Annual report and accounts 2021/22

Published: 18 July 2023 Page last updated: 17 May 2024

Corporate governance report

The corporate governance report provides an explanation of how the organisation is governed, how this supports our objectives, and how we make sure that there is a sound system of internal control allowing us to deliver our purpose and role.

Directors' report

CQC's Board

The Board has key roles that are set out in legislation and in our framework agreement with the Department of Health and Social Care (DHSC). These are reflected in our corporate governance framework and other related governance documents. There have been no significant departures from the processes set out in these documents during the year.

Our unitary Board is made up of our Chair and up to 14 Board members, the majority of whom must be non-executive members. The composition of the Board as at 31 March, excluding the Chair, was 7 non-executive members, 1 associate non-executive member, our Chief Executive (who is also the Accounting Officer), our 3 Chief Inspectors, and our Chief Operating Officer. One of our non-executive directors (Mark Saxton) acts as the Senior Independent Director.

Peter Wyman's term of appointment as Chair came to an end on 31 March 2022. Ian Dilks was appointed as the new Chair and took up the role on 1 April 2022. Belinda Black took up her appointment as non-executive director from 1 May 2021. Our Chief Inspector of Hospitals, Ted Baker, retired from his role on 27 April 2022. Dr Sean O'Kelly was appointed as the new Chief Inspector of Hospitals and took up his role on 20 June 2022. Interim arrangements were put in place to manage internal and external arrangements prior to him starting.

There have been a number of further changes to our Board membership since the reporting date. Mark Saxton retired from his role as Non-Executive Director and Senior Independent Director on 28 February 2023 and was replaced as Senior Independent Director by Mark Chambers. Robert Francis KC also retired from his role as Non-Executive Director on 15 November 2022. Sally Cheshire resigned as Non-Executive Director on 31 December 2022, and Rosie Benneyworth, our Chief Inspector of Primary Medical Services and Integrated Care, and Kirsty Shaw, our Chief Operating Officer, resigned on 31 July 2022 and 31 August 2022 respectively. Dr Sean O'Kelly's remit as Chief Inspector of Hospitals was expanded to include Primary Medical Services from 1 August 2022. Kate Terroni took up the dual role of Chief Operating Officer and Chief Inspector of Adult Social Care on 1 August 2022 on an interim basis.

A Board effectiveness review was conducted in October 2021 and a report containing the conclusions and recommendations was presented to the public session of our Board meeting in December 2021. The report was published on our website at the same time. In light of the changes in Board membership referred to above, it was agreed to consider the report's recommendations more fully after the appointment of the new Chair. This has now been done and a number of changes to governance arrangements are likely to result which will be communicated once finalised. These will reflect the continuing development of CQC and the environment in which we operate but will not affect the strategy approved by the Board.

Biographies of all our Board members and their declarations of interest are shown on our website: https://www.cqc.org.uk/about-us/meet-our-team/our-board

The Board carries out a range of business in line with its main responsibilities, which are to:

  • provide strategic leadership to CQC and approve the organisation's strategic direction
  • set and address the culture, values and behaviours of the organisation
  • assess how CQC is performing against its stated objectives and public commitments.

During the pandemic, the Board has continued to meet in line with government guidelines. This means that, of the 11 meetings during the year, 5 took place in person and 6 were online. The Board meets both in public and private session throughout the year and the public sessions, both online and in-person, have been recorded and are available to view on our website following each meeting. Our public sessions were live streamed as well as being recorded.

At each of its meetings, the Board receives performance data setting out our current performance and financial position, and details of activity to address where performance is under business plan targets. The Board has the opportunity to scrutinise and discuss the data during these meetings. The Board also receives monthly reports on our ongoing Transformation programme and has had the opportunity to look in more detail at specific areas of the programme through the Audit and Corporate Governance Sub-Committee on Transformation. At each meeting, the Board receives reports on information and cyber security risk and there have been no significant incidents to report over the course of the year. Papers and data which are received by the Board to support decision making are generally of a good standard, but we continue to keep this under review.

The Board has continued its commitment to achieving levels of governance that we would expect of providers when assessing whether they are well-led. It has done this by providing oversight and challenge on key issues. Over the year, this has included: continued oversight of our ongoing response to the pandemic, including updates to our regulatory approach as a result of pandemic-related developments; and oversight of our financial and business planning and the seeking of assurance around related controls, directly in the Board and through the scrutiny of the Audit and Corporate Governance Committee (ACGC).

Figure 1: Board and committee membership and attendance up to 31 March 2022

Statement of Accounting Officer's responsibilities

Under the Health and Social Care Act 2008, the Secretary of State for Health and Social Care has directed CQC to prepare for each financial year a statement of accounts in the form and on the basis set out in the Accounts Direction. The accounts are prepared on an accruals basis and must give a true and fair view of the state of affairs of CQC and of its net resource outturn, application of resources, changes in taxpayers' equity and cash flows for the financial year. This Report and Accounts were prepared on time for publication in 2022, but have been delayed due to delays in the audit of local authorities and their pension schemes, which is beyond our control and also affects other organisations. I have reviewed the information contained in the report and accounts, which has been updated to ensure it remains current and relevant.

In preparing the accounts, the Accounting Officer is required to comply with the requirements of the Government Financial Reporting Manual (FReM) and in particular to:

  • observe the Accounts Direction issued by the Secretary of State for Health and Social Care, including the relevant accounting and disclosure requirements, and apply suitable accounting policies on a consistent basis
  • make judgements and estimates on a reasonable basis
  • state whether applicable accounting standards as set out in the FReM have been followed, and disclose and explain any material departures in the financial statements, and
  • prepare the financial statements on a going concern basis.

The Secretary of State for Health and Social Care has appointed the Chief Executive as the Accounting Officer of CQC. My responsibilities as Accounting Officer, including responsibility for the propriety and regularity of public funds and assets vested in CQC, and for keeping proper records, are set out in Managing Public Money, published by HM Treasury.

As Accounting Officer, I can confirm that:

  • There is no relevant audit information of which CQC's auditors are unaware.
  • I have taken all steps I ought to have taken to make myself aware of any relevant audit information and to establish that CQC's auditors are aware of that information.
  • The annual report and accounts as a whole are fair, balanced and understandable.
  • I take personal responsibility for the annual report and accounts and the judgements required for determining that it is fair, balanced and understandable.

Governance statement

CQC's governance framework and structures

We have a corporate governance framework that describes the governance arrangements of the organisation and how they help make sure that our leadership, direction and control enables long-term success. This is a public document and is available on our website. The following figure shows our governance structure.

Diagram: CQC governance framework and structures

Risk management

Our framework

We see the effective management of risks to the delivery of our purpose (enterprise or corporate risk) as critical to our assurance and governance. The following risk management responsibilities and systems of internal control have been in place for the year under review and up to the date of approval of the annual report and accounts. Our corporate risk framework covers the identification and management of risks to the delivery of our purpose, strategy and business plan. We use the 3 lines of defence model in managing, monitoring and independently assuring risk. We reviewed and agreed our tolerance statement which defines the key types of risk we face, and the appropriate tolerances for each. We maintain a strategic and high-level corporate risk register of the risks that the Board and our Executive team have identified, and this is regularly reviewed and monitored. Risk reporting occurs at various levels across CQC and ensures appropriate escalation and mitigation of risks at all times. DHSC reviews the risk register as part of a quarterly budget and assurance meeting and at a quarterly accountability meeting, where CQC's finance position and performance delivery are also discussed.

Our risk framework and guidance supporting it defines risk responsibilities in the organisation as follows:

Diagram: CQC risk framework and guidance

The framework and guidance set out the 6 steps of risk management:

Step 1: Risk identification and assessment

Step 2: Risk analysis

Step 3: Risk tolerance

Step 4: Risk control

Step 5: Risk action

Step 6: Risk management and reporting.

It clarifies our risk escalation process:

CQC risk escalation process

The diagram below outlines CQC's risk escalation process through risk management levels.

Diagram: CQC risk escalation process

While we made improvements in our corporate risk management processes during the year – rolling out updated training for managers and an associated risk handbook – we are putting in place an action plan for further work in response to comments from the ACGC and RGC and recent internal audit recommendations:

Linking to the Board effectiveness review, further work will encompass implementing updates to the corporate risk register following a horizon scanning review of the risks that CQC faces, linked to our refreshed business plan; and a clearer articulation of the risk appetite of the organisation – with the Board invited to set appetite and tolerance for each risk in the corporate register. We will be setting out clearly the underpinning risks for each risk in the corporate register, risk controls, and how they are measured, together with new reporting arrangements to the Board and sub-committees covering risk. We will also explore introducing a software package to support our risk management; and the resourcing and skills requirements for roles across CQC that support the risk management process.   

Risks we managed in 2021/22

During the second year of the pandemic we have continued to review our risks and have planned for and managed both COVID-19 and non–COVID-19 risks, including:

  • new inspection priorities, pausing inspection in some sectors and supporting regulatory activity in Adult Social Care and Registration (infection prevention and control; and work that supports increasing capacity in Adult Social Care). This was prompted by the Omicron wave – but caused capacity challenges where we needed to maintain strong monitoring and oversight of the sectors to ensure risks were not missed and we intervened when appropriate to do so
  • adapting our regulatory model to the pace of change in the health and social care sector, for instance the focus on integrated care and place, and changes in care pathways with accelerated changes triggered by the COVID-19 response
  • financial pressures causing a deterioration in quality of adult social care services, making it more difficult for CQC to deliver its purpose to ensure quality of care for people 
  • the potential challenges for wellbeing of our own people with a focus on change, engagement and wellbeing
  • delivering a challenging change programme
  • access to the right data, at the right time, of the right quality; and developing systems that support access, use and sharing of data
  • information and cyber security risks – particularly in the light of the Ukraine conflict. As the majority of our IT services are 'cloud' based, we benefit from the security that Microsoft provides for these services and their heightened response to the Ukraine/Russia conflict. We have an ongoing cyber security programme that has delivered numerous infrastructure security hardening improvements very recently, and we have ensured all our devices have antivirus and antimalware coverage and are patched effectively. We also responded effectively to various zero-day alerts and published vulnerabilities in relation to software and we fed back accordingly to NHSX. We continue to raise general awareness of cyber security across CQC
  • funding – our spending review outcome means a potential 2% reduction to our GIA funding, a reduced capital allocation and no funding for any of our spending review bids.

Management assurance

CQC has a management assurance framework that has been designed to seek assurance from all parts of the organisation that internal controls are working effectively and to identify areas of concern.

There are 6 management assurance areas:

1. Performance planning and risk

2. Financial management systems and controls

3. People management and development

4. Information and evidence management

5. Continuous improvement

6. Governance and decision-making.

We carried out assessments against standards in the framework in October 2021 and February 2022, and across all the standards the average score was 81% at February 2022 against 79% in March 2021.

During 2022/23, we plan to strengthen our management assurance process further – in particular, to look at the number of standards and how closely each of them supports measurement and improvement of our risk controls. Our aim is that the standards should be manageable in number and are those that can effectively be used to assess our response to risk.

Management controls and responding to the challenges of the pandemic

We continued to use our established mechanisms for swift decision-making and we adapted our regulatory approach in the light of the continuation of the pandemic. This included reviewing and communicating fresh organisational priorities.

As set out in the performance report, we continued to ensure people were effectively supported. This included through risk assessments, PPE provision, testing for COVID-19, support to temporary home working as well as gradual office re-opening, and support for wellbeing from managers and colleagues.

Other use of management controls

We have 1 Freedom to Speak Up Guardian as at May 2022. However, at various points during 2021/22, we had up to 3. Our guardians were supported by around 62 Speak Up Ambassadors.

CQC views the role of Freedom to Speak Up as there being an open culture where staff can raise comments and concerns with their managers and feel listened to. The majority of colleagues that ask for help from a guardian or ambassador do so because they need help and support with their concerns about their line manager and/or values and behaviours within CQC. During 2021/22, there were 69 recorded approaches to guardians or ambassadors for support. With the exception of 2 cases, all of these resulted in ambassadors supporting staff to access the right policy and procedure within CQC so their concerns could be looked into and addressed. There were 2 cases that progressed into a formal investigation. Neither case was upheld. However, there were some learning points that were highlighted from these investigations which were fed back to the individuals concerned.

During 2021/22, we focused on learning from the concerns raised as well as bringing clarity to colleagues about the role of the Freedom to Speak Up Guardian Office and how we work alongside HR colleagues. We have continued to advertise the importance of feeling able to speak up and encourage colleagues to undertake the training available from the National Guardian's office. We also took on the role of carrying out 'exit' interviews for colleagues leaving CQC. This is in the hope that colleagues will be able to feel comfortable to give a true account of why they are leaving to someone impartial. In turn, this will allow the organisation to recognise any trends and work towards improvement. Our focus for 2022/23 is to refresh the role of our ambassadors and provide an enhanced offer of support for our colleagues, which includes mental health first aid and signposting to various policies and procedures.

Security

Information and cyber security are important areas of focus at CQC. Like previous years, there has been ongoing improvement work throughout 2021/22, as we strive to improve our resiliency to an evolving cyber threat landscape.

Security incident analysis and response has continued throughout 2021/22 and is reported to CQC's senior information risk owner (SIRO) and the ACGC. During 2021/22, 445 security incidents were reported, investigated and managed through to closure. This is an increase on previous years, with 294 incidents occurring in 2020/21. This increase in numbers can be explained by an increase in the scope and the method of reporting. These figures are taken from the security incidents raised via an app 'ServiceNow' over the last 2 years and the increase shows the increased use of reporting via this platform (which we were only starting to use during 2020/21).

The vast majority of these incidents were low risk, reported for information only. They did not contain any personal information and posed no risk to the organisation, or any individuals involved in the incident. There were 9 high-risk incidents; 7 were data breaches involving sensitive information. However, all were resolved swiftly with no impact to the data subject, so did not require reporting to the Information Commissioner's Office (ICO). The other 2 incidents related to critical vulnerabilities discovered in our systems that were identified by our security operations centre. These vulnerabilities were addressed as soon as we were made aware of them and CQC and our IT supplier LittleFish performed all relevant mitigation (updates, patches and so on) to remediate the risk of them.

We continue to liaise with the DHSC, NHS England & Improvement, NHS Digital and the Information Commissioner's Office on matters of information security and privacy. We did not have any data security breaches that we were required to report to the ICO in 2021/22.

In the area of counter-fraud, the number of allegations of fraud received during 2021/22 has continued to be very low, with 9 cases reported and investigated. Those cases contained allegations against members of CQC staff of bribery and/or corruption or conflict of interest in the performance of their duties. Following thorough investigation, no allegation was substantiated.

Conclusion

  • Our internal controls again stood up well to the continuation of the pandemic. Where required we adapted our approach but ensured that we did not compromise our internal controls.
  • Our management assurance assessment process remains an essential method for gaining assurance and facilitating improvement in key areas of management responsibility. While some useful improvements have been identified by internal audit, the process shows we have confidence in our management practice. Our assessments this year have identified areas we need to improve on and there are plans in place in directorates to make these improvements. 
  • We are also clear that our corporate risk arrangements, while improved over the year, need further development in the coming year in a number of areas – including: governance and reporting arrangements; how we better link our performance measurement and management assurance work into our management of risk and internal controls monitoring; and how we align risks from the corporate level through to directorate and team level.

Head of Internal Audit Opinion

Generally satisfactory with some improvements required. Governance, risk management and control in relation to business-critical areas is generally satisfactory. However, there are some areas of weakness and/or non-compliance in the framework of governance, risk management and control which potentially put the achievement of objectives at risk. Some improvements are required in those areas to enhance the adequacy and/or effectiveness of the framework of governance, risk management and control.

Basis of opinion

My opinion is based on:

  • all audits undertaken during the year
  • results of our follow up of the implementation of agreed actions by management
  • the breadth of the programme, which has incorporated reviews of Strategy and Transformation Programmes; Registration; Care Provider Monitoring Approach; IT Assets; IT Cloud Consumption; Core Financial processes including Payroll and Capital Accounting; Whistle-blowing processes; and Cyber Security
  • the overall commitment of resource to internal audit has been aligned to the agreed budget, but no other limitations have been placed on the scope or resources of internal audit
  • internal audit continues to receive the support of management and staff, with there being a willingness to accept recommendations and take action to realise improvements where such opportunities are identified. No significant recommendations have not been accepted by management.

We would like to take this opportunity to thank CQC's staff for their cooperation and assistance provided during the year.

Scope of report

This report outlines the internal audit work we have carried out for the year ended 31 March 2022.

Purpose of the annual opinion

The Public Sector Internal Audit Standards require the Head of Internal Audit to provide an annual opinion, based upon and limited to the work performed, on the overall adequacy and effectiveness of the organisation's framework of governance, risk management and control (i.e. the organisation's system of internal control). This is achieved through a risk-based plan of work, agreed with management and approved by the Audit and Corporate Governance Committee (ACGC), which should provide a reasonable level of assurance, subject to the inherent limitations. The opinion does not imply that Internal Audit has reviewed all risks relating to the organisation.

We are satisfied that sufficient internal audit work has been undertaken to allow an opinion to be given as to the adequacy and effectiveness of governance, risk management and control. In giving this opinion, it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the system of internal control.

Conformance with the code of ethics and internal audit

We have a firm wide internal audit methodology which is aligned to the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and public sector internal audit standards.

Key factors

The key factors that contributed to our opinion are summarised as follows:

Governance and risk management

Management had redesigned the controls self-assessment framework in the prior year. This process has continued to develop and mature in line with the quality improvement process initiated in FY21, including expectations regarding the standards, challenge process, as well as the data collation protocols. From our attendance at the challenge panel, we observed a good level of engagement. It is clear that there was considerably less discussion held in this review period concerning understanding and interpreting the standards and evidence required. The focus has now shifted to the completeness and appropriateness of evidence as intended.

We have identified a number of opportunities to help strengthen the process. The audit of risk management confirmed that all routines to oversee the corporate risk profile were evidenced as having taken place during the period, with all relevant documents centrally collated enabling ease of retrieval and review. From our review of the design of the overarching risk management framework, key elements were largely in place. However, we did identify some key components that we would expect that were missing and highlighted opportunities to strengthen existing elements of the framework. We also identified findings that had been previously highlighted in the last Risk Management audit conducted in March 2018, which indicates that the framework may not be maturing and continuing to develop as expected. In our view, the level of resource with specific and dedicated risk management skills and responsibilities for the development and oversight of the framework is limited in context to the size and scale of CQC activity. We did note that the responsibilities for oversight of the Corporate Risk Profile are shared between the Regulatory Governance Committee and the ACGC. The expectations of how these Committees should work together to ensure the complete risk profile is adequately overseen and assured were not clearly outlined within the Corporate Governance Framework itself, making it difficult to understand the lines of accountability. We acknowledge that this matter is being considered at the time of writing.

Internal control

We completed reviews of 15 areas and processes during the year, each of which has considered aspects of internal control. No reports were rated critical risk, 1 was rated high risk, 7 medium risk, 3 low risk, and 4 were not rated, with 1 yet to be finalised. These resulted in 1 high, 33 medium and 10 low risk findings to help improve or address weaknesses in the design of controls and/or operating effectiveness. A further 17 observations were noted within rated audit reviews.

Transformation and change programmes

CQC has embarked on a complex, multi-year transformation programme that has the potential to fundamentally change CQC as an organisation. In 2020/21, we undertook 2 baseline maturity assessments of the programme governance and risk arrangements, from which a number of actions for improvement were identified. In 2021/22, we revisited our assessment by following up on progress made with the action plan. This evidenced improving maturity in the programme governance and risk management baseline. We also completed 2 advisory reviews relating to the strategy and profile of transformation programmes which resulted in 17 observations being shared with Management. The key observations highlighted from our advisory reviews were as follows:

  1. that programmes are being delivered alongside BAU pressures and increasingly, as responsibilities transfer for implementation, by BAU resources;
  2. whilst an agile approach has many benefits, it also creates ongoing uncertainty, notably in respect of future roles and redundancies, benefits realisation and the ability to communicate clearly about expected future changes, and
  3. scale and complexity of the programmes still creates a level of risk, including coordinating the overall programme, managing programme interdependencies and addressing resource capacity challenges.

Jane Forbes
Head of Internal Audit

Accounting Officer's conclusion

In May 2021, we launched our new strategy for the changing world of health and social care which set out our ambitions under the themes of: people and communities; smarter regulation; safety through learning; and accelerating improvement. Our regulatory and organisational transformation has continued and we have made progress in developing the technology that will underpin our move to becoming a modern, forward-thinking and insight-led regulator. Our internal auditor's work has incorporated reviews which have supported us in developing this work and our ambitions. The reviews have identified many examples of good practice. Where recommendations and suggestions have been made, we have worked to implement these and to look at how they can assist our learning in the future.

We continue to ensure that robust mechanisms are in place to assess risk and compliance, with regular review at the Board and the ACGC.

The Head of Internal Audit has provided an annual opinion providing satisfactory assurance that there are adequate and effective systems of governance, risk management and control. We note that improvements are suggested in some areas to enhance the adequacy and/or effectiveness of the framework of governance, risk management and control and these will be implemented.  

I agree with their conclusion.

CQC has complied with HM Treasury's Corporate Governance in Central Government Department's Code of Good Practice to the extent that they apply to a non-departmental public body. 

I conclude that CQC's governance and assurance processes have supported me in discharging my role as Accounting Officer. I am not aware of any significant internal control problems in 2021 to 2022. Work will continue to maintain and strengthen the assurance and overall internal control environment in CQC.