Risk assessment framework and reporting manual for independent sector providers of NHS services

About NHS England

On 1 July 2022, under the Health and Social Care Act 2022, Monitor was abolished, and NHS England (previously the NHS Commissioning Board) formally assumed its regulatory responsibilities and powers.

This document concerns the statutory responsibilities of NHS England for licensing and monitoring certain independent sector providers of NHS services.

Independent sector providers of NHS services must hold an NHS provider licence (unless exempt) and must comply with its conditions.

Independent sector providers may additionally be subject to the continuity of services (CoS) conditions in Section 5 of the licence if they are:

  • designated by their commissioners as providers of commissioner requested services (CRS)
  • identified as a ‘hard to replace’ provider by NHS England.

Application of the CoS conditions means providers are subject to NHS England’s financial and quality governance oversight as set out in this document. This oversight aims to:

  • reduce the risk that key NHS services may not be able to continue due to financial or quality stress
  • reduce the impact on patients if such issues do arise, including insolvency of an independent sector provider.

About this document

This risk assessment framework and reporting manual for independent sector providers of NHS services (henceforth the ‘IPRAF’) sets out NHS England’s overall approach to regulating licensed independent sector providers of NHS-funded services. This approach is designed to identify signs of financial and quality stress in providers early enough for appropriate action to be taken to protect continuity of key NHS services.

This document would supersede the previous IPRAF published in December 2020 and incorporates the updates being formally consulted on.

Changes to the previous version

This document reflects two material changes to the regulatory environment since December 2020:

  1. The abolition of Monitor and NHS England’s assumption of its regulatory role with regard to independent sector providers of NHS-funded services.
  2. Revisions to the NHS provider licence, which place new quality governance requirements on providers subject to the CoS conditions in the licence.

By implementing these updates, NHS England’s primary aim is to improve its monitoring approach and increase the scope of its oversight to encompass situations where the governance/oversight of quality of care at an independent sector provider raises concern for the sustainability of the services it provides. NHS England intends to use this updated approach to:

  • act where there is evidence that poor quality governance puts access to key NHS services at risk, including in some cases using powers under CoS6 to mandate that support is received
  • work closely with the Care Quality Commission (CQC) to share information and ensure our separate roles complement and do not duplicate each other, as far as possible
  • take a more holistic view of providers, as financial and quality issues are often inter-related.

How this document is structured

This document has eight parts:

  1. An introduction to the regulatory and oversight system, explaining NHS England’s responsibilities and powers for licensing and monitoring independent sector providers.
  2. The risk assessment framework for providers that are subject to the CoS conditions – this sets out NHS England’s overall approach to monitoring financial risk and quality governance.
  3. Detail on how NHS England will assess financial risk at providers that are subject to the CoS conditions.
  4. Detail on how NHS England will assess quality governance and quality stress at providers that are subject to the CoS conditions.
  5. Information on what needs to be reported by exception to NHS England and what other formal notifications may also be required by some providers.
  6. How NHS England will monitor providers subject to the CoS conditions that are themselves part of a larger group structure.
  7. A summary of annual reporting requirements for all licensed independent providers including NHS-controlled providers regulated under this framework.
  8. How NHS England – as statutory commissioner and regulator – will handle commercially sensitive information.

Principles guiding the regulatory approach

Under this updated IPRAF, NHS England continues to be guided by the regulatory principles originally set out by Monitor in April 2014. It remains committed to a regulatory approach for independent sector providers that is:

  • patient-focused
    • where issues are identified at licence holders, NHS England will be guided by the interests of patients in assessing the risks and the need for action.
  • evidence-based
    • NHS England will base its actions on the available and relevant evidence.
  • proportionate
    • NHS England will ensure that its actions address solely the material risks identified so that it does not over-reach its regulatory remit.
  • transparent
    • NHS England will strive to communicate clearly and openly to licence holders, commissioners and other stakeholders the reasons for any actions it takes in delivering the right outcomes for patients, commissioners and other stakeholders.
  • co-operative
    • NHS England will work with other regulators and organisations and, to avoid duplication, will take their conclusions into account when deciding its regulatory approach wherever this is possible and appropriate.

NHS England’s intention remains to use as straightforward a framework as possible and to focus its resources on the providers of greatest concern in a proportionate fashion. It expects that this framework will only apply to a subset of licensed independent sector providers of NHS services – those that provide services that NHS England has determined to be ‘hard to replace’ and/or services designated as commissioner requested.

Part 1: Introduction to NHS England’s regulatory and oversight system for independent sector providers

The Health and Social Care Act 2012 (the 2012 Act) gave Monitor the role of sector regulator for healthcare in England with a number of new responsibilities and powers. These changes to regulation included the introduction of an NHS provider licence for NHS foundation trusts from 1 April 2013 and other eligible NHS service providers from
1 April 2014.

All providers of NHS services (unless exempt under the Exemptions Regulations) are required to hold a licence and comply with its conditions. Please refer to:

Having assumed Monitor’s role under the Health and Social Care Act 2022 (the 2022 Act), NHS England has inherited Monitor’s powers in relation to the provider licence and now monitors providers’ compliance with the licence conditions.

Providers subject to the CoS licence conditions

Among NHS England’s statutory duties is the assessment of risk to the continued provision of services via the CoS licence conditions. These conditions apply to two types of providers, namely:

Providers of commissioner-requested services (CRS) as designated by commissioners

  • CRS are any services that commissioners have formally designated as needing the protection of the CoS conditions stated in Section 5 of the NHS provider licence. These are services that would need to remain in their area if a provider were to get into difficulty because:
    • there is no alternative provider close enough
    • and/or removing them would increase health inequalities
    • and/or removing them would make dependent services unviable.

Please refer to guidance on how commissioners can designate services as CRS.

Providers of NHS services identified as ‘hard to replace’ by NHS England

  • In some cases, a provider’s services may be of sufficient scale or complexity nationally or regionally that NHS England considers that their unavailability – due to the provider’s insolvency or quality issues – would impact on patients. As per the consultation on the provider licence, this is now the second mechanism by which NHS England can determine that the CoS conditions should apply to a licensee.

This IPRAF sets out how NHS England oversees these providers through an oversight system that is designed to:

  • identify any signs a provider is getting into financial difficulty early enough for all concerned to take steps to safeguard the provision of services
  • allow us to respond in some cases to signs that a provider’s standard of governance of quality is risking the suspension or termination of services, notwithstanding the role of commissioners in assuring the quality of the services they purchase
  • be proportionate: NHS England does not want its risk reporting requirements to discourage providers from moving into new NHS services, expanding or innovating their existing NHS services to benefit patients, or continuing to treat NHS patients.

Regulatory approach to providers subject to the CoS service licence conditions

As well as having a statutory duty to assess risk to the continued delivery of services, NHS England also has powers to support the ongoing delivery of these services through enforcement of the CoS conditions stated in Section 5 of the provider licence.

NHS England may, where it judges the risk to the continued delivery of services is sufficiently serious, act to:

  • use its powers to investigate whether there has been a breach of the CoS licence conditions, and if so its extent
  • depending on the outcome of an investigation, initiate enforcement action to address financial or quality stress (see Enforcement guidance for more detail)
  • appoint a person (or persons) who can assist or advise on the management of the licensee’s affairs, where a notice of going concern or a notice of quality stress is issued. This person’s primary objective is to ensure continuity of services for the patients who rely on them.

This overarching regulatory approach is summarised in Figure 1. Note: the sequence of events is indicative; in some circumstances, the order of those under investigation and action may vary.

Figure 1: NHS England’s regulatory approach to overseeing financial and quality governance risk at independent sector providers subject to the CoS licence conditions


Figure 1 alternative text:

Monitoring

Annual submissions:

  • forward financial plan
  • annual report and accounts
  • auditor opinion

If applicable:

  • quality accounts

In-year reporting requirements:

  • YTD financial performance
  • Reforecasts (if applicable)
  • Banking covenant compliance

Licence requirements:

  • availability of resources (CoS7)
  • ultimate controller undertaking (CoS4)

NHS England requirements:

  • fit and proper persons certification (G3)
  • licence compliance certification (G5)

Exception reports:

  • profits warnings
  • transactions
  • CQC reports
  • refinancing
  • other material actions/events

Risk assessment

Continuity of service risk assessment
Ultimate controller information/assurance
Availability of resources

Investigation

  • potential considerations

Gathering any additional evidence

Consideration for regulatory action:

  • impact: degree of services at risk
  • likelihood: level of risk

Potential statutory powers:

  • co-operation with NHS England/other nominated parties (COS 6)
  • provision of information (s.104)

Action

  • potential actions to protect provision of key services

Statutory enforcement powers

  • discretionary requirements (s.105)
  • enforcement undertaking (s.106)

Powers under the licence

  • contingency planning teams (CoS6)
  • asset lock (CoS2)

Licence conditions that relate to financial and quality governance oversight of providers subject to the CoS licence conditions

NHS England will primarily rely on three conditions in the NHS provider licence – CoS licence conditions 3, 4 and 7 – in its oversight of providers subject to the CoS conditions (see above).

CoS3

  • Requires providers to maintain suitable ‘systems and standards of corporate governance, and financial management”, and which reasonably safeguard against the risk of the provider no longer being a going concern.
  • It also requires providers to have standards of quality governance that provide reasonable safeguards against their not being able to deliver a service due to quality stress.
  • In doing so, providers must take account of NHS England’s risk rating methodologies and maintain risk ratings equal to or greater than the level NHS England considers acceptable.

CoS4

  • Independent sector providers may be part of a larger corporate structure or have a single or majority shareholder who can influence their operations.
  • This licence condition enables NHS England to gain assurance regarding the influence (or potential influence) of an ‘ultimate controller’ on the financial stability or standards of quality governance of a provider, and consequently on its ability to continue to deliver services covered by this framework.
  • Where providers have such ultimate controller(s), NHS England can use this condition to complement any direct risk assessment of the licensee.

CoS7

  • Requires relevant providers to inform NHS England on an annual basis whether or not they have sufficient resources to provide CRS or ‘hard to replace’ services, including:
    • managerial (including clinical leadership)
    • quality-related information flows
    • financial and physical resources

to provide the services subject to the CoS licence conditions.

  • The assurance needs to be given after the provider takes account of its financial obligations (including dividend and interest payments).
  • Providers should inform NHS England immediately if the basis of this assurance changes during the year.

Licence conditions that safeguard continuity of services

CoS1

  • Prevents a provider of CRS from ceasing to provide or materially altering the specification or means of provision of these services except where this has been agreed in writing with the commissioners of those services.
  • This may include, by virtue of licence condition G8(7), continuing to provide CRS on the terms of the contract if that contract has expired without extension or renewal being agreed.
  • This condition does not apply to ‘hard to replace’ providers (as identified by NHS England as regulator) unless that provider also has services designated as CRS, in which case CoS1 would only apply to the services designated as CRS.

In practice NHS England would expect, in the first instance, providers and commissioners to agree changes to the provision of CRS between themselves through the normal contract negotiation processes. However, NHS England can intervene if a disagreement cannot be bridged, or a risk not easily mitigated.

Where NHS England is concerned about a provider’s ability to continue as a going concern or provide a particular service because of quality stress and it has formally notified the provider of this, NHS England can apply the following two CoS licence conditions:

CoS2

  • Prevents providers of CRS disposing of, or relinquishing control over, any relevant asset except with the written consent of NHS England.
  • Relevant assets are any items without which the licensee’s ability to meet its obligations to provide CRS would reasonably be regarded as materially prejudiced (a full definition is given in the licence condition).
  • This condition does not apply to a ‘hard to replace’ provider as identified by NHS England unless that provider also has services designated as CRS, in which case CoS2 would apply to those services designated as CRS.

CoS6

  • Requires the licensee to co-operate in the provision of information as NHS England may direct to commissioners and others, to allow such persons as NHS England may appoint to enter and inspect premises, and to co-operate with such persons as NHS England may appoint to assist in or advise on the management of the licensee’s affairs, business and property.

Other licence conditions

The full set of licence conditions relevant to all licensees – covering general conditions, pricing, competition, integrated care and also the continuity of services conditions above – can be found here.

Part 7 of this document sets out the annual reporting requirements that licensed independent sector providers must fulfil to comply with the terms of the NHS provider licence.

Part 2: Risk assessment framework for independent sector providers subject to the continuity of services licence conditions

The 2012 and 2022 Acts give NHS England powers to ensure the continued delivery of NHS services (‘continuity of services’ or ‘CoS’). These powers are expressed by the inclusion of CoS conditions in Section 5 of the NHS provider licence as set out above.

The application of the CoS conditions activates NHS England’s financial oversight of independent sector providers subject to the CoS conditions under the IPRAF. It also means that, where there is potential evidence of quality stress at a provider subject to these conditions, NHS England may investigate and/or take regulatory action.

This part describes how NHS England will carry out this role at independent sector providers that are subject to the CoS conditions. It sets out:

  • the providers the IPRAF applies to
  • how NHS-controlled providers are regulated
  • NHS England’s approach to assessing risk at independent sector providers subject to the CoS licence conditions.

The providers the IPRAF applies to

The IPRAF applies to:

  • confirmed providers of CRS (as designated by commissioners) and/or ‘hard to replace’ providers (as identified by NHS England) that are not NHS foundation trusts or NHS trusts
  • NHS-controlled providers that have been told they will be regulated under the IPRAF (see below).

For NHS England’s purposes, ‘confirmed’ means either:

  • A commissioner has formally designated one or more of the provider’s services as CRS (and this has been accepted by the provider) and formally informed NHS England of this designation.
    • On receiving this information NHS England has formally confirmed CRS status to the provider.
    • Alternatively, a CRS review process has formally confirmed the CRS designation of one or more of the provider’s services and NHS England has formally confirmed CRS status to the provider.
  • NHS England considers that the provider is ‘hard to replace’ due to the impact on the NHS of the loss of its services should the provider fail, and NHS England has formally confirmed this status to the provider.

Licence holders that do not meet either of the criteria above will not be subject to the CoS licence conditions and the oversight approach set out in this part. Consequently, the framework outlined here will not be used for finance or quality oversight at providers not subject to the CoS licence conditions. In these situations, other levers (eg CQC actions, commissioning decisions, provider collaborative support) should continue to be used to ensure the provision of NHS services.

How NHS-controlled providers are regulated

NHS-controlled providers are providers that:

  • are not themselves NHS trusts or NHS foundation trusts
  • hold a provider licence
  • are ultimately controlled by one or more NHS trusts and/or NHS foundation trusts, where ‘control’ is defined on the basis of IFRS 10.

They are regulated under either the current NHS Oversight Framework for NHS trusts and NHS foundation trusts or the IPRAF. This will depend on factors such as the scope of the services provided, size of turnover and whether the provider is a wholly owned subsidiary or is jointly owned by a number of providers. NHS England’s approach to regulating NHS-controlled providers is set out in this oversight document.

Where NHS England decides to regulate an NHS-controlled provider under the IPRAF, the default position is that the provider will be subject to the approach to monitoring and risk assessment set out in this document.

This default position will always be the case where the NHS-controlled provider provides services designated as CRS by a commissioner or has been informed that it is ‘hard to replace’ by NHS England.

However, where it does not and NHS England assesses that less frequent monitoring is appropriate, NHS England may adjust the approach and agree to do so on a case-by-case basis.

NHS England’s approach to assessing risk at independent sector providers subject to the CoS licence conditions

NHS England’s monitoring and risk assessment will focus on the risk to the provision of NHS services subject to the CoS licence conditions at independent sector providers should:

  • such an organisation no longer be a going concern (assessing financial risk), or
  • its relevant services be reduced or suspended due to quality stress (assessing quality governance risk).

and therefore, no longer be able to provide the relevant NHS services. NHS England does not assess finance or governance risk at organisations that are not subject to the CoS licence conditions.

Financial risk and quality governance are often linked and as such both will be monitored to provide a holistic view of the organisation. However, NHS England has deliberately opted to rate risk associated with finance and quality governance separately, meaning it will determine two risk ratings for each provider.

Monitoring cycle

Although some independent sector providers will have financial year ends and planning cycles that align with those of NHS trusts and NHS foundation trusts, ie 1 April to 31 March, not all do. NHS England will collect in-year submissions based on the licensee’s year end.

Figure 2 summarises the in-year and annual risk assessments for those independent sector providers subject to the CoS licence conditions that require routine quarterly monitoring.

Figure 2: Annual monitoring cycle for independent sector providers subject to the CoS licence conditions

Part 3: NHS England’s approach to assessing financial risk at IPs subject to the continuity of services licence conditions

NHS England uses three main approaches to assess financial risk:

i. Three financial measures underpinning an overall continuity of services risk rating:

  • liquidity
    • what is the fundamental working capital position of the organisation?
  • capital servicing capacity:
    • to what degree can the provider meet its financing obligations?
  • operating margin:
    • what is the underlying financial performance of the organisation and is it sustainable?

ii. An assessment of other financial data, including:

  • forward-looking and in-year income and expenditure, balance sheet and cash flow information; plus (where applicable) debt maturity profiles and banking covenants, and the extent to which the provider is meeting these commitments
  • mitigating factors such as undrawn and committed overdraft or revolving credit facility, and liquid investments, which NHS England will consider incorporating into the liquidity measure above.

iii. Where applicable, other information, including but not limited to:

  • annual reports and accounts (including auditors’ opinions)
  • information such as the materiality of contracts held by the provider that are due for re-procurement, sudden drops in share price of the parent/ultimate controller/monitored entity, a charity’s own reserves policy.

This information should be commonly available to boards and senior management teams. When NHS England informs a provider that it is subject to the CoS licence conditions, NHS England will send it templates setting out the information to be provided and the definitions to be used.

NHS England’s framework is intended to flag material concerns regarding the above information, or variance from planned projections. Where it has such concerns, NHS England may, usually following discussions with the licensee, choose to investigate.

This approach is necessarily distinct from the monitoring frameworks applied to NHS trusts and NHS foundation trusts. Independent sector providers represent a more diverse set of operating models than NHS trusts and NHS foundation trusts, with varying levels of exposure to NHS funding streams and in many cases a wider range of customers in addition to NHS commissioners.

Unlike NHS trusts and NHS foundation trusts, independent sector providers are not public bodies and they have different ownership and governance arrangements. Consequently, the drivers of financial risk are more likely to be broader. For this reason, NHS England has developed an adjusted approach to their financial risk assessment, summarised in Figure 3.

Figure 3: NHS England’s approach to assessing financial risk at independent sector providers subject to the CoS licence conditions

Figure 3 alternative text: 

I. Adapted Continuity of Services Risk Rating

Assessing risk through…

  • Liquidity: is the underlying liquidity (expressed in days of liquid assets) a concern?
  • Capital servicing capacity: can the provider meet its financing obligations? Is its ability to service debts or other financing obligations a concern?
  • Operating margin: are reserves being eroded through operating losses? Can the provider cover its costs of capital?

II. Other financial data

Assessing risk through…

  • Do other financial elements/ movements give cause for concern? E.g. cash flow, working capital movements, debt repayment schedules, performance vs banking covenants etc.
  • Are there additional mitigating factors that should be taken into account? E.g. undrawn overdraft or revolving credit facilities, liquid investments, group treasury policies etc. Provides an additional layer of data to assess financial risk.

III. Other information

Assessing risk through…

  • Does information from external bodies give cause for concern? E.g. auditor opinions, CQC concerns? 
  • Does any other information give cause for concern? E.g. the materiality of contracts due for re-procurement, sudden drops in the share price of the parent/ ultimate controller/ monitored entity, a charity’s own reserves policy, difficulties obtaining insurance etc.
  • Provides an additional layer of information to assess organisational risk.

How the financial continuity of service risk rating is calculated

An overall risk rating for finance will be based on the average of the three CoS risk rating (CoSRR) scores for liquidity, capital servicing capacity and operating margin. The calculation for each of these metrics is set out in Figure 4. Each CoSRR score carries equal weighting.

Figure 4: Calculating CoSRR for finance

Calculating CoSRR for finance

To ensure that emerging risk is not masked by one or two strongly performing metrics, the overall risk rating will be subject to two overriding rules:

  • if a provider scores CoSRR1 on one metric, its overall rating cannot be greater than CoSRR2
  • if a provider scores two CoSRR1s, its overall rating cannot be greater than CoSRR1.

Consequences of financial CoSRR scores

The CoSRR scores assign four levels of risk to CoS, with ‘1’ representing the highest level of risk and ‘4’ the lowest. The consequences of these scores in terms of NHS England’s regulatory approach, including potential regulatory action, are set out in Table 1.

Table 1: Consequences of financial CoSRR scores for NHS England’s regulatory approach

Risk ratingDescription of consequences

4

Low risk – NHS England will continue to review performance on a routine quarterly basis.

3

Residual risk – the financial position is such that where NHS England has residual concerns, additional information may be requested and/or more detailed conversations may be held, but routine quarterly monitoring will be maintained.

2

Structural but stable risk – the financial position is stable but lacks resilience. NHS England is likely to request additional information and/or hold more detailed conversations, but routine quarterly monitoring is likely to be maintained.

or

Emerging concern – where sudden or sustained deterioration in one or more CoSRR metrics is observed, NHS England is likely to initiate monthly monitoring and may consider opening an investigation to determine whether there has been a breach of CoS licence conditions. If an investigation finds that a breach has taken place NHS England may take action against a provider to require it to put remedies in place.

In some cases, NHS England may also start taking an active role in ensuring continuity of services using provisions in the relevant licence conditions, eg requesting the co-operation of the provider to assess risk to services; preventing the disposal of assets used in the provision of CRS.

1

Actual concern – providers in this risk category are highly likely to be experiencing financial stress sufficient for NHS England to open an investigation and consider taking an active role in ensuring continuity of services as set out under ‘emerging concern’ above.

Providers scoring CoSRR1 will be placed on monthly monitoring.

How the approach to financial risk assessment is implemented

Monitoring frequency

NHS England will vary the level of financial oversight of independent sector providers subject to the CoS licence conditions according to:

  • Class of provider
    • that is, whether is it is a ‘hard to replace’ provider or a provider of CRS.
  • Level of CRS provided
    • the greater the value of CRS a licensee provides, the more complex any effort to address the provider’s risk of financial failure is likely to be, with a corresponding need to identify issues sooner.
  • Level of risk
    • where a ‘hard to replace’ provider or a provider of CRS is shown to be at greater financial risk, NHS England will require financial information on a more frequent basis or in greater detail.

Table 2 below sets out the frequency of monitoring and the degree of forward-looking information NHS England will incorporate in its assessment based on the type of provider:

Table 2: Monitoring frequency/forward planning for providers subject to CoS licence conditions

 

 

Overall risk rating

Scale of services

Forward-looking

4

3

2

1

Hard to replace providers

Any

2 years*

Quarterly

Quarterly

Quarterly/ monthly

Monthly

Providers of CRS

>£5 million CRS

2 years*

Quarterly

Quarterly

Quarterly/ monthly

Monthly

≤£5 million CRS

12 months

Quarterly

Quarterly

Quarterly/ monthly

Monthly

* Year 1 in standard template, and Year 2 base case and board-approved downside risk analysis in management’s own format.

Routine monitoring will be conducted on a quarterly basis. This will be applied to providers scoring an overall risk rating of CoSRR3 or CoSRR4, and some scoring CoSRR2 that are assessed to have ‘structural but stable risk’. Monthly monitoring will be applied to providers scoring an overall risk rating of CoSRR1 and those categorised as ‘emerging ‘concern’ under CoSRR2 (see Table 1 above).

This approach is proportionate to the level of risk presented, with a more intense level of monitoring reserved for situations where clear risks to continuity of services emerge.

Financial monitoring requirements for independent sector providers subject to CoS licence conditions

Annual submissions – the forward plan

On an annual basis, one month after the financial year end, independent sector providers subject to the CoS licence conditions are required to submit their board-approved budget (ie their forward plan) for the forthcoming year to assist NHS England in assessing risks to the sustainability of the services they provide.

Where the forward plan, or any subsequent deviation from or adaptation to it, reveals potential risk to the continuity of those services, NHS England may seek further information to understand the situation and any consequences. This may involve using financial information over and above the three measures that inform the overall risk rating.

Annual submissions – outer year monitoring

For providers determined to be ‘hard to replace’ or delivering more than £5 million of CRS per year, a board-approved forecast base case for Year 2 with downside risk analysis will be collected alongside the forward plan template, one month after the financial year end. In some exceptional cases NHS England may require independent sector providers to supply this information for Year 3.

The board-approved forecast base case for Year 2 will be in management’s own format and will comprise income and expenditure and cashflow base case. The accompanying board-approved downside risk analysis will set out the impact of a reasonable set of downside factors; for example, the loss of contribution from contracts that are due to be re-procured.

As part of NHS England’s discussions with management, it may ask questions about the impact of such factors on net earnings, reserves and cash, and where appropriate any mitigating actions.

In-year submissions

In year NHS England will collect financial submissions from independent sector providers subject to the CoS licence conditions in accordance with the frequency shown in Table 2 above to calculate the year-to-date risk rating.

Where the actual rating for the past monitoring period is CoSRR1 or 2, or where other trends in financial data are of concern, NHS England may consider whether further information or an investigation is appropriate.

The annual and in-year reporting requirements discussed above are summarised in Figure 5.

Figure 5: Monitoring requirements for independent sector providers subject to the CoS licence conditions

*In addition, providers with an ultimate controller (as per Cos4) will need to submit a one-off ultimate controller undertaking

Format of financial submissions

For all independent sector providers subject to the CoS licence conditions on routine quarterly monitoring, budget and actual in-year results will be collected in NHS England’s standard templates, except for the board-approved downside risk analysis for Year 2, which will be in management’s own format.

For providers that are subject to monthly monitoring, NHS England will agree on an individual basis what format these submissions will take. This may, for example, include collecting monthly management accounts submitted to the board, subject to these being prepared in sufficient detail for NHS England to undertake its risk assessment. Where there are concerns about cash, a rolling 13-week cash flow forecast will be requested at regular intervals.

Part 4: NHS England’s approach to assessing quality stress at providers subject to the CoS licence conditions

As with NHS England’s approach to financial risk, its overarching objective is to preserve access to services for NHS patients. In assessing quality governance, NHS England will ensure that it avoids duplicating CQC’s role. NHS England will use the risk-based approach set out here to identify and investigate any shortcomings in standards of quality governance, and if there are shortcomings that may put services at risk, take appropriate action.

The CQC has the power to suspend services where it has significant concerns regarding the quality of care. Where this occurs at providers subject to CoS conditions and there are no obvious alternatives to these services, suspension could result in access being limited or even terminated for NHS patients. Suspension would have the same practical effect on commissioners and patients as provider insolvency.

Quality governance and patient care

The standard of quality governance at an organisation is an important factor in ensuring safe and sustainable care for patients. Where NHS England considers situations of quality stress could reduce access to services for NHS patients, it may investigate a provider’s governance of care and/or take regulatory action under the provider licence. NHS England’s work will be closely based on CQC’s oversight of providers, and it will work closely with the CQC in judging what, if any, actions need to be taken.

Quality governance requirements for providers subject to the CoS licence conditions

Under revisions to the NHS provider licence (consulted on in October 2022), independent sector providers subject to the CoS licence conditions must:

  • have appropriate systems of governance to ensure continuity of the relevant services on quality grounds
  • have regard to guidance issued by NHS England from time to time regarding quality oversight
  • co-operate with NHS England where it identifies a situation of ‘quality stress’* – including by sharing information and allowing NHS England to enter their facilities
  • assure NHS England at least annually that they have both the management and information resources to provide safe and sustainable care for NHS patients.

*‘Quality stress’ refers to a situation where the sustainability of the services provided by the organisation is uncertain due to quality factors, eg safety risks may lead to a service being shut down.

Quality governance oversight approach

NHS England’s approach to overseeing and protecting key services from quality governance (QG) risks will have four stages, as set out in Figure 6. The approach will align with the NQB’s Quality Risk Response and Escalation Guidance, which is based on quality risks/concerns being managed as close to the point of care as possible.

Figure 6: NHS England’s regulatory approach to overseeing quality governance risk and ensuring continuity of services for independent sector providers subject to the CoS licence conditions

Monitoring

As outlined above, regular oversight will be based on a range of information at site, service and organisational level.

Care Quality Commission information

The CQC is responsible for regulating the quality of care provided for NHS patients across England. The intelligence it gathers on relevant independent sector providers from inspections and monitoring will be a core input to NHS England’s assessment of quality governance and risks to patients and services. Consequently, NHS England will look at information including, but not limited to:

  • % of sites or % of services rated ‘inadequate’ by the CQC
  • trends in CQC views of provider sites and services, eg increases in number of sites rated ‘requires improvement’
  • CQC enforcement actions.

Other information

NHS England will use a range of other sources of information as necessary to form a judgement as to potential quality governance concerns requiring further discussions with providers. These will include:

  • integrated care boards (ICBs) and specialised commissioning
  • NHS England regional clinical quality teams
  • system quality groups and regional quality groups
  • national quality forums (eg NHS England Executive Quality Group).

Ad-hoc and exception reporting

In addition to the routinely collected information above, providers must, as part of their obligations to co-operate with NHS England, inform it immediately of any events or information that relate to concerns about their quality governance. These can include:

  • CQC inspections
  • significant adverse media information
  • transactions
  • governance reviews.

Risk assessment

NHS England will use the information it receives from the sources above to consider the provider’s overall risk level regarding quality governance. This will inform NHS England’s level of engagement with the provider, as set out in Table 3 below, but will not be published.

The risk level may arise directly from monitoring or following investigation (see below). For example, based on information received from the CQC and ICBs, NHS England could move an organisation’s risk rating from ‘low’ to ‘medium’ but, following receipt of additional information, conclude no concerns are evident and restore the rating to ‘low’.

Enhanced monitoring and investigations

NHS England will always look to respond in a proportionate fashion to any potential concerns arising through its oversight. Given the level of risk and the associated issues driving this, NHS England will generally consider several factors before judging the appropriate response to any potential concern.

These include:

  • the extent to which management teams at site and/or organisational level were/are aware of the issues and the drivers behind them
  • the length of time the issues have been apparent (continuously or otherwise)
  • the quality of plans management teams have in place and their ability and capacity to implement them
  • management’s track record of addressing quality issues.

Where NHS England suspects that there is a breach of the quality governance criteria in the provider licence, it is likely to require:

  • additional information
  • site visits to discuss issues with management teams at site or organisational level
  • engagement with senior resource (eg leadership or clinical governance expertise).

If necessary, NHS England will use its information gathering powers via the NHS provider licence or s104 of the 2012 Act to support this process. The investigative process could result in various outcomes, for example:

  • no concerns
  • enhanced monitoring to keep track of issues
  • an agreed set of informal actions with management teams to address or mitigate issues
  • formal regulatory action to address quality governance concerns.

Table 3: Consequences of quality governance CoSRR ratings for NHS England’s regulatory approach

Risk ratingDescription of consequences

Low

No apparent concerns

Ongoing monitoring based on CQC and third-party information.

Medium

Emerging or ongoing concern

Where there is either a heightened quality governance risk or an emerging quality stress at the provider, action may be needed to prevent significant issues.

NHS England is likely to maintain or initiate additional levels of monitoring and may consider opening an investigation to assess whether there has been a breach of the CoS licence conditions. If any investigation finds that a breach has taken place, NHS England may take action to require a provider to put remedies in place.

In some cases, NHS England may also start taking an active role in ensuring continuity of services using provisions in the relevant licence conditions, eg requesting the co-operation of the provider to assess and address quality stress and fix governance issues that may be negatively affecting the care provided to patients.

High

Significant concern

Providers in this category are highly likely to be exhibiting quality stress sufficient for NHS England to open an investigation and consider using formal enforcement powers to take an active role in addressing governance issues and ensuring continuity of services as set out under Medium risk above. Providers exhibiting this level of risk may be subject to monthly monitoring.

NHS England may use the KLOEs in the appendix to identify the issues and inform the course(s) of action required.

Responding to quality stress

Where there are concerns regarding quality stress, NHS England may:

  • informally engage with the provider
  • hold a rapid quality review meeting with key stakeholders
  • consider formal regulatory action
  • in the most extreme cases, use powers under CoS6 of the provider licence to require the provider to receive support, ie mandate support.

For more information on the process of investigation and regulatory action, please refer to the NHS England enforcement guidance.

Informal engagement

Where there are concerns regarding quality stress, but these are insufficiently material to merit regulatory interventions or NHS England is seeking more information to ascertain the severity of the situation, NHS England may engage informally with the provider. This may involve discussions with management, requesting the ad-hoc provision of information and/or referring providers to the key lines of enquiry (KLOE) in the appendix.

Regulatory action

Where appropriate, eg when providers are either unwilling to take the necessary actions to address risks or are not doing so with sufficient urgency, or where we need to set formal requirements on them to safeguard key services, NHS England will use its statutory powers. The enforcement guidance sets out how these may be used.

Mandated support

In situations where there is material quality stress or providers are in breach/potential breach of the quality governance criteria in the provider licence, or where there are clear and serious failings in quality governance with material risks to patients, NHS England may consider using powers to require the provider to receive mandated support. Note: where possible NHS England may seek to recover the costs it incurs to access this support.

Part 5: Exceptions reporting and notifications to NHS England

Material in-year changes in providers’ financial and other circumstances can have significant implications for their financial stability and/or the provision of high-quality care. For example:

  • suspended or terminated NHS services
  • material transactions, which can have far-reaching consequences for revenues and costs
  • losing a major contract (eg >10% of revenue), which can leave a provider with significant ‘stranded’ assets and costs, at least for a period
  • CQC warning notices or other regulatory requirements, which can require providers to spend significantly more to meet safety/quality requirements or see services reduced
  • serious clinical incidents, which may indicate governance issues
  • refinancing, which may affect a provider’s ability to service its financing costs
  • exceptional or one-off income, which may conceal the provider’s actual financial position
  • difficulties obtaining insurance, which may expose the provider to greater financial and professional risk.

In addition, providers may experience several smaller factors that may result, cumulatively, in greater risk to the ongoing provision of services. Where an independent sector provider subject to CoS licence conditions is aware of anything that has or will have a material impact on its ability to provide services subject to these conditions, it should inform NHS England. Figure 7 gives examples of exception reporting triggers.

Providers making exception reports to NHS England should, in the first instance, indicate:

  • the amount of services subject to the CoS licence conditions affected
  • the potential impact on the provider’s income or costs, with reference to the provider’s EBITDA (earnings before interest, taxes, depreciation and amortisation) margin and cash flow
  • the impact on quality of care, including access, experience and outcomes for patients
  • any changes to the provider’s ability to finance its operations and/or oversee quality, eg as a result of a change in cash flows, banking covenants, material transactions or forward debt repayment profile.

NHS England may request additional information to assess what would be appropriate actions to take and when. In each circumstance, it will consider what response would be appropriate.

Transactions reporting requirements

Independent sector providers subject to the CoS licence conditions should inform NHS England of any upcoming transaction amounting to greater than 10% of its net assets, total revenue or capital.

On receiving this notification, NHS England may request further information to assess any risk to services subject to the CoS licence conditions. In each circumstance it will consider what response would be appropriate.

Figure 7: Examples of exception reporting triggers (non-exhaustive)

(Providers subject to the Continuity of Services Conditions should report to the Independent Providers team at NHS England any information that may, in their view, have material implications for financial risk and/ or compromise their ability to continue providing Commissioner Requested Services or other services that NHS England has designated as hard to replace).

Part 6: Monitoring independent sector providers subject to continuity of services licence conditions that are part of a larger group

Ultimate controller undertakings

In some cases, licensees may be part of larger corporate structures or have a single or majority shareholder that can influence their operations. In such circumstances the assessment of that licensee’s continued ability to provide services subject to the CoS licence conditions involves considering the extent to which intra-group financial and legal arrangements could affect the licensee’s financial position.

Where there is such an ultimate controller, as defined in CoS4, an undertaking is required from the controller(s) to refrain from any action that would likely cause the licensee to contravene its obligations under either the 2012 Act or the provider licence.

The controller should also provide the licensee with any information that it possesses or can obtain to enable the licensee to comply with its obligation to provide NHS England with information. NHS England will consider the appropriate form of this for licensees and, if it considers it necessary, discuss the appropriate information required from specific licensees.

In any event, where a licensee has an ultimate controller for the purposes of CoS4, NHS England will request information on, among others:

  • intercompany guarantees underpinning the liquidity of the licensee
  • ‘cash sweep’ and other group treasury management practices affecting the cash and other liquid assets held by the licensee
  • any calls that the controller has over the assets (liquid or otherwise) of the licensee.

Please refer to guidance on the required format of the ultimate controller undertaking.

Collection of information

Where a licensee that is subject to the CoS licence conditions is part of a larger group structure, the assessment of that licensee’s continued ability to provide services subject to these conditions involves considering the extent to which intra-group financial, governance and legal arrangements could affect this. NHS England will also look to ascertain what, if any, implications these arrangements may have for the oversight of quality of care.

Where NHS England can link a parent company’s information with the enforcement of the CoS licence conditions against the licensee, it will request (through Condition G1 of the provider licence) that the licensee provides information about its parent company.

In practice, this means NHS England may collect the information set out in this IPRAF at a parent company consolidated level and calculate the formal risk ratings at this level.

Part 7: Annual reporting requirements for compliance with the NHS provider licence

The full set of licence conditions relevant to all licensees – covering general conditions, pricing, competition, integrated care and also the continuity of services conditions above – can be found on our website here.

Tables 4, 5 and 6 below set out the annual requirements that all licensees must fulfil for compliance with the provider licence they hold. The annual requirements vary depending on the type of provider (an Independent Provider or an NHS-controlled provider), and whether the licensee delivers services covered by this framework.

Table 4: Mandatory requirements under the licence

Requirement

Not subject to CoS conditions

Subject to CoS conditions

Due

Independent providers and NHS-controlled providers

N/A

Condition CoS7 (availability of resources) self-certification

Within 2 months of the licensee’s year end

Table 5: Other information requested through Condition G1 of the provider licence, section 96(2) of the Health and Social Care Act 2012 and the National Health Service (Quality Accounts) Regulations 2010 for purposes of compliance with the licence

RequirementNot subject to CoS conditions
Subject to CoS conditions
Due

Independent providers and NHS-controlled providers

Condition G3 Fit and proper persons’ declaration

Condition G3 Fit and proper persons’ declaration

Within 2 months of the licensee’s year end

Turnover declaration for the most recent financial year

Turnover declaration for the most recent financial year

Within 2 months of the licensee’s year end

Condition G5 Systems for compliance with licence conditions and related obligations self-certification

Condition G5 Systems for compliance with licence conditions and related obligations self-certification

Within 2 months of the licensee’s year end

N/A

Quality accounts

Annually when published unless exempt

Part 8: How NHS England will handle business-sensitive information

From 1 July 2022 NHS England assumed Monitor’s statutory licensing and oversight role for independent sector providers of NHS services. From this date regulatory decisions over independent sector providers have fallen within the legal remit of NHS England. This change has not impacted on how the NHS England Independent Provider team interacts with licensed independent sector providers of NHS services on a day-to-day basis.

However, given NHS England is now in the statutory position of regulator and also sometimes commissioner of NHS services from non-NHS providers, strict controls are in place to ensure business-sensitive information of licensees remains confidential.

  • Information collected for the purpose of financial oversight will continue to be stored in a secure area of the servers, one that is only accessible to members of the Independent Provider team. There will be no routine sharing of licensees’ financial information outside this team and the directors they report to.
  • With regards to commercially sensitive information, the Independent Provider team will maintain information barriers between themselves and other NHS England teams, including those responsible for commissioning and commissioning oversight.
  • Confidential or business-sensitive information about providers will only be provided to committee members in cases where NHS England is taking or lifting regulatory action for a suspected breach of licence, or where concerns about the financial viability of a provider are such that a notice should be issued that it may no longer be a going concern.
  • Recommendations for decisions to the committees will be made by the Independent Provider team. Such cases are infrequent and detailed discussions with providers will likely precede any decision to take such action.
  • All committee members will be reminded of the confidential and business-sensitive nature of the content of any committee paper and asked to consider if they have any conflicts of interests in line with NHS England’s internal policies.
  • NHS England will continue to treat market-sensitive information in accordance with the local policies introduced by Monitor, which include maintaining an insiders list and reminding recipients of the potential consequences of misuse of that information.

As part of NHS England’s normal operations, it will share quality-related information with relevant stakeholders (eg the CQC) to effectively carry out its functions and help others carry out theirs. Where concerns are being escalated, NHS England will strive to ensure that this information is treated in an appropriately sensitive way, and it will be cognisant of commercial considerations.

NHS England is committed to its duty of confidentiality with regard to commercially-sensitive licensee information and will notify licensees if there are material changes in the way it processes information or makes decisions relating to information processing.

Appendix: Independent sector provider quality governance domains

These draft key lines of enquiry show the proposed areas of focus in instances where NHS England has identified an elevated quality risk concerning a ‘hard to replace’ provider or a provider of CRS. These areas will allow NHS England to better understand the nature of the risk and therefore make an informed decision on whether further action is appropriate.

Domain 1: Capability and culture

Key line of enquiry

Supporting prompts

QG1.1 – Do you promote a quality‐focused culture?

Does the leadership have the necessary skills and knowledge to maintain and improve the quality of all clinical services?

Does your leadership/executive comprise the appropriate mix of skills and capabilities in relation to delivering good quality governance?

Do you have a systematic process to assess the training needs of new and existing board members and provide access to training as needed? Please explain.

Does your organisation take proactive steps to listen to patients and staff and involve them in all aspects of service monitoring, design and improvement? Please illustrate with examples

Is there a strong culture of reporting and learning from evidence in your organisation without fear of retribution, and is this evidenced by an increase in incident reporting and continuous learning?

Do you effectively communicate quality success and areas for improvement across your organisation? If so, can you illustrate this with an example?

QG1.2 – Do you actively engage patients, staff and other key stakeholders on quality?

Do you systematically involve patients, carers, staff, local authorities and the wider community in defining the quality strategy and framework for monitoring outcomes and developing plans for quality improvement? If so, what are your processes for this?

Domain 2: Structures, processes and systems of accountability

Key line of enquiry

Supporting prompts

QG2.1 – Are there clear responsibilities, roles and systems of accountability to support good quality governance?

Do leaders understand and acknowledge their ultimate accountability for quality and the responsibility for delivering quality performance throughout all levels of the organisation? Please demonstrate how they do this.

Are there assigned leads for quality governance that oversee risk and performance, and ensure quality is managed throughout your operations?

What steps do you take to ensure all staff understand their responsibilities for governance within their individual, team or divisional role? How do you ensure that they maintain a good understanding of effective quality governance?

QG2.2 – Do you have clearly defined, well‐understood processes for identifying opportunities for maintaining and driving quality improvement? Including identifying the potential risks to quality, and for escalating and resolving issues?

Does your organisation make effective use of processes to identify opportunities for maintaining and delivering quality improvement? Can you point to examples in which these processes have resulted in demonstrable improvements in line with national best practice? Please describe the internal process for staff reporting quality concerns.

Are there effective structures, processes and systems of accountability to support the delivery of the quality/clinical strategy and good quality, sustainable services? Are these regularly reviewed and improved? How are they performing against core indicators?

Does the organisation ensure that performance and risk issues are escalated and challenged using the most appropriate structures and processes, eg quality governance committees? Does this enable the board/executive to challenge effectively?

How are you ensuring that services are fully engaged with their systems/wider NHS stakeholders in meeting the needs of the local health populations? How are risks managed within this engagement approach? How do you ensure that information is escalated within the system?

For those entering the enhanced level of monitoring only – How do you approach the processes for identifying Serious Incidents? How do you ensure that structures and processes support effective and efficient resolution and quality improvement?

Domain 3: Data and reporting

Key line of enquiry

Supporting prompts

QG3.1 – Is appropriate quality information analysed and challenged in the organisation?

As a leadership team do you consider what information is routinely available to you across all the domains of quality, and whether this is appropriately aligned with integrated care board (ICB)/regional strategic quality goals and assessment of the key risks to quality where services are located? What information do you review and how often?

How comprehensive is the quality information you receive to support decision-making? Are there obvious risks associated with not considering specific outcome measures (and associated process measures) that your organisation is responsible for? If so, are you taking steps to address the gap? Do the chosen indicators readily identify where there is the greatest need/potential for improvement?

Do you have access to the relevant information for benchmarking your performance? If so, how does this inform your quality strategy?

How do you ensure that quality metrics are seen as routine business throughout the organisation, from board level to staff delivering care? Is the information you review supported by more detailed information in the organisation?

QG3.2 – Do you consistently assure the robustness of all information relating to quality?

How do you continually assure ongoing information, accuracy, validity, timeliness and comprehensiveness?

QG3.3 – Do you look to monitor and understand current and future risks to quality and take steps to address these?

Do you ensure that quality information is used to maintain and drive improvement in quality performance?

Is there an effective and comprehensive process to identify, understand, monitor and address current and future risks? If so, how often is this reviewed and updated?

What processes, systems and mechanisms does the organisation have to manage current and future performance and to highlight risks when they arise? Please illustrate with examples.

Does the organisation ensure that clinical and internal audit processes function well and have a positive impact on quality governance, with clear evidence of action to resolve concerns and maintain the improvement?

When considering transactions and developments to services or efficiency changes, how is the impact on quality and sustainability assessed and monitored? Do you have examples of where financial pressures have compromised care?

Publication reference: PRN00425_i