Agenda of Risk and Audit Committee - Wednesday, 1 May 2024

Hawke’s Bay Regional Council

Risk and Audit Committee

1 May 2024

Subject: Risk Management update

Reason for Report

1. This item and the accompanying enterprise risk report provide the Risk and Audit Committee (RAC) with a quarterly update of Council’s risk profile, risk activities and surrounding environment for discussion and awareness.

Executive Summary

2. HBRC continues to develop and work on enhancing risk management and systems in place. With the departure of the Risk Manager, HBRC has engaged the services of David Nalder, an experienced Risk Consultant with a background in local and central government. The primary objective of this work has been to:

2.1. Increase the quality, relevance, and awareness of HBRC’s risk profile and risk management process at governance, executive and management levels

2.2. More directly link risk to decision making, with explicit linkages between HBRC’s purpose and commitments, major areas of uncertainty presenting both upside opportunity and down-side threat, and controls/activities that manage these areas of uncertainty/risk

2.3. Provide a simple and transparent method of describing key areas of risk, consequences related to this, critical controls, assurance, and related monitoring mechanism.

3. A review has been undertaken to validate the strategic risk profile of HBRC by looking at areas of risk identified by other organisations. Specific sources of information were: the Office of the Auditor General’s report into risk within local government; Department of Prime Minister and Cabinet’s New Zealand national risk register; LGNZ’s key risks/issues for local government; and other material such as white papers and thought leadership from external professional services consultancies, including PwC, KPMG, EY, Deloitte, AON, Grant Thornton and others across NZ, Australia and the UK. Pleasingly, common risk themes identified were all reflected within the Enterprise Dashboard (strategic risk profile) or supporting one-page management plans (risk assessments).

4. The delivery of the North Island Weather Events (NIWE) programme (Infrastructure PMO) is critical to the ongoing success of HBRC and this risk/uncertainty has been added to the overarching risk profile for HBRC as a new risk (refer to Risk 22 - Rated moderate). There is significant political pressure being applied to execution timeframes for delivery. Ensuring there is a balance between political pressure, winter weather for construction and community engagement will be crucial to the success of the programme and for mitigating both reputational and financial risks associated with non-delivery.

5. HBRC was the subject of a procurement probity check in March 2024 for the Silt and Debris taskforce. There were no material issues noted in processes supporting the procurement of contractors for the further $40m funding received in February 2024.

6. An incident report pertaining to Holiday Payments has been escalated through to RAC this quarter and will be considered in public excluded.

7. During March 2024, Hawke’s Bay Civil Defence Emergency Management Group’s response to Cyclone Gabrielle (the Mike Bush review) was released. The CDEM Group Joint Committee has formally agreed that an independent role will be established to lead the remediation of the report’s recommendations. It is expected that RAC will be provided with the plan and timeline for actions on the recommendations for oversight and awareness only, and that the Joint Committee will be accountable for approving and monitoring the implementation of the work programme for the transformational change required.

Discussion

Risk Environment and Sentiment Surveys

8. The one-page Enterprise Dashboard represents the strategic risk profile. This is intended to be a live document with updates to reflect the changing priorities and risks for the organisation. Since the last RAC meeting, this dashboard has been updated to reflect feedback at that meeting and the transition from cyclone recovery to the wider focus on future resilience to extreme weather events. Engagement has been positive across the organisation.

9. Key insights on the dashboard this quarter are:

9.1. The removal of the risk around Impacts of cyclone and recovery. This risk was a point in time and reflected the uncertainty at the time of creation of cyclone-related matters such as categorisation, remediation funding, and insurance claim activities. With the closure of Recovery as a separate matter at ELT, this risk has now been replaced with the Effectiveness of the NIWE Resilience programme, and a more general Effectiveness of Emergency Management.

9.2. The small deterioration (from low to moderate) for Effectiveness of governance and partnerships, Our impact on the environment and Effectiveness of infrastructure asset management. In part, Council officers believe this is due to staff awareness and further consideration of risks since the creation of the dashboard and supporting one-page management plans. In one respect this is positive as it indicates greater clarity and transparency in defining risk and how this is managed and causes officers to reconsider the extent to which there are opportunities to increase rigour around how these areas are managed.

9.3. Effectiveness of Technology continues to be of shared concern from ELT and councillors. With the recent appointment of a new Chief Information Officer, renewed attention is being applied to getting the critical controls and infrastructure in place. We expect, over time, this will improve along with considered control improvements across our network and infrastructure. Positive strides have been achieved with the implementation of Techone in particular within the finance team.

9.4. All ELT members and ten councillors have contributed to the sentiment survey this quarter, the results of which will be considered in Public Excluded with the Risk deep dives. Overall, there has been a marked increase in the general level of confidence expressed by councillors since February, although there is a high degree of divergence of views between individual councillors. Insights from this include:

9.4.1. A relatively higher level of concern in the mind of councillors than that of the ELT

9.4.2. A higher degree of alignment of view exists at an ELT level than at Council

9.4.3. Amongst councillors, there were very different viewpoints on common areas of risk/uncertainty – in some cases, the overall level of confidence expressed by individuals in the overall risk statements (i.e. trust and confidence from the community that HBRC enables a healthy environment and a resilient and prosperous community) is much higher that the aggregate of the individual areas of risk that contribute to this. This suggested that councillors are more confident in HBRC’s overall performance than the aggregate of the specific aspects that contribute to this performance.

9.5. The consultation on the Long Term Plan continues to generate public feedback and in some areas negative sentiment (similar to all local authorities across NZ) due to the national and regional planned rate rises. This is putting pressure on delivery teams (Finance and Governance) and Communication and Engagement teams to ensure our community has appropriate information. In part, this negative sentiment is reflected in uncertainties shown across the councillor sentiment survey by amber ratings for a number of risks, such as those relating to HBRC’s groups of activities (e.g. Emergency Management and Transport Management), wider community engagement (effectiveness of communication, consultation and engagement, coordination and connectedness of activity and decision making across HBRC) and ultimate outcomes (we keep our community safe / our impact on the environment).

9.6. A number of regulatory settings are currently being reformed by Government with potential impacts on Council’s business. These include the reform and replacement of the Resource Management Act (during this term of Parliament), changes to national direction (principally the National Policy Statement for Freshwater Management, the National Poilcy Statement for Highly Productive Land, and the National Policy Statement for Indigenous Biodiversity), and changes to the consenting processes via the fast track regime currently before Parliament. Additional changes are contemplated to the farm planning system. There is uncertainty about the final shape of reform of which is reflected as a high risk on our risk profile.

9.7. Officers have prioritised the Regional Policy Statement as part of Kotahi and have focussed on the vision and values work related to freshwater. These are no regrets areas of work. Farm planning work is largely on hold. HBRC continues to work with the regional sector through Te Uru Kahika to provide advice to Government and, where appropriate, HBRC will submit to the select committee on proposed reforms.

10. This quarter, deep dives into the following specific areas of risk/uncertainty will be provided in public excluded time.

10.1. Effectiveness of technology

10.2. Impact of external change and reform

10.3. Effectiveness of the investment strategy

10.4. Security, integrity and privacy of information

10.5. Cyber security.

11. A proposed review and deep dive schedule is attached and will be used to present information to RAC going forward.

12. This is intended to give councillors a common understanding of major areas of importance to HBRC (purpose, success and uncertainties/risks tied to success) together with transparency on the control environment underpinning this. This is important to enable RAC to deliver on its governance obligation or ensuring that there is an effective system of risk management and internal control in place.

Assurance Activities

Organisational Change and Prioritisation Report

13. Recently Crowe, our external assurance provider, released the final draft report for Organisational Change and Prioritisation. (This was agreed within the Enterprise Internal Audit Plan for 2022-2023.)

14. The scope of the review looked at opportunities to strengthen decision-making to ensure organisational change effectively drives the creation of value while ensuring the organisation is protected from undue risk, e.g., impact on people, compliance, etc, which is sometimes referred to as ‘risk in change’. (The audit did not cover the strategic decision-making process on each individual organisational change initiative and project management process as that was out of scope.)

15. While there was one high priority finding observed (being that staff members interviewed had differing interpretations of what a change initiative is), it is pleasing that the auditors noted that the organisation has the correct tools to enable good project management going forward. The main themes of the findings for corrective action and improvement, include:

15.1. A lack of clear definitions relating to change initiatives

15.2. A lack of formal policies relating to change and project management

15.3. Development of a change management methodology

15.4. Project management requirements

15.5. Prioritisation of activities.

16. Management will address recommendations made with the owner being Group Manager Corporate Services.

Hawke’s Bay Civil Defence Emergency Management Group’s response to Cyclone Gabrielle– Mike Bush

17. This review report was finalised and released in March 2024, with the purpose of the independent review being to assess the operational performance of the Hawke’s Bay Civil Defence Emergency Management Group’s immediate response to Cyclone Gabrielle, with a particular emphasis on the systems and processes, and roles and responsibilities of Group members and partners.

18. The formal report has now been received. A sub-working group of the Coordinating Executive Group (CEG) has been formed and will provide recommendations on the short-term recommendations and actions to be undertake to the CEG initially, to then be presented to the Joint Committee along with a recommendation on an appropriate structure to successfully implement the review outcomes for the future. The intention is that this will be presented at the Joint Committee’s July meeting, if not earlier.

19. Further recommendations are expected to be relevant to Hawke’s Bay Civil Defence Emergency Management from the Report of the Government Inquiry into the Response to the North Island Severe Weather Events. At the time of writing of this paper there was no indication of how this report will impact other recommendations and what remediation will be required.

Ernst and Young – Half Year Financial Statement Review

20. Ernst and Young, our external auditors are currently onsite performing mid-year controls review as part of the half year Financial Statement audit. This review involved updating understanding of processes and controls as well as testing transactional information for 8 months of the year for certain accounts. No issues have been identified to date.

21. Last year HBRC received a qualified audit opinion, primarily based on the decision by HBRC not to formally value infrastructure assets (due to valuation and impairment work continuing post cyclone with uncertainty). Formal external valuations will be completed this year.

Probity Check – Silt and Debris Taskforce

22. A probity check on the contracting for the Silt and Debris taskforce was undertaken in March 2024 in response to concerns raised by the public to government officials pertaining to potential conflicts or inappropriate controls supporting the programme. In offering further funding of $40m to the Silt and Debris Taskforce, central government requested a probity check be undertaken by McHale Group – a public sector assurance company.

23. While a formal report is yet to be received, initial email correspondence with McHale Group has concluded “From a probity perspective and from HBRC’s perspective, the current tender process is appropriate, justified, and appropriately approved in relation to supporting the response to the original emergency situation. The very tight response timeframe (5 ½ working days plus a weekend) within which companies were required to respond to the tender invitation was justified within the context of emergency procurement although with hindsight, improvements could have been made to the process.“

24. This outcome is positive and further supports other assurance work HBRC has received across the Silt and Debris programmes, in particular the Agreed-Upon Procedure work undertaken by PricewaterhouseCoopers in December 2023 specifically looking at how the Silt and Debris Taskforce operated within the boundaries of eligibility criteria and the allocation of jobs within the programme. No material issues were noted in this review.

Decision-making process

25. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that:

25.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to provide advice and recommend actions, responses and changes to the Council about risk management, assurance activities, governance oversight and internal control matters, including external reporting and audit matters. Specifically this includes:

25.1.1. The robustness of Council’s risk management systems, policies, practice and assurance processes. (1.1)

25.1.2. Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the Council’s significant risks in place. (2.1)

25.1.3. Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks. (2.2)

25.2. Because this report is for information only, the decision-making provisions do not apply.

Recommendations

That the Risk and Audit Committee receives and considers the Risk Management update staff report.

Authored by:

David Nalder

Acting Risk Manager

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

Risk management update 1 May 2024

Under Separate Cover

Hawke’s Bay Regional Council

Risk and Audit Committee

1 May 2024

Subject: Treasury Compliance Report for the period 1 January - 31 March 2024

Reason for report

1. This item provides compliance monitoring of Hawke’s Bay Regional Council’s (HBRC) Treasury activity and reports the performance of Council’s investment portfolio for the quarter ended 31 March 2024.

Overview of the quarter ending 31 March 2024

2. At the end of the quarter to 31 March 2024, HBRC was compliant with all measures in its Treasury Policy with the exception of the counterparty risk policy as a result of the management of recovery funds.

3. During the quarter HBRC appointed credit rating agency Fitch to provide a public credit rating for Council and HBRC is expecting an outcome before the end of April. A public notice will be issued by Fitch on the outcome.

4. The effects of Cyclone Gabrielle and its recovery continue to impact both cash balances and borrowing requirements. Additional ongoing borrowing to fund recovery will continue over the next 3-4 years, while proceeds from insurance claims are slower than earlier forecast.

Background

5. Council’s Treasury Policy requires a quarterly Treasury Report to be presented to the Risk and Audit Committee. The policy states that the Treasury Report is to include:

5.1. Treasury exceptions report

5.2. Policy compliance

5.3. Borrowing limit report

5.4. Funding and liquidity report

5.5. Debt maturity profile Interest rate report

5.6. Investment management report

5.7. Treasury investments

5.8. Cost of funds report, cash flow and debt forecast report

5.9. Debt and interest rate strategy and commentary

5.10. Counterparty credit report

5.11. Loan advances.

6. The Investment Management report has specific requirements outlined in the Treasury Policy. This requires quarterly reporting on all treasury investments plus annual reporting on all equities and property investments.

7. In addition to the Treasury Policy, Council has a Statement of Investment Policy and Objectives (SIPO) document setting out the parameters required for funds under management for the HBRC Long Term Investment Fund and the Future Investment Fund.

8. Since 2018, HBRC has procured treasury advice and services from PricewaterhouseCoopers (PwC) who provide quarterly Treasury reporting for internal monitoring purposes.

Treasury exceptions report and policy compliance

9. As at 31 March 2024 all counterparty exposures were within limits.

10. There were no Investment Limit breaches in this period relating to funds held by HBRC for its normal activities.

11. However, during the quarter to 31 March 2024, there continued to be a number of Investment Limit breaches relating to cyclone recovery funding received from the Crown and held in the Jarden and BNZ Recovery accounts. During this quarter total recovery funds held ranged from ~$32m to ~$78m. HBRC continues to mitigate potential risks by Jarden managing their funds across both ANZ and Westpac, meaning funds are split across 3 main registered NZ banks.

12. Council officers maintain the view that management of Recovery Funding held on behalf sits outside HBRC’s treasury policy for normal operations, and although reported on, does not cause a formal breach to limits.

13. This will remain an issue while HBRC works through the Silt and Debris recovery on behalf of the Crown. As HBRC moves into the FRP programme with the Crown we expect to manage cashflow on a monthly basis.

Funding and Liquidity

14. To ensure HBRC has the ability to adequately fund its operations, current policy requires us to maintain a liquid balance of “greater than 10% of existing total external debt”. Current liquidity ratio is 13.33% and therefore meets policy.

15. The following table reports the cash and cash equivalents on 31 March 2024.

31 March 2024	$000
Cash on Call	3,192
Short-term bank deposits	―
Total Cash & and Deposits	3,192

16. To manage liquidity risk, HBRC retains a Standby Facility with BNZ. This facility provides HBRC with a same-day draw-down option, to any amount between $0.3-$10.0m, and with a 7-day minimum draw period.

Debt Management

17. On 31 March 2024 the current external debt for the Council group was $103m which includes $4.3m of pre-funded debt ($119.9m including loan from HBRIC).

18. Since Q2 there has been no additional new borrowing. However, during this quarter we have continued to push our short-term borrowing out in anticipating of a credit rating, allowing us to capture lower interest rates.

19. The following summarises the year-to-date movements in Council’s debt position.

Summary of HBRC Debt

	HBRC only $000	HBRC Group $000
Opening Debt – 1 July 2023 – excl HBRIC Loan	84,830	84,830
New Loans raised*	84,500	84,500
Less amounts repaid	(66,015)	(66,015)
Closing Debt 31 March 2024 (excluding HBRIC loan)	103,315	103,315
Plus opening balance - loan from HBRIC	16,663	―
Total Borrowing as at 31 March 2024 *	119,978	103,315

*Includes pre-funding debt of $4.3m.

20. Council’s debt maturity profile remained compliant, however short-term drawdowns continue to put pressure on the policy limit in the 0–3-year bucket. This is expected to remain high while the credit rating process is underway. We will then look to transition short-term debt out to longer term, utilising any insurance proceeds to minimise future funding. The table below includes our $10m BNZ overdraft in total debt.

Funding summary

21. HBRC had no new borrowing in Q3 but rolled over $25m short term borrowing. We anticipate relieving the pressure on the 0–3-year bucket by converting short-term debt to long term after the credit rating process is complete.

22. HBRC officers are currently investigating the options of ‘Green Loans’ with LGFA, as an alternative to standard bonds. These are available to fund sustainability projects that promote environmental and social wellbeing, or act on climate change and reduce greenhouse gas emissions. Projects that fit these criteria attract lower interest rate charges than standard LGFA bonds.

23. Any insurance or NEMA proceeds will be used to offset further funding requirements anticipated in the new financial year.

Borrowing limits

24. Council continues to monitor and work within the agreed borrowing limits set by both Council and the LGFA.

Interest rate risk

25. Council currently holds $50m in fixed rate instruments, hedging 46% of current external debt, and remains compliant to policy. This is based on the draft FY2025-2027 LTP plan.

Managed funds

26. Total Investment Fund portfolios capital at 31 March 2024 is $167m. Adjusted for inflation this is $0.938m below the inflation-adjusted contribution target. No divestments have been made from managed funds this year.

27. Based on results to date, the current fund structures are not sufficient to deliver the returns required to meet Council’s requirement. This is being addressed by the updates to the Investment Strategy and the transfer of management of these assets to HBRIC which is currently undertaking an RFP process for new investment managers.

28. Council currently budgets separately for revenue from directly-held managed funds and those held by HBRIC. HBRIC is required to deliver an overall portfolio return by way of an annual dividend agreed through an annual Statement of Intent. The composition between revenues from managed funds and other sources such as Port dividends, is up to the HBRIC board. While the Council budgeted to receive $10.9m in dividends from HBRIC within the FY 2023-2024, Council has received only $3.9m to date due to reduced earnings from the Port. It is anticipated the overall dividend will fall short of the Council budget for the year.

29. The following table summarises the fund balances at the end of each period and the graph illustrates the asset allocations within each fund at 31 March 2024.

	30 Sept 2023	31 Dec 2023	31 Mar 2024
Fund Balances HBRC	$000	$000	$000
Fund Balance HBRC	108,038	114,407	118,752
Capital Protected Amount HBRC (2% compounded since inception)	117,124	117,709	118,298
Current HBRC value above/(below) capital protected amount	(9,086)	(3,302)	(454)
Funds Balances (Group + HBRIC)
Long-Term Investment Fund (HBRC)	47,164	49,975	51,844
Future Investment Fund (HBRC)	60,874	64,432	66,908
Total HBRC	108,038	114,407	118,752
Plus HBRIC Managed Funds (FIF)	44,415	47,138	48,810
Total Group Managed Funds	152,453	161,545	167,563
Capital Protected Amount (2% compound inflation)	166,828	167,662	168,500
Current group value above/(below) protected amount	(14,375)	(6,117)	(938)

30. Financial markets have continued to rally this quarter and as at 31 March 2024 the consolidated portfolio value was up 7.09% on 30 June 2023. Fund performances have also improved this quarter, although much of this is in unrealised gains and therefore subject to market volatility. Under current policy all cash returns reinvested.

Cost of funds

31. Rolling 12 months to 31 March 2024, Gross Cost of Funds (COF) was 4.15% and Net COF was 3.99%.

HBRIC Ltd

32. In accordance with Council Policy, HBRIC provides separate quarterly updates to the Corporate and Strategic Committee.

Decision-making process

33. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

33.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to:

33.1.1. Review the Council’s revenue and expenditure policies, amongst others, and the effectiveness of those policies in ensuring limited risk is generated. (1.3)

33.2. Because this report is for information only, the decision-making provisions do not apply.

Recommendation

That the Risk and Audit Committee receives and notes the Treasury Compliance Report for the period 1 January – 31 March 2024.

Authored by: Approved by:

Tracey O'Shaughnessy

Treasury & Investments Accountant

Susie Young

Group Manager Corporate Services

Attachment/s There are no attachments for this report.

Hawke’s Bay Regional Council

Risk and Audit Committee

1 May 2024

Subject: Health, Safety and Wellbeing update

Reason for report

1. This item provides the Audit and Risk Committee with:

1.1. An update on progress transitioning the Council’s Health, Safety and Wellbeing Management Framework (HSWMF) to comply with the ISO 45001:2018 Occupational health and safety management systems requirements, including the findings of the desktop review.

1.2. An overview of HBRC’s HSWMF including the roles of governors and Council staff, and H&S incident reporting.

Executive Summary

2. The HSW Team Leader reported to the Risk and Audit Committee in October 2023 on the intended alignment of the HBRC Health, Safety and Wellbeing Management System (HSWMS) with the ISO45001 framework, including ongoing assurance over Health and Safety matters. This item provides a summary of findings of the ECAAS Certification’s Gap Analysis and the report itself is attached.

3. The purpose of providing an explanation of the Council’s health, safety and wellbeing system, is to provide a broad understanding of how the system works.

Background

4. From 2001 to 2019 HBRC’s HSWMS was audited and certified under the ACC Workplace Safety Management Practice (WSMP) audit standard. The WSMP audit standard aligned with AS/NZS 4801:2001, the joint Australia/New Zealand Standard for Occupational Health and Safety Management Systems. While organisations may have sought certification under AS/NZ4801 or OHSA 18001, this was generally in response to parent company and/or customer requirements and not common. In terms of market acceptance within NZ, ACC WSMP was the ‘default’ standard.

5. Despite the impacts of Covid 19 lockdowns of 2020-2021 and the staffing levels within the HSW team, HBRC’s HSWMS was maintained at a level commensurate with WSMP Tertiary. This was verified via an internal review conducted in 2022.

6. In 2022, the HSW Team and ELT agreed to the need for a new HSW audit programme to replace the defunct ACC WSMP and investigations to determine which might best suit HBRC.

7. As an initial step in the investigation, the HSW team sought information from the wider health and safety community, which included other councils such as Napier City and Horizons (Manawatu-Whanganui Regional Council), about their progression from ACC WSMP into other audit programmes. From the discussions held and evidence observed, the majority had maintained their HSMS (updated as relevant to meet any applicable legislative or industry changes) but had not progressed into another certification programme. Organisations who had moved to another certification programme undertook one of the following options:

Programme	Programme Status	Certification availability
AS/NZ4801	Available superseded until 13 July 2023. After 13/7/23 refer to ISO45001.	N/a
OHSA 18001	Withdrawn replaced by ISO45001	N/a
ISO45001	Current	Yes
Safe+	Current	No* outcome defined by 3 performance levels

8. In October 2023 it was agreed that a review of the current health and safety management systems would be undertaken with the intention of moving to ISO 45001 Occupational health and safety management systems requirements as the Council’s new HSW audit programme. The review was undertaken in November 2023 and the findings and actions to remediate those are outlined following and contained in attachments 1 and 2.

ISO 45001 Gap analysis

9. The ECAAS Certification’s Gap Analysis occurred on 28 and 29 November 2023 with the review report being provided to the CE (as the PCBU) in December 2023 for discussion at the 19 February 2024 Executive Leadership Team meeting.

10. Key findings of the review, and actions to address them, include:

10.1. Consultation and Participation – the HSW Committee is well established, however, the Terms of Reference need to be made more explicit.

10.1.1. After consultation with the HSW Committee, this is now complete. The HSW Committee will have further opportunities to consult and participate in the HSWMS, and for this to be evidenced as per the requirements of the standard.

10.2. Internal Audit – future internal audits will need to be conducted against ISO45001.

10.2.1. The document review forms part of the HSW internal audit programme, and will serve to meet the requirements (in the first instance) as we move forward.

10.3. Legal requirements – Work Methods need to detail the exact requirements of

10.3.1. HBRC uses Work Methods (previously called Codes of Practice) to outline the procedure, inherent risks, and the controls related to a specific task. Each Work Method (WM) refers to applicable legislation, industry guidelines, standards, Approved Codes of Practice, etc. Most of the WM do not detail the exact requirements of these, e.g. will refer to Civil Aviation Rules but not specify which part of the rules apply. There is no central repository for this information. The knowledge for the level of detail the standard requires very likely exists within the HBRC, but it will take some time and resource to map out.

10.3.2. As the specifics are mapped, HBRC must also evaluate its compliance with the requirements. Compliance evaluation outcomes will feed into the requirements for monitoring, measurement, analysing, evaluation, and management review.

10.4. Management of change

10.4.1. The current change management process will need to be redefined in line with ISO45001 requirements.

10.5. Non-conformances & continuous improvement

10.5.1. Under ISO45001, non-conformances are not limited to just incidents (injury, damage, near miss etc) but also include any instances of not meeting the performance measures of the HSWMS itself. A process to record HSWMS non-conformances has been included in the Incident Report Form and will also feed into the requirements for monitoring, measurement, analysing, evaluation, and management review.

10.6. Objectives – HBRC needs to establish HSW objectives at relevant functions and levels (PDP).

10.6.1. Objectives for the HSW Committee have recently been finalised, and the HSW Team objectives are included in the 2024 and 2025-2027 work plans.

10.6.2. Objectives for management or similar will need to be scoped and will be related to things such as completing investigations of incidents or closing out incidents within a specified time period.

10.6.3. The first two objectives are part of the incident management process already, albeit without the specific measures. Including measures (objectives) will contribute to the improvement of HBRC’s HSWMS, provide more structure and accountability for the incident management process, and feed into the criteria HBRC uses to monitor the performance of the HSWMS.

10.7. Monitoring, measurement, analysis, evaluation and management review – HBRC has established safety performance reporting, and a new HSW performance dashboard is in the process of being developed.

10.7.1. HBRC had established safety performance reporting; it was also noted that a new HSW performance dashboard was in the process of being developed. This area will need further development to ensure that not only is HSW performance being measured, monitored, evaluated, and updated, but that also the performance of HBRC’s HSWMS is being measured, monitored, evaluated and updated.

10.7.2. The Management Review process (of the HSWMS) will need to be updated to capture the above points and any other specifics required for ISO45001.

11. Being based on the ACC WSMP standard, it was expected that updates to the HBRC HSWMS would be required to meet ISO45001 requirements. However, not meeting requirements of a standard does not mean an organisation is not meeting the intent of relevant legislation, e.g. The Health and Safety at Work Act 2015.

12. With the HSW Strategy and Workplan due for renewal, the timing is opportune to update the HSWMS as part of the new HSW 2024-2027 Strategy and Workplan.

HBRC’s Health, Safety and Wellbeing Management Framework

Overview

13. The HSWM system that HBRC operates under is a framework to support and maintain a level of employee safety, health, and wellbeing excellence. It enables the organisation to identify, manage and reduce risk to create a safe working environment for everyone under our umbrella – staff, volunteers, contractors and the wider public. Underpinning this framework is leadership, management, a vast number of policies, work methods (procedures with risk controls), staff participation, training, investigations, and assurance.

14. HBRC has a system of continuous improvement and reviews to ensure that the health, safety, and wellbeing of all is an evolving process – supported by a work plan that is reviewed annually and agreed by the Executive Leadership Team (ELT) then signed off by the Chief Executive (CE).

15. Overarching the HSW work plan is the Health, Safety and Wellbeing Strategic Plan (HSWSP), which is due for its 3-yearly update. The 2021-2024 HSWSP will be updated for acceptance by the ELT and the CE before being presented to Council in July 2024. The underpinning HSW work plan is currently being updated to incorporate the desk top review recommendations and updates to general health, safety and wellbeing objectives for the next 3 years and will be presented to the CE and ELT for approval.

Role of Council governors and management

16. The difference between Governance and Management, in the simplest terms, is that governance is responsible for oversight and planning while management takes care of the daily operations, for example:

16.1. HBRC governors and ELT sign off the HSW Strategy every 3 years.

16.2. The HSW Team Lead reports to ELT when required as well as in future, presenting a monthly HSW dashboard with metrics (under development).

16.3. The HSW team updates the HBRC Organisational Performance report every 3 months (OPAL3) which includes incidents, training, and wellbeing which ELT and governors have access to.

16.4. A monthly Health Safety and Wellbeing of people report is part of the Risk and Assurance Maturity work programme as a live document with the Asset Management Group Manager as the risk champion. This document is accessed by ELT and presented to the Risk and Audit Committee by David Nalder (Consultant).

HBRC health and safety incident reporting

17. An incident form (PINC) is used to record all health, safety or wellbeing incidents and allows for a single process across Council to manage reportable events. An event can be an accident, near miss, incident, complaint, work related injury or illness, or property damage. All events must be notified immediately, or as soon as reasonably practicable. As soon as the event is lodged in the HSW system, notifications go to the reporting Group Manager, direct manager and HSW.

18. Incidents are investigated by the HSW team in conjunction with the worker, the person they report directly to and their Manager. This includes actions required to minimise the likelihood of the event (or a similar event) happening again and a review of current controls, policy or Work Method if the event is linked to a risk/hazard that is already being managed. If additions or amendments to policies or the Work Method are required, these will be discussed with all relevant staff immediately and training will be provided if the risk/hazard process or controls change. Any changes are circulated back through the HSW Committee and circulated through group meetings and internal communications (Snappy and Team Connect).

19. All incident reports are collated monthly for reporting to the wider business and presented at all group meetings. Quarterly updates are presented to the Health, Safety and Wellbeing Committee, the Executive Leadership Team and, through the Organisational Performance Report, the Corporate and Strategy Committee.

Originator
- Fill out relevant sections on PINC/ Hazard, Injury & Incident Reporting (HI&IR) form
- Sign and submit the form Team Lead / Manager / Group Manager
• Discuss PINC/HI&IR form with originator
• If the PINC/HI&IR incident is significant or is a potential high risk to council it must be raised with the Team Leader Health, Safety & Wellbeing
• Discuss findings of investigation or preventative measures at the next team meeting

Financial and resource implications

20. The transition to align with ISO45001 is an ambitious piece of work, however, at this stage there are no financial or resource implications to consider.

Next steps

21. Recommendations from the ECAAS Certification Gap Analysis will be incorporated into the HBRC HSW Work Plan for 2024-2027. This is underway but is an extensive piece of work, alongside the general HSW objectives in the workplan for the HSW team. This will take more than 12 months to change, document, socialise, and embed before a further review of documentation or gap analysis can be considered.

22. The Health, Safety and Wellbeing Strategy for 2024-2027 will be updated and presented to ELT and RAC for approval.

23. ECAAS Certification’s Gap Analysis recommendations will be reported via the Audit Assurance Dashboard (similar to attachment 2), to update RAC quarterly on progress.

Decision-making process

24. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

24.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023. The Risk and Audit Committee has responsibility and authority to:

24.1.1. provide advice and recommend actions, responses and changes to the Council about risk management, assurance activities, governance oversight and internal control matters, including external reporting and audit matters. Specifically, this includes:

24.1.1.1. the appropriateness of controls to safeguard the Council’s financial and non-financial assets, the integrity of internal and external reporting and accountability arrangements. (1.2)

24.1.1.2. Council’s compliance with applicable laws, regulations, standards and best practice guidelines. (1.5)

24.1.1.3. receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s). (2.8)

Recommendations

That the Risk and Audit Committee:

1. Receives and considers the Health, Safety and Well-being update staff report.

2. Confirms that the actions taken to address the ECAAS Certification Gap Analysis findings are adequate in the circumstances explained.

Authored by:

Kirsty McInnes

Team Leader Health Safety & Wellbeing

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

1	ECAAS HSWMS Gap Analysis Nov23 report	Under Separate Cover
2 ⇩	ISO45001 Document Review recommendations
3 ⇩	Health and Safey on a Page
4 ⇩	Health, safety, resilience and wellbeing of people - One-page Risk Management Plan

Hawke’s Bay Regional Council

Risk and Audit Committee

1 May 2024

Subject: Enterprise Assurance update

Reason for Report

1. This item updates the Risk and Audit Committee (RAC) on the progress of the following dashboards:

1.1. Internal Assurance Corrective Actions Dashboard outlines progress of the agreed corrective actions (with priority risk ratings medium and high) that respond to findings from enterprise internal assurance reviews that have been previously reported to the RAC.

1.2. Assurance Universe Dashboard provides a clear picture of the audits/reviews (including S.17a) completed and proposed for the future.

1.3. Assurance Plan for FY 2022-23 and 2023-24 gives the position of the reviews for the last and current financial years.

Discussion

2. The Internal Assurance Corrective Actions Dashboard is attached.

3. The corrective action status update provides oversight to the RAC of the progress of actions taken to address open internal assurance findings, including total issues raised, how many closed and how many remain open. The table below is a summary of the open audits/reviews.

Audit Performed	Review Type	Date	Total Issues raised	Issues Closed	Issues Open	Comments
Regional Assets	Section 17a	March 2020	N/A	0	3	Of the remaining three actions, two are ‘on track’ and one is ‘at risk’.
Risk Management Maturity	Internal Audit	June 2020	11	10	1	One remaining action is ’behind’.
HBRC Talent Management Report	Internal Audit	April 2021	8	6	2	Two remaining actions are ‘behind’.

4. The dashboard gives visibility of:

4.1. open findings of the milestones plus milestones completed and to be completed by the next RAC plus the tracking status since last reported.

4.2. a summary of closed actions since the last RAC report.

5. The Assurance Universe Dashboard is attached. This links enterprise reviews or audits undertaken over the past five years, the current year, and future years to an enterprise risk. Reviews and audits in the Assurance Universe include external audits, enterprise internal audits, business reviews with an enterprise focus, and section 17a reviews.

6. The Assurance Plan for FY 2022-23 and 2023-24 is attached. This gives a status of overflow from 2022-23 approved audits and the current status of FY 2023-24.

Financial and resource implications

7. The budget provided for internal assurance in 2024-2025 is $64,600.

8. Budget provisions for s.17a reviews are allocated via the budgets of those activities identified in the Assurance Universe.

Decision-making process

9. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

9.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to:

9.1.1. Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s). (2.8)

9.1.2. Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management. (3.5)

Recommendations

That the Risk and Audit Committee

1. Receives and notes the Enterprise Assurance update staff report.

2. Confirms that the Internal Assurance Corrective actions update report has provided adequate information on the status of the Internal Assurance Corrective Actions.

Authored by:

Olivia Giraud-Burrell

Quality & Assurance Advisor

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

1 ⇩	Internal Assurance Dashboard May 2024
2 ⇩	Internal Assurance Plan FY22-23 and 2023-24 May 2024
3 ⇩	Assurance Universe