Meeting of the Finance Audit & Risk Sub-committee
Date: Wednesday 11 November 2020
Time: 9.00am
Venue: Council Chamber, Hawke's Bay Regional Council, 159 Dalton Street, Napier
Agenda
1. Welcome/Notices/Apologies
2. Conflict of Interest Declarations
3. Confirmation of Minutes of the Finance Audit & Risk Sub-committee held on 12 August 2020
4. Risk Maturity Roadmap
5. HBRC Covid-19 Response Review Report
6. Internal Audit Work Programme Update
7. Verbal FUSE Project Update
8. Sub-committee Work Programme November 2020 Update
10. 2019-20 Annual Treasury Report (late item to come)
11. Q1 2020-21 (1 July - 30 September 2020) Treasury Report (late item to come)
Public Excluded
9. Section 17a Review of the HBRC Works Group
Finance Audit & Risk Sub-committee
Wednesday 11 November 2020
Subject: Risk Maturity Roadmap
Reason for Report
1. This item and accompanying bowtie analysis demonstration presentation updates the Sub-committee on the Regional Council’s implementation of the risk maturity roadmap activities.
Officers’ Recommendations
2. Council Officers recommend that the Sub-committee notes:
2.1. the risk maturity progress as being on track
2.2. the bowtie analysis as being an appropriate tool providing clarity on the scope of each enterprise risk, that will enable Council to set the risk appetite by mid-2021
2.3. the bowtie analysis as being a useful tool to strengthen visibility of the Regional Council’s control environment to better protect against material operational incidents, and
2.4. how bowtie analysis expands the visibility of critical controls enabling better ELT oversight and improved assurance to Council that operational risks and operational decisions are managed within the Council’s risk appetite.
Background
3. At the Corporate and Strategic Committee meeting held on 10 June 2020 the Committee endorsed a risk maturity roadmap for the Regional Council. At that meeting it was agreed that the Finance, Audit and Risk Sub-committee (FARS) would oversee progress of the risk maturity roadmap to ensure that the evolving risk management system was on track and providing value to the organisation. This paper and accompanying presentation therefore provide the FARS with oversight and details of progress to date.
Discussion
4. The Regional Council’s risk maturity roadmap has targeted mid-2021 for the development of the Regional Council’s risk appetite statement. The risk appetite statement will set out the Council’s willingness to accept risk, and its tolerance levels, across its key risk areas. The levels of acceptable risk will inform management of the extent to which activities can be undertaken in order to manage outcomes and execute the strategy and strategic objectives.
5. Central to setting of the risk appetite is ensuring that key enterprise risks are identified and that the scope of each of those enterprise risks is clear. The scope of the enterprise risks includes identifying the:
5.1. main risk event
5.2. risk causes
5.3. risk exclusions
5.4. risk impacts, and
5.5. critical controls.
6. There are a few risk methods available to synthesise risk to ensure the full scope of the risk is clear and well understood. Within the Regional Council’s risk management framework that was endorsed by the FARS at the 12 August 2020 meeting the preferred methodology is noted as bowtie analysis.
7. The FARS members asked that, for the 11 November 2020 risk maturity update, staff provide a demonstration of a bowtie in motion. The objective of the session is to validate how applying the bowtie methodology will better protect the organisation against material risk incidents, and how Council will gain a greater level of assurance that risks are being managed within its approved risk appetite.
8. After reviewing the Regional Council’s current 13 enterprise risks it was agreed with management that enterprise risk 12, Asset and Infrastructure, be used to demonstrate the bowtie analysis to the FARS. The asset and infrastructure risk was identified as a good candidate because it has both an operational and a strategic risk component. Operationally, assets and infrastructure must be maintained to ensure that their lifecycle is optimised. Strategically, climate change is testing the relevance of historical strategic assumptions in today’s disrupted world. In addition, unlike other enterprise risks, the asset and infrastructure risk has not in recent years been subject to a section 17a review or to a review following a material incident. Therefore, any areas for improvement identified through the bowtie analysis can be used in real time by the Regional Council to prioritise asset and infrastructure initiatives.
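As an added illustration of the bowtie structure described in paragraphs 5 to 8 (example code written for this page, not the Regional Council’s own bowtie for enterprise risk 12 or any tool HBRC uses), the Python below models a bowtie as a risk event with causes on the left, impacts on the right, explicit exclusions, and controls attached to one pathway each. It then runs the checks a reviewer would want from a completed bowtie: pathways with no barrier, pathways that depend on a single barrier, controls whose target matches nothing on the diagram, and the roll-up of critical controls. The asset and infrastructure content is constructed for the example; the mis-spelled control target is deliberate, to show the orphan check catching it.

```python
"""Bowtie model with control-coverage checks (added example; not HBRC's bowtie)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    side: str         # "prevent": barrier on a cause (left of the knot); "mitigate": barrier on an impact (right)
    target: str       # the cause or impact this control is a barrier for
    critical: bool = False  # flagged by the risk owner as one the organisation relies on


@dataclass
class Bowtie:
    risk_event: str         # the knot: the main risk event
    causes: list[str]       # threats on the left of the knot
    impacts: list[str]      # consequences on the right of the knot
    exclusions: list[str]   # explicitly out of scope (handled under another enterprise risk)
    controls: list[Control]

    def barriers(self, side: str, target: str) -> list[Control]:
        return [c for c in self.controls if c.side == side and c.target == target]

    def gaps(self) -> dict[str, list[str]]:
        """Causes with no preventive barrier and impacts with no mitigating barrier."""
        return {
            "causes": [c for c in self.causes if not self.barriers("prevent", c)],
            "impacts": [i for i in self.impacts if not self.barriers("mitigate", i)],
        }

    def single_barriers(self) -> list[tuple[str, str]]:
        """Pathways protected by exactly one control; that control is critical by construction."""
        found = []
        for side, items in (("prevent", self.causes), ("mitigate", self.impacts)):
            for item in items:
                b = self.barriers(side, item)
                if len(b) == 1:
                    found.append((item, b[0].name))
        return found

    def orphan_controls(self) -> list[str]:
        """Controls whose target matches no listed cause or impact (a typo, or a control outside the risk's scope)."""
        known = set(self.causes) | set(self.impacts)
        return [c.name for c in self.controls if c.target not in known]

    def critical_controls(self) -> list[str]:
        return sorted({c.name for c in self.controls if c.critical})


def asset_bowtie() -> Bowtie:
    # Constructed illustration only; not the Regional Council's enterprise risk 12 bowtie.
    return Bowtie(
        risk_event="Critical asset fails in service",
        causes=[
            "Deferred maintenance",
            "Design assumptions outdated by climate change",
            "Contractor error during works",
        ],
        impacts=["Loss of service to community", "Unbudgeted repair cost", "Harm to people"],
        exclusions=["Outage caused by a cyber attack (covered by the cyber security enterprise risk)"],
        controls=[
            Control("Condition-based maintenance programme", "prevent", "Deferred maintenance", critical=True),
            Control("Annual asset condition inspection", "prevent", "Deferred maintenance"),
            Control("Periodic review of design standards against climate projections", "prevent",
                    "Design assumptions outdated by climate change", critical=True),
            Control("Contractor induction and site supervision", "prevent", "Contractor error during works"),
            Control("Business continuity plan for the affected service", "mitigate",
                    "Loss of service to community", critical=True),
            Control("Insurance and contingency reserve", "mitigate", "Unbudgeted repair cost"),
            # Deliberate mis-spelling of the target: this control attaches to nothing on the diagram.
            Control("Emergency response procedure", "mitigate", "Harm to peopel"),
        ],
    )


def review(bowtie: Bowtie) -> dict:
    """Everything a reviewer would want from a completed bowtie, in one structure."""
    return {
        "gaps": bowtie.gaps(),
        "single_barriers": bowtie.single_barriers(),
        "orphan_controls": bowtie.orphan_controls(),
        "critical_controls": bowtie.critical_controls(),
    }


if __name__ == "__main__":
    for key, value in review(asset_bowtie()).items():
        print(f"{key}: {value}")
```

The single-barrier check is the practical link to recommendation 2.4: a cause or impact with only one barrier makes that barrier critical whether or not anyone has labelled it so, and that list is the one ELT would want when deciding which controls need assurance first.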
Strategic Fit
9. Maturity of HBRC’s risk management system contributes towards achieving all strategic goals/vision by protecting the organisation. A mature risk system provides consistent risk intelligent decision making enabling the efficient prioritisation of finite organisational resources to deliver on strategy.
Financial and Resource Implications
10. Maturity of the risk management system is phased to minimise budgetary implications. Some facilitated workshops will be required to establish the risk appetite with Council.
Next Steps
11. Continue progressively applying the bowtie methodology to each enterprise risk through a series of workshops with the business. As a bowtie is completed for an enterprise risk the enterprise risk report ‘one-pager’ for that enterprise risk will be updated to capture the revised risk scope.
Decision Making Process
12. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
12.1. The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.
12.2. The use of the special consultative procedure is not prescribed by legislation.
12.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.
12.4. The decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
12.4.1. Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the council’s significant risks in place
12.4.2. Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks
12.4.3. report on the robustness of risk management systems, processes and practices to the Corporate and Strategic Committee to fulfil its responsibilities.
That the Finance, Audit and Risk Sub-committee:
1. Receives and considers the “Risk Maturity Roadmap” staff report and accompanying presentation.
2. Confirms that management actions undertaken and planned for the future adequately respond to the risk maturity roadmap that was approved by the Corporate and Strategic Committee at the June 2020 meeting.
3. Confirms that the bowtie analysis is an appropriate tool to drive risk maturity as defined by the risk maturity roadmap.

Authored by: Helen Marsden, Risk and Assurance Lead
Approved by: Jessica Ellerm, Group Manager Corporate Services
Finance Audit & Risk Sub-committee
Wednesday 11 November 2020
Subject: HBRC Covid-19 Response Review Report
Reason for Report
1. This item provides the learnings and findings of the internal review of the Regional Council’s organisational response to the Covid-19 pandemic.
2. When an organisation has operated under business continuity arrangements it is deemed good practice to review the response. The review’s purpose is to identify learnings and areas for improvement that better prepare the organisation to respond to similar, or other, disruptive events in the future.
Officers’ Recommendation
3. Council officers recommend that Finance Audit and Risk Sub-Committee (FARS) members consider and note the attached ‘HBRC Covid19 response debrief and learnings’ report and note the extended timeframe likely to be required to enhance the Regional Council’s continuity suite of documents.
Executive Summary
4. Overall, the report notes that the Regional Council’s response to the Covid-19 alert level three and alert level four lockdown was commendable. No material issues were identified for immediate corrective action. A highlight of the response was staff feedback that rated the Regional Council’s internal response 8.49 out of 10, on a scale of 1 being poor and 10 being excellent.
Background
5. In December 2019 an outbreak of Coronavirus disease (Covid19) was detected in Wuhan, China. The virus rapidly spread across the globe. On 11 March 2020 the World Health Organisation (WHO) declared a global pandemic. Shortly after this declaration, on 19 March 2020, the NZ government began implementing a series of actions in response to the global pandemic declaration.
6. Actions by the NZ government included implementing a four-tiered pandemic alert system. Each alert level requires a different series of actions to be taken by the public and by business. Except for staff that undertake essential services, at alert level three and four an organisation is required to send staff home and operate remotely. Therefore, at alert level three and four many organisations operated under business continuity arrangements, as was the case for the Regional Council.
7. When an organisation operates under business continuity arrangements it is deemed good practice to review the effectiveness of the response. The objective of a review is to identify improvement opportunities to ready the continuity plans to respond to future events more efficiently.
Discussion
8. The report was split into five key themes, being:
8.1. continuity documents (business continuity plan (BCP), pandemic plans, disaster recovery plans)
8.2. communication (internal and external)
8.3. technology
8.4. health, safety and wellbeing, and
8.5. work distribution.
9. A ‘low’ priority rating that primarily related to formalising documentation was given to the following three themes:
9.1. communication (internal and external)
9.2. technology, and
9.3. health, safety and wellbeing
10. While a ‘medium’ priority rating was given to:
10.1. continuity documents (BCP, pandemic plans, disaster recovery plans), and
10.2. work distribution.
11. The medium finding within the continuity documents theme (7.1) relates to the Regional Council’s pandemic safety plan not being explicitly linked to the Council’s continuity suite of documents for use when responding to future pandemics. The review did note, however, that the pandemic-specific health and safety processes put in place for the Covid-19 response were progressively recorded in the pandemic safety plan as they were implemented. In addition, while not specific to a pandemic response, the review highlighted that the various continuity documents did not always integrate with each other. For example, the maximum tolerable downtime (MTD) of the critical processes identified in the BCPs does not necessarily inform the restoration order and prioritisation of systems and applications in the disaster recovery plan.
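The integration point in paragraph 11 can be expressed as a check. The Python below is an added example written for this page, not the Council’s BCP or disaster recovery plan: it takes the critical processes from a business continuity plan with their maximum tolerable downtime (MTD) and the systems each depends on, derives the tightest MTD every system inherits, and compares that against the recovery time objective (RTO) for each system in the DR plan. It reports systems missing from the DR plan, systems whose planned RTO exceeds what the business can tolerate, and the restoration order implied by the BCP. The process names, systems and hours are constructed sample data.

```python
"""BCP-to-DR consistency check (added example; constructed data, not the Council's plans)."""
from __future__ import annotations


def derive_system_targets(processes: dict[str, dict]) -> dict[str, int]:
    """Tightest maximum tolerable downtime (hours) each system inherits from the processes that depend on it."""
    targets: dict[str, int] = {}
    for proc in processes.values():
        for system in proc["systems"]:
            targets[system] = min(targets.get(system, proc["mtd_hours"]), proc["mtd_hours"])
    return targets


def check_dr_plan(processes: dict[str, dict], dr_plan: dict[str, int]) -> dict:
    """Compare DR recovery time objectives against the downtime the BCP says the business can tolerate.

    Returns systems the DR plan does not cover, systems whose RTO exceeds the inherited MTD
    (as (system, rto_hours, mtd_hours) tuples), and the restoration order the BCP implies.
    """
    targets = derive_system_targets(processes)
    missing = sorted(s for s in targets if s not in dr_plan)
    breaches = sorted(
        (s, dr_plan[s], targets[s]) for s in targets if s in dr_plan and dr_plan[s] > targets[s]
    )
    order = sorted(targets, key=lambda s: (targets[s], s))
    return {"missing": missing, "breaches": breaches, "order": order}


def sample_processes() -> dict[str, dict]:
    # Constructed BCP extract: critical process -> MTD in hours and the systems it needs.
    return {
        "Flood warning": {"mtd_hours": 4, "systems": ["Telemetry", "Website"]},
        "Emergency coordination support": {"mtd_hours": 8, "systems": ["Email", "Document management"]},
        "Payroll": {"mtd_hours": 72, "systems": ["HR system", "Finance system"]},
        "Consents processing": {"mtd_hours": 120, "systems": ["Consents database", "Document management"]},
    }


def sample_dr_plan() -> dict[str, int]:
    # Constructed DR plan extract: system -> RTO in hours, written without reference to the BCP.
    return {
        "Email": 4,
        "Website": 24,
        "Document management": 48,
        "HR system": 24,
        "Finance system": 24,
        "Consents database": 96,
    }


if __name__ == "__main__":
    findings = check_dr_plan(sample_processes(), sample_dr_plan())
    print("Systems missing from the DR plan:", findings["missing"])
    for system, rto, mtd in findings["breaches"]:
        print(f"RTO breach: {system} planned RTO {rto}h exceeds tolerated downtime {mtd}h")
    print("Restoration order implied by the BCP:", findings["order"])
```

The sample shows the two failure modes the review describes: a system the BCP depends on that the DR plan does not mention at all, and shared systems (document management here) whose RTO was set for the least urgent process rather than the most urgent one. The same comparison applies to recovery point objectives against the data-loss tolerance stated in the BCP.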
12. The medium finding for work distribution (7.2) primarily related to tension between the Regional Council’s need to contribute staff to run the Civil Defence Emergency Management (CDEM) Group Emergency Coordination Centre (GECC) and the Council’s requirement to deliver its own business processes. Robust and documented guidelines did exist and effectively directed staff to their primary activity, but the rostering system supporting this appears to have been less effective. The Covid-19 pandemic was a slow-moving, long-burn event, with lockdown extending over a period of nearly two months, which may also have been a contributing factor: many other disruptive events are sudden, one-off and hard-hitting. Because of the slow but sustained nature of the pandemic, there was an expectation that the Council’s business processes would extend beyond sustaining only those deemed critical.
13. Specific details relating to each finding can be found under section two ‘Detailed Observations’ in the attached full Covid19 response debrief and learnings report.
14. The approach to obtain necessary information to undertake the BCP review included: an organisational wide staff survey, a facilitated workshop with organisational leaders using outputs from the staff survey, other key stakeholder insights, and a desktop review of relevant documentation such as the Regional Council’s BCP, pandemic plan and response team structure.
15. The scope of the review specifically excluded the Hawke’s Bay CDEM response. It did, however, include Hawke’s Bay CDEM requests for Regional Council staff time to staff the Group Emergency Coordination Centre. The scope also excluded the additional business activities required under alert levels one and two; those additional practices were not deemed extensive and did not require the Regional Council to respond under BCP arrangements.
Financial and Resource Implications
16. Remediation of the findings relating to the continuity documents, including enhancing the BCP so that the whole continuity suite of documents integrates, will take either extended time or additional resource. To spread the cost of remediation it is suggested that these documents be refreshed and integrated over a period of two years.
Decision Making Process
17. Council and its Committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
17.1. The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.
17.2. The use of the special consultative procedure is not prescribed by legislation.
17.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.
17.4. The decision is in accordance with the Finance, Audit and Risk Sub-committee Terms of Reference, specifically to report to the Corporate and Strategic Committee to fulfil its responsibilities for:
17.4.1. receiving the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s).
17.4.2. undertaking systematic reviews of Council operational activities against Council stated performance criteria to determine efficiency/effectiveness of delivery of Council services.
17.4.3. ensuring that recommendations in audit management reports are considered and, if appropriate, actioned by management.
That the Finance, Audit and Risk Sub-committee:
1. Receives and considers the “HBRC Covid-19 Response Debrief and Learnings Report”.
2. Notes the extended timeframe required to enhance the Regional Council’s suite of business continuity and recovery documents.
3. Agrees support for the improvements proposed by staff.

Authored by: Helen Marsden, Risk and Assurance Lead
Approved by: Jessica Ellerm, Group Manager Corporate Services; James Palmer, Chief Executive

Attachment 1: HBRC Covid-19 Response Debrief Report
Finance Audit & Risk Sub-committee
Wednesday 11 November 2020
Subject: Internal Audit Work Programme Update
Reason for Report
1. This item updates the Finance Audit and Risk Sub-committee (FARS) on the internal audit work programme, and seeks feedback from the Sub-committee on any changes to the newly formatted internal audit programme update dashboards.
Officers’ Recommendation
2. Council officers recommend that Finance Audit and Risk Sub-Committee (FARS) members consider and note the internal audit updates and the newly formatted internal audit programme update dashboards.
Executive Summary
3. As part of the Regional Council’s risk maturity work, improvements to internal audit reporting to the FARS were considered with an emphasis on:
3.1. tracking of corrective actions for previously reported internal audit findings, and
3.2. tracking on the progress of the FARS approved annual internal audit programme
4. Two internal audit dashboards are attached to this paper. These dashboards are populated with current data to provide an update to the FARS on:
4.1. the status of annual internal audit programme that was approved by the FARS at the August 2020 Sub-committee meeting (dashboard 1), and
4.2. corrective action progress for internal audits findings that have been previously reported to the FARS (dashboard 2).
Discussion
5. Reporting to the FARS on the Regional Council’s internal assurance programme consists of four components:
5.1. tracking of the annual internal audit programme approved by the FARS
5.2. reporting to the FARS any completed internal audits that formed part of the approved annual internal audit programme
5.3. tracking progress of agreed management corrective actions from internal audit findings previously reported to the FARS, and
5.4. continuous audit monitoring, which complements the above with regular updates from staff and project managers on changes that are being, or have been, implemented through transformational projects (e.g. FUSE, HRIS, AMIS) or through process or structural changes, to confirm that the change has been embraced, adopted and utilised.
6. As part of the Regional Councils risk maturity, risk and internal audit reporting to the FARS was reviewed. Improvements to the risk report were provided to the FARS at the August 2020 meeting. For the November 2020 meeting the focus has been to improve internal audit reporting to the FARS with an emphasis on:
6.1. tracking of progress on the FARS approved annual internal audit programme, and
6.2. corrective action progress of previously reported internal audit findings
7. Benefits of the newly formatted corrective actions dashboard, referred to as the ‘Issues and Actions’ dashboard, include:
7.1. for material audit findings where corrective actions span an extended period, the dashboard gives visibility that full remediation is on track by making key interim milestone actions prominent.
7.2. action owners are assigned responsibility for updating their own corrective actions in the dashboard each reporting period, improving the Risk and Assurance function’s oversight of corrective action progress for audit findings and improving the visibility of that progress to the FARS.
7.3. through improved oversight, early indications that corrective actions are falling behind can be managed proactively through risk-based decisions to reprioritise resourcing.
7.4. as the risk system matures, the issues and actions tracking dashboard can easily be expanded to incorporate critical control remediation arising from risk and control assessments or other reviews reported to the FARS.
8. Tracking the progress of the FARS-approved annual internal audit programme through a dashboard provides improved visibility of the programme’s status, so that, when appropriate, the FARS can modify the programme as the year progresses to respond to emerging risks.
Internal Audit 2020-2021 Work Programme Status Update (dashboard 1)
9. At the FARS meeting in August 2020 the annual internal audit programme was approved. A status update on the progress of the approved programme is outlined in the attached dashboard 1. The dashboard notes that the commencement date of the People, Retention, Recruitment and Wellbeing review is yet to be confirmed, as it was on hold pending the commencement of the People and Capability Manager.
Internal Audit Issues and Actions Tracking (dashboard 2)
10. The attached issues and actions tracking dashboard 2 provides a status update on audits previously reported to the FARS that have open audit findings with corrective actions in progress. The dashboard includes action updates for the following audits:
10.1. Risk Management Maturity – original audit report dated June 2020
10.2. Procurement and Contract Management – original audit report dated May 2018
10.3. Health and Safety – original audit report dated September 2018, and
10.4. Cyber Security – original audit report dated August 2019
Financial and Resource Implications
11. There are no financial implications or additional resource requirements resulting from this internal audit programme update.
Decision Making Process
12. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
12.1. The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.
12.2. The use of the special consultative procedure is not prescribed by legislation.
12.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.
12.4. The decision is in accordance with the Finance, Audit and Risk Sub-committee Terms of Reference, specifically to report to the Corporate and Strategic Committee to fulfil its responsibilities for:
12.4.1. receiving the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s).
12.4.2. Ensuring that recommendations in audit management reports are considered and, if appropriate, actioned by management.
12.5. Given the nature and significance of the issue to be considered and decided, and also the persons likely to be affected by, or have an interest in the decisions made, Council can exercise its discretion and make a decision without consulting directly with the community or others having an interest in the decision.
That the Finance, Audit and Risk Sub-committee:
1. Receives and notes the ‘Internal Audit Work Programme Update’ staff report and accompanying dashboards.
2. Confirms that management actions undertaken or planned for the future adequately respond to the findings and recommendations of the internal audits.
3. Confirms that the dashboard reports provide adequate information on the progress of corrective actions and the progress of the approved annual internal audit programme.

Authored by: Helen Marsden, Risk and Assurance Lead
Approved by: Jessica Ellerm, Group Manager Corporate Services

Attachment 1: Internal Audit Work Programme Status Update Dashboard
Attachment 2: Internal Audit Issues and Actions Tracking Dashboard
Attachment 1: Internal Audit Work Programme Status Update Dashboard

Internal Audit Work Programme Status Update (approved programme)

| Audit | Provider | Quarter due | Date commenced | Management comments | Reported to FARS |
|---|---|---|---|---|---|
| Data Analytics | Crowe | Q3 20-21 | Not started | | |
| People, Recruitment, Retention & Wellbeing | Crowe | TBC, pending commencement of the People & Capability Manager | Not started | | |
| Retained Audit Capacity (40 hours) | Crowe | | | | |
Attachment 2: Internal Audit Issues and Actions Tracking Dashboard

Internal Audit – Risk Management Maturity – June 2020

| Finding / theme | Priority | Action and owner | Due date | Milestone achieved | Milestone | Tracking status |
|---|---|---|---|---|---|---|
| Risk, Governance, Policy and Accountabilities: improve risk and assurance challenge, with clearer risk escalation. | Not stated | Develop a risk management policy and framework that includes roles and responsibilities. Risk & Assurance Lead | September 2020 | Council approved a single Regional Council risk management policy and framework. | | Closed |
| Leadership and Direction: improve linkage of risk-informed decision making to strategy; improve clarity of boundaries for decision making. | Not stated | Develop a comprehensive risk appetite statement that defines tolerance levels for individual enterprise risks. ELT | March 2021 | Redefined the Regional Council’s enterprise risk context against the new risk policy and framework. | Complete bowties for six enterprise risks and update the FARS risk report one-pagers accordingly. | At risk: borders may limit access to the trainer/facilitator. Viability of Zoom versus delay will be analysed. |
| Leadership and Direction: risk system continuous improvement. | Not stated | Incorporate a risk vision into the risk policy and framework. Tailor the Council’s risk policy and framework to align with the strategy. Develop a risk maturity roadmap to execute the risk vision. Risk & Assurance Lead | September 2020 | Council-approved risk policy includes a risk vision that aligns with the C&S-approved risk maturity roadmap, and the risk policy and framework are tailored to HBRC’s strategy. | | Closed |
| | Not stated | Develop a competency framework to upskill staff on risk and embed the risk policy. Communicate and train business units on the risk policy and framework. Provide targeted training to specialist risk roles, e.g. risk champions. ELT and Risk & Assurance Lead | October 2021 | | In conjunction with Group Managers, identify a Risk Champion in each Group. | On track |
| Processes and Tools: for risk assessment and mitigation. | Not stated | Through a single risk management policy and framework, ensure that clear risk and control identification and assessment criteria exist. Risk & Assurance Lead | September 2020 | Council-approved risk framework includes criteria for risk and control identification and assessment, with recommended tools. | | Closed |
| Processes and Tools: for assurance. | Not stated | Develop a formal assurance framework based on the ‘three lines of defence’ model. The framework should ensure assurance targets critical council functions and activities using a risk-based approach. Risk & Assurance Lead | July 2021 | | Develop a Regional Council assurance framework for Council adoption and approval. Develop a targeted approach to implementation, subject to framework approval. | On track |
| Processes and Tools: for risk monitoring and reporting. | Not stated | Reformatted risk reporting to enhance visibility can be developed once the risk policy and framework are approved by Council. Risk reporting will be subject to continuous improvement as the risk system matures, e.g. the incorporation of key risk/control indicator trend reporting. Risk & Assurance Lead | September 2021 | Frequency and minimum criteria for risk reporting incorporated into the risk management policy and framework. Phase one ‘new look’ risk report presented to the FARS for endorsement. | Update risk reporting to reflect insights from risk bowties as these are completed. | On track |
| Business Performance: strategic risk management. | Not stated | Strategic planning cycle to include a review of enterprise risks to better link and integrate the risk register and LTP. Risk & Assurance Lead and Strategy and Governance Manager | September 2021 | | Complete bowties for six enterprise risks and update the FARS risk report one-pagers accordingly. | On track |
| Business Performance: managing risk in partnerships. | Not stated | Develop risk and performance monitoring of key third parties, ensuring contingency planning is included. Risk & Assurance Lead | December 2020 | | Complete bowtie analysis for the third-party risk. In the risk workshop identify the top 20 highest-risk third parties. | At risk: this enterprise risk is not prioritised for a bowtie before Christmas. |
| Business Performance: business resilience; ensure continuity planning is sufficient to cover HILP events. | Not stated | Develop a process to assess disruptive and extreme events (high-impact, low-probability ‘HILP’ events). Risk & Assurance Lead | December 2021 | | Develop a roadmap to enhance continuity plans, including business impact risk assessments based on HILP events. Stress test on a ‘denial’ premise. | On track |
| Business Performance: change and transformation. | Not stated | Develop a change management framework to ensure a portfolio view of risks related to significant change is managed. Marketing & Communications Manager | September 2021 | | Recruit a fixed-term Change Management resource to focus on corporate maturity/readiness, who can develop a change management framework and strategy while managing current change projects. It is expected the role will transition to a permanent position through the LTP. | On track |
Internal Audit – Procurement & Contract Management – May 2018

| Finding / theme | Priority | Action and owner | Due date | Milestone achieved | Milestone | Tracking status |
|---|---|---|---|---|---|---|
| Lack of evidence for procurement decisions. | High | Procurement plan template designed based on MBIE/NZTA best-practice guidelines and implemented. Procurement Lead | Sept 2020 | Completed as part of amendments to the procurement manual, approved by Council Sept 2020. | | Closed |
| Lack of contract evaluation. | Medium | Policy and manual updated; evaluation criteria included in selection and post-contract performance evaluation. Procurement Lead | Sept 2020 | Policy and manual amendments approved by Council Sept 2020. Completed. | | Closed |
Internal Audit – Health and Safety – Sept 2018

| Finding / theme | Priority | Action and owner | Due date | Milestone achieved | Milestone | Tracking status |
|---|---|---|---|---|---|---|
| Improve indicator risk control reporting. | High | Bowtie analysis for identified critical risks to ensure a hierarchy of controls and to enhance lead indicators. Senior Health, Safety & Wellbeing Advisor and Risk & Assurance Lead | March 2021 | Draft bowtie created. | Finalise bowtie with critical controls. | On track |
| Update of Health and Safety Manual. | Medium | Review the manual. Senior Health, Safety & Wellbeing Advisor | October 2020 | Health and Safety Manual in final draft. | Health and Safety Manual scheduled for Executive Leadership Team final sign-off. | On track |
| Move towards lead indicators. | Medium | Health and Safety Manual to include lead indicators. Senior Health, Safety & Wellbeing Advisor | June 2021 | Lead/lag narrative included in the Health and Safety Manual update. Lead indicators identified. | Reporting on lag/lead indicators as part of ELT dashboard reporting. | On track |
| Improve incident reporting detail to include root cause analysis (5 Whys). | High | Update the incident reporting form to include root cause analysis (5 Whys). Senior Health, Safety & Wellbeing Advisor | June 2021 | Update to the incident form under way to include 5 Whys. | Finalise the update and improvement to incident reporting across the organisation. | On track |
| Increased reporting to ELT. | High | Create a dashboard report for health and safety reporting. Senior Health, Safety & Wellbeing Advisor | March 2021 | Improved draft dashboard created for ELT. | Dashboard delivered to ELT and Council. | On track |
| Increased visibility of health and safety activity by ELT. | High | ELT representative attends the quarterly Health and Safety Committee meeting. Senior Health, Safety & Wellbeing Advisor | March 2021 | Regular and minuted ELT attendance at quarterly meetings. | Continued attendance of ELT at quarterly meetings. | On track |
| Improvement in contractor inductions. | Medium | Review the induction process for contractors and service providers. Senior Health, Safety & Wellbeing Advisor | September 2020 | High-risk contractors identified for site observation visits overseen by the Senior Health, Safety & Wellbeing Advisor. | Review of the induction process via survey developed and delivered, and corrective outcomes identified. | Behind: the initial indication was a continuous-improvement item only. However, remediation is wider and is now linked to the action below, due 08/21. |
| Improvement in contractor engagement process. | Medium | A full review of contractor inductions across all risks. Senior Health, Safety & Wellbeing Advisor | August 2021 | Initial discussions with the Procurement Team initiated regarding the wider project. | Develop a contractor management audit programme. | On track |
Internal Audit – Cyber Security – August 2019
Finding / Theme | Priority | Action and Owner | Due Date | Milestone Achieved | Milestone | Tracking Status
Asset management – Software & application inventory – IT oversight and value as a service. | High | Automate as many software updates as possible. Chief Information Officer | Sept 2020 | Software updates now automated. | | Closed
As above | High | Update and review software list annually. Chief Information Officer | Sept 2020 | 2020 Annual Review completed | | Closed
Asset management – Software & application inventory – Legacy Systems. | High | Develop an architecture strategy that considers long term phased replacement of legacy systems, including documenting the legacy software components and systems. Chief Information Officer | December 2021 – if funding request accepted | Catalogued legacy systems. Reviewed ICT roles to ensure legacy system support. | Requested resourcing in LTP to develop enterprise architecture and IT Strategy. Requested resourcing in LTP for projects to modernise remaining legacy systems. | On track. Note the action is defining the strategy – implementation for legacy systems will take over 10 years with current resourcing
Asset management – Software & application inventory – Inventory | High | Reviewed and documented all software used at HBRC. Chief Information Officer | Oct 2019 | Documented software inventory reviewed. | | Closed
Asset management – Software & application inventory – Legacy Systems. | High | High-level documentation of software components. Chief Information Officer | Dec 2019 | High level documentation complete. | | Closed
As above. | High | Review software versions in use and compare to latest available. Chief Information Officer | Mar 2020 | Implemented a system to capture all software and versions. | IT Support team are reviewing the list of active software and updating old versions, starting with areas of highest risk. | Behind
As above. | High | Finance System Replacement. Chief Information Officer | June 2021 | Completed Enterprise Budgeting. | Payroll planned to go live 1/4/21. | On track
Access Control – Principle of least privilege – Periodic Review. | High | Perform an annual review of access to HR and Regulatory systems (adding this to the current AuditNZ reviews of core and finance systems). Chief Information Officer | Sept 2019 | | Review access of HR and Regulatory systems. Request for new HR system in LTP. This would include HR access review. | Behind
Access Control – Principle of least privilege – Enforce the principle of least privilege. | High | Reviewed and reduced domain administrator access. Chief Information Officer | Oct 2019 | Domain administrator access reviewed and reduced. | | Closed
Access Control – Principle of least privilege – Legal & Regulatory requirements. | High | Identified systems containing confidential data and tightened up processes for assigning access rights for new users. Chief Information Officer in conjunction with Risk and Assurance Lead | Oct 2019 | Information Management Advisor recruited, due to commence in role on 30 November 2020. | Stocktake with the business to assess what information and records are held and where, including PII. Re-baseline due date based on scope of remediation and linkage to ICT Governance below. | Behind – date needs rebaselining. Part of wider information management project – dedicated resource to strengthen data management now recruited
Access Control – Principle of least privilege – Periodic Review. | High | Reviewed Active Directory accounts – archiving accounts by last logon date > 60 days. Chief Information Officer | Oct 2019 | Accounts directory reviewed, with accounts inactive > 60 days archived. | | Closed
Access Controls – External Information Systems – Password Managers. | Medium | Investigate and evaluate solutions for single sign-on / password management. Chief Information Officer | Sept 2020 | | Requested resourcing to evaluate solutions for implementation. | Behind
Business Environment – Resilience requirements – IT Disaster Recovery Plan – resilience requirements. | High | Implement DR technology changes and test Disaster Recovery processes and environment. Chief Information Officer | Dec 2021 | Request funding for ICT Disaster Recovery Project. | Scope and design a Disaster Recovery solution when funding is available. | On track
As above. | High | Develop cybersecurity incident management processes based on CERT NZ guidelines, including developing templates for incident response and post incident review. Chief Information Officer | Mar 2020 | Response process drafted and response templates complete. | | Closed
Governance – Information security policy framework – Policy Review Required. | Medium | ICT Governance – firstly, assess the quality of Council's ICT policy framework against good practice, including the development of a RACI matrix for the cybersecurity roles outlined in the matrix. Chief Information Officer in conjunction with Risk and Assurance Lead | June 2020 | Identified all ICT Policy documents and checked their review dates and the review process. | Define Council's risk appetite for enterprise risk 5 ‘information security’. Assess gap to systemise; develop business case and project plan that incorporates updating ICT governance documentation. | Behind – broader information security strategy – also links to PII, DR and third parties
Anomalies & events, Security Continuous Monitoring & Detection Processes – Monitoring/Detection – Alerts. | Medium | Set up a central mailbox for system alerts. Chief Information Officer | Oct 2019 | Central mailbox activated for alerts. | | Closed
As above. | Medium | Add critical alerts to our monitoring dashboard. Chief Information Officer | Mar 2020 | Central mailbox above is sufficient. | | Closed
Information Protection Processes & Procedures – Third parties – Contractors' Responsibilities. | Medium | As part of the policy review, ensure a risk-based decision is made around contractors, and that system access by contractors and third parties is covered by policy. Chief Information Officer in conjunction with Risk and Assurance Lead | June 2020 | | Define Council's risk appetite for enterprise risk 5 ‘information security’. Assess gap to systemise; develop business case and project plan that incorporates managing information risks from third parties. | Behind – refer to update under ICT Governance; due date needs rebaselining as the solution requires integration with other key management systems.
Maintenance – Remote access is managed (third parties) – Maintenance. | Medium | Implement ‘enable on demand’ access for third party providers. Chief Information Officer | Oct 2019 | Accounts disabled by default, and enabled when requested for a fixed period. | | Closed
Access control – Remote access is managed (mobile devices) – Mobile device management. | Low | Continue the planned deployment of asset management tools for mobile devices. Chief Information Officer | Ongoing | Implemented Microsoft Intune to manage mobile devices. Completed June 2020. | | Closed
Tracking Status Key
On track | Milestones on track to meet due date
At risk | Milestones falling behind, putting delivery on the due date at risk
Behind | Milestones outstanding; due date will not be met
Closed | Corrective action fully implemented
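Two of the closed least-privilege actions in the cyber security dashboard above (archiving Active Directory accounts with no logon for more than 60 days, and 'enable on demand' access for third-party providers that is enabled only for a fixed period) are controls that are usually automated rather than done by hand. The script below is an added illustration of how both controls are typically implemented with the Microsoft ActiveDirectory PowerShell module; it is not the Council's code and the page does not describe how HBRC implemented them. The archive OU, vendor OU, account name and ticket reference are assumptions for the example.

```powershell
# Added illustration, not Council code. Assumes the RSAT ActiveDirectory module and the
# hypothetical OUs 'OU=Archived,DC=example,DC=local' and 'OU=Vendors,DC=example,DC=local'.
Import-Module ActiveDirectory

# Control 1 (periodic review): list enabled user accounts with no logon in the last
# $InactiveDays days. With -ReportOnly nothing changes; otherwise each account is
# disabled and moved to the archive OU so it can be reviewed before deletion.
function Invoke-StaleAccountReview {
    param(
        [int]$InactiveDays = 60,
        [string]$ArchiveOU = 'OU=Archived,DC=example,DC=local',   # assumption
        [switch]$ReportOnly
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is
    # only updated roughly every 14 days; a 60-day threshold sits well outside that window.
    # Accounts created after the cutoff are skipped so new starters are not archived
    # before they have had a chance to log on.
    $stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
                        -Properties LastLogonDate, whenCreated |
             Where-Object { $_.whenCreated -lt $cutoff }
    foreach ($u in $stale) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastLogonDate  = $u.LastLogonDate
            Action         = if ($ReportOnly) { 'report' } else { 'disabled and archived' }
        }
        if (-not $ReportOnly) {
            Disable-ADAccount -Identity $u
            Move-ADObject -Identity $u.DistinguishedName -TargetPath $ArchiveOU
        }
    }
}

# Control 2 (enable on demand): a third-party account stays disabled by default. On request
# it is enabled and given an expiry date, so it locks itself again when the window lapses
# even if nobody remembers to revoke it. The request reference is recorded on the account.
function Enable-ThirdPartyAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketReference,   # change/request record for the audit trail
        [int]$Hours = 8
    )
    $expires = (Get-Date).AddHours($Hours)
    Enable-ADAccount -Identity $SamAccountName
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expires
    Set-ADUser -Identity $SamAccountName -Replace @{ info = "Enabled until $expires per $TicketReference" }
    Write-Output "$SamAccountName enabled until $expires ($TicketReference)"
}

# Scheduled sweep: an expired account can no longer log on, but disabling it as well keeps
# the 'disabled by default' state visible in the directory and in access reviews.
function Disable-ExpiredThirdPartyAccess {
    param([string]$VendorOU = 'OU=Vendors,DC=example,DC=local')   # assumption
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $VendorOU |
        Where-Object { $_.Enabled } |
        ForEach-Object { Disable-ADAccount -Identity $_; $_.SamAccountName }
}

# Usage (read-only review first, then a time-boxed enable against a placeholder request):
# Invoke-StaleAccountReview -ReportOnly | Format-Table
# Enable-ThirdPartyAccess -SamAccountName 'vendor.svc' -TicketReference 'REQ-0000' -Hours 4
```

Run the review with -ReportOnly and have the owner sign off the list before the disabling run; the report output is the evidence an auditor will ask for when checking that the periodic review actually happened. The expiry date, rather than a reminder to disable the account, is what makes the fixed period enforceable.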
Finance Audit & Risk Sub-committee
Wednesday 11 November 2020
Subject: Sub-committee Work Programme November 2020 Update
Reason for Report
1. To ensure the Sub-committee can effectively and efficiently fulfil its role and responsibilities, an overall update on its work programme is provided below.
Task | Item | Scheduled / Status
Internal Audits | Cyber Security follow-up for FARS | Status of management actions now tracked in a dashboard and reported as a separate paper to the 11 November FARS meeting.
 | Risk Management Maturity Assessment | Status of management actions now tracked in a dashboard and reported as a separate paper to the 11 November FARS meeting.
 | Internal Audit Follow-up (Audit of Audits) including Contracts Management, Water Management, Procurement, Health & Safety | Status of management actions for Contracts Management, Procurement and Health and Safety now tracked in a dashboard and reported as a separate paper to the 11 November FARS meeting. Note no outstanding actions were reported for Water Management.
 | 2020-21 internal audit plan | Status of 2020-21 internal audit plan now tracked in a dashboard and reported as a separate paper to the 11 November FARS meeting.
Risk Assessment & Management | Risk Maturity Roadmap | Bowtie analysis for Tier 1 enterprise risks ongoing. Bowtie analysis demonstration presented to the FARS at the 11 November meeting.
Insurance | Placement of insurance required within timeframes | In June, along with Councils from Hawke’s Bay, Manawatu-Wanganui and Bay of Plenty, HBRC conducted an RFP for insurance brokers. This resulted in the Hawke’s Bay councils changing insurance brokers for their above-ground insurances from Marsh to AON NZ Ltd. AON has conducted an Insurance Risk Profile to better inform the insurance placement and to develop an Insurance Maturity programme. We are waiting for this report. Placement for 1 November is underway.
Annual Report | Completion of the Annual Report and its adoption prior to the statutory deadline with an unqualified audit opinion | Scheduled for ‘recommendation to 16 December 2020 Council for adoption’ at the extraordinary FARS meeting on 2 December.
LGA S17a Efficiency Reviews | Works Group | Review completed and subject of an 11 November FARS meeting agenda item.
 | Biosecurity | Review report completed and presented to the 10 September Environment & Integrated Catchments Committee, with actions in response to the recommendations being progressed through the LTP process.
Decision Making Process
2. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision making provisions do not apply.
Recommendation
That the Finance, Audit and Risk Sub-committee receives and notes the “Sub-committee Work Programme November 2020 Update” staff report.
Authored by:
Leeanne Hooper, Team Leader Governance
Helen Marsden, Risk and Assurance Lead
Bronda Smith, Chief Financial Officer
Approved by:
Jessica Ellerm, Group Manager Corporate Services
Finance Audit & Risk Sub-committee
Wednesday 11 November 2020
Subject: Section 17a Review of the HBRC Works Group
That Hawke’s Bay Regional Council excludes the public from this section of the meeting, being Agenda Item 9 Section 17a Review of the HBRC Works Group with the general subject of the item to be considered while the public is excluded; the reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution being:
GENERAL SUBJECT OF THE ITEM TO BE CONSIDERED | REASON FOR PASSING THIS RESOLUTION | GROUNDS UNDER SECTION 48(1) FOR THE PASSING OF THE RESOLUTION
Section 17a Review of the HBRC Works Group | s7(2)(f)(ii) The withholding of the information is necessary to maintain the effective conduct of public affairs through the protection of such members, officers, employees, and persons from improper pressure or harassment. s7(2)(a) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to protect the privacy of natural persons. | The Council is specified, in the First Schedule to this Act, as a body to which the Act applies.
Authored and Approved by:
Chris Dolley, Group Manager Asset Management