The HSCIC will ensure that it deals with the risks that it faces in an appropriate manner, according to best practice in corporate governance, and develop a risk management strategy in accordance with the Treasury guidance Management of Risk: Principles and Concepts [11]. It will adopt and implement policies and practices to safeguard itself against fraud and theft, in line with HM Treasury guidance [12]. It should also take all reasonable steps to appraise the financial standing of any firm or other body with which it intends to enter into a contract or to give grant or grant-in-aid.
The HSCIC will develop a reporting process to assure each meeting of its board, which will meet at least six times a year in public, of financial and operational performance against the HSCIC business plan. This assurance report will include information on risks and how they are being managed in accordance with the Treasury guidance mentioned above. The information prepared will be shared with the Department to enable the Department to assure itself on risk management. The HSCIC and the Department will agree a process and trigger points for the escalation of risks to the DH Audit and Risk Committee (ARC), where those risks will have a potentially significant impact on the HSCIC, DH or the wider system that requires a co-ordinated response.
The HSCIC will have effective and tested business continuity management (BCM) arrangements in place to be able to respond to disruption to business and to recover time-critical functions where necessary. In line with Cabinet Office guidelines, the BCM system should aim to comply with ISO 22301 Societal Security – Business Continuity Management Systems.
Risks to the wider system that arise from the HSCIC's operations, identified by the HSCIC, DH or another body, will be flagged in the formal quarterly accountability meetings chaired by the SDS. Such risks may also be flagged by the HSCIC's Board and escalated to the DH ARC for consideration. It is the responsibility of the HSCIC and its sponsor to keep each other informed of significant risks to, or arising from, the operations of the HSCIC within the wider system.