of financial position and cash flows for the financial year.

In preparing the accounts, the Accounting Officer is required to comply with the requirements of the Government Financial Reporting Manual issued by HM Treasury and in particular to:

• observe the Accounts Direction issued by the Secretary of State, with the approval of HM Treasury, including the relevant accounting and disclosure requirements and apply suitable accounting policies on a consistent basis
• make judgements and estimates on a reasonable basis
• state whether applicable accounting standards as set out in the Government Financial Reporting Manual have been followed and disclose and explain any material departures in the accounts
• prepare the accounts on a going concern basis
• confirm that the annual report and accounts as a whole is fair, balanced and understandable
• confirm that the Accounting Officer takes personal responsibility for the annual report and accounts and the judgments required for determining that it is fair, balanced and understandable.

The Accounting Officer of the DHSC has designated the HRA Chief Executive as Accounting Officer of the HRA. The responsibilities of an Accounting Officer, including responsibility for the propriety and regularity of the public finances, for which the Accounting Officer is answerable, for keeping proper records and for safeguarding the HRA’s assets, are set out in Managing Public Money published by the HM Treasury. As far as the Chief Executive is aware, there is no relevant audit information of which the entity’s auditors are unaware and the Chief Executive has taken all the steps that they ought to have taken to make them aware of any relevant audit information and to establish that the entity’s auditors are aware of that information.

This governance statement sets out the framework utilised by the HRA to regulate its activities and to ensure delivery of its functions and objectives. In addition to setting out the governance structure, it outlines;

• the way in which performance is managed and reviewed
• the risk management processes
• the process for setting directors’ remuneration.

The HRA complies with the requirements of HM Treasury Corporate Governance in Central Government Departments: Code of Good Practice (2017) insofar as they relate to public bodies.

The Accounting Officer has responsibility for maintaining a sound system of internal control that supports the achievement of the HRA’s policies, aims and objectives, whilst safeguarding public funds and its assets for which the Accounting Officer is personally responsible, in accordance with the responsibilities assigned in HM Treasury: Managing Public Money. The Accounting Officer is accountable for the discharge of functions to the Authority’s Board and ensuring appropriate arrangements are in place for the appropriate discharge of all statutory functions attached to the HRA.

The Accounting Officer is also accountable to the Secretary of State at the DHSC. This line of accountability is managed through a Framework Agreement between the DHSC and the HRA, an Annual Accountability Review with the Minister through quarterly reviews with officials at the DHSC, and close working on a day-to-day basis between HRA staff and those in the DHSC Sponsor Branch.

A board effectiveness review internally facilitated including a questionnaire based on the Financial Reporting Council guidance for Boards and Board Committees was conducted in January 2022 and discussed at the Board seminar. The findings from the review were fundamentally positive, concluding that the Board has open and honest communication, with appropriate consideration of relevant matters with robust challenge by both the non-executive directors and executive directors.

The Board reviews performance at each meeting. The strategic performance report provides the Board with an overview of the status of the HRA Business Plan 2021/22 deliverables as well as management information relating to these objectives, such as strategic risks, and developments in the external environment.

The Board considers both strategic and operational risk, their mitigation and management, regularly. This year our strategic risk register was redeveloped and refreshed following an extensive piece of work to consider the risks of the organisation with input from Board members and the Audit and Risk Committee. The Board also considers potential future risks and ensures these are captured on the register with the mitigations detailed appropriately and the strategic and reputational impacts discussed fully. The system of risk management can only manage it to a reasonable level and not completely eliminate risk.

Declaration of interests are declared and formally recorded, and all Board members’ expenses are published.

The Board has two sub-committees; the Audit and Risk Committee and the Pay and Remuneration Committee.

The HRA Audit and Risk Committee has continued to deliver its role to advise the HRA’s Accounting Officer and the HRA Board on risk management, corporate governance and assurance arrangements in the HRA.

The HRA Audit and Risk Committee has met five times in the year to 31 March 2022. The Committee membership attendance over the period was:

• Richard Cooper (Chair, NED), (5/5)
• Professor Andrew George (NED), (5/5)
• Neelam Patel (NED), (3/4)
• Marc Taylor (Audit and Risk Committee independent member), (5/5)
• Maurice Goddard (Audit and Risk Committee independent member), (2/2) (joined September 2021; left May 2022)

In addition, individuals from the HRA and Government Internal Audit Agency, were invited and regularly attended the Committee. The National Audit Office and KPMG, as external auditors for the HRA, also attended each meeting.

This year, the Audit and Risk Committee reviewed and approved the annual report and accounts for 2020/21 as well as reviewing the HRA corporate and strategic risk registers on a quarterly basis, the internal and external audit reports, corporate gift and hospitality reports, single tender actions and loss and compensation reports.

New developments this year that the committee reviewed and supported include:

• a refresh to the HRA’s strategic risk register and risk appetite statement which will provide clarity to HRA staff and other stakeholders regarding how key risks will be managed by the HRA
• a review of the HRA’s fraud position
• approval of the HRA’s information governance annual report which provides assurance that information governance issues and risks are being managed effectively
• a review of the Cabinet Office accessibility audit of the HRA website
• a discussion on the sector wide risks with the potential to affect the health and research community which allowed the Committee to consider what impact these risks may have on the HRA and whether the management of these risks by the HRA was appropriate
• a discussion on the HRA’s sustainability strategy which will support future plans to embed sustainability across the HRA
• a discussion on the impact of the International Financial Reporting Standard (IRFS) 16 (accounting for leases) on the HRA.

The Audit and Risk Committee also undertakes regular ‘deep dives’ into specific areas to better understand the issues affecting the HRA. The Committee undertook the following ‘deep dives’ during this reporting period:

• the potential impact of the comprehensive spending review on the HRA
• complaints, third party complaints, whistleblowing and raising concerns received by the HRA and how these are handled.

The Audit and Risk Committee reviewed its effectiveness in February 2022 with a Committee discussion, based on the five good practice principles from the HM Treasury Audit and Risk Assurance Committee Handbook. The Committee has agreed to alternate each year between completing a questionnaire based on the above principles individual and having a Committee discussion.

The findings were largely positive with open and transparent discussions held, and constructive challenges made, with members having a good understanding of the objectives, priorities and risks of the organisation.

The membership of the Pay and Remuneration Committee is made up of the Chair and NEDs. The business conducted by the Pay and Remuneration Committee over the period includes:

• advising the Board about appropriate remuneration and terms of service for the Chief Executive and any directors on Executive and Senior Managers pay arrangements. This is to ensure they are fairly rewarded for their contribution and includes:
• all aspects of salary (including any performance-related elements/bonuses)
• provisions for other benefits, including pensions
• arrangements for termination of employment and other contractual terms
• proper calculation and scrutiny of termination payments taking into account national guidance as well as advising on and overseeing appropriate contractual arrangements for such staff
• consideration of the requirements, including review of job descriptions, for executive director recruitment.

The committee met four times in the reporting period to deliver its functions. The Chief Executive is normally invited to attend the committee unless discussions relate to the remuneration and terms of services of the Chief Executive.

The Executive Committee is the senior executive decision-making body responsible for managing our business within agreed objectives, resources and according to the HRA / DHSC Framework Agreement and standing orders. The Executive Committee is accountable to the Chief Executive.

It is responsible for ensuring an effective bridge from executive to Board business and the formulation of HRA strategy.

The Executive Committee has delegated responsibility to the individual directors for the management of day-to-day corporate business, and to the Portfolio Delivery Group for the management of key programmes and projects. These are within agreed objectives, resources and according to the HRA / DHSC Framework Agreement and standing orders.

We aim to maximise the impact our operations have within our resources. By doing this we aim to manage risks at all levels from strategic level to the operational / project levels without stopping innovation, including projects delivered by partner organisations.

This requires considering a full cross section of risks to the organisation including; reputational risks, financial risks, organisational risks, health and safety risks and risks to the achievement of the organisation’s objectives. The Audit and Risk Committee reviewed a refreshed risk appetite statement in February 2022 which, will be considered for approval at the May 2022 Board meeting.

The HRA strategic risk register captures the high-level significant risks which could impact on the delivery of the HRA’s strategic objectives. This is reviewed at each Audit and Risk Committee and regularly at the Board. A snapshot of the strategic risks is included with the HRA’s strategic performance report. Also, each directorate, and individual governance teams and programme boards hold their own risk registers and review these on a regular basis. Any significant risks are subsequently escalated to the leadership team for discussion and further escalation to the Board, Audit and Risk Committee and DHSC sponsor team as required.

A risk engagement framework has been developed this year to further support the risk culture of the organisation. Teams and Directorates regularly review risks and the engagement framework will support the identification of risks as part of the business planning process but also throughout the year. The engagement framework will also share the risk appetite from the Board with staff and look at what assurance is in place to address key risks affecting the organisation. The risk engagement framework will also ensure there is appropriate risk related training of staff and the sharing of feedback and good practice throughout the year.

In addressing issues relating to risk, we seek to be as transparent and open as possible and identify and address those areas where there is a need for improvement in the risk management processes and / or controls and contingencies.

The Audit and Risk Committee reviews and ensures that systems are in place to ensure effective risk management. The internal audit function forms part of the review process and provides assurance on the risk management process and advises the Audit and Risk Committee accordingly.

We consider the requirements and coverage of the best practice guide The Aqua Book produced by the working group set up following the Macpherson recommendations, as well as direct discussions with the modelling oversight committee within DHSC. With the endorsement of that committee, we have confirmed that we do not operate any business-critical models. We have sought separate views on our broader quality assurance processes and to the extent they are able to comment, the modelling oversight committee has observed that the processes appear thorough and well developed. We are therefore fully compliant with the Macpherson recommendations.

The Information Governance Steering Group (IGSG) is a formal sub-committee of the Executive Committee. Its purpose is to coordinate, supervise and direct the work of others to ensure we maintain a coordinated approach to information governance. It meets four times a year and implements organisational and managerial structures that support proper consideration of information governance issues to sustain continual improvement.

Data security risks are managed and monitored within the overall risk management framework, the HMG Security Policy Framework, overseen by the information governance lead and IGSG to ensure security threats are followed up and appropriately managed. We are committed to the 10 steps to cyber security and the National Data Guardian’s Data Security Standards. No data security incidents have been reported to the ICO during the year. The HRA has created additional roles to support its cyber resilience, notably a Security Architect position and Cyber Security Lead. A new monitoring report is now received by IGSG, the Cyber Security Assurance Report, which provides assurance that cyber security controls are sufficient to prevent current and future information security threats.

All information assets and associated systems are identified and included in an Information Asset Register and are subject to annual information asset assessments. These assessments inform the Corporate and Information Risk Registers and help ensure we conform to data protection legislation. We have also completed the Data Security and Protection Toolkit this year and met all mandatory requirements.

As Accounting Officer, I have responsibility for reviewing the effectiveness of the system of internal control, which has been in place for the period 1 April 2021 to 31 March 2022, and up to the date of approval of the annual report and accounts, in accordance with HM Treasury guidance.

The Executive Committee, which I lead, reviews and monitors progress with other management groups providing input as required. These include Recruitment Panel and management groups specifically for the information systems we provide, and major programmes or steering groups for significant projects.

Senior managers who have responsibility for the development and maintenance of the system of internal control provide me with assurance. The assurance framework itself provides me with evidence that the effectiveness of controls that manage the risks to the organisation achieving its principal objectives have been reviewed and this aspect of the Authority’s activities has been subject to external review.

Our business plan for 2021/22 has been developed and approved by the Board which sets out our clear purpose and business objectives.

Our controls assurance and risk management processes are closely aligned to the twin objectives of maintaining ongoing activities and managing significant transformation issues.

Reports are provided to the Board on a quarterly basis on achievements and progress against the objectives and plans, and this report includes risks and controls in place to mitigate them.

The effectiveness of the system of internal control has been, and continues to be, subject to review by our internal auditors who, in liaison with our management, plan and carry out a programme of work. This work has been approved by the Audit and Risk Committee which external audit attends, to review the design and operation of the systems of internal control.

If weaknesses are identified, these are reported to the Audit and Risk Committee and an action plan agreed with management to implement the recommendations agreed as part of this process. During the year, no sigificant internal control matters were identified.

The Head of Internal Audit provides me with an opinion, in accordance with Public Sector Internal Audit Standards, on the overall adequacy and effectiveness of the HRA’s risk management, control and governance processes.

As an employer with staff entitled to membership of the NHS Pension Scheme, control measures are in place to ensure all employer obligations contained within the scheme regulations are complied with. This includes ensuring that deductions from salary, employer contributions and payments into the scheme are in accordance with the scheme rules and that member pension scheme records are accurately updated in accordance with the timescales detailed in regulations.

Remuneration and staff report

Remuneration Policy

The Chair and Non-Executive Director Board members are remunerated in line with DHSC guidance that applies to all NHS bodies. Details of the senior managers’ remuneration, given in the following tables, with one exception, is set and reviewed in line with the DHSC guidance Pay Framework for Executive and Senior Managers (ESM) in Arms’ Length Bodies. Senior managers employed under the ESM framework are under stated contracts of employment on terms and conditions as set out by NHS Employers. Pay for one Executive Director employed and contained in the report is set and reviewed in line with Agenda for Change terms and conditions. All those contained in the senior managers’ remuneration table below are subject to annual appraisals on their performance.

Remuneration and Pension for Directors (subject to audit):