Meeting of the Risk and Audit Committee
Date: 31 July 2024
Time: 9.00am
Venue: Council Chamber, Hawke's Bay Regional Council, 159 Dalton Street, NAPIER
Agenda
Item Title
1. Welcome/Karakia/Notices/Apologies
2. Conflict of Interest Declarations
3. Confirmation of Minutes of the Risk and Audit Committee held on 1 May 2024
Decision Items
4. Treasury Compliance Report for the period 1 April - 30 June 2024
5. Enterprise Assurance update
6. Risk Management update
Decision Items (Public Excluded)
7. Strategic risk deep dives
8. Wairoa Flood Event reviews
9. Confirmation of 1 May 2024 Public Excluded Minutes
Risk and Audit Committee
Wednesday 31 July 2024
Subject: Treasury Compliance Report for the period 1 April - 30 June 2024
Reason for report
1. This item provides compliance monitoring of Hawke’s Bay Regional Council’s (HBRC) Treasury activity and reports the performance of Council’s investment portfolio for the quarter ended 30 June 2024.
Overview of the quarter ending 30 June 2024
2. At the end of the quarter to 30 June 2024, HBRC was compliant with all measures in its Treasury Policy. However, during the quarter it did breach the counterparty risk policy with BNZ over 2 weekends due to the requirement to hold additional funds for loan repayments due on Monday mornings.
3. During the quarter HBRC confirmed and updated where appropriate the delegated authorities and signatories with BNZ and Jarden. There was no requirement to file with the Covenant Trustee Service during this quarter. The next return is due by 31 October 2024.
4. The effects of Cyclone Gabrielle and its recovery continue to impact both cash balances and borrowing requirements. Additional ongoing borrowing to fund recovery will continue over the next 3-4 years, while proceeds from insurance claims are slower than earlier forecast.
5. In June, Fitch confirmed it issued to Council a Long-Term Local-Currency Issuer Default Rating of ‘AA’. This rating allows any lending from LGFA to be at a discounted rate (generally 20 basis points). It also increases the Council’s Lending Policy Covenants with LGFA.
Background
6. Council’s Treasury Policy requires a quarterly Treasury Report to be presented to the Risk and Audit Committee. The policy states that the Treasury Report is to include:
6.1. Treasury exceptions report
6.2. Policy compliance
6.3. Borrowing limit report
6.4. Funding and liquidity report
6.5. Debt maturity profile
6.6. Interest rate report
6.7. Investment management report
6.8. Treasury investments
6.9. Cost of funds report, cash flow and debt forecast report
6.10. Debt and interest rate strategy and commentary
6.11. Counterparty credit report
6.12. Loan advances.
7. The Investment Management report has specific requirements outlined in the Treasury Policy. This requires quarterly reporting on all treasury investments plus annual reporting on all equities and property investments.
8. In addition to the Treasury Policy, Council has a Statement of Investment Policy and Objectives (SIPO) document setting out the parameters required for funds under management for the HBRC Long Term Investment Fund and the Future Investment Fund.
9. Since 2018, HBRC has procured treasury advice and services from PricewaterhouseCoopers (PwC) who provide quarterly treasury reporting for internal monitoring purposes.
Treasury exceptions report and policy compliance
10. In June, the Council borrowed an additional $40m from LGFA as detailed in the debt management section below, which resulted in holding larger than normal funds. As per policy they were placed with multiple counterparties and via Jarden were split between 2 banks. From 1 July 2024 the counterparty limits in the Treasury Policy have lifted to be $25m each.
11. Council staff continue to maintain the view that management of Recovery Funding held on behalf sits outside HBRC’s Treasury Policy for normal operations and is excluded from treasury reporting.
12. The Treasury Policy states the CFO formally delegates to accountants the responsibility for executing treasury transactions in accordance with approved limits, managing the operation of all bank accounts, reviewing electronic batch payments to creditors, and arranging for approval by authorised signatories. Practical application of the Treasury Policy limits for authorisation of bank transactions has not been documented to date, so we have outlined how this is applied internally. The attached report provides a breakdown of the policy and the internal application of limits.
Funding and liquidity
13. To ensure HBRC can adequately fund its operations, current policy requires us to maintain a liquid balance of ‘greater than 10% of existing total external debt’. Current liquidity ratio is 30.22% and therefore meets policy.
14. The following table reports the cash and cash equivalents on 30 June 2024.
| | 30-Jun-24 |
| | $0 |
| Cash on Call | 24,275 |
| Short-term bank deposits | - |
| Total Cash & Deposits | 24,275 |
15. To manage liquidity risk, HBRC retains a Standby Facility with BNZ. This facility provides HBRC with a same-day draw down option, to any amount between $0.3m-$10m, and with a 7-day minimum draw period.
16. With no change to the OCR, the return on on-call funds remains high with BNZ at 4.75% and Jarden at 5.45%. Because the current cash on hand is required for cashflow purposes it is not practical for this to be placed on long term deposit. Short term deposit rates with counterparties currently return less than the above on-call rates.
Debt management
17. On 30 June 2024 the current external debt for the Council group was $113m ($130.16m including loan from HBRIC). There was no pre-funding of loans due to mature.
18. Since Q3 Council has borrowed $40m from LGFA. $25m was utilised to repay short term borrowing (cyclone related), with the balance to cover operational costs until the next rates intake and fund expected capital projects related to cyclone recovery.
19. The following summarises the year-to-date movements in Council’s debt position.
20. Council’s debt maturity profile remained compliant and with the conversion of cyclone related short-term borrowing to longer term, the pressure has reduced on the 0-3 year period. As mentioned last quarter, the Council plans to utilise any insurance proceeds to minimise future borrowing. The infographic below includes our $10m BNZ overdraft facility in total debt but excludes internal (HBRIC) debt.
Funding summary
21. The decision for HBRC to borrow $40m in June was a result of several factors falling at the same time. With the insurance claim process taking longer than initially anticipated (although NEMA has applauded our claims information and advised our claims are well ahead of other councils) it was prudent to roll the expensive short-term borrowing of $25m into longer terms, knowing insurance proceeds received in the future would assist to limit further borrowing required for capital projects. Additional funding was also required to fund our cashflow as well as to have sufficient funds on hand for the major flood mitigation project.
22. HBRC staff are working to firm up a cashflow forecast for the capital projects which have been challenging and this will inform the timing of any future borrowings.
23. The LTP debt forecast anticipates debt levels rising to $176m by the end of FY27.
Borrowing limits
24. Council continues to monitor and work within the agreed borrowing limits set by both Council and the LGFA.
25. The ratios below exclude all HB Recovery cash & cash equivalents held and any return on these funds but do include LTIF managed funds as a liquid asset for assessing net debt.
Interest rate risk
26. Council currently holds $49m in fixed rate instruments, 42% hedging of current external debt, and remains compliant with policy. This is based on the draft FY2025-2027 LTP plan.
27. These instruments are currently held with two banks, Westpac and BNZ. Since 30 June, interest rates have shown movement and Council is considering additional swaps to increase hedging and proposes to spread risk by introducing swaps from ANZ.
Managed funds
28. Total Group Investment Fund portfolios capital on 30 June 2024 is $167m. Adjusted for inflation this is $1.82m below the inflation-adjusted contribution target. No divestments have been made from managed funds this year.
29. Markets have overall remained static in Q4, with the portfolio decreasing by $67k (full year growth was $11.m). The funds have returned an overall 7.10% after fees and taxes, with all income reinvested into the fund.
30. The following table summarises the fund balances at the end of each period and the graph illustrates the asset allocations within each fund on 30 June 2024.
| | 30 June 2022 | 30 June 2023 | 30 June 2024 |
| Fund Balances HBRC | $000 | $000 | $000 |
| Fund Balance HBRC | 104,449 | 110,828 | 118,722 |
| Capital Protected Amount HBRC (2% compounded since inception) | 114,239 | 115,895 | 118,890 |
| Current HBRC value above/(below) capital protected amount | (9,790) | (5,067) | (168) |
| Funds Balances (Group + HBRIC) | | | |
| Long-Term Investment Fund (HBRC) | 45,679 | 48,400 | 51,847 |
| Future Investment Fund (HBRC) | 58,770 | 62,428 | 66,875 |
| Total HBRC | 104,449 | 110,828 | 118,722 |
| Plus HBRIC Managed Funds (FIF) | 43,226 | 45,638 | 48,854 |
| Total Group Managed Funds | 147,675 | 156,466 | 167,576 |
| Capital Protected Amount (2% compound inflation) | 162,720 | 164,798 | 169,344 |
| Current group value above/(below) protected amount | (15,045) | (8,332) | (1,768) |
31. From 1 July HBRIC, on behalf of the Council, will transition the HBRC-managed fund portfolios to a new provider, Harbour Asset Management. The transition plan should see all assets transferred and re-invested by 31 July. Harbour has indicated that due to the nature of some of the assets transferred they may not be fully compliant with the SIPO initially but will work as quickly as possible to align to all SIPO requirements.
32. Financial markets have rallied to June and recovered earlier valuation falls, with the group portfolio up $11m on June 2023. The performance of all portfolios has improved this year, in part supported by all cash returns which are reinvested, leading to all gains being unrealised.
Cost of funds
33. Rolling 12 months to 30 June 2024, Gross Cost of Funds (COF) was 3.93% and Net COF was 3.83%.
HBRIC Ltd
34. In accordance with Council policy, HBRIC provides separate quarterly updates to the Corporate and Strategic Committee.
Decision-making process
35. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
35.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to:
35.1.1. Review the Council’s revenue and expenditure policies, amongst others, and the effectiveness of those policies in ensuring limited risk is generated. (1.3)
35.2. Because this report is for information only, the decision-making provisions do not apply.
Recommendation
That the Risk and Audit Committee receives and notes the Treasury Compliance Report for the period 1 April - 30 June 2024.
Authored by:
Tracey O'Shaughnessy, Treasury & Investments Accountant
Approved by:
Susie Young, Group Manager Corporate Services
Attachment 1: Treasury Policy application of bank authorities July 2024
Subject: Enterprise Assurance update
Reason for report
1. This item updates the Risk and Audit Committee (RAC) on the progress of:
1.1. the agreed corrective actions (with priority risk ratings medium and high) that respond to findings from enterprise internal assurance reviews that have been previously reported to the RAC via the Internal Assurance Corrective Actions Dashboard
1.2. the audits/reviews (including S.17a) completed and proposed for the future via the Assurance Universe Dashboard
1.3. the position of reviews for the current financial year shown on the Assurance Plan for 2023-24.
Discussion
2. The Internal Assurance Corrective Actions Dashboard is attached.
3. The corrective actions status update provides oversight to the RAC of how the actions taken to address open internal assurance findings are progressing, including total issues raised, how many closed and how many remain open. The table below is a summary of the open audits/reviews.
| Audit Performed | Review Type | Date | Total Issues raised | Issues Closed | Issues Open | Comments |
| Regional Assets | Section 17a | March 2020 | N/A | 0 | 3 | Of the remaining three actions, two are ‘on track’ and one is ‘at risk’. |
| HBRC Talent Management Report | Internal Audit | April 2021 | 8 | 7 | 1 | One remaining action is behind – This action is on-hold whilst a P&C Manager is recruited. |
4. The dashboard gives visibility of:
4.1. open findings of the milestones, the milestones completed and to be completed by the next RAC, plus the tracking status since last reported
4.2. a summary of closed actions since the last RAC report.
5. The Assurance Universe Dashboard is attached. This links enterprise reviews or audits undertaken over the past five years, the current year, and future years to an enterprise risk. Reviews and audits in the Assurance Universe include external audits, enterprise internal audits, business reviews with an enterprise focus, and section 17a reviews.
6. The Assurance Plan for 2023-24 is below. This gives a status of approved audits and the current status.
| Approved Audit FY23-24 | Provider | Quarter Due | Date Commenced | Management Comments | Reported to RAC |
| Data Analytics (2023-2024) | Crowe | Q1 | August 2024 | Startup meeting in place with Crowe with extraction expected end of August | No |
Financial and resource implications
7. The budget provided for internal assurance in 2024-2025 is $64,600.
8. Budget provisions for s.17a reviews are allocated via the budgets for the activities identified in the Assurance Universe.
Decision-making process
9. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
9.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to:
9.1.1. Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s). (2.8)
9.1.2. Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management. (3.5)
That the Risk and Audit Committee
1. Receives and notes the Enterprise Assurance update staff report.
2. Confirms that the Internal Assurance Corrective actions update report has provided adequate information on the status of the Internal Assurance Corrective Actions.
Authored by:
Olivia Giraud-Burrell, Quality & Assurance Advisor
Approved by:
Susie Young, Group Manager Corporate Services
Attachment 1: Internal Assurance Dashboard July 2024
Attachment 2: Assurance Universe 1 July 2024
Subject: Risk Management update
Reason for report
1. This item and the accompanying strategic risk report provide the Risk and Audit Committee (RAC) with a quarterly update of:
1.1. the strategic risk profile for HBRC, expressed in terms of HBRC’s purpose, strategic priorities and definition of success, together with an outline of the major areas of uncertainty/risk relating to this
1.2. the sentiment of both the Executive Leadership Team and Councillors as to the aggregate level of confidence/concern (i.e. risk rating) with respect to the strategic risk profile of HBRC
1.3. a deep dive into specific areas of uncertainty/risk, with the associated One Page Management Plans that provide transparency as to what these areas are, why these matter, what contributes to these, how these are managed and monitored, and specific actions recommended.
2. This item also provides an update on the wider external environment and specific issues for the attention of the Risk and Audit Committee, as well as a draft forward work plan (attachment 1) for discussion and feedback.
Executive summary
3. The external environment continues to impact on HBRC in terms of the political landscape, economic landscape and climate-related events.
4. Specific areas of focus since the last meeting include work associated with:
4.1. central government led priorities and the legislative reform work
4.2. the insurance renewal process and wider changes within the insurance landscape
4.3. affordability pressures related to the conclusion of the Long Term Plan
4.4. management of continued cyber security threats and resilience
4.5. the recent 26th June weather related event and impact on the Wairoa community and HBRC
4.6. engagement with the Cyclone Recovery Unit and work related to the North Island Weather Event (NIWE) Resilience Programme for delivery of Category 2 flood mitigations.
Discussion
Central Government priorities and legislative reform
5. As at mid-2024, the coalition Government continues strong momentum in its ambitious resource management and legislative reform work programme. There are ‘big ticket’ items such as the Fast-track Approvals Bill, re-setting legislation for the ‘Local Water Done Well’ programme and the three-phased reforms of the RMA. There are also a number of more focussed proposals – some new and others that remain a legacy from the previous Government. Other examples are amendments to National Policy Statements (for housing, highly productive land and renewable energy) and laws to grant 20-year extensions to existing marine farms and ports. For Hawke’s Bay in particular, there may be an ongoing need for further temporary relaxation of laws to support our recovery from the impacts of Cyclone Gabrielle.
6. The Government’s reform programme presents some opportunities for re-focussing HBRC’s own work, but it also poses risks including:
6.1. uncertainty of content and timing (e.g. how long do we continue working to the current laws, before we face a switch?)
6.2. short-term policy resets by Government impact on service delivery and environmental outcomes in our communities
6.3. increasing number and complexity of reform proposals across multiple tranches over time
6.4. whether we should invest in responding/submitting on all of these proposals, while we also need to focus on our own BAU programmes
6.5. community misunderstanding about what are the Government’s proposals and what HBRC might be proposing (or responding to)
6.6. HBRC needing to revisit some of its previous decisions (e.g. establishment of Māori Wards), reduced Crown funding for some of HBRC’s activities as a result of public sector personnel cuts, and Budget 2024
6.7. further uncertainty beyond this current term of Government if the programme will be maintained or face further U-turns by the next Government.
7. Treaty partners are increasingly feeling vulnerable given the combined effect and intent of the Government’s reforms on the role and interests of Māori in resource management.
8. The Government has initiated a targeted review of the Public Works Act 1981. The review seeks to facilitate the delivery of critical infrastructure projects.
9. The programme of work related to the Cyclone Gabrielle Category 2 risk mitigation projects, including flood protection measures, continues to progress. Pressure continues to be felt from central government, in particular the Cyclone Recovery Unit and Crown Infrastructure partners, for delivery of Category 2 Flood Mitigations. Timeframes and scheduling for delivery have limited contingency with pressure to deliver.
The insurance renewal process
10. Navigating the challenging insurance market continues to present difficulties for HBRC, namely due to the market conditions for capacity in different types of insurance and the effects that the natural catastrophes around the world in 2023 have had on the markets.
11. The global market is facing affordability issues for insurance for risks in the natural catastrophe exposed locations and pricing locally is being driven by the increasing frequency of weather-related claims as well as inflationary pressures.
12. Prior to 30 June 2024, HBRC held various insurance policies via AON, Asteron and Marsh.
13. In June Marsh advised 13 councils across New Zealand that they could no longer obtain insurance for Professional/Public Liability, citing a significant deterioration in the council claims being presented to the London Market as the primary driver for London Markets exiting this offer. This was mainly due to the professional exposure associated with building control, which is considered high risk.
14. HBRC immediately engaged with AON for an offering of this product, leveraging existing relationships. AON have provided a primary layer of cover of $15m; however, this is a significantly reduced capacity and cover from our previous $300m cover with Marsh. Further work is being undertaken to access secondary layers of protection.
15. AON holds the following policies which are due for renewal on 1 November 2024.
Forestry (Standing Timber)
Infrastructure (40%)
Contract Works
Material Damage & Business Interruption
Commercial Motor Vehicle
Commercial Marine Hull
Aviation Hull (Drone)
Travel Policy
Statutory Liability Policy
Employers Liability
Personal Accident
Crime Liability
16. From 30 June 2024, AON also holds:
16.1. Public Liability & Professional Indemnity
16.2. Harbour Masters Wreck Removal ($10m)
17. Staff are working with AON regarding the Environmental Impairment insurance and reviewing the cover required and the HBRC insurable risk that might exist. There is currently no cover in place for this and we will report back once appropriate cover is found.
18. Marsh held the following policies:
18.1. Public Liability & Professional Indemnity
18.2. Harbour Masters Liability
18.3. Environmental Impairment.
19. As of 1 July 2024, HBRC does not hold any other current policies with Marsh.
20. Asteron held the following policies:
20.1. Employee Income Protection
20.2. Employee Life.
21. Staff are still working with AON regarding further excess layers for the Public Liability & Professional Indemnity, Harbourmasters Wreck Removal and Environmental Impairment insurance following the change from Marsh.
22. Insurance renewal processes (roll over/annual reviews) for all insurance policies for HBRC are underway and will continue to renew until November 2024.
23. HBRC expects more premium increases, with lower cover due to international insurance markets.
24. Officers have begun looking at self-insurance options, our current valuation methods used across asset types and other councils’ approaches to their insurances in preparation for the impending renewal of our HBRC policies.
25. A workshop with the Risk and Audit Committee on 31 July will provide an overview of the current state of the insurance market, HBRC’s insurable risk and the nature of cover provided/sought. We would then look to confirm HBRC’s risk appetite for insurable risk with Council prior to renewal.
Long Term Plan and affordability
26. The recent Long Term Plan deliberations and rate payer sentiment have raised affordability concerns across our region. This sentiment has been felt not only across Hawke’s Bay but nationally across all of the local government sector.
27. Nationally, economists have stated New Zealand is in a state of recession, with a combination of relatively high interest rates, stubbornly persistent inflation and increasing levels of unemployment.
28. These factors have implications on HBRC in terms of the affordability of rates by ratepayers and need for strong community engagement and support, with clear narrative as to trade-off choices made and LTP priorities in the near term.
29. HBRC have budgeted ~$1.2M for the impact of rates remissions and expect that days to payment for rates may increase outwards of 90 days+.
30. To enable appropriate management of remissions and bad debts, HBRC have recruited short term assistance to manage the increasing assistance our rate payers may require with expected increase in payment plan options, and remissions.
Cyber security
31. We continue to see increased cyber activity across NZ and into our organisation. The overall focus in the industry currently pertains to human-introduced vulnerabilities as phishing becomes increasingly sophisticated.
32. At the start of June 2024, the Government Communications Security Bureau advised us of a new phishing campaign that’s targeting NZ organisations. The emails look like they originate from trusted or known contacts, thus deceiving people into clicking on them. This reinforces the need for HBRC to remain vigilant around security controls and cyber training.
33. Most recently, on 19 July, HBRC was impacted by the global IT outage as a result of the routine but faulty security software update by global firm CrowdStrike. This resulted in one of the largest operating system outages the world has experienced. HBRC experienced computer crashes (the blue screen) and inability to restart.
34. HBRC immediately triggered incident response led by the Information Technology team, manually applying fixes to desk machines, and putting in place drop-ins for staff across the weekend. There were very limited impacts as the result of the immediate response HBRC put in place.
35. Since the presentation to the RAC in April pertaining to cyber risk, further controls around staff adherence to phishing training have been undertaken:
35.1. Phishing training for new employees has been increased from 2 introduction courses to completion of all 3 introduction modules within the first 6 months of tenure.
35.2. The completion of an additional phishing training course will now be required of all staff each year, upon their annual anniversary.
35.3. Further courses and communications will be available each October, during “Cyber Security Awareness” month.
35.4. Course completion is monitored and provided to the GMs each quarter.
36. In response to this focused campaign, we have increased our Phishing training completion rates from ~50% to 71.25% over the past 8 weeks.
Issues and concerns
37. This quarter, high risk events are outlined below.
| Type | Number of High-Risk Events |
| Non-financial Risk Incidents | 1 |
| Health and Safety | 3 |
38. One significant non-financial risk incident was recorded this quarter, relating to an outage of Hilltop data display on the HBRC public website. This was deemed high risk, at that time, given the high potential reputational damage this had, with external media enquiries and community enquiries combined with a potential rain event at that time. A copy of the Post Implementation Report is attachment 2 to this report.
39. This was caused by an internal action, where an unidentified / generic external Hilltop user account was disabled, without going through standard ICT change procedures and approval processes. This action resulted in an interruption to the flow of data to the website. The issue was resolved with follow up actions taken to ensure this is not repeated.
40. Three public health and safety incidents were noted that all involved NZ Police.
40.1. An external contractor working for HBRC in Wairoa was threatened whilst on site, specifically threat to life and tried to the contractor’s boat. Police were called at the time with immediate escalation. Increased communication with Police, Wairoa District Council, local Iwi and Community Groups has been undertaken.
40.2. Late one evening in June the HBRC Dalton Street security card readers were intentionally smashed from fittings. Police were notified immediately with the sharing of security footage. The offender was caught and charged. Card readers were immediately fixed with reminders sent to all staff regarding the need for vigilance when entering and exiting buildings.
40.3. HBRC has received and continues to receive threatening messages, notably one threatening email suggesting harm and a bomb threat, which was received through the info@HBRC email address. This was immediately notified to the Chief Executive and reported to Police via 105 Police Report. Police Intelligence Unit conducted a sophisticated search and found no matches for the email supplied and were unable to identify a source or who sent the email. As a result, a security guard has been placed in HBRC reception. Dealing with Aggressive People training has been undertaken by CX/Reception staff.
Assurance Activities
Security Reviews
41. For sensitive data (held on-premise but residing outside of our core enterprise stack), we requested a review of data security and access controls.
41.1. Rates (MagiQ): All user access is controlled at a role-level, with read-only access provided where needed.
41.2. HR (Sharepoint): A review of user access to the P&C folders has been completed, and access streamlined to critical users only.
Audits
42. This quarter saw two separate audits undertaken.
Information Management
43. This audit was conducted by Increment (funded by Microsoft) across HBRC’s data and information management policies, with a focus on data classification, how to then manage the storage and sharing of documents labelled ‘confidential’ or ‘restricted’, and record retention and disposal.
44. This is an area which has not been addressed within HBRC over the past few years, as the Information Management role within the organisation has not been funded.
45. Unsurprisingly, this highlighted several known issues in our Information Management space regarding the use of metadata, rules around storage and sharing of documents with specific classifications, and lack of retention & disposal.
46. ICT has received approval for a Fixed Term 1-Year Information Management role in FY24/25 to work through these recommendations and provide an initial IM framework. This is expected to occur in early 2025.
External Security
47. This complimentary audit, conducted by Orange Cyberdefense, was a 1-week trial of their external attack programme, which seeks to find vulnerabilities in our external facing network.
48. HBRC obtained ‘Hero’ status, with only 3 prioritised findings relating to dead-link sites on the HBRC website. These have been addressed.
Financial Reviews
49. Ernst and Young is currently preparing for the HBRC onsite audit review.
50. Next quarter will focus on preparing for the annual security audit with EY. This is scheduled for Sept/Oct 2024.
51. A forward workplan is attached as Appendix 2 outlining tasks that the Risk and Audit Committee will undertake aligned with the Terms of Reference for clarity.
Independent Flood Review
52. At the time of submission of this paper, the independent review into the performance of all HBRC-owned and operated flood protection, control, and drainage schemes during Cyclone Gabrielle (HBIFR) was released.
53. On 24 July the Council received the report on the HBIFR from the panel, noting that the range of recommendations from the review will be considered in detail by the Executive Leadership Team in conjunction with flood scheme reviews and mitigation works currently under way.
Decision-making process
54. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that:
54.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to provide advice and recommend actions, responses, and changes to the Council about risk management, assurance activities, governance oversight and internal control matters, including external reporting and audit matters. Specifically, this includes:
54.1.1. The robustness of Council’s risk management systems, policies, practice and assurance processes. (1.1)
54.1.2. Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the Council’s significant risks in place. (2.1)
54.1.3. Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks. (2.2)
54.2. Because this report is for information only, the decision-making provisions do not apply.
That the Risk and Audit Committee receives and considers the Risk Management update staff report.
Authored by:
Jess Bennett, Programme Finance & Controls Manager
Katrina Brunton, Group Manager Policy & Regulation
Karina Campbell, Strategic Advisor
David Nalder, Acting Risk Manager
Approved by:
Susie Young, Group Manager Corporate Services
1. Risk & Audit Committee forward work plan
2. 21 May 2024 Hilltop Data Display Incident Report
Subject: Strategic risk deep dives
That the Risk and Audit Committee excludes the public from this section of the meeting, being Agenda Item 7 Strategic risk deep dives with the general subject of the item to be considered while the public is excluded. The reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are:
General subject of the item to be considered | Plain English reason for excluding the public | Rationale | Grounds under section 48(1) for the passing of the resolution
Strategic risk deep dives | s7(2)(j) to prevent disclosing information that could be used for improper gain or improper advantage. | To prevent information about Council’s critical controls being accessed. The public interest is protected by not allowing the information to be accessed by anyone outside the organisation. | The Council is specified, in the First Schedule to this Act, as a body to which the Act applies.
Authored by:
David Nalder, Acting Risk Manager
Approved by:
Susie Young, Group Manager Corporate Services
Subject: Wairoa Flood Event reviews
1. That the Risk and Audit Committee excludes the public from this section of the meeting, being Agenda Item 8 Wairoa Flood Event reviews with the general subject of the item to be considered while the public is excluded. The reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are:
General subject of the item to be considered | Reason for passing this resolution | Grounds under section 48(1) for the passing of the resolution
Wairoa Flood Event reviews | The matters being discussed may potentially be the subject of litigation and the Council has engaged legal advisors to provide advice on associated issues. In relation to the public interest, the fact that reviews are under way has been widely shared by the Council and by the media so it is considered the public interest has been served in that way. | s7(2)(g) Excluding the public is necessary to prevent disclosure of information that is legally privileged.
2. That Kent Perry – Partner, Heaney & Partners – be permitted to remain at this meeting, after the public has been excluded, because of their knowledge of the law. This knowledge, which will be of assistance in relation to the matter to be discussed, is relevant to that matter because they are representing HBRC in legal proceedings.
Authored by:
Matt McGrath, Chief Legal Advisor
Approved by:
Susie Young, Group Manager Corporate Services
Subject: Confirmation of Public Excluded Minutes of the Risk & Audit Committee meeting held on 1 May 2024
That the Risk & Audit Committee excludes the public from this section of the meeting being Confirmation of Public Excluded Minutes Agenda Item 9 with the general subject of the item to be considered while the public is excluded. The reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are:
General subject of the item to be considered | Rationale for passing this resolution | Grounds under section 48(1) for the passing of the resolution
Incident report - Payroll Holidays Act compliance | The information contained in this paper may result in both industrial negotiations with affected staff members and commercial negotiations with the vendor of the TechOne product. The premature disclosure of information contained in the paper may prejudice the position of HBRC in such negotiations. The paper also contains information derived from legal advice provided by in-house and external counsel. Inclusion of such material in public-facing papers is likely to prejudice the free-flow of information and advice in-confidence with HBRC’s legal advisors. While there may be public interest in this matter, as it relates to the expenditure of public monies, such public interest is unlikely to outweigh the justifications for withholding the information. The public interest may be satisfied by the matter being reported on, with legally privileged material removed or redacted once the public disclosure of these matters would not affect these industrial and commercial positions. Moreover, relevant disclosures of these matters will be made to the appropriate unions, satisfying the need to ensure accountability in HBRC’s dealings with staff. | s7(2)(g) Excluding the public is necessary to prevent disclosure of information that is legally privileged; s7(2)(i) Excluding the public is necessary to enable the local authority holding the information to carry out, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations)
Strategic risk deep dives | To prevent information about Council’s critical controls being accessed. The public interest is protected by not allowing the information to be accessed by anyone outside the organisation. | s7(2)(j) Excluding the public is necessary to prevent the disclosure or use of official information for improper gain or improper advantage
Authored by:
Leeanne Hooper, Team Leader Governance
Approved by:
Desiree Cull, Strategy & Governance Manager