The Irish Mail on Sunday

A RISKY GAME TO PLAY

An internal HSE review called for the hiring of a chief risk officer in 2019. But the agency repeatedly dragged its feet despite warnings

- By Michael O’Farrell INVESTIGATIONS EDITOR michaelofarrell@newsscoops.org

THE Health Service Executive has been operating without a dedicated chief risk officer for years and has failed to recruit one since an internal review recommended the appointment two years ago, the Irish Mail on Sunday can reveal.

The presence of a chief risk officer (CRO) – responsible for ensuring that risks such as the cyberattack that has crippled the health service and put patients’ private data in peril are prepared for – is common practice in large companies and state sector organisations across the world.

Trinity College, for example, has a dedicated CRO as do the Defence Forces. The same is true for virtually all financial institutions and blue chip firms.

But the HSE – the largest public sector body in the country and responsible for one third of all public expenditure – has never had a dedicated CRO and will not hire one before the end of this year.

The need for a new focus on risk management at the top of the HSE has been repeatedly identified in recent years – as has the need for a dedicated CRO.

For example, the 2018 inquiry into the CervicalCheck screening scandal pointed to the need for new HSE governance standards relating to risk.

‘The implementation of new governance arrangements for the HSE should include a substantial revision to the organisational approach to risk management and its reporting,’ the CervicalCheck inquiry recommended.

Then in 2019 a HSE internal review of risk policies recommended the appointment of a ‘dedicated chief risk officer’ as well as other changes to the way the organisation managed its risks.

At its September 2019 meeting the HSE board agreed to recruit a CRO and the position was duly advertised.

But after the recruitment process closed in January 2020 the HSE confirmed it had been ‘unable to identify a suitable candidate’.

In June 2020 the HSE Audit & Risk Committee held a special meeting to consider the HSE’s ‘revised corporate risk register’ in the context of additional risks posed by the Covid pandemic.

Though the possibility of a cyberattack is on the HSE’s risk register, that particular issue appears not to have featured significantly in this meeting.

However, minutes of the meeting show that the committee believed there was a need to develop a ‘deeper understanding of the HSE’s risk infrastructure’. The committee also ‘emphasised the need to reactivate the process to appoint the chief risk officer’ and advised additional ‘external support for the risk process’ in the HSE.

A dedicated risk officer was once again promised in March of this year when the HSE launched its three-year corporate plan up to 2024. The corporate plan promised various improvements in risk management procedures.

‘We will improve risk management and internal controls by adopting an Enterprise Risk Management approach; establishing an ERM Programme; and appointing a dedicated chief risk officer,’ the plan says.

The HSE’s ongoing failure to recruit a CRO in recent years took place at the same time management was being warned of IT system weaknesses.

‘Internal audits have identified vulnerabilities in the area of security controls across parts of the domain including application password protocols and the management of secure access,’ the HSE 2018 annual report reads.

‘Weaknesses have been acknowledged in some of the areas audited in disaster recovery protocols, particularly in relation to older and legacy systems,’ the report says.

News of the HSE’s failure to appoint a dedicated CRO comes after it was revealed this week that the National Cyber Security Centre’s (NCSC) top job has also been vacant for over a year.

The ongoing NCSC vacancy has been blamed on the salary on offer – €89,000.

In response to queries from the MoS this weekend, the HSE did not say how much the salary on offer for a CRO was.

National risk assessment reports compiled by the NCSC have been warning for years of how cyberattacks represent a key threat to national security. In 2016 the centre warned cyberattacks posed a ‘specific risk’ and that a successful attack would reduce ‘confidence in public service administration and the use of technology for public services’.

The following year the NCSC noted cyberattacks were ‘becoming increasingly more sophisticated and potentially damaging’.

The centre warned that ‘a well-planned and coordinated response’ would have to be put in place.

By 2018 the NCSC was warning that ‘criminal gangs’ had a growing capacity to launch ‘disruptive cyberattacks’ resulting in ‘entities being held to ransom’.

In 2019, the risk report concluded that cyberattacks had the potential to lead to civil unrest and last year the NCSC predicted that attacks on the country’s power grid represented the most likely threat to national security.

To deal with this and other risks the ESB – unlike the HSE – does have a chief risk officer in place.

Last night a spokesman for the HSE said the recruitment of a CRO had been ‘delayed due to Covid pressures’. ‘It is expected the role of the CRO will be finalised by the end of 2021,’ they said.

They added that the ‘risk management process’ was being ‘managed by a senior HSE lead’ while the full-time appointment is waiting to be filled.

When asked what salary was on offer for the CRO role and how many candidates had applied last year, the HSE said it was ‘not possible to confirm the recruitment details of the role at this time’ because of locked-away files caused by last week’s cyberattack.
