Skip to main content

In a previous role I spent my days understanding, and talking, about governance, risk and compliance (GRC) in healthcare. It was like an unofficial apprenticeship and I was fortunate enough to spend time with some of those leading the thinking in this area at that time. These were people like: Dr John Bullivant, Andrew Corbett Nolan and Eileen Walsh, as well as many others working in boards or sub board to manage assurance.

Over the past seven years my path has taken me in a different direction to one more focused on workforce. While workforce and quality governance are intrinsically linked, it is with some trepidation that I find myself writing this blog on a train following an invitation to contribute to a discussion on mechanised assurance with both John and Andrew later today. What will have changed? Aren’t organisations already doing this perfectly by now? Is the conversation really as relevant today as it was fifteen years ago?


I’ll say up front, I have always been in awe of innovation in the NHS. I know this isn’t the commonly articulated view outside of healthcare but I see individuals, teams, organisations and indeed the NHS as a whole adopting new technologies, new processes and new ways of working each week. Innovation sometimes gets caught up in the narrative of change management for obvious reasons. How well the NHS and the system are responding to new models of care and new challenges such as integrated care organisations demonstrate innovation in spades. Innovation demands reliable assurance.


Good assurance lives and dies by what the workforce does day in, day out. Ours is a human service and the workforce, as well documented, is under pressure. People behave differently under pressure. Policies are short circuited; risk increased. Furthermore assurance is as much about culture as it is the committees and processes that support it and that the NHS Staff Survey highlighted that 18 per cent of NHS staff responding identified as having experienced harassment or bullying from colleagues should give us cause for real concern.

Where rota gaps are the norm and wards regularly juggle risk around staffing (whether total number, skill mix or percentage of agency to NHS staff), it is essential that there are robust assurance mechanisms in place. This entails an understanding of well-articulated and evidence-based risk appetite to having automated methods of control and exception reporting and visibility from point of care to board.

Regulation and arm’s length bodies

Regulation is more sophisticated than it was back in the days of star ratings when my journey began, and there is arguably more of it. I’m a fan of regulation and believe it can help drive improvement as well as safeguard the public and services. However, today NHS organisations spend a significant amount of time responding to regulators and arm’s-length bodies. The risk is that it is the activity of responding, or preparing to respond, that is mistaken by some organisations as the assurance in and of itself. The best organisations assure themselves first and then provide assurance to these bodies as a by-product.

Data rich and not information savvy

We are still awash with data. While initiatives like the model hospital are making some tangible improvements when it comes to how data is viewed and used, we still don’t have a sophisticated enough method of providing data narratives that reduces the risks of natural post-rationalisation. Again this is vital given the workforce pressure and impact on culture.

The next wave of disruptive technology is upon us

As a technologist, I naturally love innovation; but I’m not naive. As mentioned, it carries inherent risk and combined with the financial constraints in the service it demands solid assurance….as well as a philosophy of ‘learn fast die faster’.

The NHS will, and is already, leading the march on use of new and game changing technologies like artificial intelligence. From an assurance perspective we will be able to embed controls in a way we have not been able to until now. However, if this is done without due care and attention we will simply hard code poorly considered risk. We will get more from artificial intelligence and machine learning if we have a learning culture, one that is self-effacing, and nurtured through line of sight from strategic objectives, risk and controls.

When assurance is done well it is a basis for improvement and innovation. It provides the vital anchor to allow NHS staff to care, innovate and flourish. So, it may be some years since I was immersed in GRC, but on reflection I think it is probably more relevant than it has been for many years. Not just because of the financial position that most organisations find themselves in, but because of the way the NHS and its workforce is changing and  how technology is developing.

About the round-table

The round-table was organised by The Good Governance Institute as part of the a joint project with Allocate that explores the benefits of mechanising assurance in healthcare. Register here to receive  a copy of the report when published.