Agenda of Risk and Audit Committee - Wednesday, 23 October 2024

Hawke’s Bay Regional Council

Risk and Audit Committee

23 October 2024

Subject: Risk Management update

Reason for report

1. This item provides the Risk and Audit Committee (RAC) with a quarterly update of:

1.1. the strategic risk profile for HBRC, expressed in terms of HBRC’s purpose, strategic priorities, and definition of success, together with an outline of the major areas of uncertainty/risk relating to this.

1.2. the sentiment of both the Executive Leadership Team and Councillors as to the aggregate level of confidence/concern (i.e. risk rating) with respect to the strategic risk profile of HBRC.

2. This item also provides an update on the wider external environment and specific issues for the attention of the Risk and Audit Committee, as well as a draft forward work plan (attachment 1) for discussion and feedback.

Executive summary

3. The external environment continues to impact on HBRC – both in terms of the political landscape, economic landscape, and climate-related events.

4. Specific areas of focus since the last meeting include work associated with:

4.1. Continuing to embed the strategic risk approach across HBRC

4.2. Drawing out the key HBRC-wide internal controls from each of the one-page risk plans and aggregating this so that there is a common view of the critical controls within HBRC and sources of monitoring, oversight and assurance related to these

4.3. Defining key risks related to the NIWE Flood Resilience Programme at both a programme-wide strategic risk level, and project specific delivery risk level

4.4. Updating Business Continuity Plans and Emergency Management Procedures for the organisation

4.5. Developing a supporting ICT Business Continuity Plan and associated Disaster Recovery Plans

4.6. Commissioning or completing external assurance over areas such as financial transactions, cyber security and ICT operational infrastructure.

5. Updates are provided on specific matters including:

5.1. An incident related to patched gang members entering the Council Chamber

5.2. A potential issue associated with the subsidised Public Transport Targeted Rate

5.3. Remediation of historical holiday pay calculation issues

5.4. Public health and safety incidents related to aggressive public behaviour directed at staff

5.5. Health and safety incidents relating to the towing of trailers.

Discussion

External – Wider External Context

Legislative and regulatory changes

6. In July, Prime Minister Christopher Luxon’s publicly challenged local government “to rein in the fantasies and to get back to delivering the basics brilliantly” as part of central governments’ focus on fiscal restraint. This was after their statement that communities’ economic, social, environmental and cultural wellbeing are to be removed from the Local Government Act.

7. In September the Government announced plans for the Resource Management Act replacement with two acts – one focused on driving urban development and infrastructure and the other on managing environmental effects.

8. 149 projects across New Zealand eligible for the NZ Government’s fast track legislation were announced in early October

9. The legislation has proven controversial since it was first announced. Initially, it gave three ministers final sign-off over what projects would be fast-tracked, while perception was it didn’t put enough weight on the environmental impacts of potential developments.

NIWE Flood Resilience Programme

10. There continues to be challenge and focus from central government on our ability to deliver critical category 2 flood mitigation. The NIWE team has put in place measures to provide assurance to our Council that effective and transparent processes are in place.

11. A successful request for proposal has been completed for the Preferred List of Suppliers for the NIWE Land Category earthworks projects (total value c$100-120m). A larger pool A ($20m+) and pool B (less than $20m) is complete. A Probity Officer is now in place to provide oversight and challenge for this programme. A further process is now underway for pump station work.

12. The Programme Steering Committee has changed memberships; namely the CEO of Crown Infrastructure Partners, the HBRC CEO, and Crown Manager are now attending members for oversight, challenge and review of the programme. These memberships supplement the existence of an independent specialist and Group Manager Corporate Services.

Internal Council Operating Environment

Risk management

13. HBRC continues to work on increasing the maturity of risk management and internal controls across the organisation. The focus of work to date has been to:

13.1. Define ‘risk’ in terms of the major areas of uncertainty related to the purpose, commitments and priorities of HBRC (as set out in the Long-Term Plan), provide a simple and easy to use way of articulating this through the HBRC Enterprise Risk Dashboard.

13.2. Develop one page management plans for each of the areas of uncertainty (i.e. strategic risk) that enable a consistent understanding of:

13.2.1. what this area of risk is

13.2.2. why it matters in terms of the opportunities/threats this presents to HBRC

13.2.3. what contributes to this and how this is managed through HBRC internal control environment

13.2.4. how this is assured

13.2.5. to draw out any gaps, areas of improvement of actions to strengthen risk management in this area.

14. The collective assessment of ELT and councillors as to HBRC’s strategic risk profile is shown in the attached HBRC Enterprise Risk Dashboard.

Progress on Independent Reviews

15. Consolidation and oversight of review findings is underway and will be managed via the following Council meetings.

Third Party Reviews

HBIFR, & Wairoa Flood Review (Mike Bush and Independents)

HBRC response to Flood Reviews is being collated and managed as a Programme of work within Asset Management. 53 recommendations have been assessed, and actions plans are being put in place to address.

Regular reporting will be completed monthly through to HBRC Full council. The last full update was provided to HBRC in August 2024.

CDEM

An independent consultant (Matt Boags) has been appointed as transformational manager for the CDEM reviews. These will be managed and overseen through the CDEM Joint Committee.

Key internal controls and assurance

16. Work has started to define and document the key aspects of HBRC’s internal control environment. In this work reference has been made to the industry standard lines of defence (also known as three lines) model as defined by the Institute of Internal Auditors (IIA) and endorsed by the Office of the Auditor General (OAG), where there is a distinction between:

16.1. Actions and controls that directly manage risk and ensure HBRC delivers on its objectives (first line roles)

16.2. Supporting monitoring and oversight to ensure these actions and controls are effective and to challenge of risk related matters (second line roles)

16.3. Independent and objective assurance and advice (third line roles).

17. Critical controls have been defined in the following broad areas:

Purpose	Examples of critical HBRC-wider internal controls
Sets expectations Ensures staff understand what is expected of them and that they are clear on their authority to act	Critical controls include:  Policies and procedures  Delegations of authority  Segregations of duties  Strategic and annual planning
Delivers on expectations Supports operational delivery and ensures work performed is managed appropriately, in line with expectations set	Critical controls include:  Stakeholder engagement and communication  Funding, budget setting and financial management  People management  Health, safety, and wellbeing management  Procurement and vendor management  Project delivery and change management  Flood protection asset management  Corporate asset management  Investment management  Information, record and data management  Technology and communication management  Physical security and site access management  Logical security and system access management  Business continuity and disaster recovery management
Ensures expectations are met Checks that actions taken and work delivered is consistent with the expectations set above	Critical controls include:  Regulatory compliance management  Corporate compliance management

Purpose

Examples of critical HBRC-wider internal controls

Sets expectations

Ensures staff understand what is expected of them and that they are clear on their authority to act

Critical controls include:

 Policies and procedures

 Delegations of authority

 Segregations of duties

 Strategic and annual planning

Delivers on expectations

Supports operational delivery and ensures work performed is managed appropriately, in line with expectations set

Critical controls include:

 Stakeholder engagement and communication

 Funding, budget setting and financial management

 People management

 Health, safety, and wellbeing management

 Procurement and vendor management

 Project delivery and change management

 Flood protection asset management

 Corporate asset management

 Investment management

 Information, record and data management

 Technology and communication management

 Physical security and site access management

 Logical security and system access management

 Business continuity and disaster recovery management

Ensures expectations are met

Checks that actions taken and work delivered is consistent with the expectations set above

Critical controls include:

 Regulatory compliance management

 Corporate compliance management

18. RAC can expect to see ongoing assurance activities through this committee as appropriate through both internal and external assurance mechanisms.

Compliance Management

19. HBRC has committed to enhancing oversight and assurance mechanisms of how to demonstrate compliance with corporate legal compliance obligations, e.g. the Privacy Act, Local Government Act, Resource Management Act, etc.

20. Discussions are underway with an external company called ComplyWith, used across many other Council entities. The appointment of a Senior Solicitor will drive this solution in FY25.

Business and ICT continuity management

21. HBRC has proactively updated the Business Continuity and Emergency Procedures documentation. There is a legislative requirement for HBRC to support the GECC in an emergency, and council staff have been providing certainty of essential functions (and names) that need to support HBRC, and those that will be able to be seconded to the GECC in an event. Plans are underway to address any shortfalls in the required FTE (on a rotational basis) including options to outsource or form engagements with other regional areas to supplement resourcing and SME requirements.

22. HBRC plans to proactively be part of the ‘shake-out exercise on 24 October. After this exercise a drop-in meeting room will be used to enhance the internal knowledge of how the BCP and Emergency procedures apply to all staff and improve knowledge.

23. The above has been supplemented with an internal ICT Business Continuity Plan (BCP) and a Disaster Recovery (DR) Plan. This confirmed the inherent resilience provided by our cloud infrastructure, however, some improvements have been identified to further bolster our ability to continue critical operations in the event of a significant event.

24. On 18 September, the Information Computer Technology (ICT) team held an ICT incident simulation. Under false pretenses, ICT gathered all the members of the Critical Response Team (CRT) and presented them with an outage scenario whereby all access in and out of 159 Dalton had been cut. This was a valuable exercise and will now be added on a bi-annual basis to our operational calendar. The lessons arising from this have also been added to our Incident Response Plan. In cooperation with the Hydro and Asset Management teams, Phase 2 of the review is now extending out of ICT into other critical technical infrastructure such as Hydro and Pumped, with some good resilience improvements already underway.

Health, Safety and Wellbeing Management System (HSWMS) Update

25. Risk work continues the HSWMS. This includes aligning the system with the requirements of ISO45001 and ensuring that other activities undertaken across HBRC are integrated within the HSWMS, e.g., the one-page management plans referred to under the heading: Internal Council Operating Environment – Risk Management (point 13) and Key internal controls and assurance (points 16 and 17).

26. HBRC’s Health, Safety and Wellbeing Committee (HSWC), is managing HBRC’s ‘shake-out’ and subsequent Hikoi exercise as mentioned under the heading: Internal Council Operating Environment - Business and ICT continuity management (point 21). Management of this exercise forms part of the HSWC’s annual objectives and is included as part of the overall performance of the HSWMS.

27. Progress to align the HSWMS with ISO45001 continues. The HSW team has developed their 2024-2027 strategy, and workplan. HSWMS performance metrics have been defined and reported to ELT. Reporting will occur quarterly with an annual review of the HSWMS set to occur each June. The HSWMS will be externally reviewed every two years, with the next review due in November 2025. This will be undertaken by ECAAS, who conducted the previous review.

28. The requirement to consult with workers exists under the Health and Safety at Work Act and are further defined under ISO45001. In effect this means that all changes to align the HSWMS must go through the worker consultation process. As the HSWC is Council’s main worker engagement mechanism, the HSWC, along with relevant subject matter experts (SMEs) have been and continue to be, important stakeholders in this process.

Key strategic risk themes

29. Each month, the Executive Leadership Team provides their perspective as to the relative level of confidence or concern related to the major areas of uncertainty/risk reflected in HBRC’s strategic risk profile. This enables ELT to consider are where there is shared concern, a divergence of viewpoints or significant change from prior periods. The most recent ELT sentiment is provided in the appendix.

30. Similarly, each quarter, Councillors are invited to provide their perspective on these strategic risk areas. Five Councillors took the opportunity to do so this quarter.

31. The results of this ‘sentiment survey’, reflecting the collective views of ELT and Councillors, highlights the following:

31.1. There is a relatively high level of alignment of views across the ELT which contrasts to a quite low level of alignment of views amongst Councillors. This indicates that, while ELT has a relatively consistent view on the state of HBRC’s priorities and risks, Councillors do not.

31.2. The effectiveness of communication, consultation and engagement continues to be an area of high interest and concern, particularly with respect to HBRC’s reputation, connection with communities, Wairoa relationships, media portrayal, and clarity of message re choices, constraints and rationale for decisions made.

31.3. There is a shared level of confidence across ELT and Councillors in the effectiveness of funding and financial management.

31.4. The area where there is a greatest difference between the perspective of ELT and Councillors related to the effectiveness of emergency management.

Significant Events

32. This quarter, high risk events are outlined below.

Type	Number of Medium/High-Risk Events
Non-financial Risk Incidents	2 (1)
Health, Safety and Wellbeing	3

33. Additionally, we continue to address historical holiday pay issue with PricewaterhouseCoopers engaged to assist with remediation. We expect to have this issue addressed by February 2025.

Gang insignia

34. On 28 August 2024, patched Mongrel Mob members entered the Hawke’s Bay Regional Council chambers public meeting (in relation to the vote to keep Māori constituencies). The Group (circa 6 members) came into the meeting late and sat at the front of the Chamber. At the time, albeit late arrival, their attendance was uneventful and no issues arose. However, the attendance of patched members drew negative public feedback, including the receipt of a letter from the Minister of Local Government. The public display of gang insignia within public buildings, including the Council Chambers, is illegal. The Prohibition of Gang Insignia in Government Premises Act 2013 clearly prohibits the wearing or display of gang patches or insignia in public buildings, including those owned by local authorities, to uphold the safety and integrity of these spaces.

35. Feedback given to the Minister was that it was certainly not the intent of the Council to celebrate gang culture and those in the Council at the time were concerned about not escalating the situation given the number of people in our chamber. HBRC reviewed pictures of the event immediately after the Council meeting and removed those with gang insignia in them from our social media accounts. This was a first-time occurrence for us in a Council meeting. Actions undertaken post this event include:

35.1. Putting signage at the entrance to our Council building about the law and gang insignia

35.2. Ensuring our social media staff understand the law in relation to insignia

35.3. Looking at additional security to assist with large meetings

35.4. Briefings to committee chairs on the law

35.5. Ensuring we continue to have a strong working relationship with police

35.6. The maximum capacity of our chambers is 85 pax and, for larger meetings, a proactive count measure will be put in place.

36. Napier City Council held a similar meeting a week later and under the guidance of the HSW and facilities teams, HBRC took proactive measures to engage local Māori Wardens, Police and community assist staff to ensure public safety.

Subsidised public transport targeted rate

37. As part of the recent issue of Rates invoices, a potential issue with the Subsidised Public Transport targeted rate (PTTR), adopted on 10 July 2024 was identified. The Council’s financial modelling regarding the PTTR was based on a wide geographic area being rated for public transport activities. However, in the consultation documents provided to the public, and in the Council staff advice provided to elected members, two rating valuation rolls (the Specified Rolls) were unintentionally excluded from the maps showing the area to be rated. Residents on the Specified Rolls have since been invoiced for the PTTR, and some of those residents have complained that the PTTR should not apply to them given that they were not part of the rating proposal put out to the community. Legal advice received highlighted that the Revenue and Financing Policy effectively excludes the two rolls, so HBRC has reissued those invoices without the public transport rate – a proposed loss of revenue of $157k.

Holiday pay

38. PricewaterhouseCoopers continues to work through the Holiday Pay calculation and errors. This was first identified and scoped in April 2024. The recalculation is complex and has been hindered with data issues obtaining required data points from TechOne. However, PWC have made good progress such that we are expecting the draft preliminary number for total errors in October 2024. Health, Safety and Wellbeing

39. Three Health, Safety and Wellbeing incidents that have involved the public have been identified pertaining to negative public feedback, aggressive in nature. Namely:

39.1. A member of the public came in to pay rates, suggested they would bring a balaclava and shotgun in if rates go up again. The ratepayer was annoyed but staff felt like it was a throw away comment.

39.2. Email received from a member of the public regarding HBRC payments being collected through Debt Collection Agency specifically referencing HBRC as ‘scum’ linking HBRC to suicide rates.

39.3. Dalton Street Reception. Member of the public, and a total mobility card holder was yelling, abusive and demanding HBRC speak to the taxi drivers regarding the use of his card as it was peeling.

40. In all instances corrective actions were undertaken, such as a formal letter sent to the individual to outline HBRC expectations for appropriate communication when engaging with our staff and the continued use of his card within the parameters of the programme. Also, the HSW team continues to manage and coordinate relevant training, e.g., dealing with aggressive people and Psychological First Aid. Training is delivered to front-facing staff with CX/Reception, Debt Recovery staff included, the HSWC, and relevant support staff such as People & Capability. Any threat to life will be automatically referred to the Police for further investigation.

41. Three medium events have occurred pertaining to towing trailers; the most serious of which was a CDEM staff member towing the Mobile Emergency trailer. A ‘puff’ of smoke was seen to come from rear of the trailer with a fire in the trailer a short time afterwards, which was subsequently put out using CO2 fire extinguisher. There was no immediate threat to life however this incident had to be reported to WorkSafe NZ under the legislation. Central Hawke’s Bay District Council took responsibility, given they manage the asset, completed the investigation, signed off by the CHB CE, notified and forwarded to HBRC. This was closed out with No Action (as expected).

Assurance Activities

42. There are several internal audits, independent assessments and external assurance reviews that routinely take place over aspects of HBRC’s operations and controls. We draw the Committee’s attention to the following work planned or completed:

Data analytics review of transactions

43. The annual review of Data Analytics is underway across Hawke’s Bay Regional Council and expected to be completed by November 2024. The objective of this review is to perform specified tests to detect suspicious transactions and master data. The testing areas are payroll and accounts payable payments and master data. Specific tests look for, and not limited to, duplicate payments, vendors, payments without purchase orders or multiple purchase orders raised on a single day, and payments made to vendors that are deactivated. An update will be made to this Committee at the next meeting.

Review of ICT operational infrastructure

44. In October, with our CCL partners (a Spark subsidiary), HBRC conducted a thorough audit of our operational infrastructure encompassing public cloud, in-country hosted cloud and on-premises infrastructures. The main objective is to provide HBRC with visibility of our current IT environment, hosted services, potential cost savings, current good practices, and risks. The report has identified a few cost-saving and infrastructure-optimising recommendations, as well as some risks to investigate further. A plan will be developed to work through these, with remedial action expected to start from January-2025 (when our Infrastructure Engineer is onboarded).

Cyber Security Audit

45. We are in the process of commissioning a review of our cyber security management practices from Ernst Young and have received their Statement of Work. The intent is to use this first audit to benchmark HBRC’s cyber security practices against relevant industry peers, and provide key recommendations where weaknesses are identified. The audit absorbs all of the cyber security budget for this financial year ($60k), so we will action remediation actions internally, or fund via other infrastructure budget, or defer until next financial year if feasible. The audit is expected to commence in November.

Quality Management Systems revalidation audit

46. ISO cert – revalidation. This is an External Audit – Management System Assessment Report, produced by Telarc. The scope includes the provision of local government services to the Hawkes Bay Regional Council from the following teams: Environmental Science, Environmental Information, Consents, Compliance and Harbourmaster and the activities of the Works Group including Civil Construction, Asset, and Infrastructure Maintenance.

Outstanding audit issues and recommendations

47. All recommendations from prior audit and assurance reviews undertaken are formally captured and progress to address these recommendations monitored. The following table provides an update on progress in this area:

Audit Performed	Review Type	Date	Total Issues raised	Issues Closed	Issues Open	Comments
Regional Assets	Section 17a	March 2020	N/A	0	3	Of the three remaining actions, two are on track and one is at risk.
ISO45001 - ECAAS Certification’s Gap Analysis	Review	30 November 2023	19	6	13	All actions on track
Organisational Change Consolidation and Prioritisation	Internal Audit	July 2025	5	0	5	Priority has not been given currently to addressing issues within this report, as resource reallocated to other priority work. It is expected these actions will be picked up in 2025.

Decision-making considerations

48. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that:

48.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to provide advice and recommend actions, responses, and changes to the Council about risk management, assurance activities, governance oversight and internal control matters, including external reporting and audit matters. Specifically, this includes:

48.1.1. The robustness of Council’s risk management systems, policies, practice and assurance processes. (1.1)

48.1.2. Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the Council’s significant risks in place. (2.1)

48.1.3. Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks. (2.2)

48.2. Because this report is for information only, the decision-making provisions do not apply.

Recommendations

That the Risk and Audit Committee receives and considers the Risk Management update staff report.

Authored by:

Jess Bennett

Programme Finance & Controls Manager

Katrina Brunton

Group Manager Policy & Regulation

Karina Campbell

Strategic Advisor

David Nalder

Acting Risk Manager

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

1 ⇩

HBRC Enterprise Risk Dashboard September 2024

Specific responsibilities	July 2024 (last meeting)	October 2024 (this meeting)	February 2025 (next meeting)	May 2025
Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the Council’s significant risks in place	Risk Management update	Risk Management update	Risk Management update	Risk Management update
Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks	Strategic risk deep dives: 1. Effectiveness of funding and financial management 2. Coordination and connectedness of activity and decision-making across HBRC 3. Extent to which we understand expectation needs of our community 4. Effectiveness of the NIWE Resilience Programme Wairoa flood event reviews	Summary of HBRC wide critical controls, risks these relate to, monitoring and assurance activities	Suggested future focus of Internal Audit programme, aligned to critical controls. Control Testing – 4-5 tests.	Control Testing – 4-5 tests.
Review the effectiveness of the system for monitoring the Council’s compliance with laws (including governance legislation, regulations and associated government policies), Council’s own standards, and best practice guidelines, including health and safety	Health and Safety Framework review – proposal foward.	Overview of HBRC’s compliance management approach, adoption of ComplyWith and deep dive into the strategic risk related to legislative and regulatory compliance by HBRC
Consider the appropriateness of the Council’s existing accounting policies and principles and any proposed changes		Undertaken in conjunction with external audit (Ernst and Young)
Satisfy itself that the financial statements and statements of service performance are supported by adequate management sign-off and adequate internal controls	Treasury Compliance Report
Confirm that processes are in place to ensure that financial information included in Council’s Annual Report is consistent with the signed financial statements
Confirm the terms of appointment and engagement of external auditors, including the nature and scope of the audit, timetable, and fees		To be completed in conjunction with finalisation of FY24 Financial Audit	Appointment of the External Financial Auditors Confirmation of the External Audit plan

Specific responsibilities	July 2024 (last meeting)	October 2024 (this meeting)	February 2025 (next meeting)	May 2025
Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s)	Enterprise Assurance update, including: 1. Corrective action status update 2. Assurance universe	External Audit report	Internal audit report on data analytics review of accounts payable and payroll ISO9001 review of quality management system	Internal audit report on procurement Annual NZTA / Waka Kotahi financial and activity audit report
Enquire of internal and external auditors any information that affects the quality and clarity of the Council’s financial statements and statements of service performance, and assess whether appropriate action has been taken by management in response to this		External Audit report
Conduct a Committee members-only session with Council’s appointed Auditors to discuss any matters that the auditors wish to bring to the Committee’s attention and/or any issues of independence		External auditor only session, with Ernst & Young	Internal auditor only session with Crowe Horwath
Review and recommend to Council the approach to insurance strategy and placements as part of its risk management practices	Workshop: HBRC Insurance arrangements (facilitated by AON)		Update on November 2024 insurance renewal process/QA over renewals

Hawke’s Bay Regional Council

Risk and Audit Committee

23 October 2024

Subject: Port and Harbour Marine Safety Code Review

Reason for report

1. This item provides the Risk and Audit Committee with information on the Regional Council’s compliance with the Port & Harbour Marine Safety Code. It includes the findings and corrective actions.

Executive summary

2. This report outlines the key findings, recommendations, and conclusion from the audit conducted on 27 and 28 March 2024.

3. The objective of the audit was to assess the adequacy and effectiveness of internal controls, operational efficiency, and compliance with the provisions of the Port and Harbour Marine Safety Code (the Code). The audit focused on specific areas of the Council’s management of the port and harbour.

4. The methodology included reviewing documentation, conducting a site visit, and assessing the effectiveness of the Council’s risk assessment and safety management system as it applies to Hawke’s Bay regional waters.

5. Key findings include:

5.1. Policies and procedures are aligned with the principles of the Port and Harbour Marine Safety Code

5.2. The risk assessment and safety management system are fit for purpose and adequately address the scope and scale of both commercial operations and recreational activities within the region

5.3. Collaboration between the maritime stakeholders in the region is excellent. There are regular meetings and forums with commercial and recreational organisations

5.4. The Harbourmaster’s office is understaffed for the size of the region and scale of operations

5.5. The Harbourmaster’s office should engage with the Councillors on a regular basis regarding maritime affairs/risks, which have implications on marine pollution, infrastructure, and regional commerce

5.6. The Hawke’s Bay Regional Council is far too reliant on external contractors and the HB Coastguard (volunteer organisation) to satisfy regulatory functions and remains the only Council that does not have a Harbourmaster vessel.

6. Recommendations include:

6.1. Conduct a risk assessment to determine the number of staff required to adequately manage maritime safety within the region

6.2. Acquire a Harbourmaster vessel that can be utilised for on-water compliance, emergency response, maritime safety maintenance and pollution response

6.3. Minimise the use of external contractors for regulatory and maritime safety functions.

Background

7. The Port and Harbour Marine Safety Code is a tripartite agreement between Maritime New Zealand, regional councils, and Port companies. The Code provides a standard for maritime operations within the respective regions to ensure that commercial and recreational water users can operate safely.

8. It involves a high level of collaboration between Code signatories to ensure that all operations comply with the applicable legislations, safety management systems, risk analysis/assessments, and standard operating procedures. The foundation of the Code is based on the identification, mitigation, and management of all maritime risks.

9. A panel representing the signatories conduct audits of the councils and port companies to determine if the operations, documentation, policies, and practices are aligned with the principles of the Code.

Strategic Fit

10. Maritime Safety and compliance with the Port and Harbour Marine Safety Code are connected to the core focus areas of the Strategic Plan of water safety and infrastructure services. Napier Port is a key regional asset, damage to critical port infrastructure would have a severe impact on regional trade and commerce. Ensuring our Maritime Safety operations, documentation, policies, and practices are aligned with the principles of the Code helps to protect the marine environment and this regionally significant asset.

Discussion

Focus areas and findings

11. Organisational Structure – It was noted that the organisational structure was aligned with many other regional councils. The majority of Harbourmasters across the region are tier three managers. The panel was pleased with the expression of commitment to the Code that was made by the Group Manager for Policy and Regulation and commended the fact that the Council had a structure that was functioning well. The panel was interested in the visibility of the Harbourmaster and maritime safety matters to other areas of council, particularly around some of the issues being faced nationally. There should be more interaction with Councillors regarding maritime issues and the implications both regionally and nationally.

12. Collaboration – The collaboration was assessed both internally and externally. The Harbourmaster’s Office was observed to have great collaboration with other areas of council, specific attention was drawn to departments within the Policy and Regulation group such as Compliance, Consents and Policy, and extended to ICM, Assets and Corporate Services. External collaboration with commercial and recreational stakeholders was also assessed as being positive. It was noted that there is room for increased collaboration with local Iwi.

13. Aids to navigation – The Harbourmaster is responsible for the installation and maintenance of a variety of aids to navigation within the region. This includes navigation buoys, navigation lights, navigation leads, demarcated access lanes, and the associated signage as reflected in the Navigation Safety Bylaw. The processes were aligned with the undertaking; however, the Council is heavily reliant on contractors to carry out maintenance. This is identified as a risk that needs to be mitigated - aids to navigation have a direct impact on the safety of lives and the environment.

14. Memoranda of Understanding (MoU) – The Council currently has two memoranda of understanding in place, one with Napier Port and the other with Napier City Council. The delineation of responsibilities, management of assets, and incident response are some of the key areas outlined in the MoU. The Napier City Council MoU is due to be updated based on a change to the fees and charges between the councils.

15. Council resourcing – The Harbourmaster’s office is understaffed for the requirements of the region. The Hawke’s Bay region has the second largest export port by volume in the North Island, a commercial Inner Harbour and rocket launching/recovery operations that are all regulated and monitored by the Harbourmaster’s office. In addition, there are a variety of recreational activities within the region that are regulated by the Harbourmaster’s Office using primary and secondary legislation. Harbourmaster’s offices across the country of a similar scale have a minimum of five staff which usually includes a Harbourmaster, Deputy Harbourmaster, and three Maritime officers. It was also noted that the region does not have a Harbourmaster vessel and is the only one in the country without one. This raises questions as to the Council’s ability to effectively respond to incidents, adequately monitor and enforce compliance with maritime legislation, respond to maritime emergencies, and respond to marine pollution, all of which the Council has a statutory responsibility to fulfil. This is a significant risk for the Council and would be the subject of investigation in the event of an adverse occurrence.

16. Incident/Emergency management – There are robust procedures in place for the management of incidents, near-misses, accidents, and emergencies. Evidence of that was demonstrated for both commercial operations and recreational activities within the region. Examples of these were vessel groundings, sinkings, collisions, fire, engine failures and steering gear failures. The incidents were managed in a way that mitigated or averted adverse outcomes. However, it must be re-emphasised that the Harbourmaster was heavily reliant on the use of external contractors as well as the Coastguard, which is a volunteer service, to carry out this response. These incidents also involved or could have involved marine pollution. This puts the Council in an untenable position if these external parties are unavailable or unfit at the time of an incident.

17. Stakeholder meetings – The Harbourmaster, Maritime New Zealand, and Napier Port representatives meet at least monthly to discuss maritime issues. Meetings are also held ad hoc in response to any situations that arise. The Harbourmaster also meets with other commercial and recreational clubs/organisations, and key stakeholders around the region on a regular basis.

18. Policies and processes – The software utilised by the Harbourmaster’s Office for document storage/management adequately incorporated the provisions of the Code. There were clear links to the implementation, management, and review of policies and procedures. This is an excellent tool and will be recommended other Councils during future reviews.

19. Hydrographic surveys and dredging – Adequate measures were demonstrated for risk mitigation associated with hydrography. The Harbourmaster’s Office oversees the dredging and survey programmes for Napier Port and Napier City Council. There are clauses in the respective MOU that outlines the responsibility for maintenance dredging in high-risk areas. There are also policies that address the frequency of dredging and surveys. Evidence was shown of the most recent dredging and survey campaigns within the region. Surveys and dredging were also undertaken post cyclone to ensure that the region could safely accommodate vessel movements, this prevented shipping delays and assisted the recovery of the region.

20. Anchorage – The Harbourmaster is responsible for the designation, management, and maintenance of the anchorage areas used by commercial ships within the region. Measures to ensure that the depths and nature of the seabed were accurately depicted on navigational charts and in navigational publications were adequately demonstrated. The Harbourmaster utilises the Vesper-Garmin Automatic Identification System (AIS) to monitor ships at anchor as well as vessel movements within the region. It was discussed that there would be upcoming changes to the designated areas and a new procedure would be implemented to further reduce risks and optimise the use of the anchorage areas.

21. Marine Pollution Response – The Pollution Response Team, which falls within the Compliance Group manages marine pollution. The team has staff that have been trained in marine pollution response, and the region has a Regional On-scene Commander (ROSC), as well as an alternate ROSC that provides cover. The team will also be in a position of relying on the availability of external contractors, or the Coastguard to effectively respond to marine pollution due to a lack of on-water capabilities. This would also be the case for conducting training exercises.

Decision-making considerations

22. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that:

22.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to provide advice and recommend actions, responses, and changes to the Council about risk management, assurance activities, governance oversight and internal control matters, including external reporting and audit matters. Specifically, this includes:

22.1.1. The robustness of Council’s risk management systems, policies, practice and assurance processes. (1.1)

22.1.2. Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the Council’s significant risks in place. (2.1)

22.1.3. Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks. (2.2)

22.2. Because this report is for information only, the decision-making provisions do not apply.

Recommendations

That the Risk and Audit Committee receives and considers the Port Harbour Marine Safety Code Review staff report.

Authored by:

Adrian Wright

Harbourmaster

Approved by:

Katrina Brunton

Group Manager Policy & Regulation

Attachment/s

1 ⇨	Hawke's Bay Port & Harbour Marine Safety Code Review Report - 2024		Under Separate Cover
2 ⇩	20 August 2024 HB Code Consistency Letter - PHMSC NZ

Hawke’s Bay Regional Council

Risk and Audit Committee

23 October 2024

Subject: Treasury Compliance Report for the period 1 July - 30 September 2024

Reason for report

1. This item provides compliance monitoring of Hawke’s Bay Regional Council’s (HBRC) Treasury activity and reports the performance of Council’s investment portfolio for the quarter ended 30 September 2024.

Overview of the quarter ending 30 September 2024

2. On 30 September 2024 and during the preceding quarter, HBRC was compliant with all measures in its Treasury Policy except for six days during the quarter where the counterparty risk policy was breached as managed funds were transferred between managers.

3. During the quarter HBRC transitioned its Managed Portfolio investments from Mercer and Jarden to Harbour Asset Management and the HBRIC portfolio transition is in progress.

4. The effects of Cyclone Gabrielle and its recovery continue to impact both cash balances and borrowing requirements. Additional ongoing borrowing to fund recovery will continue over the next 3-4 years, while proceeds from insurance claims are slower than initially forecast.

5. During the quarter HBRC took advantage of favourable movements in the interest rate swap curve and executed two interest rate swaps with a total notional value of $25m.

Background

6. Council’s Treasury Policy requires a quarterly Treasury Report to be presented to the Risk and Audit Committee. The policy states that the Treasury Report is to include:

6.1. Treasury exceptions report

6.2. Policy compliance

6.3. Borrowing limit report

6.4. Funding and liquidity report

6.5. Debt maturity profile

6.6. Interest rate report

6.7. Investment management report

6.8. Treasury investments

6.9. Cost of funds report, cash flow and debt forecast report

6.10. Debt and interest rate strategy and commentary

6.11. Counterparty credit report

6.12. Loan advances.

7. The Investment Management report has specific requirements outlined in the Treasury Policy. This requires quarterly reporting on all treasury investments plus annual reporting on all equities and property investments.

8. In addition to the Treasury Policy, Council has a Statement of Investment Policy and Objectives (SIPO) document setting out the parameters required for all HBRC Group funds under management.

9. Since 2018, HBRC has procured treasury advice and services from PricewaterhouseCoopers (PwC) who provide quarterly treasury reporting for internal monitoring purposes.

Treasury exceptions report and policy compliance

10. During the quarter HBRC was non-compliant with the counterparty risk policy with BNZ for three days in July as it transitioned both managed portfolio investments to new providers through their BNZ account. It occurred again in late September as the annual rates intake was received. Both non-compliance incidents occurred over a weekend and were rectified within one business day.

11. Council staff continue to maintain the view that management of Recovery Funding held on behalf of others sits outside HBRC’s Treasury Policy for normal operations and is excluded from treasury reporting.

12. The Treasury Policy states the CFO formally delegates to accountants the responsibility for executing treasury transactions in accordance with approved limits, managing the operation of all bank accounts, reviewing electronic batch payments to creditors, and arranging for approval by authorised signatories. Practical application of the Treasury Policy limits for authorisation of bank transactions has not been previously documented so we have outlined how this is applied internally in the attached report which provides a breakdown of the policy and the internal application of limits.

Funding and liquidity

13. To ensure HBRC can adequately fund its operations, current policy requires us to maintain a liquid balance of ‘greater than 10% of existing total external debt’. Current liquidity ratio is 45.16% and therefore meets policy.

14. The following table reports the cash and cash equivalents on 30 September 2024.

30 Sept 2024	$000
Cash on Call	36,750
Short-term bank deposits	8,000
Total Cash & Deposits	44,750

15. To manage liquidity risk, HBRC retains a Standby Facility with BNZ. This facility provides HBRC with a same-day draw down option, to any amount between $0.3m-$10m, and with a 7-day minimum draw period.

16. $40m was received during the quarter from the annual rates intake. These funds have been deposited between 3 banks to maintain the Council’s counterparty policy and $8m placed on term deposit to pre-fund a LGFA loan maturing in April 2025.

17. The OCR reduced on 14 August to 5.25%, with corresponding reduction in returns to on-call funds with Jarden dropping to 5.25% and BNZ reducing to 5.2%. The Term deposit of $8m with Rabo for six months returns 5.9%. Because the current cash on hand is required for cashflow purposes it is not practical for this to be placed on long term deposit.

Debt management

18. On 30 September 2024 the current external debt for the Council group was $113m of which $8m is due to mature in April 2025. This has been pre-funded from the 2024 rates intake. (external debt is $129m including loan from HBRIC).

19. Since Q4 of FY24 there has been no additional new borrowing.

20. The following summarises the year-to-date movements in Council’s debt position.

Summary of HBRC Debt

	HBRC only $000	HBRC Group $000
Opening debt – 1 July 2024 – excluding HBRIC loan	113,500	113,500
New loans raised	-	-
Less amounts repaid	(225)	(225)
Closing Debt 30 September 2024 (excluding HBRIC loan)	113,275	113,275
Plus loan from HBRIC	16,663	-
Total Borrowing as at 30 June 2024	129,938	113,275

21. Council’s debt maturity profile remains compliant. The infographic below includes our $10m BNZ overdraft facility in total debt and planned $8m repayment utilising term deposit. The internal (HBRIC) debt is excluded.

A screenshot of a graph

Description automatically generated

Funding summary

22. HBRC had no new borrowing in Q1 but anticipates further borrowing before Christmas to fund costs relating to the major flood mitigation projects.

23. HBRC staff continue to work on firming up the challenging cashflow forecast for the capital projects and this will inform the timing of any future borrowings.

24. The LTP debt forecast anticipates debt levels rising to $176m by the end of FY27.

Borrowing limits

25. Council continues to monitor and work within the agreed borrowing limits set by both Council and the LGFA.

26. The ratios below exclude all HB Recovery cash & cash equivalents held and any return on these funds but does include LTIF managed funds as a liquid asset for assessing net debt.

Ratio	HBRC	LGFA	Actual to 30 September 2024
Net external debt as a percentage of revenue	<250%	<285%	23.97%
Net interest on external debt as a percentage of total revenue	<30%	<20%	1.09%
Net interest on external debt as a percentage of annual rates income	<20%	<25%	6.90%
Liquidity buffer amount comprising liquid assets and available committed debt facility amounts relative to existing total external debt	>110%	>110%	145.16%

Interest rate risk

27. Council currently holds $54m in fixed rate instruments, hedging 44% of current external debt, and remains compliant to policy. This is based on the FY2025-2027 LTP plan.

A table with numbers and percentages

Description automatically generated A graph showing the number of risk timelines

Description automatically generated with medium confidence

28. These hedging instruments are currently held with two banks, Westpac and BNZ. Since 30 June, interest rates have shown movement and Council has increased their hedging instruments with these banks. Council has also created a facility with ANZ for possible future swaps.

Managed funds

29. Total Group Investment Fund portfolios capital on 30 September 2024 is $172m. No divestments have been made from managed funds this year.

30. HBRC has fully transferred their Managed Investment Portfolio’s from both Mercer and Jarden to Harbour Asset Management Ltd. On 30 September HBRIC’s portfolio is still in transition.

31. As all portfolios were in a sell-down/purchase phase, the performance of the portfolios has not been benchmarked. Once all are fully transferred to their new portfolio’s we will commence reporting on performance.

32. It will also need to be confirmed if the Capital Protected Amount HBRIC as manager of the funds will be reset to the value transferred. With the improvement in market values this quarter the total funds are now back above the historical capital protected amount.

33. The following table summarises the fund balances at the end of each period and the graph illustrates the asset allocations within each fund on 30 September 2024.

	30 June 2023	30 June 2024	30 Sept 2024
Fund Balances HBRC	$000	$000	$000
Fund Balance HBRC	110,828	118,722	121,112
Capital Protected Amount HBRC (2% compounded since inception)	115,895	118,890	119,484
Current HBRC value above/(below) capital protected amount	(5,067)	(168)	1,628
Funds Balances (HBRC + HBRIC)
Long-Term Investment Fund (HBRC)	48,400	51,847	52,898
Future Investment Fund (HBRC)	62,428	66,875	68,214
Total HBRC	110,828	118,722	121,112
Plus HBRIC Managed Funds (FIF)	45,638	48,854	50,658
Total Group Managed Funds	156,466	167,576	171,770
Capital Protected Amount (2% compound inflation)	164,798	169,344	170,191
Current group value above/(below) protected amount	(8,332)	(1,768)	1,579

Cost of funds

34. Rolling 12 months to 30 September 2024, Gross Cost of Funds (COF) was 4.19% and Net COF was 4.09%.

HBRIC Ltd

35. In accordance with Council policy, HBRIC provides separate quarterly updates to the Corporate and Strategic Committee.

Decision-making process

36. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

36.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to:

36.1.1. Review the Council’s revenue and expenditure policies, amongst others, and the effectiveness of those policies in ensuring limited risk is generated. (1.3)

36.2. Because this report is for information only, the decision-making provisions do not apply.

Recommendation

That the Risk and Audit Committee receives and notes the Treasury Compliance Report for the period 1 July - 30 September 2024.

Authored by:

Tracey O'Shaughnessy

Treasury & Investments Accountant

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

There are no attachments for this report.