Annual Governance Statement

Under the Joint Escalation and Intervention Arrangements, the Welsh Government meets with Audit Wales and Healthcare Inspectorate Wales (the Tripartite Group) twice a year to assess each Health Board, Trust, and Special Health Authority. These assessments are informed by a wide range of data and intelligence sources to identify any emerging concerns.

The Welsh Government Oversight and Escalation Framework – NHS Wales Organisations defines five escalation levels:

• Routine arrangements
• Area of concern
• Enhanced monitoring
• Targeted intervention
• Special measures

Since its establishment in April 2021, DHCW has operated at level 1 – routine monitoring. However, on 11 March 2025, DHCW was escalated to level 3 – enhanced monitoring. This change relates to the ‘performance and outcomes’ domain, specifically the delivery of major national programmes.

The escalation followed ongoing challenges in meeting delivery timelines and maintaining pace across key national priorities. In response, the Welsh Government has set out a series of areas for DHCW to address and has clearly communicated the expectations for improvement.

DHCW’s regular performance meetings with the Welsh Government—including Joint Executive Team (JET) and Integrated Quality, Planning and Delivery Group (IQPD) sessions—will now place added focus on major programmes and closely track milestones set out in the escalation improvement plan.

The Welsh Government will also agree with DHCW on the ongoing frequency of support, intervention, and monitoring activities. Internally, DHCW’s Programmes Delivery Committee will oversee the implementation of the escalation improvement plan and provide regular updates to the SHA Board on progress.

In accordance with the Public Bodies (Admissions to Meetings) Act 1960, and as part of DHCW’s commitment to openness and transparency, we have adopted several measures to ensure public accessibility and engagement:

• Live streaming and recording our Public Board meetings, with recordings published to our website within 5 working days.
• Recording our Committee meetings and posting them to our website within 5 working days.
• Advising stakeholders of our intention to hold Board and Committee meetings 10 days in advance.
• Sharing meeting papers with members 7 days before meetings and publishing public papers to our website at the same time.
• Actively promoting public Board and Committee meetings through social media channels, encouraging stakeholder attendance and sharing meeting highlights.
• Providing highlight reports for all Committee and Advisory Group meetings (covering both public and private agenda items) to the Board and publishing these reports on our website.
• Although the Remuneration and Terms of Service Committee and the Local Partnership Forum (LPF) are private, a highlight report from both meetings is shared at each Public Board meeting to support transparency.

This Annual Governance Statement primarily covers the reporting period from 1 April 2024 to 31 March 2025.

DHCW’s standing orders are designed to translate the statutory requirements set out in the DHCW (Establishment and Constitution) Order 2020 into day-to-day operating practice. Together with the adoption of a scheme of matters reserved to the Board, a scheme of delegation to officers and others, and standing financial instructions, they provide the regulatory framework for the business conduct of DHCW and define its ‘ways of working’. These documents, along with a range of corporate policies including the Board-approved Standards of Behaviour Policy, form the Governance Framework.

The Board reviewed and approved DHCW’s standing orders in March 2025. It also received an update on DHCW’s compliance with standing orders during 2024‑25 in March 2025. There have been no variations to DHCW standing orders during 2024-25.

The command structure was not activated during 2024/25.

In line with DHCW’s standing orders and scheme of delegation, the following policies were approved by the Board and its Committees during 2024/25:

• POL-CG-019 – Waste Management Policy
• POL-POD-002 – Shared Parental Leave Policy
• POL-CG-009 – Standards of Behaviour
• POL-OSD-005 – Backup Policy
• DHCW-POL-32 – Fire Safety Policy
• POL-QRC-001 – Quality Policy
• POL-DHCW-001 – Integrated Management Systems Policy
• POL-SMS-004 – Problem Management Policy
• POL-SMS-005 – Incident Management Policy
• POL-SMS-003 – Change Enablement Policy
• DHCW-POL-46 – Business Continuity Management Policy
• POL-NWIS-013 – Patching Policy
• POL-IG-006 – Access to Information Policy
• POL-SMS-010 – Availability Management Policy
• DHCW-POL-5 – Service Level Target Policy
• CS-POL-5 – Acceptable Use Policy
• NEW – NHS Wales Password Policy
• DHCW-POL-8 – Service Level Management Policy
• DHCW-POL-25 – Request Fulfilment Policy
• POL-OSD-007 – Cryptographic Policy
• POL-CG-006 – Control of Contractors

The NHS needs to plan for and respond to a wide range of emergency incidences that could affect health or patient care. Although DHCW is not formally named in the Civil Contingencies Act 2004 as a categorised “Responder”, the Welsh Government has recognised the importance of DHCW’s role in emergency and business continuity planning on a pan-Wales basis. As a result, the Welsh Government has formally included DHCW within the new Wales Resilience Framework and instructed DHCW to act as a Category 1 Responder until such time as DHCW can be legally included in the Civil Contingencies Act as it applies to Wales.

DHCW has continued its collaborative approach to business continuity and emergency planning through active membership of the following planning groups:

• The Welsh Health Emergency Planning Advisory Group
• Welsh Health and Social Services System Resilience and Planning Group

DHCW also attends four Welsh Local Resilience Forums. This participation helps meet the requirement to collaborate, plan, share information and jointly exercise resilience plans on a multi-agency basis.

The Board has been constituted to comply with the Digital Health and Care Wales (Membership and Procedure) Regulations 2020.

In addition to responsibilities and accountabilities set out in terms and conditions of appointment, Independent Members have worked with the Chair to agree their Board Champion roles. A detailed Board Champion Annual Report was shared at our Board Meeting in March 2025.

The Board is made up of Independent Members and Executive Directors.

During 2024/25, Board development and briefing sessions took place that included a focus on the following elements of governance:

• Risk Appetite and Board Assurance Framework
• Review of SHA Board Decisions
• Transformation incorporating Product Approach
• Digital Workforce Development
• National Target Architecture / EHR Update
• Stakeholder Engagement – Independent Review Feedback
• Cloud Adoption
• Data, Digital and Technology (DDaT) Governance Review
• Benefits Realisation
• Performance Management Framework
• Implications of the Welsh Government Draft Budget
• INPS
• Dental Access Portal
• IMTP 2025/26 – 2027/28
• Workforce Race Equality Standard
• Digital by Design (Learning from Audit Wales Report)
• Agor yr Drws
• Public Digital (External)
• DHCW | Swansea Bay University Health Board Clinical Site Visit

Full membership of the Board is outlined in Appendix 1. Below is a summary of the Board and Committee structure, which reflects the proposed structure in the DHCW model standing orders.

The Board provides leadership and direction to the organisation and has a key role in ensuring sound governance arrangements are in place. It also promotes an open culture and high standards when conducting its work. Together, Board members share corporate responsibility for all decisions and play a key role in monitoring organisational performance.

All Board meetings during 2024/25 were appropriately constituted with a quorum. Key business and risk matters considered by the Board during the year are outlined in this statement. Further information is available in the meeting papers on our our website.

The Board has four committees: the Audit and Assurance Committee, Remuneration and Terms of Service Committee, Digital Governance and Safety Committee, and the Programmes Delivery Committee.

These committees are chaired by the Chair or Independent Members of the Board and have key roles in governance and assurance, decision making, scrutiny, and risk assessment. Each committee provides assurance and key issues reports to every Board meeting, contributing to the Board’s overall assessment of assurance and oversight of the delivery of objectives.

The Board is responsible for reviewing the committee structure and does so annually through its review of standing orders. It will consider whether any changes are needed during 2025/26 in line with the governance framework and the priorities set out in the Integrated Medium-Term Plan.

DHCW is committed to openness and transparency in how it conducts its committee business. The Board and its committees aim to conduct as much business as possible in open sessions, with public papers published on the DHCW website. Closed sessions are held only where the business is confidential in nature, such as commercially sensitive matters, personal issues, or early-stage plans.

Annual Committee and Advisory Group Reports provide an overview of activity during the year and are available at the links below:

• Audit and Assurance Committee
• Digital Governance and Safety Committee
• Programmes Delivery Committee
• Remuneration & Terms of Service Committee
• Local Partnership Forum

An important Committee of the Board in relation to this Annual Governance Statement is the Audit and Assurance Committee. The Committee keeps under review the design and adequacy of DHCW’s governance and assurance arrangements and its system of internal control.

During 2024/25, key issues considered by the Audit and Assurance Committee relating to the overall governance of the organisation included:

• Revisiting its terms of reference, which will be kept under regular review
• Approving the Internal Audit Plan for 2024/25 and keeping under review the resulting Internal Audit Reports, noting key areas of risk and tracking the management responses made to improve systems and organisational policies
• Ensuring effective financial systems and controls procedures are in place
• Monitoring the risk management systems
• Monitoring standards of behaviour, including declarations of interests, gifts, hospitality, and sponsorship
• Developing arrangements to work with Audit Wales (AW), and considering the 2024 Structured Assessment and Audit Wales’s 2025–26 Audit Plan
• Monitoring progress on the development of the Welsh Language Scheme for DHCW
• Approving and reviewing DHCW’s Legislative Assurance Framework
• Developing and endorsing new policies, strategies, and frameworks in support of good governance and appropriate control

The Remuneration and Terms of Service Committee considers and recommends salaries, pay awards and terms and conditions of employment for the Executive Team and other key senior staff. During 2024/25 key issues considered by the Remuneration and Terms of Service Committee included:

• Performance of Executive Directors against individual objectives
• Executive Team structure
• Ratification of Executive Team posts

The Digital Governance and Safety Committee advises and assures the Board with regard to the quality and integrity, safety, security and appropriate use of information and data to support health and care delivery and service improvement and the provision of high-quality digital health and care. Key issues considered by the Committee in 2024/2025 relating to their remit included:

• Revisiting its terms of reference, which will be kept under regular review
• Cyber Security arrangements
• Incident review and organisational learning
• Information Governance
• Information Services Assurance
• Informatics Assurance
• Research and Innovation Assurance
• Technical Design Assurance

The Programmes Delivery Committee advises and assures the Board with regard to how programmes are delivered, in particular that they have regular and proper governance, have robust control processes and reporting, and are demonstrating good planning, management and delivery.

The Committee will also provide assurance to the Board on the delivery of programmes as a portfolio, prioritised allocation of resources, programmes impact on wider DHCW delivery, and transition of programmes activity to live services which are sustainable in the longer term. Key issues considered by the Committee in 2024/2025 relating to their remit included:

• Refining and agreeing the Committee terms of reference which will be kept under regular review
• Programmes Assurance
• Portfolio Assurance
• Governance (including reviewing which programmes are in scope of the Committee)

The Board and Committees of the Board undertook a self-assessment for 2024/25 between January and March 2025. The findings were discussed at the relevant committee meeting and reported to the SHA Board.

The Audit and Assurance Committee questionnaire was based on the Audit Committee Handbook and circulated to Committee members and attendees.

The SHA Board, Digital Governance and Safety Committee, Programmes Delivery Committee Remuneration and Terms of Service Committee and Local Partnership Forum questionnaires were based on the composition, establishment and duties, then Board, Committee, and Advisory Group leadership and support questions of the Audit and Assurance Committee.

Appendix 1 outlines the membership and attendance of the Board and its Committees for the period 1 April 2024 to 31 March 2025. Members undertake a range of other activities on behalf of the Board, including Board Development and Briefing Sessions, and a range of internal and external meetings.

Any proposed changes to the structure and membership of Board Committees require Board approval. The Audit and Assurance Committee, Digital Governance and Safety Committee, and Programmes Delivery Committee have considered their own terms of reference and recommended changes to the Board.

The Board will ensure that terms of reference for each committee are reviewed annually to ensure the work of committees clearly reflects any governance requirements, changes to delegation arrangements or areas of responsibility. All committees and advisory groups of the Board have developed annual reports of their business and activities, which were received and noted in March 2025.

The lead officers are included in Appendix 2 and the schedule of Board and Committee meetings for 2024/2025 is provided in Appendix 3.

DHCW’s Board system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risks; this has been articulated in DHCW’s risk appetite statement. It can therefore only provide reasonable and not absolute assurances of effectiveness.

The system of internal control is based on an ongoing process designed to identify and prioritise risks to the achievement of the policies, aims, and objectives. It also evaluates the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively, and economically.

The system of internal control has been in place for the year ended 31 March 2025 and up to the date of approval of the annual report and accounts.

The Board Assurance Framework was reviewed and approved by the Board in May 2024. The Board Assurance Framework identifies all the key controls and lines of assurance to be reported to the Board. Our Board Assurance Framework annual reporting cycle can be seen below.

We use the BAF system and process to monitor, seek assurance and ensure that shortfalls are addressed through the scrutiny of the Board and its Committees. Oversight of our Corporate Risk Register system is provided through the scrutiny and monitoring of the Board and its Committees.

Key controls are defined as those controls and systems in place to assist in securing the delivery of the Board’s strategic objectives. The effectiveness of the system of internal control is assessed by our internal and external auditors.

The Chief Executive/Accountable Officer has overall responsibility for the management of risk but the SHA’s lead for risk is the Director of Corporate Affairs | Board Secretary. This means leading on the design, development and implementation of the Risk Management and Board Assurance Framework.

DHCW’s risk appetite statement, set out below, describes DHCW’s approach to risk management and the risks it is prepared to accept or tolerate in the pursuit of its strategic goals:

• DHCW must take risks to achieve its strategic aims and deliver beneficial outcomes to stakeholders.
• Risks will be taken in a considered and controlled manner.
• Exposure to risks will be kept to a level of impact deemed acceptable by the Board.
• The acceptable level may vary from time to time and will therefore be subject to at least annual review and revision.
• Any risk outside our agreed appetite may be accepted and will be subject to a governance process to ensure visibility and management.

Some particular risks above the agreed risk appetite may be accepted because:

• The likelihood of them occurring is deemed to be sufficiently low.
• They have the potential to enable realisation of considerable reward/benefit.
• They are considered too costly to control given other priorities.
• The cost of controlling them would be greater than the cost of the impact should they arise.
• There is only a short period of exposure to them.
• Mitigating action is required by an external party.

DHCW’s risk appetite considers its capacity for risk, which is the amount of risk it is willing to accept in pursuit of its objectives having regard to its financial and other resources, before a breach in statutory obligations and duties occurs.

The risk tolerance gives guidance regarding escalation for risks across its activities. The infographic below provides details on the risk domains identified and agreed by the DHCW Board, associated appetite, tolerance levels, and sets the expectation of the Board regarding the number of key controls when reviewing Corporate Risks in those categories in the Board Assurance Report.

During 2024/25, due to the economic crisis, the financial risk profile of DHCW has seen a significant increase in risks identified that have the potential to impact our achievement of objectives and deliverables across the last year and potentially impact greatly on our achievement of objectives in the next financial period. These range from investment for digital developments to staffing levels.

A lack of sustainable funding model for DHCW, particularly relating to programmes funded via the Digital Investment Priorities fund, has posed a risk to the organisation across the last 12 months, which has subsequently posed a risk to staffing levels. Our Finance and People and Organisational Development teams have provided mitigation by engaging continuously with Welsh Government and working to ensure we continue to develop our workforce skillset and talent pool currently in place.

During 2024-25, there has been a significant increased risk and threat of Cyber-attack. As an organisation, we recognise this will be a long-term risk and emerging threats will continue to increase in intensity and intelligence; we have undertaken extensive evaluation of our current risks, key controls, and assurances to identify a significant Service Improvement Plan offering assurance and protection to both our organisation and the wider NHS Wales Domain.

During 2024-25, DHCW has been subject to the realisation of a lack of wider NHS Service understanding of its core functions by which the organisation accesses and uses patient data. Gaps in a common understanding and consistent underpinning policy direction have meant that a sound legal basis for the collection, processing, and dissemination of Welsh resident data has not been easy to establish. This poses an increasing risk to the organisation and a direct impact on DHCW Strategic Programmes.

The Board sees active and integrated risk management as key elements of all aspects of our functions and responsibilities to support the successful delivery of our business. The Board and its Committees identify and monitor risks within the organisation.

Risks are escalated to the Board as appropriate. At an operational level, Executive Directors are responsible for regularly reviewing their Directorate Risk Registers and for ensuring that effective controls and action plans are in place and progress is monitored.

The framework includes strategy-to-operational tools and provides the working context for staff regarding the management of risk—from identification and scoring through to monitoring.

Overall risk performance has met expectations over the last 12 months, with our risk management policy becoming embedded across the organisation and aligned with our Board Assurance Framework.

Ongoing progress has been made in embedding the management framework during 2024/25. The framework, policy, and associated procedures have been communicated across the organisation with training provided. New processes have been rolled out to all staff and data cleansing activities have greatly improved the quality of our risk data.

We have an internal risk management page to assist staff in positive risk management. Quick guides are available alongside policies and procedures to enable staff to score risks more pragmatically and proactively manage them in accordance with the policy. Staff are now more empowered to identify risks in a clear and consistent manner and escalate where appropriate for decision-making and mitigation.

Risk registers and a live Risk Dashboard are available to staff through a secure internal system to promote openness, transparency, and a collaborative approach to risk identification and management.

All risks are fully aligned to our strategic missions and clearly mapped against their primary risk domain and dependencies. In-depth risk reviews have helped identify risks that are not DHCW’s to own or mitigate. Work has been underway through the Governance structures and Clinical Risk Reviews to identify and transfer these risks for correct ownership and accountability.

As a result, DHCW’s risk profile is becoming more streamlined and accurate—allowing focused attention on critical and emerging risks to the organisation.

To ensure appropriate focus on our corporate-level risks as of March 2025, our Board Committees periodically undertake deep dives into specific areas. During 2024/25, the following deep dives were held:

An analysis of corporate risks including the movement in corporate risks since the establishment of DHCW, from October 2023 to September 2024, was undertaken during the year and presented to our Board in November 2024.

NHS Wales organisations are not required to comply with all elements of the Corporate Governance Code for central government departments. However, this governance statement provides an assessment of how DHCW complies with the main principles of the code as they relate to an NHS public sector organisation.

DHCW applies the spirit of the code effectively, operating openly and in line with its principles. While not all reporting elements are detailed within this governance statement, they are provided within the wider Annual Report.

DHCW undertakes an annual assessment of its compliance with the Corporate Governance Code. The outcome of the latest assessment was reported to the SHA Board in March 2025, and there were no reported departures from the code.

DHCW’s risk management framework is materially compliant with the Orange Book: Management of Risk principles, adjusted to reflect the organisation’s size, structure and operational needs. There have been no reported departures from the Orange Book.

The Orange Book can be accessed here.

DHCW is committed to fostering a culture of openness that supports and encourages staff to raise concerns in a safe and respectful environment.

During 2024–25, there were four Raising Concerns cases. All were managed through appropriate processes and reported to the Audit & Assurance Committee.

The NHS Wales Staff Survey results for DHCW show:

• 91.3% of staff would feel secure raising concerns about unethical behaviour.
• 84.8% are confident DHCW would address concerns.
• 84.8% feel safe to speak up about anything that concerns them in DHCW.

Quality and Duty of Candour

DHCW came under the Duty of Quality and Duty of Candour in April 2023, in accordance with the Health and Social Care (Quality and Engagement) (Wales) Act 2020.

In line with these duties, DHCW has produced its first Duty of Quality Annual Report and Duty of Candour Annual Report, outlining its compliance and commitment to delivering high-quality, transparent healthcare services.

The Duty of Quality is actively embedded within DHCW’s operations, following its introduction in April 2023 under the Health and Social Care (Quality and Engagement) (Wales) Act 2020. DHCW has demonstrated its commitment to this duty by producing its first Duty of Quality Annual Report, outlining its compliance and progress. This initiative reflects DHCW’s focus on maintaining high standards of care and ensuring continuous improvement across its services, aligning closely with the principles set out in the Act.

As a Special Health Authority Digital Health and Care Wales (DHCW) has a statutory obligation to have in place the knowledge, processes, and procedures to appropriately implement and manage the Duty of Candour.

To ensure this all incidents are reviewed and actioned by the Patient Safety team (where required in conjunction with the Corporate Governance team), and any escalation, subsequent review of reports and learning from events is managed by the Incident Review & Learning Group (IRLG) and in turn this group reports to the Digital Safety & Governance Committee, allowing for robust levels of assurance that the Duty is appropriately and effectively implemented.