Capability Risk Logs
Summary
This page outlines the Capability Risk Log activity for Solutions which have applied to the Tech Innovation Framework and are onboarding to the Buying Catalogue.
The Capability Risk Logs activity involves presenting how your Solution mitigates potential risks to patients and security, which have been anticipated based on the Capabilities and Epics selected, or which are identified during the presentation of the Solution. Capability Risk Logs are Excel artefacts which are produced and assessed by us.
Not all Capabilities have Capability Risk Logs - the applicable list of Capabilities is located at the bottom of this page.
Many of the risks recorded in a Capability Risk Log are related to specific Epics, so you may find it valuable to prepare the evidence for your Capability Assessment and your Capability Risk Log at the same time.
When you are ready to deliver evidence for your Capability Risk Log, you will have the option to deliver it either by Live Witness Assessment or by video files. You can do this at the same time as providing evidence for your Capability Assessment.
Epics and risks are assessed in different ways by different teams. If you are unable to sufficiently mitigate a risk then you may not be permitted to advertise your Solution as offering the related Epics on the Buying Catalogue, even if the Epic has been passed during Capability Assessment
Outcomes
At the end of the Capability Risk Log you should have:
declared how you mitigate risks encountered by your Solution.
been informed whether your mitigation proposals are sufficient or whether an insufficiently mitigated risk will prevent Epics being advertised on the Buying Catalogue
At the end of the Capability Risk Log we will have:
identified risks your Solution may present, based on the functions described in your selected Capabilities and Epics.
a record of Capability Risk Log assessments which are up-to-date and contain the full history of the assessment.
assessed your mitigation of identified risks and provided an outcome, with feedback where applicable.
Withdrawing Epics with Risks
You have the option to withdraw Capabilities and Epics from your selection if you do not believe that you can meet the requirements of the Epic(s) or sufficiently mitigate the risks.
We will review any risks which have not been sufficiently mitigated. We may still require you to mitigate the risk(s) on the grounds of safety and security, even if you continue to withdraw the Epic.
Completing the TIF Capability Risk Logs Activity
Actions required of you
Download the Capability Risk Log file from your SharePoint folder and update/complete the file.
Save any requested risk mitigation evidence, such as video files, that you wish to provide in your SharePoint folder.
Return the completed Capability Risk Log file(s) via email to buying.catalogue@nhs.net, copying in your Supplier Manager whist making sure that you have updated the version number in the filename.
Your email should state whether you want to provide further risk mitigation evidence during a Live Witness Assessment.
Attend the Live Witness Assessment as required.
Request to withdraw any Epics which have risks that cannot be mitigated, by emailing buying.catalogue@nhs.net and copying in your Supplier Manager.
Note that we will review these requests and inform you whether any associated risks still need to be mitigated in order to pass the Capability Risk Log.
Actions required of us
Provide you with the Capability Risk Log files you need to complete, based on your Capability selections.
Regularly check in with you to support your progress completing the Capability Risk Log files.
If a Live Witness Assessment session has been requested, we will arrange and attend the session so that you can present any additional risk mitigation evidence.
Review and assess Capability Risk Log and any risk mitigation evidence provided (including files and recordings).
Provide you with an outcome of the assessment including feedback where necessary.
Review any Epics you request to withdraw and inform you whether associated risks must still be mitigated in order to pass the Capability Risk Log
Providing Evidence for Capability Risk Logs
You may provide evidence for your Capability Risk Log either through a Live Witness Assessment or through video files uploaded to SharePoint.
You may wish to provide evidence for your Capability Risk Log at the same time that you provide evidence for your Capability Assessment. If attending a Live Witness Assessment, we will attempt to arrange a combined session where you can provide evidence for your Capability Assessment and your Capability Risk Log at the same time; if this is not convenient then separate sessions can be arranged.
Live Witness Assessments
You may demonstrate your Solution through a Live Witness Assessment. These are done remotely via a video conference (Microsoft Teams) with the Solutions Assurance Team.
Once a date is agreed, an invitation will be sent and you will be able to screen-share to show your Solution in action.
You may be asked questions to ensure that your Solution is understood and that all relevant risks are covered, however it is you responsibility to show all of the evidence required for the assessment.
We strongly advise that you do a practice run of your evidence before attending a Live Witness Assessment.
Video Assessments
You may demonstrate your Solution through pre-recorded video files which show your Solution. These should be uploaded to your secure SharePoint location.
We will review the evidence and may send email questions, however it is your responsibility to provide all of the evidence required for the assessment.
Producing Video Files
You should bear in mind the following when providing video files for assessment:
Multiple video files may be submitted to keep files small and make it easy to understand evidence.
The production quality of the video files will not be assessed, however the image and sound quality must be clear and we must be able to read any onscreen text that is relevant to the assessment.
You are responsible for ensuring that your video evidence is easy to understand and follow.
You should clearly indicate when each risk is being demonstrated.
Onscreen or voiceover narration is optional but recommended.
Running orders with timestamps are requested, particularly for long videos.