Agenda of Finance Audit & Risk Sub-committee

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Wednesday 17 February 2021

Subject: Six Monthly Risk Report and Risk Maturity Update

Reason for Report

1. This item and accompanying presentation present the Regional Council’s (Council) six-monthly enterprise risk report as well as an update on progress towards risk maturity.

Background

2. At the Corporate and Strategic Committee meeting held on 10 June 2020 the Committee endorsed the risk maturity roadmap for Council. At that meeting it was agreed that the FARS would oversee implementation of the maturing risk management system. With the focus on ensuring the evolving risk system is progressively delivering value to the organisation, and that the roadmap deliverables remain on track. Oversight of Council’s risk maturity by FARS can be evidenced through improvements to governance risk reporting. Therefore, the risk maturity update and Council’s six-monthly risk report have been combined into one agenda item.

Discussion

3. As part of the risk management maturity roadmap both a risk management policy and framework were developed and approved by Council. By applying the risk methodologies outlined in the risk framework a ‘new look’ risk report with refreshed enterprise risks was presented to, and endorsed by, the FARS at the August 2020 meeting. The August 2020 enterprise risk report and the accompanying enterprise risks have now formed the baseline for presenting changes to the Council’s risk profile. All updates between risk reports are denoted as tracked changes or red text.

4. At the August 2020 meeting it was noted that due to timing of the meeting each enterprise risk had not been subject to bowtie analysis as required in the framework. Therefore, some changes noted from the August 2020 report to this current risk report reflect Council’s continual risk maturity and improved risk synthesisation resulting from undertaking the bowtie analysis, rather than reflecting a change to Council’s risk profile.

5. At the November 2020 FARS meeting and as a milestone for risk maturity it was agreed over the proceeding risk reporting period to February 2021 at least six enterprise risk would have bowtie analysis applied. And, the bowtie analysis output to be reflected in the enterprise risk report. Bowtie analysis was subsequently undertaken for the following risks with the enterprise risk report updated accordingly:

5.1. Information Management and Security Not Fit for Purpose (incl. cyber)

5.2. Business Interruption

5.3. People Capability

5.4. Fraud

5.5. Heath, Safety and Wellbeing

5.6. Infrastructure and Asset Management Not Fit for Purpose.

6. As per the agreed risk maturity roadmap the remaining enterprise risks will have bowtie analysis undertaken over the next risk reporting period to April 2021. Completion of bowties by April 2021 is in preparation for meeting the target date of setting the Council’s risk appetite within the first half of 2021.

Summary of Risk Reporting Changes

7. The following material changes are noted in the current enterprise risk report compared to the August 2020 report.

8. Risk 5 - Information Not Fit for Purpose (incl. Cyber) formally titled Information Security (Cyber)

8.1. Through the bowtie analysis it is clearer that this risk has two distinct components, being:

8.1.1. information management, and

8.1.2. information security.

8.2. Analysis of information management has determined that without implementing additional controls to improve information storage over the next 12 months it is ‘likely’ that increased storage costs will exceed $500k. Therefore, the residual likelihood risk assessment has been elevated from ‘possible’ to ‘likely’. There was no resulting change to the risk rating. It is noted that without changing information management processes and staff behaviours storage cost increases will likely be exponential and not linear over proceeding years. A deeper dive into this risk and proposed corrective action initiatives will be presented to the FARS at the meeting.

9. Risk 8 – Business Interruption

9.1. There has been no change to the risk or overall control rating for Business Interruption. However, the risk has been updated to reflect structured activities that Council has initiated to ensure the pandemic safety response plan remains relevant for the more virulent mutations of Covid19. Especially as the more virulent strains are now being detected at New Zealand’s border.

10. Risk 9 - People Capability

10.1. There has been no change to the risk or overall control rating for People Capability. However, bowtie analysis undertaken has helped reinforce that the People and Culture (P&C) strategy is successfully targeting improvements to ‘People Capability’ by focussing on core P&C activities and critical P&C controls. Therefore, the residual risk commentary and control corrective action plan has been updated to better reflect the current state.

11. Risk 11 - Health, Safety and Wellbeing

11.1. Over the last six months several improvements have been implemented to Council’s Health and Safety System. While continual improvement to Council’s Health and Safety System will endure, the overall control assessment has improved from ‘requires improvement’ to ‘effective’. Resulting in the residual likelihood assessment changing from ‘possible’ to ‘unlikely’. The change in the residual likelihood reflects the focus for control corrective actions being on reducing the likelihood for a ‘major’ health and safety incident. There was no resulting change to the residual risk rating.

12. Risk 13 - Third Parties and Contractors

12.1. Critical contracts such as Council’s Work’s Group and other key contracts that expose Council’s to direct material financial risks are well managed. These contracts follow structured procurement practices from initiation to ongoing performance monitoring. However, services or supply arrangements that do not attract high direct financial risks are not explicitly included in the formalised procurement management system. Some contracts or MOU’s arrangements while not attracting significant direct financial risk could present elevated qualitative risks to Council e.g. reputation. Therefore, a feasibility review on incorporating such arrangements into the procurement management system is being considered. For this reason, the overall control assessment has changed from ‘effective’ to ‘requires improvement’ and the residual likelihood assessment has been elevated from ‘unlikely’ to ‘possible’. There was no resulting change to the residual risk rating.

13. The remainder of changes noted within the enterprise risk report relate to minor updates due to new information contained within the supporting risk information. Or, because of risk clarification due to bowtie analysis having been undertaken.

Strategic Fit

14. The six-monthly risk report facilitates discussions to ensure that any emerging matters within Council’s internal or external environment are being managed. And, therefore unlikely to impinge of Council’s ability to deliver on its strategy. In addition, the maturity of Council’s risk management system contributes towards achieving excellence in execution of strategy. A mature risk system provides consistent risk intelligent decision making enabling the efficient prioritisation of finite organisational resources to deliver on strategy.

Financial and Resource Implications

15. Maturity of the risk management system is phased to minimise budgetary implications. Some facilitated workshops will be required to establish the risk appetite with Council.

Next Steps

16. Implementation of the risk management maturity roadmap continues. Scheduled actions for the next quarter include:

16.1. Finalising the bowtie analysis for all remaining enterprise risks

16.2. Analysing the feasibility of continuing with the scheduled risk appetite workshop between the ELT and Council due to ongoing border closures and the inability to get the preferred workshop facilitator in person

16.3. Identification of Risk Champions within each Group

16.4. Training of those Risk Champions on Regional Council’s risk management policy, framework and practices, and finally

16.5. Approval of the draft Regional Council internal assurance framework

17. The FARS should note that while these activities are targeted for the next quarter, there is some dependency on the speed at which a replacement Risk and Assurance Lead can be appointed.

Decision Making Process

18. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

18.1. The decision of the Sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council on 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:

18.1.1. Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the council’s significant risks in place

18.1.2. Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks

18.1.3. report on the robustness of risk management systems, processes and practices to the Corporate and Strategic Committee to fulfil its responsibilities.

Recommendations

That the Finance, Audit and Risk Sub-committee:

1. Receives and considers the “Six Monthly Risk Report and Risk Maturity Update” staff report, specifically noting the changes in the February 2021 Enterprise Risk Report.

2. Confirms that the management actions undertaken and planned, as detailed in the February 2021 Enterprise Risk Report, adequately respond to the Risk Management Maturity Roadmap as endorsed by Hawke’s Bay Regional Council on 24 June 2020.

3. Reports to the Corporate and Strategic Committee, the Sub-committee’s satisfaction that the Six Monthly Risk Report and Risk Maturity Update provides adequate evidence of the robustness of Council’s risk management policy and framework and progress to implement the maturing risk management system.

Authored by:

Helen Marsden

Risk and Assurance Lead

Approved by:

Jessica Ellerm

Group Manager Corporate Services

Attachment/s

⇩1

February 2021 Enterprise Risk Report

Dashboard 1 - Internal Assurance Dashboard - Corrective Action Status Update

Attachment 1

HBRC Covid-19 Response Debrief Report – November 2020
Finding / Theme	Priority Rating	Action and Owner	Due Date	Milestone Achieved Since Last Report	Milestone For Next Report	Tracking Status
Business Continuity, Pandemic Plans and Technology To enable a holistic based response and maintenance of critical pandemic supplies (e.g. PPE) for future pandemic events HBRC’s pandemic safety plan should be linked to business continuity plan (BCP) Consider feasibility of restructuring HBRC’s BCP’s to take a denial type approach rather than an external hazard approach i.e. denial of: people, systems, suppliers, facilities. Strengthen the Disaster Recovery (DR) and BCP linkage.	Medium	Review current suite of BCP documents to identify improvements. Develop an implementation plan. *Risk & Assurance Lead & Senior Health and Safety Advisor* Refer - Cyber security audit - resilience finding and action	March 2021	Reviewed current Covid response plan to reflect MOH updates. IT DR test scheduled for March 27^th 2021.	Develop project plan to prioritise updating HBRC’s BCP documents. Add reviewed Covid19 response plan to the BCP suite of docs in Herbi. Analyse the feasibility of restructuring the BCP approach. If required, develop a roadmap. IT DR test to be executed. Review lessons learnt from DR test and allocate resourcing to quick wins / high risks.	On track On track
Communication (Internal & External) Internal communication in lockdown were positive. Therefore, the approach should be documented to ensure it is repeatable for future requirement to work remotely. There are a number of key stakeholder groups that may need to be specifically commuicated with tailored messages depending on the event. Telephony processes need to be consistent regardless of whether the call is being responded to by Council or Contact Centre staff.	Low	Update BCP suite of documents. *Marketing and Communications* Identify HBRC’s key stakeholdder groups through developing a key stakeholder wheel and document in HBRC’s BCP. Marketing and Communications Taking into account new capability of the recently upgraded telephony system. Review and improve processes for calls currently managed by the Palmerston North Contact Centre in a BCP situation. *Corporate Support Manager*	March 2021		Capture internal comms practices that were initiated as part of the Covid19 lockdown response and link to the BCP Suite iof docs on Herbi Finalise key stakeholder wheel and link to HBRC’s BCP suite of documents in Herbi. Review current telephony BCP practices to identify improvements. Develop a project plan for implementation	On track On track On track
The corrective actions to control the risk of cross contamination of work bubbles at Guppy Road should now be documented.	Low	Ensure the pandemic safety plan is up to date with the most recent pandemic response process. *Senior Health and Safety Advisor*	Febuary 2021		Review underway for Guppy Road staff bubbles to ensure continuity in case of a second Covid wave.	On track
Improve the rostering system for prolonged and slow-moving events (e.g. pandemics) with the aim of ensuring equitable distribution of tasks.	Medium	Improved rostering system to better manage staff resourcing requirements. *Team Leader Hazard Reduction*	December 2020	Worked with HBRC ICT to present draft proposal October 2020 to HBCDEM using rostering app.	Obtain approval from HBCDEM of proposed rostering app.	Behind – due to Napier Flood and HBCDEM staff departures.

Internal Audit – Risk Management Maturity – June 2020
Finding / Theme	Priority Rating	Action and Owner	Due Date	Milestone Achieved Since Last Report	Milestone For Next Report	Tracking Status
Risk, Governance, Policy and Accountabilities - to improve risk and assurance challenge. With clearer risk escalation.	Not Stated	Develop risk management policy and framework that includes roles and responsibilities. *Risk & Assurance Lead*	September 2020	Council approved single Regional Council risk management policy and framework.		Closed as at Nov 2020 FARS
Leadership and Direction - Improve linkage of risk informed decision making to strategy. Improving clarity of boundaries for decision making.	Not Stated	Develop a comprehensive risk appetite statement that defines tolerance levels for individual enterprise risks. ELT	March 2021	Bowties for six enterprise risks completed and update the FARS risk report one pagers..	Finalise bowties for remaining enterprise risks and run risk appetite workshop. Subject to accessibility of facilitator.	At risk – borders may limit access to trainer / facilitator. Viability of Zoom v delay will be analysed
Leadership and Direction - Risk system continuous improvement.	Not Stated	Incorporate into the risk policy and framework a risk vision. Tailor the Council’s risk policy and framework to align to the strategy. Develop a risk maturity roadmap to execute the risk vision. Risk & Assurance Lead	September 2020	Council approved risk policy includes a risk vision that aligns to the C&S approved risk maturity roadmap. And, the risk policy and framework tailored based on HBRC’s strategy.		Closed as at Nov 2020 FARS
People and Development - Risk roles ad responsibilities beyond the risk and assurance lead were not defined. With no risk related training.	Not Stated	Develop a competency framework to upskill staff on risk and embed the risk policy. Communicate and train BU on the risk policy and framework. Provide targeted training to specialist risk roles e.g. risk champions. ELT and Risk and Assurance Lead	October 2021		In conjunction with Group Managers identify a Risk Champion in each Group. Risk and Assurance Lead to develop Risk Champion Training..	On track
Processes and Tools - For risk assessment and mitigation.	Not Stated	Through a single risk management policy and framework ensure that clear risk and control identification and assessment criterion exists. Risk and Assurance Lead	September 2020	Council approved risk framework includes a criteria of risk and control identification and assessment. With recommended tools.		Closed as at Nov 2020 FARS
Processes and Tools - For assurance.	Not Stated	Develop a formal assurance framework based on the ‘three lines of defence model’. Framework should ensure assurance targets critical council functions and activities applying a risk based approach. Risk and Assurance Lead	July 2021	Regional Council assurance framework drafted and awaiting ELT approval.	Develop a targeted approach to implement the framework subject to ELT and FARS approval.	On track
Process and Tools - For risk monitoring and reporting.	Not Stated	Reformatted risk reporting to enhance visibility can be developed when the risk policy and framework is approved by Council. However, risk reporting will be subject to continuous improvement as the risk system matures e.g. the incorporation of key risk/control indicator trend reporting. *Risk and Assurance Lead*	September 2021	Enterprise risk report updated to reflect completed bowties.	Update risk reporting to reflect insights from risk bowties as thes final bowties are completed. Update risk report to reflect approved risk appetite.	On track
Business Performance – Strategic risk management.	Not Stated	Strategic planning cycle to include a review of enterprise risks to better link and integrate the risk register and LTP. Risk & Assurance Lead & Strategy and Governance Manager	September 2021	Complete bowties for six enterprise risks and update the FARS risk report one pagers accordingly.	Finalise bowties for remaining enterprise risks and update risk report to enable a better linkage to the LTP.	On track
Business Performance – Managing Risk in Partnerships.	Not Stated	Develop risk and performance monitoring of key third parties. Ensure contingency planning is included. Risk & Assurance Lead	December 2020	Bowtie analysis undertaken for the enterprise risk for third parties. With the risk report updated accordingly.	Finalise bowtie and identify the top 20 highest risk third parties.	At risk – this enterprise risk is not prioritised for bowtie pre Xmas
Business Performance – Business resilience ensure continuity planning is sufficient to cover HILP events.	Not Stated	Develop a process to assess disruptive and extreme events (low probability high impact ‘HILP’ events). Risk & Assurance Lead	December 2021		Develop a roadmap to enhance continuity plans include business impact risk assessments based on HILP events. Stress test on a ‘denial’ premise.	On track
Business Performance – Change and transformation.	Not Stated	Develop a change management framework to ensure a portfolio view of risks related to significant change is managed. *Marketing & Communications Manager*	September 2021	Recruited fixed term Change Management Resource to focus on corporate maturity / readiness that can develop a change management framework and strategy while managing current change projects. Has been recruited. It is expected to transition the role into a permanent position through the LTP.	The new Change Manager to draft a change management framework for approval.	On track

Internal Audit – Procurement & Contract Management – May 2018
Finding / Theme	Priority Rating	Action and Owner		Due Date	Milestone Achieved Since Last Report	Milestone For Next Report	Tracking Status
Lack of evidence for procurement decisions.	High		Procurement plan template designed based on MBIE/NZTA best practice guidelines; implemented *Procurement Lead*	Sept 2020	Completed as part of amendments to procurement manual, approved by Council Sept 2020.		Closed as at Nov 2020 FARS
Lack of contract evaluation.	Medium		Policy and manual updated; evaluation criteria included in selection and post contract performance evaluation *Procurement Lead*	Sept 2020	Policy and manual amendments approved by Council Sept 2020 - Completed.		Closed as at Nov 2020 FARS

Internal Audit – Health and Safety – Sept 2018
Finding / Theme	Priority Rating	Action and Owner	Due Date	Milestone Achieved Since Last Report	Milestone For Next Report	Tracking Status
Improve indicator risk control reporting.	High	Bow tie analysis for identified critical risks to ensure hierarchy of controls To enhance lead indicators. *Senior Health, Safety & Wellbeing Advisor and Risk & Assurance Lead*	March 2021	H&S bowtie analysis complete.	Now bowtie analysis complete the Lead Indicator Action below captures next steps	Closed
Update of Health and Safety Manual.	Medium	Review Manual *Senior Health, Safety and Wellbeing Advisor*	October 2020	Health and Safety Manual scheduled for Executive Leadership Team final sign off February 2021.	Safety Plan to be signed off.	Behind – Bowtie analysis now complete and awaiting Safety Plan sign off.
Move towards Lead Indicators.	Medium	Health and Safety Manual to include Lead Indicators *Senior Health, Safety & Wellbeing Advisor*	June 2021	Key lag/lead indicators now reported as part of ELT Organisational Performance reporting.	Further develop ELT lead and lag indicators.	On track
Improve Incident reporting detail to include Root Cause Analysis (5 Why's).	High	Update incident reporting form to include root cause analysis (5 Why's) *Senior Health, Safety & Wellbeing Advisor*	June 2021	Updated incident formto include (5 Why’s).		Closed
Increased reporting to ELT.	High	Create dashboard report for health and safety reporting. *Senior Health, Safety & Wellbeing Advisor*	March 2021	Agreement with Organisational Performance to specifically include health and safety as part of performance reporting.	Finalise key H&S measures to include in HBRC performance reporting.	On track
Increased visibility of health and safety activity by ELT.	High	ELT representative attends quarterly Health and Safety Committee Meeting *Senior Health, Safety & Wellbeing Advisor*	March 2021	Process for regular attendance by ELT at quarterly meetings established.		Closed
Improvement in Contractor Inductions.	Medium	Review induction process of contractors and service providers *Senior Health, Safety and Wellbeing Advisor*	September 2020	Review of induction process via survey to be developed, delivered and corrective outcomes identified.	Linked to below item – collaborate with procurement to confirm induction process and complile list of contractors that require corrective actions. Establish timetable for corrective actions.	Behind
Improvement in Contractor Engagement process.	Medium	A full review of contractor inductions across all risks *Senior Health, Safety & Wellbeing Advisor*	August 2021	Procurement have endorsed working with H&S to oversee that H&S inductions and risk assessments. That occur as part of the wider procurement management system.	Continue to work with Procurement to finalise contractor processes so that these include H&S risks.	On track

Internal Audit – Cyber Security – August 2019
Finding / Theme		Priority Rating	Action and Owner		Due Date	Milestone Achieved Since Last Report	Milestone For Next Report	Tracking Status
Asset management – Software & application inventory– IT oversight and value as a service.	High			Automate as many software updates as possible. *Chief Information Officer*	Sept 2020	Software updates now automated.		Closed as at Nov 2020 FARS
As above	High			Update and review software list annually. *Chief Information Officer*	Sept 2020	2020 Annual Review completed		Closed as at Nov 2020 FARS
Asset management – Software & application inventory – Legacy Systems.	High			Develop an architecture strategy that considers long term phased replacement of legacy systems, including documenting the legacy software components and systems. *Chief Information officer*	December 2021 – if funding request accepted	IT Projects have been identified and described in 1 page briefs.	Projects are prioritised by exec team. Resourcing is recruited to begin scoping and delivery of prioritised projects. Resourcing is recruited to develop enterprise architecture artefacts.	On track Note action is defining the strategy – implementation for legacy systems will take over 10 years with current resourcing
Asset management – Software & application inventory– Inventory	High			Reviewed and documented all software used at HBRC. *Chief Information officer*	Oct 2019	Documented software inventory reviewed.		Closed as at Nov 2020 FARS
Asset management – Software & application inventory – Legacy Systems.	High			High-level documentation of software components. *Chief Information officer*	Dec 2019	High level documentation complete.		Closed as at Nov 2020 FARS
As above.	High			Review software versions in use and compare to latest available. *Chief Information officer*	Mar 2020	IT Support team reviewed the list of active software, and updated old versions – starting with areas of highest risk.	Our current approach to this has been adhoc. Reporting will be provided on the size of this issue, progress to date and target state.	Behind
As above.	High			Finance System Replacement *Chief Information officer*	June 2021	Enterprise Budgeting is live.	FMIS planned to go live 1/7/21. Payroll to go live 14/4/21	On track
Access Control – Principle of least privilege – Periodic Review.	High			Perform an annual review of access to HR and Regulatory systems (adding this to the current AuditNZ reviews of core and finance systems). *Chief Information officer*	Sept 2019	Reviewed access of HR and Regulatory systems. Request for new HR system in LTP. This included HR access review.	If HRIS is prioritised – access review will be included as part of the project. If not, a thorough access review will be performed on the current system.	Behind
Access Control – Principle of least privilege – Enforce the principle of least privilege.	High			Reviewed and reduced domain administrator access. *Chief Information officer*	Oct 2019	Domain administrator access reviewed and reduced.		Closed as at Nov 2020 FARS
Access Control – Principle of least privilege – Legal & Regulatory requirements.	High			Identified systems containing confidential data and tightened up processes for assigning access rights for new users *Chief Information officer in conjunction with Risk and Assurance Lead*	Oct 2019	Information Management Advisor recruited- due to commence in role on 30 November 2020.	Stocktake with business to assess what information and records are held and where including PII. With Information re-baseline due date based on scope of remediation and linkage to ICT Governance below.	Behind - Date needs rebaselining. Part of wider information management project – dedicated resource to strengthen data management now recruited
Access Control – Principle of least privilege – Periodic Review.	High			Reviewed Active Directory Accounts – archiving accounts by last logon date > 60 days *Chief Information officer*	Oct 2019	Accounts directory reviewed with >60days archived.		Closed as at Nov 2020 FARS
Access Controls – External Information Systems – Password Managers.	Medium			Investigate and evaluate solutions for single sign-on / password management. *Chief Information officer*	Sept 2020	Requested resourcing to evaluate solutions for implementation.		Behind
Business Environment – Resilience requirements –– IT Disaster Recovery Plan – resilience requirements.	High			Implement DR Technology Changes and Test Disaster Recovery processes and environment. *Chief Information officer*	Dec 2021	Scoped and designed a Disaster Recovery solution for when funding is available.	IT DR test scheduled for March 27^th2021. Scenario - simulating the loss of the Dalton St building	On track
As above.	High			Develop cybersecurity incident management processes based on CERT NZ guidelines. Including, developing templates for incident repsonse and post incident review. *Chief Information officer*	Mar 2020	Response process drafted and response templates complete.		Closed as at Nov 2020 FARS
Governance – Information security policy framework – Policy Review Required.	Medium			ICT Governance - firstly, assess the quality of Councils ICT policy framework against good practice including the development of a RACI matrix for cybersecurity roles outlined in the matrix. *Chief Information officer in conjunction with Risk and Assurance Lead*	June 2020		Define Council's risk appetite for enterprise risk 5 ‘information security’. Assess gap to systemise, develop business case and project plan that incorporates updating ICT governance documentation.	Behind – broader Information security strategy – also links to PII, DR and third parties
Anomalies & events, Security Continuous Monitoring & Detection Processes – Monitoring/Detection – Alerts.	Medium			Setup a central mailbox for system alerts. *Chief Information officer*	Oct 2019	Central mailbox activated for alerts.		Closed as at Nov 2020 FARS
As above.	Medium			Add critical alerts to our monitoring dashboard. *Chief Information officer*	Mar 2020	Central mailbox above is sufficient.		Closed *as at Nov 2020 FARS*
Information Protection Processes & Procedures – Third parties – Contractors Responsibilities.	Medium			As part of policy review , ensure risk based decision is made around contractors including system access by contractors and third parties are covered by policy. *Chief Information officer in conjunction with Risk and Assurance Lead*	June 2020		Define Council's risk appetite for enterprise risk 5 ‘information security’. Assess gap to systemise, develop business case and project plan that incorporates managing information risks from third parties.	Behind – refer update under ICT governance due date needs rebaselining as the solution requires integration with other key management systems.
Maintenance – remote access is managed (third parties) – Maintenance.	Medium			Implement ‘enable on demand’ access for third party providers. *Chief Information officer*	Oct 2019	Accounts disabled by default, and enabled when requested for a fixed period.		Closed as at Nov 2020 FARS
Access control – Remote access is managed (mobile devices)– Mobile device management.	Low			Continue the planned deployment of asset management tools for mobile devices. *Chief Information officer*	Ongoing	Implemented Microsoft Intune to manage mobile devices. Completed June 2020.		Closed as at Nov 2020 FARS

Tracking Status	Key
On track	Milestones on track to meet due date
At risk	Milestones falling behind putting at risk delivery on due date
Behind	Milestones outstanding due date will not be met
Closed	Corrective action fully implemented since last update
Closed	Corrective action fully implemented in previous period

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Wednesday 17 February 2021

Subject: Quarterly Treasury Report for 1 October - 31 December 2020

Reason for Report

1. This item provides compliance monitoring of Hawkes Bay Regional Council (HBRC) treasury activity and reports the performance of Council’s investment portfolio for the quarter ended 31 December 2020.

Overview of the Quarter - ending 31 December 2020

2. The investment portfolio continued its strong performance with the global economy seemingly continuing its recovery from the lows seen in Q3 2019-20.

3. Managed Funds have provided a year-to-date gross income net of fees of ~9%, enabling a combined (Council and HBRIC) divestment of $7.7m. This ensures that previous gains are now realised, and a $2.6m reduction of the Covid-19 Impact Loan.

4. Napier Port paid a final dividend to HBRIC of $5.5m, of which HBRIC passed through dividend of $4.0m; $1.0m greater than the budgeted $3.0m in the Covid-19 impacted 2020-21 Annual Plan.

5. Earlier collection of rates resulted in a strong liquidity position right throughout the quarter.

Background

6. The Investment management reporting requirements, outlined within Council’s Treasury Policy, requires quarterly reporting to the Financial Audit & Risk Sub-Committee (FARS) of current investment allocation and investment performance.

7. All Treasury investments are to be reported on quarterly. As at 31 December 2020, Treasury Investments to be reported on consist of:

7.1. Liquidity

7.1.1. Cash and Cash Equivalents

7.1.2. Debt Management

7.2. Externally Managed Investment Funds

7.2.1. Long-Term Investment Fund (LTIF)

7.2.2. Future Investment Fund (FIF)

7.3. Investment properties

7.4. HBRIC Ltd

7.5. 2020-21 Year to Date Performance Summary.

8. Since 2018, HBRC has procured treasury advice and services from PwC. Their quarterly compliance report is attached.

Discussion

Liquidity - Cash & Cash Equivalents

9. To ensure HBRC has the ability to adequately fund its operations, current policy requires HBRC to maintain a liquid balance of $3.0m.

10. The following table reports the cash and cash equivalents as at 31 December 2020.

31 December 2020	$000
Cash	4,534
HBRC Held Cash	3,817
Works Group	432
Other – managed trusts	286
Short-term bank deposits	9,000
Cash & and cash equivalents	13,534

11. HBRC liquidity throughout Q2 benefited from the early collection of rates (~$18.0m), HBRIC Dividend ($4.0m), and divestment of returns achieved from the LTIF and FIF managed funds ($6.5m).

12. Any cash surplus to operating requirements is placed on term deposit. For 81 of the possible 91 days in the quarter an average of $5.5m was held in term deposits, returning an average of 0.36% or $4.3k for the period.

13. To further manage its liquidity risk, HBRC currently retains a Standby Facility with BNZ. This facility provides HBRC with a same day draw down option, to any amount between $0.3-$5.0m, and with no minimum draw period. The cost of the current facility is an annual line fee 0.30% ($15,000) + a margin above BKBM of 1.1% on any borrowings.

14. This facility is due to expire in April 2021 and Officers are currently pursuing options to extend this Facility for a further 3 years.

14.1. Currently BNZ 3-year indicative cost is an Annual Line Fee 0.35% ($17,500) and a margin above BKBM of 1.3%. This pricing remains competitive when compared to the 15-month Standby Facility being offered by the LGFA whom price the Annual Line fee of 0.20% ($10,000) + a margin above BKBM of 0.90%. Additionally, the LGFA requires a business days’ notice, a minimum draw down of $1.0m and a 30 day minimum draw period.

15. The graph below shows the daily closing cash position and Term Deposits held throughout Q2.

16. Low interest rates are expected to remain throughout the remainder of the financial year impacting the 2020-21 budgeted income received from cash deposits - budgeted at $0.4m or 4.5%. A recent revised forecast based on current interest rates is $0.2m or 1.5%. The $0.2m shortfall will be offset by lower than budgeted borrowing rates.

Debt Management

17. As at 31 December 2020, current external debt was $22.2m, $38.9m when taking into consideration the internal $16.7m HBRIC Loan. All financial covenant ratios are currently at least 4 times under any internal or external limit. The financial covenant ratios can be seen in the attached PwC report.

18. The year end position is forecast at $38.1m. Accounting for the existing $22.2m plus forecast $15.9m requirement detailed below. This is slightly above that forecast in the 2018-28 LTP, which forecast borrowing to be $35.5m at the end of the 2020-21 year.

19. As the current debt profile continues to mature, and the 2020-21 forecast borrowing is not required yet, HBRC is currently outside its interest rate risk management policy. The policy is written to minimize any adverse movements in interest rates which could affect future Council Cash Flows. As per the Policy, Officers now have 90 days to correct the interest profile before it becomes a policy breach.

20. The borrowing discussed below will be raised with the LGFA via the scheduled March 2021 tender. Officers will work with PwC to ensure that HBRC realigns to its Interest Rate Risk Policy by the end of the next quarter.

21. The table below details forecast debt requirements compared to the 2020-21 Annual Plan.

Loan Requirements	2020-21 Annual Plan	2020-21 Debt Requirement	Variance
	$000	$000	$000
Sustainable Homes	3,527	3,527	-
Systems Integration	1,913	1,275	(638)
Building Accommodation	2,000	500	(1,500)
HBRC Recovery Fund	1,000	100	(900)
Integrated Catchment	2,250	4,700	2,450
Covid-19 Budget Impacts	7,584	5,000	(2,584)
Other	755	755	-
Total	19,029	15,857	(3,172)

22. 2020-21 borrowing is forecast at $15.9m, $3.2m lower than planned.

23. As at 31 December 2020, the borrowing forecast of $15.9m is based on the expected full year expenditure for 2020-21. The adjusted forecast requirements for “Systems Integration” and “Building Accommodation” is due to the timing of expenditure and request to carry forward this borrowing into 2021-22 is expected.

24. Borrowing required for the Covid-19 related reduction in investment income is subject to change. Any upside in investment income, from either an additional HBRIC dividend or managed fund returns, will reduce the current requirement.

25. The Recovery Fund has committed spend of $300k, $200k in outer years.

Managed Funds

26. For the purposes of this report, the following terms have been referred to and have the following meaning.

Term	Meaning
Gross Income Net of Fees	The full amount the fund has returned for the period, net of any fees paid to the fund managers. This amount remains in the funds unless divested.
Capital Protection	The amount the fund must earn in relation to the rate of inflation to retain its real purchasing power.
Funding Council Operating Costs	The amount the fund must earn to fund Council operating costs (offsetting rating requirements).
Divested Capital	Unrealised Gross Income Net of Fees less Capital Protection and have now been withdrawn from the funds.
Undivested Funds Available	Unrealised Gross Income Net of Fees less Capital Protection that are still invested within the funds.

27. The first six months of 2020-21 saw better than expected results achieved with an average gross income net of fees of 9% (annualised 17%) compared to the Post Covid-19 2020-21 Annual Plan of 3% (6% annualised).

28. This performance aligns with general market expectation given the results of the US election and the announcement of a successful COVID-19 vaccine trial. Both events reduce uncertainty either by reducing a tariff-inspired manufacturing recession or a clearer pathway out of the pandemic.

29. Officers remain cautiously optimistic regarding the expected full year 2020-21 performance. In mid-December, Officers, with FARS endorsement divested $6.4M from the Funds. Thereby ensuring prior gains are realised and available to fund operating costs.

30. Council’s current policy is silent on triggers which define at what point divestment from the managed fund should occur. With global markets seemly at a high in December 2020 Officers made the prudent decision to divest $6.4m, de-risking the future possibility of losing any of the unrealised gains.

31. At the time of the divestment, $6.4m equaled the current policy limit of what could have been withdrawn less the required capital protection for the remaining six months of the 2020-21 year ($1.1M).

32. After the December 2020 divestment, the Q2 actual closing position reflects that an additional $3.4m could have been divested, or $2.2m whilst still protecting the capital base until June 2021.

33. If the current strong performance of the funds continues, there will be potential for further divestment, reducing the forecast borrowing requirement arising from the Covid-19 adjusted 2020-21 Annual Plan.

34. The table and graphs below summarise the quarter end fund balances over the last 12 months.

Fund	31 Dec 2019	31 Mar 2020	30 Jun 2020	30 Sep 2020	31 Dec 2020
	$000	$000	$000	$000	$000
Long-Term Investment Fund	50,674	46,305	49,950	51,810	49,925 *
Future Investment Fund	44,724	41,712	61,128	63,094	64,300 *
Total	95,398	88,017	111,078	114,904	114,224

* December 2020 saw Funds being divested for the first time, which explains the reduced fund balance.

Long-term Investment Fund

35. Invested since November 2018, the fund provides a return which, protects capital value first and then funds Council’s operating costs.

36. The table below shows the LTIF income earned YTD against the 2020-21 Annual Plan.

Income	Full Year Annual Plan 2020-21		YTD Ann. Plan		YTD Q2 Actuals		Variance to YTD Ann. Plan
	$000	%	$000	%	$000	%	$000
Capital Protection	838	2%	419	1%	480	1%	61
Fund Operating Costs	1,876	4%	938	2%	3,973	8%	3,035
Gross Income Net of Fees	2,715	6%	1,357	3%	4,453	9%	3,096

37. The table below shows the key balances of the LTIF as at the end of Q2.

	1 July 2020 – Opening Balances			31 December 2020 – Closing Balances
	Capital Protected Balance	Undivested Funds Available	Total Fund Balance	Capital Protected Balance	Undivested Funds Available	Total Fund Balance
	$000	$000	$000	$000	$000	$000
LTIF	47,996	1,954	49,950	48,476	1,449	49,925

38. The table above has been prepared as at 31 December 2020 (Q2), it should be noted, that the LTIF needs to earn a further $480k, to meet the required annual capital protection of $980k. This amount is slightly different to the 2020-21 Annual Plan, due to the budgeted numbers being set off the Fund Balances in March 2020.

Future Investment Fund (FIF)

39. Invested since September 2019, the fund provides a return which, protects capital value first and then funds Council’s operating costs.

40. The table below shows the FIF income earned YTD against the 2020-21 Annual Plan.

Income	Full year Annual Plan 2020-21		YTD Ann. Plan		Q2 YTD Actuals		Variance to YTD Ann. Plan
	$000	%	$000	%	$000	%	$000
Capital Protection	974	2%	487	1%	618	1%	131
Fund Operating Costs	1,690	4%	845	2%	4,496	7%	3,651
Gross Income Net of Fees	2,665	6%	1,332	3%	5,114	8%	3,781

41. The table below shows the key balances of the FIF as at the end of Q2.

	1 July 2020 – Opening Balances			31 December 2020 – Closing Balances
	Capital Protected Balance	Undivested Funds Available	Total Fund Balance	Capital Protected Balance	Undivested Funds Available	Total Fund Balance
	$000	$000	$000	$000	$000	$000
FIF	61,775	(647)	61,128	62,394	1,906	64,300

42. As mentioned previously, the table above has been prepared as at 31 December 2020 (Q2), similar to the LTIF, the FIF will need to earn a further $618k, to meet the required annual capital protection of $1,236k.

Investment Property

43. In the current financial period, 2020-21, 5 Napier Endowment Leasehold Properties have been freeholded totaling $776k. $693k of this has been subsequently paid to ACC as settlement for the remaining 42 years rent for these properties.

44. HBRC has recently been contacted by a Leasehold occupier in Wellington regarding the Freeholding of the land. The Leasehold offer and how this aligns to HBRC investment strategy will be presented at the Corporate and Strategic Committee in March 2021 (publicly excluded).

HBRIC

45. On 18 December 2020, HBRC received a dividend payment of $4.0m from HBRIC, $1m favourable to the $3.0m budgeted in the Covid-19 adjusted Annual Plan.

46. Per Council Policy, HBRIC will separately provide a six-monthly update to Corporate at Strategic committee in March 2021. Main matters of relevance are:

46.1. PONL advised it would pay $0.05 per share as its interim dividend. HBRIC holds 110M shares (55%) resulting in a $5.5m dividend

46.2. There is potential in that the PONL will pay a final dividend in June 2021

46.3. The following table shows the key balances of the FIF (HBRIC) as at the end of Q2.

	1 July 2020 – Opening Balances			31 December 2020 – Closing Balances
	Capital Protected Balance	Undivested Funds Available	Total Fund Balance	Capital Protected Balance	Undivested Funds Available	Total Fund Balance
	$000	$000	$000	$000	$000	$000
FIF	46,584	(964)	45,620	47,000	1,314	48,314

2020-21 Year to Date Performance Summary

47. The following table shows investment income to date against the 2020-21 Annual Plan.

Income	Annual Plan 2020-21	YTD Ann. Plan	Q2 Actuals	Variance to YTD Ann. Plan
	$000	$000	$000	$000
Other financial assets	4,195	2,097	7,387	5,290
Managed Funds	3,567	1,783	7,371	5,588
Other Interest*	628	314	16	(298)
Investment property	2,343	1,171	830	(131)
Endowment leasehold land	1,502	751	620	(131)
Wellington Leasehold land	841	420	420	-
Dividends	5,369	4,184	7,012	4,328
PONL Dividend	3,000	3,000	5,500	2,500
Managed Fund	2,369	1,184	3,012	1,828
Total	11,907	7,452	16,729	9,487

* Includes Interest budgeted to be earnt on scheme reserves.

48. The $9.5m favourable YTD performance should be considered cautiously. It is likely that the majority of this performance will be a point in time variance and it potentially will reduce significantly over the next 6 months, particularly when considering the performance of the managed funds. 20-year historical data suggests that an expected annual return for the funds should currently be 5.16%. With the funds returning an average six-month return of 8.64%, it would be prudent to expect that the future returns will equalise over the next six months and come more inline with a 5.16%. If performance does equalise, it could be expected that the full year performance will be ~$2.0m ahead of budget; not the current $7.4m.

49. The other material significant change could arise via Napier Port paying HBRIC an interim dividend in June 2021. Unlike the managed funds, this would continue to improve the actual performance when compared to the 2020-21 Annual Plan

Decision Making Process

50. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

50.1. The agenda item is in accordance with the Finance, Audit and Risk Sub-committee Terms of Reference, specifically “The Finance, Audit and Risk Sub-committee shall have responsibility and authority to (2.4) monitor the performance of Council’s investment portfolio”.

50.2. As this report is for information only, the decision making provisions do not apply.

Recommendation

That the Finance, Audit and Risk Sub-committee receives and notes the “Quarterly Treasury Report for 1 October - 31 December 2020” and confirms that the performance of Council’s investment portfolio has been reported to the Sub-committee’s satisfaction.

Authored by:

Geoff Howes

Treasury & Funding Accountant

Bronda Smith

Chief Financial Officer

Approved by:

Jessica Ellerm

Group Manager Corporate Services

Attachment/s

⇩1

PWC HBRC Treasury Reporting to 31 December 2020

Approved Audit FY20-21	Provider	Quarter Due	Date Commenced	Management Comments	Reported to FARS
Data Analytics	Crowe	Q3	December 2020
People, Recruitment, Retention and Wellbeing	Crowe	Q4	IA scope and LOE being finalised with Crowe
Retained Audit Capacity - 40 hours	Crowe

⇩1	Dashboard 1 - Internal Assurance Dashboard - Corrective Action Status Update
⇩2	Dashboard 2 - Internal Assurance Annual Plan FY20-21 Status Update