Meeting of the Finance Audit & Risk Sub-committee

 

 

Date:                 Wednesday 11 November 2020

Time:                9.00am

Venue:

Council Chamber

Hawke's Bay Regional Council

159 Dalton Street

NAPIER

 

Agenda

 

Item | Title | Page
---- | ----- | ----
1. | Welcome/Notices/Apologies |
2. | Conflict of Interest Declarations |
3. | Confirmation of Minutes of the Finance Audit & Risk Sub-committee held on 12 August 2020 |
4. | Risk Maturity Roadmap | 3
5. | HBRC Covid-19 Response Review Report | 7
6. | Internal Audit Work Programme Update | 27
7. | Verbal FUSE Project Update |
8. | Sub-committee Work Programme November 2020 Update | 43
10. | 2019-20 Annual Treasury Report (late item to come) |
11. | Q1 2020-21 (1 July - 30 September 2020) Treasury Report (late item to come) |

Public Excluded

9. | Section 17a Review of the HBRC Works Group | 45

 


HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Wednesday 11 November 2020

Subject: Risk Maturity Roadmap

 

Reason for Report

1.      This item and the accompanying bowtie analysis demonstration presentation update the Sub-committee on the Regional Council’s implementation of the risk maturity roadmap activities.

Officers’ Recommendations

2.      Council Officers recommend that the Sub-committee notes:

2.1.      the risk maturity progress as being on track

2.2.      the bowtie analysis as being an appropriate tool providing clarity on the scope of each enterprise risk, that will enable Council to set the risk appetite by mid-2021

2.3.      the bowtie analysis as being a useful tool to strengthen visibility of the Regional Council’s control environment to better protect against material operational incidents, and

2.4.      how bowtie analysis expands the visibility of critical controls enabling better ELT oversight and improved assurance to Council that operational risks and operational decisions are managed within the Council’s risk appetite.

Background

3.      At the Corporate and Strategic Committee meeting held on 10 June 2020 the Committee endorsed a risk maturity roadmap for the Regional Council.  At that meeting it was agreed that the FARS would oversee progress of the risk maturity roadmap to ensure that the evolving risk management system was on track and providing value to the organisation.  Therefore, this paper and accompanying presentation aims to provide the FARS with oversight and details of progress to date.

Discussion

4.      The Regional Council’s risk maturity roadmap has targeted mid-2021 for the development of the Regional Council’s risk appetite statement.  The risk appetite statement will set out the Council’s willingness and tolerance levels to accept risk across its key risk areas.  The levels of acceptable risk will inform management of the extent to which activities can be undertaken in order to manage outcomes and execute on the strategy and strategic objectives.

5.      Central to setting of the risk appetite is ensuring that key enterprise risks are identified and that the scope of each of those enterprise risks is clear.  The scope of the enterprise risks includes identifying the:

5.1.      main risk event

5.2.      risk causes

5.3.      risk exclusions

5.4.      risk impacts, and

5.5.      critical controls.

6.      There are a few risk methods available to synthesise risk to ensure the full scope of the risk is clear and well understood. Within the Regional Council’s risk management framework that was endorsed by the FARS at the 12 August 2020 meeting the preferred methodology is noted as bowtie analysis. 

7.      The FARS members asked that for the 11 November 2020 risk maturity update staff provide a demonstration of a bowtie in motion. The objective of the session is to validate how the application of the bowtie methodology will better protect the organisation against material risk incidents, and how Council will gain a greater level of assurance that risks are being managed within their approved risk appetite.

8.      After reviewing the current 13 Regional Council enterprise risks it was agreed with management that enterprise risk 12 – Asset and Infrastructure – be used to demonstrate the bowtie analysis to the FARS.  The asset and infrastructure risk was identified as a good risk to demonstrate the use of bowtie analysis as asset and infrastructure has both an operational and a strategic risk component. Operationally, assets and infrastructure must be maintained to ensure that the lifecycle is optimised. Strategically, however, climate change is testing the relevance of historical strategic assumptions in today’s disrupted world.  In addition, unlike other enterprise risks, the asset and infrastructure risk in recent years has not been subject to a S17a review or a review as a consequence of a material incident being realised.  Therefore, any areas for improvement identified through application of the bowtie analysis can be used in real time by the Regional Council to prioritise asset and infrastructure initiatives.

Strategic Fit

9.      Maturity of HBRC’s risk management system contributes towards achieving all strategic goals/vision by protecting the organisation.  A mature risk system provides consistent risk intelligent decision making enabling the efficient prioritisation of finite organisational resources to deliver on strategy.

Financial and Resource Implications

10.    Maturity of the risk management system is phased to minimise budgetary implications.  Some facilitated workshops will be required to establish the risk appetite with Council.

Next Steps

11.    Continue progressively applying the bowtie methodology to each enterprise risk through a series of workshops with the business.  As a bowtie is completed for an enterprise risk the enterprise risk report ‘one-pager’ for that enterprise risk will be updated to capture the revised risk scope.

Decision Making Process

12.    Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

12.1.    The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.

12.2.    The use of the special consultative procedure is not prescribed by legislation.

12.3.    The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.

12.4.    The decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:

12.4.1.   Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the council’s significant risks in place

12.4.2.   Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks

12.4.3.   Report on the robustness of risk management systems, processes and practices to the Corporate and Strategic Committee to fulfil its responsibilities.

 

Recommendations

That the Finance, Audit and Risk Sub-committee:

1.      Receives and considers the Risk Maturity Roadmap staff report and accompanying presentation.

2.      Confirms that management actions undertaken and planned for the future adequately respond to the risk maturity roadmap that was approved by the Corporate and Strategic Committee at the June 2020 meeting. 

3.      Confirms that the bowtie analysis is an appropriate tool to drive risk maturity as defined by the risk maturity road map.

 

 

Authored by:

Helen Marsden

Risk and Assurance Lead

 

Approved by:

Jessica Ellerm

Group Manager Corporate Services

 

 

Attachment/s

There are no attachments for this report.  


HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Wednesday 11 November 2020

Subject: HBRC Covid-19 Response Review Report

 

Reason for Report

1.      This item provides the learnings and findings of the internal review of the Regional Council’s organisational response to the Covid-19 pandemic.

2.      When an organisation has operated under business continuity arrangements it is deemed good practice to review the response. The review’s purpose is to identify learnings and areas for improvement that better prepare the organisation to respond to similar, or other, disruptive events in the future.

Officers’ Recommendation

3.      Council officers recommend that Finance Audit and Risk Sub-Committee (FARS) members consider and note the attached ‘HBRC Covid19 response debrief and learnings’ report and note the extended timeframe likely to be required to enhance the Regional Council’s continuity suite of documents.

Executive Summary

4.      Overall, the report notes the Regional Council’s response to the Covid19 alert level three and alert level four lockdown was commendable. No material issues were identified for immediate corrective action. A highlight of the response was feedback from staff that rated the Regional Council’s internal response 8.49 percent positive on a scale of 1 being poor and 10 being excellent.

Background

5.      In December 2019 an outbreak of Coronavirus disease (Covid19) was detected in Wuhan, China.  The virus rapidly spread across the globe. On 11 March 2020 the World Health Organisation (WHO) declared a global pandemic.  Shortly after this declaration, on 19 March 2020, the NZ government began implementing a series of actions in response to the global pandemic declaration.

6.      Actions by the NZ government included implementing a four-tiered pandemic alert system.  Each alert level requires a different series of actions to be taken by the public and by business.  Except for staff that undertake essential services, at alert level three and four an organisation is required to send staff home and operate remotely.  Therefore, at alert level three and four many organisations operated under business continuity arrangements, as was the case for the Regional Council.

7.      When an organisation operates under business continuity arrangements it is deemed good practice to review the effectiveness of the response.  The objective of a review is to identify improvement opportunities to ready the continuity plans to respond to future events more efficiently.

Discussion

8.      The report was split into five key themes, being:

8.1.      continuity documents (business continuity plan (BCP), pandemic plans, disaster recovery plans)

8.2.      communication (internal and external)

8.3.      technology

8.4.      health, safety and wellbeing, and

8.5.      work distribution.

9.      A ‘low’ priority rating that primarily related to formalising documentation was given to the following three themes:

9.1.      communication (internal and external)

9.2.      technology, and

9.3.      health, safety and wellbeing

10.    While a ‘medium’ priority rating was given to:

10.1.    continuity documents (BCP, pandemic plans, disaster recovery plans), and

10.2.    work distribution.

11.    The medium finding within the continuity documents (7.1) relates to the Regional Council pandemic safety plan not explicitly being linked to the Regional Council’s continuity suite of documents for use when responding to future pandemics.  However, in the review it was noted that pandemic-specific health and safety processes instigated to respond to the Covid19 pandemic were progressively recorded into the pandemic safety plan as they were implemented.  In addition, while not specific to a pandemic response, the review highlighted that the various continuity documents did not always integrate. For example, the maximum tolerable downtime of various critical processes identified in the BCPs does not necessarily inform the restoration and prioritisation of systems and applications in the disaster recovery plan.

12.    The medium finding for work distribution (7.2) primarily related to tensions between the Regional Council’s need to contribute staff to run the CDEM GECC, and the Regional Council’s requirement to deliver on its own business processes. Robust and documented guidelines did exist and effectively directed staff to their primary activity, but it appears the rostering system to support this may have been less effective. The Covid19 pandemic event was a slower moving, long burn event with lockdown extending over a period of nearly two months, which may have also been a contributing factor.  Many other disruptive events are often sudden, one-off and hard hitting.  Due to the slow but sustained nature of the pandemic event there was an expectation that the Regional Council’s business processes extended beyond just sustaining those deemed critical.

13.    Specific details relating to each finding can be found under section two ‘Detailed Observations’ in the attached full Covid19 response debrief and learnings report.

14.    The approach to obtain necessary information to undertake the BCP review included: an organisational wide staff survey, a facilitated workshop with organisational leaders using outputs from the staff survey, other key stakeholder insights, and a desktop review of relevant documentation such as the Regional Council’s BCP, pandemic plan and response team structure.

15.    The scope of the review specifically excludes the Hawke’s Bay CDEM response.  However, it did include Hawke’s Bay CDEM requests for Regional Council staff time required to staff the Group Emergency Coordination Centre. In addition, the scope of the review excludes additional business activities required under alert level one and alert level two.  The additional practices under alert levels one and two were not deemed extensive and did not require the Regional Council to respond under BCP arrangements.

Financial and Resource Implications

16.    Remediation of findings relating to the continuity documents, which includes enhancing the BCP to enable better integration of the whole continuity suite of documents, will take either extended time or additional resource.  To spread the cost of remediation it is suggested that these documents be refreshed and integrated over a period of two years.

Decision Making Process

17.    Council and its Committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

17.1.    The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.

17.2.    The use of the special consultative procedure is not prescribed by legislation.

17.3.    The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.

17.4.    The decision is in accordance with the Finance, Audit and Risk Sub-committee Terms of Reference, specifically to report to the Corporate and Strategic Committee to fulfil its responsibilities for:

17.4.1.   receiving the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s).

17.4.2.   undertaking systematic reviews of Council operational activities against Council stated performance criteria to determine efficiency/effectiveness of delivery of Council services.

17.4.3.   ensuring that recommendations in audit management reports are considered and, if appropriate, actioned by management.

 

Recommendations

That the Finance, Audit and Risk Sub-committee:

1.      receives and considers the “HBRC Covid-19 Response Debrief and Learnings Report”

2.      notes the extended timeframe required to enhance the Regional Council’s suite of business continuity and recovery documents

3.      agrees support for the improvements proposed by staff.

 

Authored by:

Helen Marsden

Risk and Assurance Lead

 

Approved by:

Jessica Ellerm

Group Manager Corporate Services

James Palmer

Chief Executive

 

Attachment/s

1.  HBRC Covid-19 Response Debrief Report

 

 

  


HBRC Covid-19 Response Debrief Report

Attachment 1

 



HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Wednesday 11 November 2020

Subject: Internal Audit Work Programme Update

 

Reason for Report

1.      This item updates the Finance Audit and Risk Sub-committee (FARS) on the internal audit work programme, and seeks feedback from the Sub-committee on any changes to the newly formatted internal audit programme update dashboards.

Officers’ Recommendation

2.      Council officers recommend that Finance Audit and Risk Sub-Committee (FARS) members consider and note the internal audit updates and the newly formatted internal audit programme update dashboards. 

Executive Summary

3.      As part of the Regional Council’s risk maturity, improvements to the internal audit reporting to the FARS were considered with an emphasis on:

3.1.      tracking of corrective actions for previously reported internal audit findings, and

3.2.      tracking on the progress of the FARS approved annual internal audit programme 

4.      Two internal audit dashboards are attached to this paper. These dashboards are populated with current data to provide an update to the FARS on:

4.1.      the status of the annual internal audit programme that was approved by the FARS at the August 2020 Sub-committee meeting (dashboard 1), and

4.2.      corrective action progress for internal audits findings that have been previously reported to the FARS (dashboard 2).

Discussion

5.      Reporting to the FARS on the Regional Council’s internal assurance programme consists of four components:

5.1.      tracking of the annual internal audit programme approved by the FARS

5.2.      reporting to the FARS any completed internal audits that formed part of the approved annual internal programme, and

5.3.      tracking progress of agreed management corrective actions from internal audit findings previously reported to the FARS

5.4.      continuous auditing monitoring – complementing the above with regular updates from staff / project managers regarding changes that are being or have been implemented through either delivery of transformational projects (i.e. FUSE, HRIS, AMIS), process or structural changes, to ensure that ‘change’ has been embraced, adopted and utilised.

6.      As part of the Regional Council’s risk maturity, risk and internal audit reporting to the FARS was reviewed.  Improvements to the risk report were provided to the FARS at the August 2020 meeting.  For the November 2020 meeting the focus has been to improve internal audit reporting to the FARS with an emphasis on:

6.1.      tracking of progress on the FARS approved annual internal audit programme, and

6.2.      corrective action progress of previously reported internal audit findings 


7.      Benefits of the newly formatted corrective actions dashboard, referred to as the ‘Issues and Actions’ dashboard include:

7.1.      for material audit findings where corrective actions span an extended period, the dashboard provides visibility that full remediation is on track through prominence of key interim milestone actions.

7.2.      action owners are assigned responsibility for updating their own corrective action in the dashboard each reporting period, thereby improving oversight of corrective action progress for audit findings by the Risk and Assurance function, and improving visibility of corrective action progress to the FARS.

7.3.      through improved oversight early indications that corrective actions are falling behind can be proactively managed through risk-based decisions to reprioritise resourcing.

7.4.      as the risk system matures, an opportunity for continuous improvement to expand the issues and action tracking dashboard to incorporate critical control remediation from risk and control assessments or other reviews reported to the FARS can be easily implemented.

8.      Tracking the progress of the FARS approved annual internal audit programme through a dashboard provides improved visibility of the programme’s status.  Therefore, when appropriate, the FARS can modify the programme as the year progresses to respond to emerging risks.

Internal Audit 2020-2021 Work Programme Status Update (dashboard 1)

9.      At the FARS meeting in August 2020 the annual internal audit programme was approved. A status update on the progress of the approved annual internal audit programme is outlined in the attached dashboard 1.  It is noted in the dashboard that the People, Retention, Recruitment and Wellbeing review commencement date is yet to be confirmed and was on hold pending the commencement of the People and Capability Manager.

Internal Audit Issues and Actions Tracking (dashboard 2)

10.    The attached issues and actions tracking dashboard 2 provides a status update on audits previously reported to the FARS that have open audit findings with corrective actions in progress.  The dashboard includes action updates for the following audits:

10.1.    Risk Management Maturity – original audit report dated June 2020

10.2.    Procurement and Contract Management – original audit report dated May 2018

10.3.    Health and Safety – original audit report dated September 2018, and

10.4.    Cyber Security – original audit report dated August 2019 

Financial and Resource Implications

11.    There are no financial implications or additional resource requirements resulting from this internal audit programme update.

Decision Making Process

12.    Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

12.1.    The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.

12.2.    The use of the special consultative procedure is not prescribed by legislation.

12.3.    The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.

12.4.    The decision is in accordance with the Finance, Audit and Risk Sub-committee Terms of Reference, specifically to report to the Corporate and Strategic Committee to fulfil its responsibilities for:

12.4.1. receiving the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s).

12.4.2. Ensuring that recommendations in audit management reports are considered and, if appropriate, actioned by management.

12.4.3. Given the nature and significance of the issue to be considered and decided, and also the persons likely to be affected by, or have an interest in the decisions made, Council can exercise its discretion and make a decision without consulting directly with the community or others having an interest in the decision.

 

Recommendations

That the Finance, Audit and Risk Sub-committee:

1.      Receives and notes the ‘Internal Audit Work Programme Update’ staff report and accompanying dashboards.

2.      Confirms that management actions undertaken or planned for the future adequately respond to the findings and recommendations of the internal audits.

3.      Confirms that the dashboard reports provide adequate information on the progress of corrective actions and the progress of the approved annual internal audit programme

 

 

Authored by:

Helen Marsden

Risk and Assurance Lead

 

Approved by:

Jessica Ellerm

Group Manager Corporate Services

 

 

Attachment/s

1.  Internal Audit Work Programme Status Update Dashboard

2.  Internal Audit Issues and Actions Tracking Dashboard

 

 

  


Internal Audit Work Programme Status Update Dashboard

Attachment 1

 

Dashboard 1

 

Internal Audit Work Programme Status Update

 

Approved Audit FY20-21 | Provider | Quarter Due | Date Commenced | Management Comments | Reported to FARS
---------------------- | -------- | ----------- | -------------- | ------------------- | ----------------
Data Analytics | Crowe | Q3 20-21 | Not Started | |
People, Recruitment, Retention & Wellbeing | Crowe | TBC - pending commencement of People & Capability Manager | Not Started | |
Retained Audit Capacity - 40 hours | Crowe | | | |

Crowe

 

 

 

 

 

 


Internal Audit Issues and Actions Tracking Dashboard

Attachment 2

 

 

Internal Audit – Risk Management Maturity – June 2020

Finding / Theme | Priority Rating | Action and Owner | Due Date | Milestone Achieved Since Last Report | Milestone For Next Report | Tracking Status
--------------- | --------------- | ---------------- | -------- | ------------------------------------ | ------------------------- | ---------------
Risk, Governance, Policy and Accountabilities - to improve risk and assurance challenge, with clearer risk escalation. | Not Stated | Develop risk management policy and framework that includes roles and responsibilities. Risk & Assurance Lead | September 2020 | Council approved single Regional Council risk management policy and framework. | | Closed
Leadership and Direction - Improve linkage of risk informed decision making to strategy. Improving clarity of boundaries for decision making. | Not Stated | Develop a comprehensive risk appetite statement that defines tolerance levels for individual enterprise risks. ELT | March 2021 | Redefine Regional Council’s enterprise risks context to the new risk policy and framework. | Complete bowties for six enterprise risks and update the FARS risk report one pagers accordingly. | At risk: borders may limit access to trainer / facilitator. Viability of Zoom v delay will be analysed
Leadership and Direction - Risk system continuous improvement. | Not Stated | Incorporate into the risk policy and framework a risk vision. Tailor the Council’s risk policy and framework to align to the strategy. Develop a risk maturity roadmap to execute the risk vision. Risk & Assurance Lead | September 2020 | Council approved risk policy includes a risk vision that aligns to the C&S approved risk maturity roadmap, and the risk policy and framework are tailored based on HBRC’s strategy. | | Closed
People and Development - Risk roles and responsibilities beyond the risk and assurance lead were not defined, with no risk related training. | Not Stated | Develop a competency framework to upskill staff on risk and embed the risk policy. Communicate and train BU on the risk policy and framework. Provide targeted training to specialist risk roles e.g. risk champions. ELT and Risk and Assurance Lead | October 2021 | | In conjunction with Group Managers identify a Risk Champion in each Group. | On track
Processes and Tools - For risk assessment and mitigation. | Not Stated | Through a single risk management policy and framework ensure that clear risk and control identification and assessment criteria exist. Risk and Assurance Lead | September 2020 | Council approved risk framework includes criteria for risk and control identification and assessment, with recommended tools. | | Closed
Processes and Tools - For assurance. | Not Stated | Develop a formal assurance framework based on the ‘three lines of defence model’. Framework should ensure assurance targets critical council functions and activities applying a risk based approach. Risk and Assurance Lead | July 2021 | | Develop a Regional Council assurance framework for Council adoption and approval. Develop a targeted approach to implement subject to framework approval. | On track
Process and Tools - For risk monitoring and reporting. | Not Stated | Reformatted risk reporting to enhance visibility can be developed when the risk policy and framework is approved by Council. However, risk reporting will be subject to continuous improvement as the risk system matures e.g. the incorporation of key risk/control indicator trend reporting. Risk and Assurance Lead | September 2021 | Frequency and minimum criteria for risk reporting incorporated into the risk management policy and framework. Phase one ‘new look’ risk report presented to the FARS for endorsement. | Update risk reporting to reflect insights from risk bowties as these are completed. | On track
Business Performance – Strategic risk management. | Not Stated | Strategic planning cycle to include a review of enterprise risks to better link and integrate the risk register and LTP. Risk & Assurance Lead & Strategy and Governance Manager | September 2021 | | Complete bowties for six enterprise risks and update the FARS risk report one pagers accordingly. | On track
Business Performance – Managing Risk in Partnerships. | Not Stated | Develop risk and performance monitoring of key third parties. Ensure contingency planning is included. Risk & Assurance Lead | December 2020 | | Complete bowtie analysis for the third party risk. In the risk workshop identify the top 20 highest risk third parties. | At risk: this enterprise risk is not prioritised for bowtie pre Xmas
Business Performance – Business resilience: ensure continuity planning is sufficient to cover HILP events. | Not Stated | Develop a process to assess disruptive and extreme events (low probability high impact ‘HILP’ events). Risk & Assurance Lead | December 2021 | | Develop a roadmap to enhance continuity plans to include business impact risk assessments based on HILP events. Stress test on a ‘denial’ premise. | On track
Business Performance – Change and transformation. | Not Stated | Develop a change management framework to ensure a portfolio view of risks related to significant change is managed. Marketing & Communications Manager | September 2021 | | Recruit fixed term Change Management Resource to focus on corporate maturity / readiness that can develop a change management framework and strategy while managing current change projects. It is expected to transition the role into a permanent position through the LTP. | On track

 

 

Internal Audit – Procurement & Contract Management – May 2018

Finding / Theme | Priority Rating | Action and Owner | Due Date | Milestone Achieved Since Last Report | Milestone For Next Report | Tracking Status
--------------- | --------------- | ---------------- | -------- | ------------------------------------ | ------------------------- | ---------------
Lack of evidence for procurement decisions. | High | Procurement plan template designed based on MBIE/NZTA best practice guidelines; implemented. Procurement Lead | Sept 2020 | Completed as part of amendments to procurement manual, approved by Council Sept 2020. | | Closed
Lack of contract evaluation. | Medium | Policy and manual updated; evaluation criteria included in selection and post contract performance evaluation. Procurement Lead | Sept 2020 | Policy and manual amendments approved by Council Sept 2020 - Completed. | | Closed

 

 

Internal Audit – Health and Safety – Sept 2018

| Finding / Theme | Priority Rating | Action and Owner | Due Date | Milestone Achieved Since Last Report | Milestone For Next Report | Tracking Status |
|---|---|---|---|---|---|---|
| Improve indicator risk control reporting. | High | Bowtie analysis for identified critical risks to ensure hierarchy of controls, to enhance lead indicators. Senior Health, Safety & Wellbeing Advisor and Risk & Assurance Lead | March 2021 | Draft bowtie created. | Finalise bowtie with critical controls. | On track |
| Update of Health and Safety Manual. | Medium | Review Manual. Senior Health, Safety and Wellbeing Advisor | October 2020 | Health and Safety Manual in final draft. | Health and Safety Manual scheduled for Executive Leadership Team final sign off. | On track |
| Move towards Lead Indicators. | Medium | Health and Safety Manual to include Lead Indicators. Senior Health, Safety & Wellbeing Advisor | June 2021 | Lead/Lag narrative included in Health and Safety Manual update. Lead indicators identified. | Reporting on lag/lead indicators as part of ELT Dashboard reporting. | On track |
| Improve incident reporting detail to include Root Cause Analysis (5 Whys). | High | Update incident reporting form to include root cause analysis (5 Whys). Senior Health, Safety & Wellbeing Advisor | June 2021 | Update to incident form underway to include 5 Whys. | Finalise update and improvement to incident reporting across the organisation. | On track |
| Increased reporting to ELT. | High | Create dashboard report for health and safety reporting. Senior Health, Safety & Wellbeing Advisor | March 2021 | Improved draft dashboard created for ELT. | Dashboard delivered to ELT and Council. | On track |
| Increased visibility of health and safety activity by ELT. | High | ELT representative attends quarterly Health and Safety Committee Meeting. Senior Health, Safety & Wellbeing Advisor | March 2021 | Regular and minuted ELT attendance at quarterly meetings. | Continued attendance of ELT at quarterly meetings. | On track |
| Improvement in Contractor Inductions. | Medium | Review induction process of contractors and service providers. Senior Health, Safety and Wellbeing Advisor | September 2020 | High risk contractors identified for site observation visits overseen by the Senior Health, Safety and Wellbeing Advisor. | Review of induction process via survey developed, delivered and corrective outcomes identified. | Behind – initial indication was a CI only. However, remediation is wider and now linked to the action below due 08/21. |
| Improvement in Contractor Engagement process. | Medium | A full review of contractor inductions across all risks. Senior Health, Safety & Wellbeing Advisor | August 2021 | Initial discussions with Procurement Team initiated regarding wider project. | Develop a contractor management audit programme. | On track |

Internal Audit – Cyber Security – August 2019

| Finding / Theme | Priority Rating | Action and Owner | Due Date | Milestone Achieved Since Last Report | Milestone For Next Report | Tracking Status |
|---|---|---|---|---|---|---|
| Asset management – Software & application inventory – IT oversight and value as a service. | High | Automate as many software updates as possible. Chief Information Officer | Sept 2020 | Software updates now automated. | | Closed |
| As above. | High | Update and review software list annually. Chief Information Officer | Sept 2020 | 2020 Annual Review completed. | | Closed |
| Asset management – Software & application inventory – Legacy Systems. | High | Develop an architecture strategy that considers long term phased replacement of legacy systems, including documenting the legacy software components and systems. Chief Information Officer | December 2021 – if funding request accepted | Catalogued legacy systems. Reviewed ICT roles to ensure legacy system support. | Requested resourcing in LTP to develop enterprise architecture and IT Strategy. Requested resourcing in LTP for projects to modernise remaining legacy systems. | On track. Note the action is defining the strategy – implementation for legacy systems will take over 10 years with current resourcing. |
| Asset management – Software & application inventory – Inventory. | High | Reviewed and documented all software used at HBRC. Chief Information Officer | Oct 2019 | Documented software inventory reviewed. | | Closed |
| Asset management – Software & application inventory – Legacy Systems. | High | High-level documentation of software components. Chief Information Officer | Dec 2019 | High level documentation complete. | | Closed |
| As above. | High | Review software versions in use and compare to latest available. Chief Information Officer | Mar 2020 | Implemented a system to capture all software and versions. | IT Support team are reviewing the list of active software and updating old versions, starting with areas of highest risk. | Behind |
| As above. | High | Finance System Replacement. Chief Information Officer | June 2021 | Completed Enterprise Budgeting. Work commenced on HR & Payroll plus Financials. | Payroll planned to go live 1/4/21. | On track |
| Access Control – Principle of least privilege – Periodic Review. | High | Perform an annual review of access to HR and Regulatory systems (adding this to the current AuditNZ reviews of core and finance systems). Chief Information Officer | Sept 2019 | | Review access of HR and Regulatory systems. Request for new HR system in LTP; this would include HR access review. | Behind |
| Access Control – Principle of least privilege – Enforce the principle of least privilege. | High | Reviewed and reduced domain administrator access. Chief Information Officer | Oct 2019 | Domain administrator access reviewed and reduced. | | Closed |
| Access Control – Principle of least privilege – Legal & Regulatory requirements. | High | Identified systems containing confidential data and tightened up processes for assigning access rights for new users. Chief Information Officer in conjunction with Risk and Assurance Lead | Oct 2019 | Information Management Advisor recruited, due to commence in role on 30 November 2020. | Stocktake with business to assess what information and records are held and where, including PII. With Information Management Advisor in role, re-baseline due date based on scope of remediation and linkage to ICT Governance below. | Behind – date needs rebaselining. Part of wider information management project; dedicated resource to strengthen data management now recruited. |
| Access Control – Principle of least privilege – Periodic Review. | High | Reviewed Active Directory accounts, archiving accounts by last logon date > 60 days. Chief Information Officer | Oct 2019 | Active Directory accounts reviewed, with accounts > 60 days since last logon archived. | | Closed |
| Access Controls – External Information Systems – Password Managers. | Medium | Investigate and evaluate solutions for single sign-on / password management. Chief Information Officer | Sept 2020 | | Requested resourcing to evaluate solutions for implementation. | Behind |
| Business Environment – Resilience requirements – IT Disaster Recovery Plan – resilience requirements. | High | Implement DR technology changes and test Disaster Recovery processes and environment. Chief Information Officer | Dec 2021 | Request funding for ICT Disaster Recovery Project. | Scope and design a Disaster Recovery solution when funding is available. | On track |
| As above. | High | Develop cybersecurity incident management processes based on CERT NZ guidelines, including developing templates for incident response and post incident review. Chief Information Officer | Mar 2020 | Response process drafted and response templates complete. | | Closed |
| Governance – Information security policy framework – Policy Review Required. | Medium | ICT Governance – firstly, assess the quality of Council's ICT policy framework against good practice, including the development of a RACI matrix for the cybersecurity roles outlined in the matrix. Chief Information Officer in conjunction with Risk and Assurance Lead | June 2020 | Identified all ICT policy documents and checked their review dates and the review process. | Define Council's risk appetite for enterprise risk 5 ‘information security’. Assess gap to systemise; develop business case and project plan that incorporates updating ICT governance documentation. | Behind – broader information security strategy; also links to PII, DR and third parties. |
| Anomalies & events, Security Continuous Monitoring & Detection Processes – Monitoring/Detection – Alerts. | Medium | Set up a central mailbox for system alerts. Chief Information Officer | Oct 2019 | Central mailbox activated for alerts. | | Closed |
| As above. | Medium | Add critical alerts to our monitoring dashboard. Chief Information Officer | Mar 2020 | Central mailbox above is sufficient. | | Closed |
| Information Protection Processes & Procedures – Third parties – Contractors Responsibilities. | Medium | As part of the policy review, ensure a risk-based decision is made around contractors, including that system access by contractors and third parties is covered by policy. Chief Information Officer in conjunction with Risk and Assurance Lead | June 2020 | | Define Council's risk appetite for enterprise risk 5 ‘information security’. Assess gap to systemise; develop business case and project plan that incorporates managing information risks from third parties. | Behind – refer to update under ICT Governance; due date needs rebaselining as the solution requires integration with other key management systems. |
| Maintenance – remote access is managed (third parties) – Maintenance. | Medium | Implement ‘enable on demand’ access for third party providers. Chief Information Officer | Oct 2019 | Accounts disabled by default, and enabled when requested for a fixed period. | | Closed |
| Access control – Remote access is managed (mobile devices) – Mobile device management. | Low | Continue the planned deployment of asset management tools for mobile devices. Chief Information Officer | Ongoing | Implemented Microsoft Intune to manage mobile devices. Completed June 2020. | | Closed |

Tracking Status Key

| Status | Meaning |
|---|---|
| On track | Milestones on track to meet due date |
| At risk | Milestones falling behind, putting delivery on due date at risk |
| Behind | Milestones outstanding; due date will not be met |
| Closed | Corrective action fully implemented |


HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Wednesday 11 November 2020

Subject: Sub-committee Work Programme November 2020 Update

 

Reason for Report

1.      In order to ensure the sub-committee’s ability to effectively and efficiently fulfil its role and responsibilities, an overall update on its work programme is provided below.

| Task | Item | Scheduled / Status |
|---|---|---|
| Internal Audits | Cyber Security follow-up for FARS | Status of management actions now tracked in a dashboard and reported as a separate paper to the 11 November FARS meeting. |
| Internal Audits | Risk Management Maturity Assessment | Status of management actions now tracked in a dashboard and reported as a separate paper to the 11 November FARS meeting. |
| Internal Audits | Internal Audit Follow-up (Audit of Audits) including Contracts Management, Water Management, Procurement, Health & Safety | Status of management actions for Contracts Management, Procurement and Health and Safety now tracked in a dashboard and reported as a separate paper to the 11 November FARS meeting. Note no outstanding actions were reported for Water Management. |
| Internal Audits | 2020-21 internal audit plan | Status of 2020-21 internal audit plan now tracked in a dashboard and reported as a separate paper to the 11 November FARS meeting. |
| Risk Assessment & Management | Risk Maturity Roadmap | Bowtie analysis for Tier 1 enterprise risks ongoing. Bowtie analysis demonstration presented to the FARS at the 11 November meeting. |
| Insurance | Placement of insurance required within timeframes | In June, along with Councils from Hawke’s Bay, Manawatu-Wanganui and Bay of Plenty, HBRC conducted an RFP for insurance brokers. This resulted in the Hawke’s Bay councils changing insurance brokers for their above-ground insurances to AON NZ Ltd from Marsh. AON has conducted an Insurance Risk Profile to better inform the insurance placement and to develop an Insurance Maturity programme. We are waiting for this report. Placement for 1 November is underway. |
| Annual Report | Completion of the Annual Report and its adoption prior to the statutory deadline with an unqualified audit opinion | Scheduled for ‘recommendation to 16 December 2020 Council for adoption’ at the extraordinary FARS meeting on 2 December. |
| LGA S17a Efficiency Reviews | Works Group | Review completed and subject of 11 November FARS meeting agenda item. |
| LGA S17a Efficiency Reviews | Biosecurity | Review report completed and presented to 10 September Environment & Integrated Catchments Committee, with progressing of actions in response to recommendations under way through the LTP process. |


Decision Making Process

2.      Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision making provisions do not apply.

 

Recommendation

That the Finance, Audit and Risk Sub-committee receives and notes the “Sub-committee Work Programme November 2020 Update” staff report.

 

Authored by:

Leeanne Hooper

Team Leader Governance

Helen Marsden

Risk and Assurance Lead

Bronda Smith

Chief Financial Officer

 

Approved by:

Jessica Ellerm

Group Manager Corporate Services

 

 

Attachment/s

There are no attachments for this report.


HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Wednesday 11 November 2020

Subject: Section 17a Review of the HBRC Works Group

That Hawke’s Bay Regional Council excludes the public from this section of the meeting, being Agenda Item 9 Section 17a Review of the HBRC Works Group with the general subject of the item to be considered while the public is excluded; the reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution being:

 

| GENERAL SUBJECT OF THE ITEM TO BE CONSIDERED | REASON FOR PASSING THIS RESOLUTION | GROUNDS UNDER SECTION 48(1) FOR THE PASSING OF THE RESOLUTION |
|---|---|---|
| Section 17a Review of the HBRC Works Group | s7(2)(f)(ii) The withholding of the information is necessary to maintain the effective conduct of public affairs through the protection of such members, officers, employees, and persons from improper pressure or harassment. s7(2)(a) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to protect the privacy of natural persons. | The Council is specified, in the First Schedule to this Act, as a body to which the Act applies. |

Authored and Approved by:

Chris Dolley

Group Manager Asset Management