Audit and Risk Subcommittee Wednesday 15 April 2020 at 10.00am
Audit and Risk Subcommittee Agenda
Meeting to be held in the Zoom meeting
on Wednesday 15 April 2020, commencing at 10.00am
Recommendations contained in the agenda are NOT decisions of the meeting. Please refer to minutes for resolutions.
Membership of the Audit and Risk Subcommittee
Chairperson: FNDC Councillor Colin Kitchen
Councillor John Bain
Councillor Amy Macdonald
Councillor Joce Yeoman
Ex-Officio: Penny Smart
Independent Financial Advisor: Geoff Copstick
Items
1.0 Apologies
2.0 Declarations of conflicts of interest
3.1 Insurance Overview
3.2 Risk Management Policy, Framework and reporting concepts
3.3 Health & Safety Update (presented by Beryl Steele)
3.4 Cyber Security Update
3.5 Northland Regional Council - High Level Audit Plan for the year ended 30 June 2020 (report produced by Peter Gulliver from Deloitte)
Attachment 1: Northland Regional Council High Level Audit Plan for the year ended 30 June 2020
3.6 Independent GST Review
3.7 General Business - Internal Audit
Audit and Risk Subcommittee item: 3.1
15 April 2020
TITLE: Insurance Overview
ID: A1297094
From: Simon Crabb, Finance Manager
Executive summary/Whakarāpopototanga
A summary of Council's 21 insurance policies is presented in Attachment 1.
The total cost of these policies in the 2019-20 financial year is $396,239 (GST exclusive), which represents an increase of 15% from 2018-19.
Early indications suggest there will be another increase of 10% - 15% in 2020-21.
A representative from AON NZ (council’s insurance brokers) will be present at the March subcommittee meeting to provide an overview of the current insurance market, and discuss council’s current insurance coverage, excess and premiums.
That the report ‘Insurance Overview’ by Simon Crabb, Finance Manager and dated 18 March 2020, be received.
Attachments/Ngā tapirihanga
Attachment 1: 2019-20 Insurance summary
Authorised by Group Manager
Name: Dave Tams
Title: Group Manager, Corporate Excellence
Date: 19 March 2020
Audit and Risk Subcommittee item: 3.2
15 April 2020
TITLE: Risk Management Policy, Framework and reporting concepts
ID: A1283662
From: Kym Ace, Corporate Systems Champion
Executive summary/Whakarāpopototanga
The purpose of this report is to present the revised Northland Regional Council Risk Management policy, framework and reporting programme for acceptance.
1. That the report ‘Risk Management Policy, Framework and reporting concepts’ by Kym Ace, Corporate Systems Champion and dated 4 February 2020, be received.
2. That the revised policy, framework, reporting and implementation plan, as attached (Appendices one to four), are accepted.
Background/Tuhinga
In 2018, the International Organisation for Standardisation (ISO) published ISO31000:2018 Risk Management – Guidelines, providing principles, a framework and a process for managing risk for any organisation regardless of size, activity or sector.
Based on ISO31000:2018 and a review request from the ELT to ensure our documents are fit for purpose, we have reviewed the Risk Management Framework, separating the policy, rewriting the framework and reviewing the risk register. The formal review of the risk register will be a continuous process, aligned to the new risk management policy, framework, reporting and related documents.
The changes in the ISO standard include:
· Change of risk definition from “chance or probability of loss” to “effect of uncertainty on objectives”
· Inclusion of recording and reporting
· Enhancement of the leadership by top management and the integration of risk management, starting with the governance of the organisation, specifically:
- Makes Councillors accountable for overseeing risk management
- Makes the Executive Leadership Team accountable for managing risk
While the updated risk definition and the other points noted above had already been incorporated, governance and leadership accountability have been made more explicit in the policy and framework.
Strong leadership from governance and the ELT is required to ensure that the policy and framework are embedded within council. Alongside strong leadership, clear processes, consistent reporting and good management will grow a robust risk management culture.
Considerations
1. Options
No. | Option | Advantages | Disadvantages
1 | Accept the revised policy and framework | Council will have an up-to-date policy and framework that reflect best practice | The framework and policy will not reflect best practice
2 | Do not accept the revised policy and framework | Nil | The current risk management framework, which does not reflect best practice, will remain in place
Staff's recommended option is option 1.
2. Significance and engagement
In relation to section 79 of the LGA 2002, these matters are part of the day-to-day operation of council and hence deemed to be of low significance under council policy.
3. Policy, risk management and legislative compliance
Being a purely administrative matter, Community Views, Māori Impact Statement, Financial Implications and Implementation Issues are not applicable.
Attachments/Ngā tapirihanga
Attachment 1: Risk Management Policy
Attachment 2: Risk Management Framework Feb 2020
Attachment 3: Risk Management Reporting Ideas
Attachment 4: Risk Management Implementation Plan
Authorised by Group Manager
Name: Dave Tams
Title: Group Manager, Corporate Excellence
Date:
Attachment 1: Risk Management Policy
Purpose and Scope
The purpose of this policy is to state the objectives and behaviours needed to achieve effective risk management across all of council.
This policy does not set out how risk management is implemented. Approaches for implementing risk management are detailed in the Risk Management Framework.
Introduction
Risk is the impact of an uncertain event or condition that, if it occurs, has a positive or negative effect on the things that we value and want to achieve. We seek to better understand risk because it informs the decisions that we make in order to achieve our vision, mission and community outcomes.
Risk management is the knowledge, behaviours and practices that we use to control the risks that can impact on the things we value. Risk management aims to reduce threats and maximise opportunities.
Policy Statement
Northland Regional Council is committed to council-wide risk management principles, framework and processes that ensure consistent, efficient and effective assessment of risk in all planning, decision-making and operational processes.
Objectives
The objectives of risk management are to:
· Support the achievement of council’s vision, mission and community outcomes.
· Embed risk management as an integral part of all council activities.
· Provide a safe and secure environment for employees, contractors and visitors to our workplaces.
· Limit loss or damage to property and other assets.
· Limit interruption to business continuity.
· Be agile and responsive to emerging and changing risks.
· Ensure a structured, comprehensive and effective approach.
· Continually improve risk management through learning, experience, reporting and review.
· Meet or exceed international best practice standards (ISO 31000).
Roles and Behaviours
Roles | Behaviours
All Council Staff | Actively involved in owning risk. Consult with and keep managers informed about risk as appropriate.
Managers | Accountable for how risks are managed within their team/department/activities in accordance with relevant policies, frameworks and plans. Identify new and emerging risks. Consult with and keep the Group Manager informed about risk as appropriate.
Corporate Systems Champion | Accountable for developing and maintaining risk management processes across the organisation, including: custody of the risk management policy and framework; provision of support and guidance to achieve council’s risk management policy and framework; collaborating and consulting with the HR Manager regarding health & safety risks; reporting council’s risk profile (excluding health & safety) to the ELT and the Audit and Risk Sub-Committee.
Human Resources Manager | Accountable for developing and maintaining health & safety risk management processes across the organisation, including: provision of support and guidance to achieve council’s health and safety risk management policy and framework; collaborating and consulting with the Corporate Systems Champion regarding risks; reporting council’s health and safety risk profile to the ELT and the Audit and Risk Sub-Committee.
Executive Leadership Team (ELT) | Actively support the use of risk management as a key management tool and ensure risk management is an integral part of decision making. Assess and monitor the organisation-wide risk profile. Regularly review risk controls and treatments. Set priorities and allocate resources for risk management.
Audit and Risk Sub Committee | Support the use of risk management for strategic decision making. Set risk management tone and objectives. Confirm that risk is managed within prescribed tolerance. Review the risk management policy and framework. Review and monitor risk management reports, communicate key risks to council and identify new and emerging risks.
Key relevant documents
Key relevant documents include the following (in hierarchical order):
· Risk Management Framework – (hyperlink)
· Audit and Risk Subcommittee – Terms of Reference: ADOPTED TOR Audit & Risk Subcommittee 2019 (A1262366)
· ISO 31000:2018 – (hyperlink)
· Legislative Compliance Policy, Framework and Programme (hyperlink)
Document approval
The approval for distribution and use of this policy has been delegated as per the document information:
Document information:
Document ID: Objective ID A1250391
Document version: 1.0
Document name: Risk Management Policy
Approved by: ELT – via GM Corporate Excellence
Date approved: 29 February 2020
Policy Owner: GM Corporate Excellence
Policy Author: Corporate Systems Champion
Group: Corporate Excellence
Date policy published: 29 February 2020
Date policy created: January 2020
Review date: January 2022
Document history:
Version | Issue date | Notes
1.0 | 02/2020 | First edition separating policy from the Risk management framework.
Attachment 3: Risk management framework reporting ideas
Our proposed risk reporting, which will form the basis of the structure of the registers and inform the details to be included in the forms, is presented below for acceptance:
Corporate and group (Currently governance & operational) risks reporting to ELT and the Audit and Risk Sub Committee
It is proposed that the corporate & group risks and mitigation actions are monitored by staff and reported quarterly to the Audit and Risk Subcommittee.
1. Heat Map reporting of overall risks based on pre-control (inherent) and post-control (residual) risks aligned to the level of risk: Low, Moderate, High, and Extreme.
This will look something like the example heat map (figure not reproduced in this text).
2. The corporate risks, their consequences, risk types, pre-control (Inherent) and post-control (implemented controls) ratings will be summarised in a table. See Table 1 for an example of the summarised report.
Table 1 Corporate risk summary
Risk title | Risk summary and consequence pre-control (inherent risk) | Risk type | Pre-controls (inherent) risk rating | Controls identified | Post-controls (residual) risk rating | Control status elevator¹
CORP01 HEALTH AND SAFETY | Council does not provide a safe and healthy work environment for staff, contractors or visitors, which may result in loss of life or permanent disability. Appetite: Council accepts a post-controls moderate risk, recognising that safety is paramount | Health and Safety; Financial; Legislative; Reputation | EXTREME (Likelihood: Likely; Consequence: Severe) | Yes | HIGH (Likelihood: Possible; Consequence: Severe) | WIP
CORP02 RELATIONSHIPS | Council does not effectively manage relationships with iwi, partners and stakeholders, which may result in national negative multi-media coverage for more than one week requiring significant additional work to repair stakeholder confidence. Appetite: Council accepts a post-controls high risk, recognising that Council can control only its own role in relationships | Reputation; Financial | HIGH (Likelihood: Likely; Consequence: Major) | No | HIGH (Likelihood: Possible; Consequence: Major) | Nothing
etc. | | | | | |
¹ Control status elevator will be one of: Completed, WIP (i.e. underway), Nothing (not commenced).
3. The risk owners will provide deep dives into each corporate and/or group risk in accordance with the following schedule (Table 2), initially focussing on the corporate risks with the highest pre-controls risk rating, e.g. health and safety, climate change and business continuity. The number of risks that require deep dives will depend on the risk appetite set in the framework, i.e. all risks that exceed council’s post-control moderate risk appetite for implemented controls.
Table 2 – Example corporate risk deep dive schedule
# | Corporate Risk | MM 2020 | MM 2020 | MM 2020
1 | Health and safety | √ | |
2 | Relationships | | √ |
3 | Fraud | | | √
4 | Legislative compliance | | √ |
5 | Business continuity | √ | |
6 | Climate change | √ | |
7 | | | |
8 | | | |
9 | | | |
10 | | | |
4. The proposed format for a deep dive is presented in Table 3.
Table 3 – Corporate risk deep dive example – CORP01 Health and safety
CORP01 – HEALTH AND SAFETY
| Pre-controls (inherent) risk likelihood | Pre-controls risk consequence | Pre-controls risk ranking | Post-controls risk ranking (based on mitigations/controls currently complete) | Risk ranking appetite
There is a risk that council does not provide a safe and healthy work environment for staff, contractors or visitor events that may result in loss of life or permanent disability | Likely | Severe | Extreme | High¹ | Moderate
Appetite: Council accepts a post-control moderate risk, recognising that safety is paramount but recognises that implementing additional controls would be cost-prohibitive.
Risk Type: Primary: Health and safety. Secondary: Financial, legislative, reputation.
Background: The Health and Safety at Work Act 2015 makes everyone's health and safety responsibilities clear:
· Businesses have the primary responsibility for the health and safety of their workers and any other workers they influence or direct. They are also responsible for the health and safety of people at risk from the work of their business.
· Officers must do due diligence to make sure the business understands and is meeting its health and safety responsibilities.
· Workers must take reasonable care for their own health and safety and that their actions don't adversely affect the health and safety of others. They must also follow any reasonable health and safety instruction given to them by the business and cooperate with any reasonable business policy or procedure relating to health and safety in the workplace.
· Other people who come into the workplace, such as visitors or customers, also have some health and safety duties to ensure that their actions don’t adversely affect the health and safety of others.
Key Controls or Mitigation Activities | Responsible Group and Department | Timeframe | Status
Health and safety strategy to identify, prioritise and schedule actions/initiatives/projects to align Council’s practices with good practice | GM CX, H&S Team | Oct 2019 | Completed
Health and safety committee terms of reference | GM CX, H&S Committee | Feb 2020 | Needs updating - In Progress
Health and safety policies, processes, practices | H&S Team, ELT, H&S Reps, All Groups | | In Progress
Health and safety incident management system for council employees to log, investigate and follow up incidents | H&S Team, All Groups | Ongoing | In Progress
Health and safety hazard/risk register | H&S Team, All Groups | Ongoing | In Progress
Health and safety training: induction; hazard specific; task safety plans; contractor management; H&S Representatives; H&S Leadership; incident management | GM CX, H&S Team | Ongoing | In Progress
Monitoring and reporting health and safety incidents and trends to health and safety committee, ELT and Audit and Risk Sub-Committee | GM CX, H&S Team | Ongoing | In Progress
¹ Likelihood: Possible, Consequence: Severe
Attachment 4: Risk management implementation plan
Strong leadership will be required from the ELT to ensure the policy and framework are embedded.
Phase One:
1. Review the framework. Separate the policy from the framework. Decide on reporting and monitoring structure and this will drive the recording. Completed 29 January 2020.
2. Review the current risk register. Initial review completed in Dec 2019.
3. Investigate electronic risk register – Promapp
4. Develop processes
Phase two:
1. Undertake risk management training – to identify risk champions
2. Undertake current risk identification and evaluation:
· Externally/internally facilitated workshop to be held with OMT, ELT, Risk Champions and Council to identify and capture corporate and group risks, including identification and assessment of risk mitigation
· Workshopping – risk management champions to meet with groups to introduce the policy and framework and then identify and capture risks associated with each group’s activities, including identification and assessment of risk mitigation
· Risk management champions to present findings to the relevant GM for review to ensure the risks are comprehensive and those with the highest risk level are accurate
· Across-group workshops to communicate and identify risks further
Phase three:
Ongoing actions required to embed the risk management culture:
1. Staff made aware of the policy and framework – express page. Inclusion in manager induction, trainings and templates
2. Support from ELT – inclusion of risk management in communications that go to all staff. Recognising and celebrating staff that are risk champions.
3. Integrate risk management into everyday business and decision making:
· Update agenda templates to include risk management
· Project management templates
· Contract management
· Procurement processes
· Add risk discussion as a standard item on meeting agendas (including Quality Agendas) to make it easy for staff to raise concerns regarding risk
· Allocate sufficient time for those directly involved in managing risk
· Risk to be a standing agenda item at ELT and group meetings
Audit and Risk Subcommittee item: 3.4
15 April 2020
TITLE: Cyber Security Update
ID: A1294318
From: Carol Cottam, Information Services and Technology Manager
Executive summary/Whakarāpopototanga
This report provides an update on progress with the implementation of the Cyber roadmap actions to improve council's security posture.
Council engaged Deloitte New Zealand to undertake a Cyber Maturity Governance review in June 2019. The report identified areas for improvement to strengthen council’s cyber security posture and included a proposed action plan.
The proposed roadmap focused efforts on two areas: defining a security strategy, and training and awareness.
A revised action plan was prepared that was cognisant of resourcing and budget constraints (attached). Several training activities have been completed, along with the implementation of new and additional cyber monitoring software to strengthen council’s security posture.
The next planned activity is the development of an Information Security Plan. This activity will be undertaken collaboratively with the District Councils who have identified the same need.
That the report ‘Cyber Security Update’ by Carol Cottam, Information Services and Technology Manager and dated 9 March 2020, be received.
Background/Tuhinga
Attachments/Ngā tapirihanga
Attachment 1: Cyber Security Project Planner
Authorised by Group Manager
Name: Dave Tams
Title: Group Manager, Corporate Excellence
Date:
Audit and Risk Subcommittee item: 3.6
15 April 2020
TITLE: Independent GST Review
ID: A1297039
From: Simon Crabb, Finance Manager
Executive summary/Whakarāpopototanga
An independent GST review is an effective way to pick up any errors that may have crept into the accounting processes, highlight any areas of concern and opportunity, and provide senior management and governance with guidance on how to correct any GST deficiencies going forward.
Findex, a large Australasian financial advisory and accounting services firm, undertook a review of council's GST processes in February 2020. The Findex report is attached as Attachment 1.
The key opportunity identified in the GST review is to claim GST on all invoices/receipts received that are less than $50, regardless of whether a GST number is provided. Most of these instances revolve around parking receipts and small cash purchases made by staff while travelling. This opportunity has been forwarded to our external auditors (Deloitte) to review and confirm as acceptable before it is embedded into our accounting processes.
That the report ‘Independent GST Review’ by Simon Crabb, Finance Manager and dated 18 March 2020, be received.
Attachments/Ngā tapirihanga
Attachment 1: GST Review - Northland Regional Council
Authorised by Group Manager
Name: Dave Tams
Title: Group Manager, Corporate Excellence
Date: