Meeting of the Finance Audit & Risk Sub-committee

 

 

Date:                 Tuesday 22 September 2015

Time:                9.00am

Venue:

Council Chamber

Hawke's Bay Regional Council

159 Dalton Street

NAPIER

 

Agenda

 

Item       Subject                                                                                                                  Page

 

1.         Welcome/Notices/Apologies 

2.         Conflict of Interest Declarations  

3.         Confirmation of Minutes of the Finance Audit & Risk Sub-committee held on 3 June 2015

4.         Matters Arising from Minutes of the Finance Audit & Risk Sub-committee held on 3 June 2015

5.         Follow-ups from Previous Finance Audit & Risk Sub-committee meetings                 3

Decision Items

6.         Annual Report Year Ending 30 June 2015                                                                    7

7.         HBRC Risk Management                                                                                           13

8.         Internal Audit Programme                                                                                           41

Information or Performance Monitoring

9.         Work Programme Going Forward                                                                              45  

Decision Items (Public Excluded)

10.       Independent Representative on Finance Audit & Risk Sub-committee                     47

 


HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Tuesday 22 September 2015

SUBJECT: Follow-ups from Previous Finance Audit & Risk Sub-committee meetings

 

Reason for Report

1.      In order to track items raised at previous meetings that require follow-up, a list of outstanding items is prepared for each meeting. All follow-up items indicate who is responsible for each, when it is expected to be completed and a brief status comment. Once the items have been completed and reported to the Committee they will be removed from the list.

Decision Making Process

2.      Council is required to make a decision in accordance with Part 6 Sub-Part 1, of the Local Government Act 2002 (the Act). Staff have assessed the requirements contained within this section of the Act in relation to this item and have concluded that as this report is for information only and no decision is required in terms of the Local Government Act’s provisions, the decision making procedures set out in the Act do not apply.

 

Recommendation

1.      That the Committee receives the report “Follow-ups from Previous Finance Audit and Risk Sub-committee Meetings”.

 

 

 

Liz Lambert

Chief Executive

 

 

Attachment/s

1

Follow-ups from Previous Sub-committee meetings

 

 

  



Follow-ups from Previous Sub-committee meetings

Attachment 1

 

Follow-ups from Finance, Audit & Risk Sub-committee Meetings

 

 

3 June 2015

 

Agenda Item

Follow-up / Request

Person Responsible

Status Comment

1

Role and Functions of the Finance, Audit & Risk Sub-Committee

Draft a Charter for consideration at the 22 September FA&R meeting

Liz

Clarification sought from sub-committee as to purpose and likely content of Charter

2

Role and Functions of the Finance, Audit & Risk Sub-Committee

Seek Council approval of amendments to Terms of Reference

Leeanne

Council adopted amended Terms of Reference 24 June 2015

3

Appointment of Independent Member

Seek expressions of interest from suitably qualified applicants

Liz

Expressions of interest sought – paper for Sub-committee consideration at 22 September meeting

4

Members Liability

Insurance cover for members’ – investigate level of coverage required

Paul

Council’s insurance brokers, Jardines, Lloyd, Thompson, will make a presentation at the November FA&R Sub-committee, and this issue will be discussed at that time

 

 


HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Tuesday 22 September 2015

Subject: Annual Report Year Ending 30 June 2015

 

Reason for Report

1.      To outline the issues that Stephen Lucy, Director Audit NZ, proposes to discuss with the Committee in relation to the audit of Hawke’s Bay Regional Council’s (HBRC’s) financial statements for the year ending 30 June 2015.

Comment

2.      During Stephen’s presentation to the last meeting of the Finance Audit and Risk Subcommittee held on Wednesday 3 June 2015, it was proposed that he attend this meeting in order to discuss any issues that arose during the Audit of HBRC’s Annual Report.

3.      At the time of writing this paper there were only a few items to be resolved before Audit NZ would be in a position to complete their audit report.  It is therefore anticipated that by the time Stephen Lucy makes his presentation to this meeting, the Annual Report audit would have been finalised.

4.      Attached as Attachment 1 are the issues that Stephen Lucy proposes to discuss with the Sub-committee.

5.      At the conclusion of these discussions there will be time for a Councillor only discussion with Stephen.

6.      The audited Annual Report will be sent to Council for adoption at its meeting on 30 September 2015.

Decision Making Process

7.      As no decisions are required by this paper, the decision making provisions of the Local Government Act 2002 do not apply.

 

Recommendations

1.      That the Finance Audit and Risk Subcommittee receives the issues forwarded by Stephen Lucy, Director Audit NZ, for discussion on HBRC’s Annual Report for Year Ending 30 June 2015.

 

 

Paul Drury

Group Manager
Corporate Services

 

 

Attachment/s

1

Audit NZ September 2015 Update for Finance Audit and Risk Subcommittee Meeting

 

 

  


Audit NZ September 2015 Update for Finance Audit and Risk Subcommittee Meeting

Attachment 1

 




HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Tuesday 22 September 2015

Subject: HBRC Risk Management

 

Reason for Report

1.      At the meeting on 3 June 2015, the Finance Audit and Risk Sub-committee considered a briefing paper on risk assessment and management.  This paper set out a draft risk assessment and management framework.  Since that time staff, with assistance from an external consultant, have reviewed organisational risks for each of the corporate groups.

2.      The group risks have, where appropriate, been aggregated up to higher level corporate risk.

3.      This report sets out the process in more detail and presents the risks.

Background

4.      The purpose of the Finance Audit and Risk Sub-committee is to report to the Corporate and Strategic Committee on matters that will assist the Council to fulfil its responsibilities for:

4.1.      The robustness of risk management systems, processes and practices

4.2.      The provision of appropriate controls to safeguard the Council’s financial and non-financial assets, the integrity of internal and external reporting and accountability arrangement

4.3.      The independence and adequacy of internal and external audit functions

4.4.      Compliance with applicable laws, regulations, standards and best practice guidelines

4.5.      The review of Council’s expenditure policies and the effectiveness of those policies.

5.      This requires a systematic mechanism with a robust framework in place to achieve confidence that risk management is being carried out efficiently and effectively within policy limits.

6.      Each of the management groups within Council are committed to identifying and mitigating or managing all actual and potential risks associated with their work area and implementing robust control measures.  

7.      For this purpose the Council has utilised external resources, engaging a web-based Risk and Assurance industry solution (Quantate), for a structured approach to assessing and recording identified risks and their treatment approach.

8.      Through the identification and analysis of potential and actual risks, possible impacts on the organisation can be quantified.  The framework allows the Executive management team to have an overview of risks, and to therefore provide, with confidence, an overview of the key risks and how they are being managed.

9.      Quantate is an on-line program which can be used as a risk management register for simplified and improved risk identification and reporting. Many councils across the country (Greater Wellington Regional Council, Environment Canterbury, West Coast Regional Council) and larger corporations and government organisations (e.g. Spark, NZ Rail, CAA, Dept. of Internal Affairs) airports, ports, and healthcare organisations use Quantate.

10.    The programme can also be used to provide risk control improvement plans, monitor internal controls, and as a notification centre for reviews and/or updates.  Several of the benefits to the organisation in using Quantate are the capacity to:

10.1.    Identify risks

10.2.    Assess and evaluate organisation-wide risks, via a set of standardised criteria

10.3.    Record and assess the risk controls

10.4.    Rate the relative importance of the controls

10.5.    Monitor the controls and their effectiveness.

11.    Not all the tools available within the Quantate program are currently being utilised.  It is proposed that these tools will be used in the future as the system is bedded down across the organisation.  It will however require additional resource to rapidly develop more in-depth solutions for risk awareness, management and control. There is the potential, for example, for Quantate to be used to a greater degree for monitoring internal controls, setting up control improvement plans, monitor control improvement plan activity, and set tasks.

Risk Assessment Framework

12.    At the core of Risk Management is the recognition and consideration of key risks facing an organisation.  Fundamental to this is for the governing body to communicate to staff through the Chief Executive its risk tolerance.  Risk tolerance is defined as:

the amount of risk an organisation is willing to accept in pursuit of its strategic objectives

13.    The Finance, Audit and Risk Committee therefore needs to provide feedback to staff on the risks presented in this report and the assessment of the current level of risk (residual risk) to which the organisation is exposed.  If the Committee believes that the residual risk is too great, then they are able to request staff to report back to them with options for reducing that risk over time.

14.    Council staff are required to manage a variety of risks as part of their everyday responsibilities.  Each management group has assessed risks that may impact on their team’s organisational and operational objectives.  Council staff are required to initially identify the risks pertaining to their work area and utilise professional experience and qualifications to effectively manage those risks. Group Managers (together with third tier managers) assemble and assess risks identified along with controls.

15.    Risks are then ranked through Quantate using the standardised risk assessment criteria attached as Attachment 1.

16.    Responsibility for the risk and control typically sits with Group Managers.  Risks are mitigated by ensuring controls are implemented and maintained.

Aggregation of risks

17.    Many risks are not unique to particular Groups and some risks have the potential to be experienced by more than one Group, while others have the potential to affect the organisation as a whole. However, an individual Group may score a particular risk’s consequences lower than another Group.

18.    Risks common to many Groups are ‘aggregated’ up to Executive Level. The Chief Executive and executive team is responsible for reviewing the risks and assessing if the risk controls are adequate. The Chief Executive will also review previous risks; track the performance of the organisation from the previous review; assess whether the risks facing the organisation are of an appropriate level; and assess whether controls are being implemented.

Risk Assessment and Management reporting

19.    Risks to the organisation have been identified, reviewed and evaluated by staff members within each management group.  A presentation will be made at the meeting to explain the process of assessing group level risks, and how key risks are aggregated up to the Executive level.

20.    The Executive Level risk register is attached to this report in table form (Attachment 2), and in memo form (Attachment 3).  These present the key risks either identified directly within the Executive Level or aggregated up from the management group level.  Health and Safety and Stakeholder Relationship risks are common to many groups within Council, have been aggregated up to Executive level and are included in the Executive level risk register.

21.    Feedback is sought on the presentation of risk information.

Decision Making Process

22.    Council is required to make a decision in accordance with the requirements of the Local Government Act 2002 (the Act).  Staff have assessed the requirements contained in Part 6 Sub Part 1 of the Act in relation to this item and have concluded the following:

22.1.   The decision does not significantly alter the service provision or affect a strategic asset.

22.2.   The use of the special consultative procedure is not prescribed by legislation.

22.3.   The decision does not fall within the definition of Council’s policy on significance.

22.4.   The decision is not inconsistent with an existing policy or plan.

 

Recommendations

That the Finance Audit & Risk Sub-committee:

1.      Receives and considers the “HBRC Risk Management” report

2.      Advises staff of specific risks where the sub-committee believes the current level of risk is unacceptable to Council, and requests that staff report back to the sub-committee with options and associated resources required to modify the risk profile.

3.      The Finance Audit & Risk Sub-committee recommends that the Corporate & Strategic Committee confirms the Committee’s confidence that the risk assessment process outlined in the “HBRC Risk Management” report and its attachments is an appropriate process to identify and assess organisational risks.

 

 

Mike Adye

Group Manager
Asset Management

Liz Lambert

Chief Executive

 

Attachment/s

1

HBRC Risk Assessment Framework Criteria

 

 

2

Executive Level Risk Register

 

 

3

HBRC Risk Assessment and Management

 

 

  


HBRC Risk Assessment Framework Criteria

Attachment 1

 







Executive Level Risk Register

Attachment 2

 


Executive Level Risk Register

Attachment 2

 


HBRC Risk Assessment and Management

Attachment 3

 





HBRC Risk Assessment and Management

Attachment 3

 




HBRC Risk Assessment and Management

Attachment 3

 



HBRC Risk Assessment and Management

Attachment 3

 


HBRC Risk Assessment and Management

Attachment 3

 






HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Tuesday 22 September 2015

Subject: Internal Audit Programme

 

Reason for Report

1.      To continue discussions with John Dixon, Partner PricewaterhouseCoopers, on the areas of focus for the internal audit programme.

Comment

2.     At the previous meeting of the Subcommittee held on 3 June 2015,  John Dixon set out the recommendations from the internal audits that had been completed – namely:

2.1.      Accounts payable

2.2.      Treasury management

2.3.      Payroll.

3.     John also discussed other potential areas where Hawke’s Bay Regional Council (HBRC) may want internal audit assurance in the future. Attached as Attachment 1 is a document entitled “Internal Audit Universe” that John discussed at the last meeting of the Subcommittee.

4.     It is John’s intention to attend this meeting of the Subcommittee to continue discussions covering further areas of internal audit that the Subcommittee may wish to commission to be completed.  He also proposes to link his discussions in with the areas covered in the paper entitled “HBRC Risk Management” which is a separate paper on this meeting’s agenda.

Decision Making Process

5.      Council is required to make a decision in accordance with the requirements of the Local Government Act 2002 (the Act).  Staff have assessed the requirements contained in Part 6 Sub Part 1 of the Act in relation to this item and have concluded the following:

5.1.      The decision does not significantly alter the service provision or affect a strategic asset.

5.2.      The use of the special consultative procedure is not prescribed by legislation.

5.3.      The decision does not fall within the definition of Council’s policy on significance.

5.4.      There are no persons affected by this decision.

5.5.      Options to be considered by the Subcommittee will be which areas of internal audit should be proceeded with.

5.6.      The decision is not inconsistent with an existing policy or plan.

 

Recommendations

1.      That the Finance Audit and Risk Subcommittee receives and notes the Internal Audit Programme report and advises staff and the PricewaterhouseCoopers Auditor which areas of HBRC business require an internal audit review.

2.      The Finance Audit and Risk Sub-committee recommends that the Corporate and Strategic Committee:

2.1.      Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted policy on significance and that Council can exercise its discretion under Sections 79(1)(a) and 82(3) of the Local Government Act 2002 and make decisions on this issue without conferring directly with the community and persons likely to be affected by or to have an interest in the decision.

2.2.      Approves the schedule of Internal Audits to be carried out over the next 12 months as determined by the Subcommittee.

 

 

Paul Drury

Group Manager
Corporate Services

 

 

Attachment/s

1

Internal Audit Universe Table

 

 

  


Internal Audit Universe Table

Attachment 1

 

   


HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Tuesday 22 September 2015

Subject: Work Programme Going Forward

 

Reason for Report

1.      In order to ensure the sub-committee’s ability to effectively and efficiently fulfill its role and responsibilities, an overall suggested work programme for the remainder of 2015 is provided following.

4 November meeting

Follow-up on Health & Safety

Insurance programme (presentation by Council’s insurance brokers – Jardine, Lloyd Thompson)

Internal Audit report

Follow-up on HBRC Risk Management Framework

Proposed 2016 meeting schedule

 

Decision Making Process

2.      As this report is for information only and no decision is to be made, the decision making provisions of the Local Government Act 2002 do not apply.

 

Recommendation

1.      That the Finance, Audit and Risk Sub-committee receives and considers the “Work Programme Going Forward” report.

 

 

Paul Drury

Group Manager
Corporate Services

 

 

Attachment/s

There are no attachments for this report.    


HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

Tuesday 22 September 2015

Subject: Independent Representative on Finance Audit & Risk Sub-committee

That Council excludes the public from this section of the meeting, being Agenda Item 10 Independent Representative on Finance Audit & Risk Sub-committee with the general subject of the item to be considered while the public is excluded; the reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution being as follows:

 

GENERAL SUBJECT OF THE ITEM TO BE CONSIDERED

REASON FOR PASSING THIS RESOLUTION

GROUNDS UNDER SECTION 48(1) FOR THE PASSING OF THE RESOLUTION

Independent Representative on Finance Audit & Risk Sub-committee

7(2)(a) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to protect the privacy of natural persons.

7(2)(i) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to enable the local authority holding the information to carry out, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations).

The Council is specified, in the First Schedule to this Act, as a body to which the Act applies.

 

 

 

Liz Lambert

Chief Executive