Meeting of the Finance Audit & Risk Sub-committee
Date: Tuesday 22 September 2015
Time: 9.00am
Venue: |
Council Chamber Hawke's Bay Regional Council 159 Dalton Street NAPIER |
Agenda
Item Subject Page
1. Welcome/Notices/Apologies
2. Conflict of Interest Declarations
3. Confirmation of Minutes of the Finance Audit & Risk Sub-committee held on 3 June 2015
4. Matters Arising from Minutes of the Finance Audit & Risk Sub-committee held on 3 June 2015
5. Follow-ups from Previous Finance Audit & Risk Sub-committee meetings 3
Decision Items
6. Annual Report Year Ending 30 June 2015 7
7. HBRC Risk Management 13
8. Internal Audit Programme 41
Information or Performance Monitoring
9. Work Programme Going Forward 45
Decision Items (Public Excluded)
10. Independent Representative on Finance Audit & Risk Sub-committee 47
Finance Audit & Risk Sub-committee
Tuesday 22 September 2015
SUBJECT: Follow-ups from Previous Finance Audit & Risk Sub-committee meetings
Reason for Report
1. In order to track items raised at previous meetings that require follow-up, a list of outstanding items is prepared for each meeting. All follow-up items indicate who is responsible for each, when it is expected to be completed and a brief status comment. Once the items have been completed and reported to the Committee they will be removed from the list.
Decision Making Process
2. Council is required to make a decision in accordance with Part 6 Sub-Part 1, of the Local Government Act 2002 (the Act). Staff have assessed the requirements contained within this section of the Act in relation to this item and have concluded that as this report is for information only and no decision is required in terms of the Local Government Act’s provisions, the decision making procedures set out in the Act do not apply.
1. That the Committee receives the report “Follow-ups from Previous Finance Audit and Risk Sub-committee Meetings”.
|
Liz Lambert Chief Executive |
|
Follow-ups from Previous Sub-committee meetings |
|
|
Follow-ups from Previous Sub-committee meetings |
Attachment 1 |
Follow-ups from Finance, Audit & Risk Sub-committee Meetings
3 June 2015
|
Agenda Item |
Follow-up / Request |
Person Responsible |
Status Comment |
1 |
Role and Functions of the Finance, Audit & Risk Sub-Committee |
Draft a Charter for consideration at the 22 September FA&R meeting |
Liz |
Clarification sought from sub-committee as to purpose and likely content of Charter |
2 |
Role and Functions of the Finance, Audit & Risk Sub-Committee |
Seek Council approval of amendments to Terms of Reference |
Leeanne |
Council adopted amended Terms of Reference 24 June 2015 |
3 |
Appointment of Independent Member |
Seek expressions of interest from suitably qualified applicants |
Liz |
Expressions of interest sought – paper for Sub-committee consideration at 22 September meeting |
4 |
Members Liability |
Insurance cover for members’ – investigate level of coverage required |
Paul |
Council’s insurance brokers, Jardines, Lloyd, Thompson, will make a presentation at the November FA&R Sub-committee, and this issue will be discussed at that time |
Finance Audit & Risk Sub-committee
Tuesday 22 September 2015
Subject: Annual Report Year Ending 30 June 2015
Reason for Report
1. To outline the issues that Stephen Lucy, Director Audit NZ, proposes to discuss with the Committee in relation to the audit of Hawke’s Bay Regional Council’s (HBRC’s) financial statements for the year ending 30 June 2015.
Comment
2. During Stephen’s presentation to the last meeting of the Finance Audit and Risk Subcommittee held on Wednesday 3 June 2015, it was proposed that he attend this meeting in order to discuss any issues that arose during the Audit of HBRC’s Annual Report.
3. At the time of writing this paper there were only a few items to be resolved before Audit NZ would be in a position to complete their audit report. It is therefore anticipated that by the time Stephen Lucy makes his presentation to this meeting, the Annual Report audit would have been finalised.
4. Attached as Attachment 1 are the issues that Stephen Lucy proposes to discuss with the Sub-committee.
5. At the conclusion of these discussions there will be time for a Councillor only discussion with Stephen.
6. The audited Annual Report will be sent to Council for adoption at its meeting on 30 September 2015.
Decision Making Process
7. As no decisions are required by this paper, the decision making provisions of the Local Government Act 2002 do not apply.
1. That the Finance Audit and Risk Subcommittee receives the issues forwarded by Stephen Lucy, Director Audit NZ, for discussion on HBRC’s Annual Report for Year Ending 30 June 2015. |
Paul Drury Group Manager |
|
Audit NZ September 2015 Update for Finance Audit and Risk Subcommittee Meeting |
|
|
Finance Audit & Risk Sub-committee
Tuesday 22 September 2015
Subject: HBRC Risk Management
Reason for Report
1. At the meeting on 3 June 2015, the Finance Audit and Risk Sub-committee considered a briefing paper on risk assessment and management. This paper set out a draft risk assessment and management framework. Since that time staff, with assistance from an external consultant, have reviewed organisational risks for each of the corporate groups.
2. The group risks have, where appropriate, been aggregated up to higher level corporate risk.
3. This report sets out the process in more detail and presents the risks.
Background
4. The purpose of the Finance Audit and Risk Sub-committee is to report to the Corporate and Strategic Committee on matters that will assist the Council to fulfil its responsibilities for:
4.1. The robustness of risk management systems, processes and practices
4.2. The provision of appropriate controls to safeguard the Council’s financial and non-financial assets, the integrity of internal and external reporting and accountability arrangement
4.3. The independence and adequacy of internal and external audit functions
4.4. Compliance with applicable laws, regulations, standards and best practice guidelines
4.5. The review of Council’s expenditure policies and the effectiveness of those policies.
5. This requires a systematic mechanism with a robust framework in place to achieve confidence that risk management is being carried out efficiently and effectively within policy limits.
6. Each of the management groups within Council are committed to identifying and mitigating or managing all actual and potential risks associated with their work area and implementing robust control measures.
7. For this purpose the Council has utilised external resources, engaging a web-based Risk and Assurance industry solution (Quantate), for a structured approach to assessing and recording identified risks and their treatment approach.
8. Through the identification and analysis of potential and actual risks, possible impacts on the organisation can be quantified. The framework allows the Executive management team to have an overview of risks, and to therefore provide, with confidence, an overview of the key risks and how they are being managed.
9. Quantate is an on-line program which can be used as a risk management register for simplified and improved risk identification and reporting. Many councils across the country (Greater Wellington Regional Council, Environment Canterbury, West Coast Regional Council) and larger corporations and government organisations (e.g. Spark, NZ Rail, CAA, Dept. of Internal Affairs) airports, ports, and healthcare organisations use Quantate.
10. The programme can also be used to provide risk control improvement plans, monitor internal controls, and as a notification centre for reviews and/or updates. Several of the benefits to the organisation in using Quantate are the capacity to:
10.1. Identify risks
10.2. Assess and evaluate organisation-wide risks, via a set of standardised criteria
10.3. Record and assess the risk controls
10.4. Rate the relative importance of the controls
10.5. Monitor the controls and their effectiveness.
11. Not all the tools available within the Quantate program are currently being utilised. It is proposed that these tools will be used in the future as the system is bedded down across the organisation. It will however require additional resource to rapidly develop more in-depth solutions for risk awareness, management and control. There is the potential, for example, for Quantate to be used to a greater degree for monitoring internal controls, setting up control improvement plans, monitor control improvement plan activity, and set tasks.
Risk Assessment Framework
12. At the core of Risk Management is the recognition and consideration of key risks facing an organisation. Fundamental to this is for the governing body to communicate to staff through the Chief Executive its risk tolerance. Risk tolerance is defined as:
“the amount of risk an organisation is willing to accept in pursuit of its strategic objectives”
13. The Finance, Audit and Risk Committee therefore needs to provide feedback to staff on the risks presented in this report and the assessment of the current level of risk (residual risk) to which the organisation is exposed. If the Committee believes that the residual risk is too great, then they are able to request staff to report back to them with options for reducing that risk over time.
14. Council staff are required to manage a variety of risks as part of their everyday responsibilities. Each management group has assessed risks that may impact on their team’s organisational and operational objectives. Council staff are required to initially identify the risks pertaining to their work area and utilise professional experience and qualifications to effectively manage those risks. Group Managers (together with third tier managers) assemble and assess risks identified along with controls.
15. Risks are then ranked through Quantate using the standardised risk assessment criteria attached as Attachment 1.
16. Responsibility for the risk and control typically sits with Group Managers. Risks are mitigated by ensuring controls are implemented and maintained.
Aggregation of risks
17. Many risks are not unique to particular Groups and some risks have the potential to be experienced by more than one Group, while others have the potential to affect the organisation as a whole. However, an individual Group may score a particular risk’s consequences lower than another Group.
18. Risks common to many Groups are ‘aggregated’ up to Executive Level. The Chief Executive and executive team is responsible for reviewing the risks and assessing if the risk controls are adequate. The Chief Executive will also review previous risks; track the performance of the organisation from the previous review; assess whether the risks facing the organisation are of an appropriate level; and assess whether controls are being implemented.
Risk Assessment and Management reporting
19. Risks to the organisation have been identified, reviewed and evaluated by staff members within each management group. A presentation will be made at the meeting to explain the process of assessing group level risks, and how key risks are aggregated up to the Executive level.
20. The Executive Level risk register is attached to this report in table form (Attachment 2), and in memo form (Attachment 3). These present the key risks either identified directly within the Executive Level or aggregated up from the management group level. Health and Safety and Stakeholder Relationship risks are common to many groups within Council, have been aggregated up to Executive level and are included in the Executive level risk register.
21. Feedback is sought on the presentation of risk information.
Decision Making Process
22. Council is required to make a decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements contained in Part 6 Sub Part 1 of the Act in relation to this item and have concluded the following:
22.1. The decision does not significantly alter the service provision or affect a strategic asset.
22.2. The use of the special consultative procedure is not prescribed by legislation.
22.3. The decision does not fall within the definition of Council’s policy on significance.
22.4. The decision is not inconsistent with an existing policy or plan.
That the Finance Audit & Risk Sub-committee: 1. Receives and considers the “HBRC Risk Management” report 2. Advises staff of specific risks where the sub-committee believes the current level of risk is unacceptable to Council, and requests that staff report back to the sub-committee with options and associated resources required to modify the risk profile. 3. The Finance Audit & Risk Sub-committee recommends that the Corporate & Strategic Committee confirms the Committee’s confidence that the risk assessment process outlined in the “HBRC Risk Management” report and its attachments is an appropriate process to identify and assess organisational risks. |
Mike Adye Group Manager |
Liz Lambert Chief Executive |
HBRC Risk Assessment Framework Criteria |
|
|
|
Executive Level Risk Register |
|
|
|
HBRC Risk Assessment and Management |
|
|
Finance Audit & Risk Sub-committee
Tuesday 22 September 2015
Subject: Internal Audit Programme
Reason for Report
1. To continue discussions with John Dixon, Partner PricewaterhouseCoopers, on the areas of focus for the internal audit programme.
Comment
2. At the previous meeting of the Subcommittee held on 3 June 2015, John Dixon set out the recommendations from the internal audits that had been completed – namely:
2.1. Accounts payable
2.2. Treasury management
2.3. Payroll.
3. John also discussed other potential areas where Hawke’s Bay Regional Council (HBRC) may want internal audit assurance in the future. Attached as Attachment 1 is a document entitled “Internal Audit Universe” that John discussed at the last meeting of the Subcommittee.
4. It is John’s intention to attend this meeting of the Subcommittee to continue discussions covering further areas of internal audit that the Subcommittee may wish to commission to be completed. He also proposes to link his discussions in with the areas covered in the paper entitled “HBRC Risk Management” which is a separate paper on this meeting’s agenda.
Decision Making Process
5. Council is required to make a decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements contained in Part 6 Sub Part 1 of the Act in relation to this item and have concluded the following:
5.1. The decision does not significantly alter the service provision or affect a strategic asset.
5.2. The use of the special consultative procedure is not prescribed by legislation.
5.3. The decision does not fall within the definition of Council’s policy on significance.
5.4. There are no persons affected by this decision.
5.5. Options to be considered by the Subcommittee will be which areas of internal audit should be proceeded with.
5.6. The decision is not inconsistent with an existing policy or plan.
1. That the Finance Audit and Risk Subcommittee receives and notes the Internal Audit Programme report and advises staff and the PricewaterhouseCoopers Auditor which areas of HBRC business require an internal audit review. 2. The Finance Audit and Risk Sub-committee recommends that the Corporate and Strategic Committee: 2.1. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted policy on significance and that Council can exercise its discretion under Sections 79(1)(a) and 82(3) of the Local Government Act 2002 and make decisions on this issue without conferring directly with the community and persons likely to be affected by or to have an interest in the decision. 2.2. Approves the schedule of Internal Audits to be carried out over the next 12 months as determined by the Subcommittee. |
Paul Drury Group Manager |
|
Internal Audit Universe Table |
|
|
Finance Audit & Risk Sub-committee
Tuesday 22 September 2015
Subject: Work Programme Going Forward
Reason for Report
1. In order to ensure the sub-committee’s ability to effectively and efficiently fulfill its role and responsibilities, an overall suggested work programme for the remainder of 2015 is provided following.
4 November meeting |
Follow-up on Health & Safety Insurance programme (presentation by Council’s insurance brokers – Jardine, Lloyd Thompson) Internal Audit report Follow-up on HBRC Risk Management Framework Proposed 2016 meeting schedule |
Decision Making Process
2. As this report is for information only and no decision is to be made, the decision making provisions of the Local Government Act 2002 do not apply.
1. That the Finance, Audit and Risk Sub-committee receives and considers the “Work Programme Going Forward” report. |
Paul Drury Group Manager |
|
Finance Audit & Risk Sub-committee
Tuesday 22 September 2015
Subject: Independent Representative on Finance Audit & Risk Sub-committee
That Council excludes the public from this section of the meeting, being Agenda Item 10 Independent Representative on Finance Audit & Risk Sub-committee with the general subject of the item to be considered while the public is excluded; the reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution being as follows:
GENERAL SUBJECT OF THE ITEM TO BE CONSIDERED |
REASON FOR PASSING THIS RESOLUTION |
GROUNDS UNDER SECTION 48(1) FOR THE PASSING OF THE RESOLUTION |
Independent Representative on Finance Audit & Risk Sub-committee |
7(2)(a) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to protect the privacy of natural persons. 7(2)(i) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to enable the local authority holding the information to carry out, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations). |
The Council is specified, in the First Schedule to this Act, as a body to which the Act applies. |
Liz Lambert Chief Executive |
|