The Board is accountable for Governance, Risk Management and Internal Control. As Chief Executive of the Board, I have responsibility for maintaining appropriate governance structures and procedures as well as a sound system of internal control that supports the achievement of the organisation's policies, aims and objectives, whilst safeguarding the public funds and the organisation's assets for which I am personally responsible. These are carried out in accordance with the responsibilities assigned by the Accountable Officer of NHS Wales.

The annual report outlines the different ways the organisation has worked internally and with partners during 2022/23. It explains arrangements for ensuring standards of governance are maintained, risks identified and mitigated, and assurance has been sought and provided. Where necessary additional information is provided in the Governance Statement (GS), however the intention has been to reduce duplication where possible. It is therefore necessary to review other sections in the Annual Report alongside this Governance Statement.

This Governance Statement explains the composition and organisation of DHCW’s governance structures and how they support the achievement of our objectives. The background to DHCW, its functions and plans are set out in the Performance Report.

The Board sits at the top of our internal governance and assurance system. It sets strategic objectives, monitors progress, agrees actions to achieve these objectives and ensures appropriate controls are in place and working properly. The Board also takes assurance from its committees, assessments against professional standards and regulatory frameworks.

The Remuneration and Terms of Service Committee is a private Committee of the Board, in addition the singular advisory group, the Local Partnership Forum (LPF) is currently private, but to commit to openness and transparency, a highlight report from both meetings is shared at each Public Board meeting.

The reporting period for this Annual Governance Statement is primarily focussed on the financial year 1 April 2022 to 31 March 2023.

During 2022/23, the Health and Social Care Committee and the Public Accounts and Public Administration Committee agreed to work together to scrutinize DHCW. The terms of reference and evidence collated by the Committees were published, in addition we attended an oral session on 26 October 2022.

DHCW also supported the Equality and Social Justice Committee one day inquiry on data justice and the use of personal data on the NHS. DHCW Representatives attended the inquiry on 27 March 2023.

To co-ordinate Emergency Planning and Business Continuity within DHCW, a new post of Emergency Planning Lead was developed and recruited into during 2022.

Internally, the DHCW Business Continuity Planning Group (BCPG) has continued to work with all departments to establish Departmental Business Continuity Plans to support the overarching DHCW Business Continuity Plan and to evaluate and mitigate identifiable risks on National and Regional Risk Registers and self-assessed risks that may impact DHCW.

The IT Systems Resilience Programme has been established within DHCW to record and report business assurance and compliance for Digital Resilience documentation and testing.

Since operating in business continuity mode during the response to the Covid-19 Pandemic, DHCW has continued its collaborative approach to business continuity and emergency planning through the active membership of Planning groups:

• The Welsh Health Emergency Planning Advisory Group.
• Welsh Health and Social Services Planning Group.

DHCW has raised the application of the Civil Contingencies Act to DHCW activities with Welsh Government with the aim of a legally binding inclusion into the national emergency planning forums i.e., LRFs, under the Civil Contingencies Act.

The Board has been constituted to comply with the Digital Health and Care Wales (Membership and Procedure) Regulations 2020. In addition to responsibilities and accountabilities set out in terms and conditions of appointment, Independent Members have worked with the Chair to agree their Board Champion roles. A detailed Board Champion Annual Report was shared at our Board Meeting in January 2023.

The Board is made up of Independent Members and Executive Directors.

Throughout the year, a number of changes took place, in collaboration with the Public Bodies Unit in Welsh Government. Marilyn Bryan Jones, Independent Member, was appointed in July 2022, and Alistair Klaas Neill, Independent Member, was appointed in August 2022.

At the start of the year, there were two vacancies as outlined in the Executive structure proposal presented by the Chief Executive Officer. The Executive Director of Operations, a voting member of the Board, and the Director of Primary, Community, and Mental Health Digital Services, a non-voting member of the Board.

Sam Hall was appointed the Director of Primary, Community, and Mental Health Digital Services in August 2022 to start in November 2022. This position has a standing invitation to Board meetings where they can contribute to discussions; however, it does not have voting rights as this position is not an Executive Director.

Sam Lloyd was appointed the Executive Director of Operations in September 2022 to start in January. Gareth Davis was appointed as Interim Executive Director of Operations in April 2022; this interim arrangement ceased on 17 October 2022, with Carwyn Lloyd-Jones appointed as Interim Executive Director of Operations from 17 October 2022 to 15 January 2023.

During 2022/23, Board development and briefing sessions took place that included a focus on the following elements of governance:

In January 2023, the Board became fully established with a full complement of executive and independent members. We recognised that the Board had not had the opportunity to engage in a Board Development Programme as a full Board, as a result, work was carried out in 2022-23 to tender for an organisation to partner with DHCW to provide a Board Development programme bespoke to the DHCW Board and our needs, building on the good work in establishing robust governance systems and processes and the focus of the work being on leadership, and the people side of governance development.

DHCW partnered with Deloitte as our Board Development partner and Board held the following workshops with Deloitte during the later part of the year:

• Feedback from Board OD Diagnostic Phase including 360 appraisals
• Business Chemistry – Board Members Styles and Preferences
• Effective Scrutiny and Challenge

We are looking forward to continuing this work in 2023-24.

Full membership of the Board is outlined in Appendix 1. Below is a summary of the Board and Committee structure. This is reflective of the proposed structure in the DHCW model standing orders. There was no instruction from the Welsh Government or proposals by the Board to introduce further Committees or advisory groups during 2022/23

DHCW’s Board system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risks, this has been articulated in DHCW’s risk appetite statement. It can therefore only provide reasonable and not absolute assurances of effectiveness.

The system of internal control is based on an ongoing process designed to identify and prioritise risks to the achievement of the policies, aims and objectives. It also evaluates the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively, and economically. The system of internal control has been in place for the year ended 31 March 2023 and up to the date of approval of the annual report and accounts.

The Board Assurance Framework was reviewed and approved by the Board in May 2022. The Board Assurance Framework identifies all the key controls and lines of assurance to be reported to the Board. Our Board Assurance Framework annual reporting cycle can be seen below.

We use the BAF system and process to monitor, seek assurance and ensure that shortfalls are addressed through the scrutiny of the Board and its Committees. Oversight of our Corporate Risk Register system is provided through the scrutiny and monitoring of the Board and its Committees.

Key controls are defined as those controls and systems in place to assist in securing the delivery of the Board’s strategic objective. The effectiveness of the system of internal control is assessed by our internal and external auditors.

The Chief Executive/Accountable Officer has overall responsibility for the management of risk but the SHA’s lead for risk is the Board Secretary. This means leading on the design, development and implementation of the Risks Management and Board Assurance Framework Strategy and Board Assurance Framework.

DHCW’s risk appetite statement, set out below, describes DHCW’s approach to risk management and the risks it is prepared to accept or tolerate in the pursuit of its strategic goals:

DHCW’s risk appetite considers its capacity for risk, which is the amount of risk it is willing to accept in pursuit of its objectives having regard to its financial and other resources, before a breach in statutory obligations and duties occurs.

The risk tolerance gives guidance regarding escalation for risks across its activities, the below infographic provides details on the risk domains identified and agreed by the DHCW Board, associate appetite, tolerance levels and sets the expectation of the Board regarding the number of key controls when reviewing Corporate Risks in those categories in the Board Assurance Report.

During the COVID-19 recovery period and subsequent economic crisis the financial risk profile of DHCW has seen a significant increase in risks identified that have the potential to impact our achievement of objectives and deliverables across the last year and potential to impact greatly on our achievement of objectives in the next financial period. These range from core funding for services to staffing levels, we have also identified further considerations in our Service Level agreements and cross charging across Health Bodies for live services that require further development in line with our ever-evolving digital environment to ensure our products and services provide quality, assurance, and safety to the Consumer organisations and wider public.

A competitive workplace market along with evolving hybrid working options have also posed a risk to the organisation across the last 12 months and will continue to do so for the foreseeable future. Our workforce team have provided mitigation to this by increasing their network of resources and adapting our hybrid working policy to enable engagement with resources outside of our immediate community, further work is required to ensure we have a rich and diverse knowledge and skillset amongst our workforce and continue to develop the talent pool currently in place.

During 2022-23 there has been an increased risk and threat of Cyber-attack. Whereas an organisation we recognise this will be a long-term risk and emerging threats will continue to increase in intensity and intelligence; we have as an organisation undertaken extensive evaluation of our current risks, key controls and assurances to identify a significant Service Improvement Plan offering assurance and protection to both our organisation and also the wider NHS Wales Domain.

Overall risk performance has met expectations over the last 12 months with the revised risk management policy becoming embedded across the organisation and aligned with our Board Assurance Framework.

Significant progress has been made in embedding the Risk Management and Board Assurance Framework Strategy (the ‘Strategy’) during 2022/23.

The Strategy, policy, and associate policies and procedures have been communicated across the organisation with training provided. New processes have been rolled out to all staff and data cleansing activities have greatly improved data quality regarding our risk profile position.

A new internal risk management page has been developed to assist staff in positive risk management, quick guides are available alongside the policies and procedures to enable staff to be more pragmatic in scoring and proactive with the management of their risks in accordance with policy. Staff are more empowered to identify risks in a clear and consistent manner and escalate where appropriate for decision making and mitigation. Risk registers are available to staff through this secure mechanism for openness, transparency and allowing a collaborative approach to risk identification and management.

All risks are fully aligned to our strategic missions and clearly mapped against their primary risk domain and dependencies. In depth risk reviews have assisted in the identification of risks that are not DHCW’s to own or mitigate and work has been underway through the Governance structures and Clinical risk reviews to identify and share these risks for correct ownership and accountability. As a direct result of this DHCW’s risk profile is now becoming more streamlined and accurate allowing the focus on critical risks and identification of emerging risks to the organisation.