Meeting of the Finance Audit & Risk Sub-committee
Date: Wednesday 18 May 2016
Time: 1.00 pm
Venue: Council Chamber, Hawke's Bay Regional Council, 159 Dalton Street, NAPIER
Agenda
Item Subject
1. Welcome/Notices/Apologies
2. Conflict of Interest Declarations
3. Confirmation of Minutes of the Finance Audit & Risk Sub-committee held on 11 February 2016
4. Matters Arising from Minutes of the Finance Audit & Risk Sub-committee held on 11 February 2016
5. Follow-ups from Previous Finance Audit & Risk Sub-committee meetings
Decision Items (Public Excluded)
12. Internal Audit Report – Cyber Security
13. Proposed Council Insurance Programme for 2016-17
Decision Items
6. Six Monthly Report on Risk Assessment and Management
7. Fraud Policy
Information or Performance Monitoring
8. Business Continuity and Disaster Recovery Plan Progress Update
9. HBRC Staff Conflict of Interest Policy
10. Infrastructure as a Service
11. 2016 Sub-committee Work Programme
Finance Audit & Risk Sub-committee
Wednesday 18 May 2016
SUBJECT: Follow-ups from Previous Finance Audit & Risk Sub-committee meetings
Reason for Report
1. In order to track items raised at previous meetings that require follow-up, a list of outstanding items is prepared for each meeting. All follow-up items indicate who is responsible for each, when it is expected to be completed and a brief status comment. Once the items have been completed and reported to the Committee they will be removed from the list.
Decision Making Process
2. Council is required to make every decision in accordance with the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded that, as this report is for information only and no decision is required, the decision making procedures set out in the Act do not apply.
1. That the Finance, Audit and Risk Sub-committee receives and notes the report “Follow-ups from Previous Finance Audit and Risk Sub-committee Meetings”.
Paul Drury, Group Manager Corporate Services
Liz Lambert, Chief Executive
Attachment 1: Follow-ups from Previous Finance, Audit & Risk Sub-committee Meetings
Follow-ups from Finance, Audit & Risk Sub-committee Meetings
11 February 2016
No. | Agenda Item | Follow-up / Request | Person Responsible | Status Comment
1 | Audit Management Letter for 2014-15 | HBRIC investment to be appropriately recorded at fair value each year, rather than on 3-yearly cycle | P Drury | Discussions are currently underway with Deloittes to undertake a desktop valuation as at 30 June 2016 which will provide an indication of how the value of the investment is tracking.
2 | Audit Management Letter for 2014-15 | Policy on how Elected Reps conflicts will be managed or mitigated to be developed and added to the Register of Interests; Policy on what must be declared on the Register of Interests to be developed; and both Policies to be incorporated into an updated Code of Conduct for Elected Representatives | L Lambert |
3 | Finance Audit & Risk Sub-committee Charter | Charter to be amended and then approved by Corporate & Strategic Committee | L Lambert / L Hooper | Charter updated and approved by C&S 17/2/16, with the inclusion of one additional amendment re reviewing Council activities
4 | Internal Audit – Business Continuity & Disaster Recovery Plan | Update to be provided to FA&R on progress and timelines to action PWC recommendations from BCP audit | P Drury | On May FA&R Subcommittee agenda
5 | Risk Management Policy & Framework | Update to be provided to FA&R on progress and timelines to action PWC recommendations, including: Strategy mapping exercise; Fraud risk; Health & Safety risks; Cyber security identification & assessment; Large projects risks; Procurement risk | L Lambert / M Adye | Cyber Security internal audit approved within current budgets, to be reported to 18May16 FA&R. Fraud Prevent Policy included on this agenda.
9 November 2015
No. | Agenda Item | Follow-up / Request | Person Responsible | Status Comment
6 | Follow-ups | Staff ‘Conflict of Interest’ policy review | L Lambert / V Moule | On May FA&R Subcommittee agenda.
7 | Council Insurance programme | Proposed 2016-17 Council insurance programme | P Drury | On May FA&R Subcommittee agenda. Paper on insurances attached to this agenda.
Subject: Six Monthly Report on Risk Assessment and Management
Reason for Report
1. To provide the Subcommittee with the six monthly review of the risks that Council is exposed to and the mitigation actions in place to manage Council’s risk profile.
Comment
2. At its meeting on 11 February 2016, the Subcommittee adopted the Hawke’s Bay Regional Council (HBRC) Risk Management Policy and HBRC Risk Management Framework. These documents drive the approach taken to risk assessment and management through the use of the “Quantate” model.
3. This model is updated every six months and all management staff are involved in reviewing the risks and mitigation actions in place for their area of the business.
4. The six monthly report is appended to this paper as Attachment 1. The main emphasis of this paper is the strategic risks for Council, and details are provided of the mitigation actions currently in place to control such risks. All other risks are shown for each management group within Council, with this assessment presented as a colour pictorial chart. Executive managers will be at this meeting to answer questions in relation to the risks within their area of Council’s business.
Decision Making Process
5. Council is required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements contained in Part 6 Sub Part 1 of the Act in relation to this item and have concluded the following:
5.1. The decision does not significantly alter the service provision or affect a strategic asset.
5.2. The use of the special consultative procedure is not prescribed by legislation.
5.3. The persons potentially affected by this decision are staff or persons in the community that rely on Council services.
5.4. Options for Council in regard to this paper are to defer or not consider risks that this Council is exposed to. This paper adopts the option of Council reviewing the risk profile.
5.5. The decision is not inconsistent with an existing policy or plan.
5.6. Given the nature and significance of the issue to be considered and decided, and also the persons likely to be affected by, or have an interest in the decisions made, Council can exercise its discretion and make a decision without consulting directly with the community or others having an interest in the decision.
1. That the Finance Audit and Risk Subcommittee:
1.1 Considers and receives the “HBRC Risk Assessment and Management Report”.
1.2 Advises staff of specific risks where it believes the current level of risk is unacceptable to Council, and requests that staff report back to the Subcommittee with options and associated resources required to modify the risk profile.
2. That the Finance Audit and Risk Subcommittee recommends to the Corporate and Strategic Committee that it:
2.1 Agrees the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and that Council can exercise its discretion and make decisions on this issue without conferring directly with the community.
2.2 Confirms the Subcommittee’s confidence that the risk assessment process outlined in the HBRC Risk Assessment and Management Report is an appropriate process to identify and assess organisational risks.
Mike Adye, Group Manager
Paul Drury, Group Manager
Liz Lambert, Chief Executive
Attachment 1: HBRC Risk Management Review April 2016
Subject: Fraud Policy
Reason for Report
1. To provide the Subcommittee with a copy of the Council’s adopted Fraud Policy, which has been put in place to protect the Council from the risk of fraud.
Comment
2. The Fraud Policy is appended to this paper as Attachment 1 – this was adopted by Council in July 2007. Since the time of adoption there have been no instances of fraud reported in respect to activities undertaken by Council elected members, staff and contractors etc.
3. The Audit Office regularly checks that Council has an effective fraud policy and that staff are aware of this policy. They also verify that frequent audits are carried out of Council’s activities in relation to the financial internal controls.
4. While the external audit does a high level check on these internal control areas on an annual basis, a more comprehensive audit has recently been undertaken by Pricewaterhouse Coopers which focussed on financial and internal controls. The last Pricewaterhouse Coopers audit covering these controls was reported to the Finance Audit and Risk Sub-committee at its meeting on 3 June 2015.
5. Staff attention has been drawn to this policy over the years since Council’s approval of the policy, and a copy of the policy is on Council’s intranet for ease of access by staff.
Decision Making Process
6. As this paper is for information only for the Subcommittee, the decision making process requirements of the Local Government Act 2002 do not apply.
1. That the Finance, Audit and Risk Subcommittee receives and notes the “Fraud Policy” report as reviewed and previously adopted by Council.
Paul Drury, Group Manager
Liz Lambert, Chief Executive
Attachment 1: Fraud Policy - March 2016
Subject: Business Continuity and Disaster Recovery Plan Progress Update
Reason for Report
1. To provide the Subcommittee with an update on progress being made in updating Council’s Business Continuity & Disaster Recovery Plan.
Comment
2. At its meeting on 11 February 2016 the Subcommittee received a presentation from Price Waterhouse Coopers (PWC) on their audit of the Council’s Business Continuity & Disaster Recovery Plan. The management recommendation provided as part of this audit acknowledged that the current Business Continuity & Disaster Recovery Plan needed to be updated and advised that management was in the process of developing a work plan to carry out this update.
3. A significant amount of work has been carried out to provide this update, and a number of Council staff have been involved in this process. Appended to this paper as Attachment 1 is a progress report which includes a list of the sections of the Business Continuity & Disaster Recovery Plan, together with details of the status of updating for each of these sections.
Decision Making Process
4. As this paper does not require a decision of the Sub-committee, the provisions of the Local Government Act 2002 (the Act) in relation to decision making do not apply.
1. That the Finance, Audit & Risk Sub-committee recommends that the Corporate & Strategic Committee receives the progress report on the updating of Council’s “Business Continuity & Disaster Recovery Plan”.
Paul Drury, Group Manager
Liz Lambert, Chief Executive
Attachment 1: Business Continuance Plan Review Progress Update
BUSINESS CONTINUANCE PLAN (BCP) REVIEW
PROGRESS UPDATE
From our PwC audit recommendations, the following work plan has been outlined and is being completed by Jolene Townshend – Contractor:
1. Review Business Continuance Plan (BCP) – In progress
Currently the BCP document is being updated to reflect any changes in the business.
This includes updating all 16 Appendices with the responsible owners.
2. Close off previous mitigations (from Sept 2013) and establish new mitigations, if any – Completed.
All mitigation tasks have been reviewed and updated and new mitigations added.
3. Review Essential Functions and Services - Completed.
What is considered to be the essential functions and services of the business has been reviewed by our Group Managers. The following is a reflection of our essential functions and services for HBRC:
Management Functions | Information Needs:
Pollution Response | Computer Services
Marine Oil Spill Response Team | Records Management / Access
Hydrology Flood Warning | Finance (Payroll)
Harbour Master Function | Telemetry
Duty Management | Digital Flood Prediction Computer Models
Emergency Coordination Centre (Group) & Emergency Operations Centre (HBRC) |
Asset Disaster Assessment | Resources
Manage Contractual Obligations | Vehicles / Generator
Coordinate Recovery incl HR & Health & Safety | Radio Communications
Communications & Web | Telecommunications
 | Accommodation
4. Review ICT Systems required to deliver essential functions and services – In progress
Each group is to review our current catalogue of ICT systems and identify which systems are required to continue operating essential functions and services during and following an “interruption”, and/or how long they could manage without them. Each group is also to identify what it would use as a back-up plan. This will allow ICT to establish a prioritised disaster recovery plan based on business needs.
5. Create simulation events – a schedule of exercises – In progress
Working with Group leaders to establish simulation exercises we could conduct to test staff and our BCP.
6. Create BCP Policy – In progress
We are creating an overarching policy that identifies the BCP, the role staff should take and also a list of potential simulations that could follow.
7. Communications and Training – Next Steps
Promote awareness through adding a button on our intranet homepage to ‘BCP page’ which has links to the plan and the policy and general information about BCP.
Ask Managers to engage with their staff to promote awareness.
Subject: HBRC Staff Conflict of Interest Policy
Reason for Report
1. The Conflict of Interest Staff Policy is attached to this agenda as Attachment 1. The policy is one of a suite of staff policies that have been prepared and regularly reviewed by the Executive.
2. The policy was reviewed in February 2016.
3. Should the Committee advise that it wishes to see additional matters covered by the policy, the Executive will review it accordingly and bring the policy back to the next sub-committee meeting.
Decision Making Process
4. As this paper does not require a decision of the Subcommittee, the provisions of the Local Government Act 2002 (the Act) in relation to decision making do not apply.
1. That the Finance, Audit and Risk Sub-committee receives and considers the “Conflicts of Interest Staff Policy” report.
Liz Lambert, Chief Executive
Attachment 1: Staff Conflict of Interest Policy
Subject: 2016 Sub-committee Work Programme
Reason for Report
1. In order to ensure the sub-committee’s ability to effectively and efficiently fulfill its role and responsibilities, an overall suggested work programme is provided below.
Task | Item | Scheduled / Status
Internal Audits | Processes, policies and procedures around stakeholder communications and relationship management (from risk register) | 2016-17 financial year
 | Fraud prevention and detection (from risk register) | 2016-17 financial year
 | Capturing and managing general and procurement related Conflicts of Interest | Staff policy to be presented at 18 May FA&R meeting; Interests Register for Executive staff initiated; Policy on how potential conflicts will be managed or mitigated being developed for addition to the Register of Interests for Elected Representatives alongside the Policy on what Elected Representatives must declare on the Register of Interests being developed
 | Cyber security, including future proofing IT systems and IT general computer systems control | Approved 17Feb16, to be reported back to FA&R 18May16
 | Rating system – processes involved in striking the rate | tbc
 | Health & Safety compliance with policies and procedures | tbc
 | Stakeholder relationship management and risks in relation to elected representatives, and how such an audit might be conducted | tbc
 | Staff development and succession planning | tbc
Risk Assessment & Management | Routine (6 monthly) reporting on risks to the FA&R Sub-committee | December FA&R meeting
 | Review previous 6-month Risk Assessment to note changes / improvements / areas that require attention | December FA&R meeting
 | Sub-committee carry out detailed review of individual Group’s Risk Management (as part of the programmed reviews of activities) | tbc
Insurance | Council’s proposed 2016-17 Insurance programme | FA&R 18May16
Annual Report | Adoption of Audit report 20 September for recommendation to Council | Auditor scheduled to attend September FA&R meeting
Decision Making Process
2. As this report is for information only and no decision is to be made, the decision making provisions of the Local Government Act 2002 do not apply.
1. That the Finance, Audit and Risk Sub-committee receives and notes the “Sub-committee Work Programme” report.
Paul Drury, Group Manager
Liz Lambert, Chief Executive
Subject: Internal Audit Report – Cyber Security
1. That the Sub-committee excludes the public from this section of the meeting, being Agenda Item 12 Internal Audit Report – Cyber Security with the general subject of the item to be considered while the public is excluded; the reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution being:
GENERAL SUBJECT OF THE ITEM TO BE CONSIDERED: Internal Audit Report – Cyber Security
REASON FOR PASSING THIS RESOLUTION:
7(2)(b)(i) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to ensure a trade secret is not disclosed.
7(2)(j) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.
GROUNDS UNDER SECTION 48(1) FOR THE PASSING OF THE RESOLUTION: The Council is specified, in the First Schedule to this Act, as a body to which the Act applies.
2. That John Dixon and Sophie Hay from Pricewaterhouse Coopers attend the public excluded part of the meeting to present their audit report on Cyber Security.
Paul Drury, Group Manager
Liz Lambert, Chief Executive
Subject: Proposed Council Insurance Programme for 2016-17
1. That the Sub-committee excludes the public from this section of the meeting, being Agenda Item 13 Proposed Council Insurance Programme for 2016-17 with the general subject of the item to be considered while the public is excluded; the reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution being:
GENERAL SUBJECT OF THE ITEM TO BE CONSIDERED: Proposed Council Insurance Programme for 2016-17
REASON FOR PASSING THIS RESOLUTION:
7(2)(i) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to enable the local authority holding the information to carry out, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations).
GROUNDS UNDER SECTION 48(1) FOR THE PASSING OF THE RESOLUTION: The Council is specified, in the First Schedule to this Act, as a body to which the Act applies.
2. That Matthew Meachen from Jardine Lloyd Thompson attends the public excluded section of this meeting to present his paper on insurance matters.
Trudy Kilkolly, Financial Accountant
Mike Adye, Group Manager
Paul Drury, Group Manager
Liz Lambert, Chief Executive