Audit and Risk Subcommittee

Wednesday 2 December 2020 at 1.00pm

 

 

AGENDA

 



 

Meeting to be held in the Council Chamber

36 Water Street, Whangārei

on Wednesday 2 December 2020, commencing at 1.00pm

 

Recommendations contained in the agenda are NOT decisions of the meeting. Please refer to minutes for resolutions.

 

MEMBERSHIP OF THE AUDIT AND RISK SUBCOMMITTEE

Chairperson, Councillor Colin Kitchen

Councillor Amy Macdonald

Councillor Joce Yeoman

Ex-Officio Penny Smart

Councillor Rick Stolwerk

Independent Audit & Risk Advisor Danny Tuato'o

Independent Financial Advisor Geoff Copstick

 

 

Item

1.0       Housekeeping

2.0       Apologies

3.0       Declarations of Conflicts of Interest

4.0       Health & Safety Update

5.0       Confirmation of Minutes

5.1       Confirmation of Minutes - 6 October 2020

6.0       Reports

6.1       Enterprise System Project Update

6.2       Insurance Update

6.3       Risk Management Activity Update

6.4       Internal Audit Programme


Audit and Risk Subcommittee  ITEM: 4.0

2 December 2020

TITLE: Health & Safety Update

ID: A1390129

From: Beryl Steele, Human Resources Manager

Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on date

 

Executive summary/Whakarāpopototanga

The presentations that will be presented at the meeting are listed below.

 

Recommendation

That the presentations:

4.1       Health & Safety Update

be received.

 

Attachments/Ngā tapirihanga

Nil  


Audit and Risk Subcommittee  ITEM: 5.1

2 December 2020

TITLE: Confirmation of Minutes - 6 October 2020

ID: A1391036

From: Judith Graham, Corporate Excellence P/A

Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on

 

Recommendation

That the minutes of the Audit & Risk Subcommittee meeting held on 6 October 2020 be confirmed as a true and correct record.

 

Attachments/Ngā tapirihanga

Attachment 1: Audit & Risk Subcommittee Minutes 6 October 2020   




Audit and Risk Subcommittee  ITEM: 6.1

2 December 2020

TITLE: Enterprise System Project Update

ID: A1386886

From: Carol Cottam, Information Services and Technology Manager

Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on date

 

Executive summary/Whakarāpopototanga

The purpose of the report is to provide an update on progress with the Enterprise System project.

 

Recommendation

That the report ‘Enterprise System Project Update’ by Carol Cottam, Information Services and Technology Manager and dated 18 November 2020, be received.

 

Background/Tuhinga

At the conclusion of the Request for Information phase, the Detailed Business Case for the Enterprise System project was presented to and endorsed by ELT on 2 July 2020, approving the project to proceed to the detailed procurement phase. 

 

The detailed procurement phase of the project includes establishing a project team, issuing a Request for Proposal, undertaking due diligence and holding supplier demonstrations in order to recommend a preferred supplier.

The Key Milestones for this phase of the project are:

 

| Milestone description | Baseline date | Actual date |
|---|---|---|
| Issue Request for Proposal | 18/09/2020 | 18/9/2020 |
| Proposals Received | 23/10/2020 | 23/10/2020 |
| Complete Evaluation | 09/11/2020 | 10/11/2020 |
| Demonstrations Commence | 16/11/2020 | 17/11/2020 |
| Demonstrations Conclude | 04/12/2020 | |
| Moderation | 07/12/2020 | |
| Due diligence reference checks | 10-12/12/2020 | |
| Update to Audit and Risk | 02/12/2020 | |
| Recommendation of preferred supplier to ELT | 17/12/2020 | |
| Implementation Business Case | 21/01/2021 | |
| Workshop recommendation with Council | 02/02/2021 | |
| Recommendation to Council | 23/02/2021 | |

At the time of writing this report, we are mid-way through the supplier demonstrations and the process is progressing well.

There has been a high level of engagement from the evaluation team and supporting staff.

 

 

Attachments/Ngā tapirihanga

Attachment 1: Risk Register - Enterprise System   




Audit and Risk Subcommittee  ITEM: 6.2

2 December 2020

TITLE: Insurance Update

ID: A1389846

From: Bruce Howse, Group Manager - Corporate Excellence

Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on

 

Executive summary/Whakarāpopototanga

This report provides a copy of the AON insurable risk profiling report that was produced following a workshop with council staff and AON.  The AON report profiles council’s risk across a number of areas and provides a summary of opportunities and actions that can be undertaken to further limit or mitigate NRC’s risk exposure and optimise insurance outcomes.

 

An update is provided on the increased costs of insurance for 2020/21.  There has been a 20% average increase in insurance premiums for this year which equates to a 14% increase in costs to council from $369k in 2019/20 to $420k in 2020/21.  

 

Recommendation

That the report ‘Insurance Update’ by Bruce Howse, Group Manager - Corporate Excellence and dated 25 November 2020, be received.

 

Background/Tuhinga

Insurable Risk Profiling Report

The attached AON report profiles council’s risk across a number of areas and provides opportunities for actions that can be undertaken to further limit or mitigate NRC’s risk exposure and optimise insurance outcomes.

 

The AON report was produced following a workshop with council staff and AON.  The main intention of the workshop was to identify opportunities to further limit or mitigate NRC’s risk exposure and optimise insurance outcomes.  A further workshop was then held with AON to prioritise the opportunities and determine actions to give effect to the opportunities. 

 

Staff will undertake work to give effect to the actions identified in the report. 

 

Increased Insurance Costs

There has been a 20% average increase in insurance premiums for this year which equates to a 14% increase in costs to council from $369k in 2019/20 to $420k in 2020/21.  The breakdown of premium increases is provided in Table 1.  

A 15% increase in premium cost was budgeted for this year, giving a total budget of $412,942.  A further 15% has been budgeted for in each following year of the draft LTP, including a $28k provision for the risk pool ongoing liability in Year 1 of the draft LTP.

 

Revised quotes have been received from AON to assess the value in increasing excesses for a number of the insurable items to reduce cost.  However, upon review the potential savings in insurance costs do not justify the revised risk and as such management has not directed AON to make changes to excesses.  Attachment 2 provides a breakdown of excesses and cover for 2019/20 and 2020/21 and highlights areas where changes have occurred.

 

Table 1. Breakdown of premium increases.

Northland Regional Council Premium Summary

| | Total Ex GST 2019/2020 | Total Ex GST 2020/2021 | % Increase |
|---|---|---|---|
| Material Damage Fire | $29,740.19 | $43,334.56 | 46% |
| Material Damage Ex Fire | $47,468.92 | $55,156.33 | 16% |
| Business Interruption | $2,348.76 | $3,521.77 | 50% |
| Infrastructure Cover | $24,693.00 | $28,315.88 | 15% |
| Commercial Motor | $61,308.06 | $53,886.75 | -12% |
| General Liability | $15,376.40 | $17,438.00 | 13% |
| Liability Excess Layer | $9,626.89 | $11,833.39 | 23% |
| Professional Indemnity | $50,778.47 | $65,797.00 | 30% |
| Employers Liability | $1,291.34 | $1,510.00 | 17% |
| Statutory Liability | $6,899.83 | $7,870.00 | 14% |
| Fidelity/Crime | $6,682.79 | $7,316.51 | 9% |
| Personal Accident | $8,143.75 | $8,963.00 | 10% |
| Travel | $1,669.65 | $1,140.00 | -32% |
| Harbour Masters & Wreck Removal | $58,700.00 | $64,575.00 | 10% |
| Computer & Electronic Equipment | $6,730.00 | $8,517.23 | 27% |
| Forestry | $3,913.04 | $4,835.76 | 24% |
| Marine Hull | $23,378.93 | $23,871.92 | 2% |
| Drone Cover | $1,802.97 | $2,763.08 | 53% |
| Cyber | $5,830.00 | $5,840.00 | 0% |
| Flyger road - Nursery | $2,140.17 | $3,755.89 | 75% |
| TOTAL | $368,523.16 | $420,242.07 | 20% Average |

Attachments/Ngā tapirihanga

Attachment 1: Northland Regional Council Insurable Risk Profile 2020

Attachment 2: Insurance   




Audit and Risk Subcommittee  ITEM: 6.3

2 December 2020

TITLE: Risk Management Activity Update

ID: A1387123

From: Kym Ace, Corporate Systems Champion

Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on date

 

Executive summary/Whakarāpopototanga

The Risk Management Activity Update Report summarises Council’s progress in risk management related activities, including updates on Corporate and Group risks, the risk management maturity assessment and the risk management maturity roadmap.

 

Recommendation(s)

1.         That the report ‘Risk Management Activity Update’ by Kym Ace, Corporate Systems Champion and dated 18 November 2020, be received.

2.         That Subcommittee confirms that it is comfortable that the management actions are adequate to respond to the findings of the Risk Management Maturity Assessment.

3.         That Subcommittee notes the risk maturity roadmap update.

 

Background/Tuhinga

 

Risk Register:

The corporate and group risks, their risk types, pre-control (inherent) and post-control (residual) ratings and trending are summarised in Appendix 1.

 

Risk Maturity Matrix:

The All-of-Government (AoG) enterprise risk maturity framework was used as the benchmark to assess our risk maturity. The framework enables agencies to objectively measure the current level of risk maturity and identify improvement opportunities. It is grouped into four key dimensions:

·    Leadership & Direction

·    People & Development

·    Processes and Tools

·    Business Performance

An overview of the framework is provided in the below graphic:

 

 

 

With input from ELT, it was determined that given NRC’s size, scale and mandate a minimum maturity level of “3” would need to be attained using the AoG model.

The review determined that, across all dimensions within the framework, NRC scored below the minimum threshold of ‘3’. The framework dimensions with the largest maturity gaps included:

1.         Leadership and Direction:

·        Establishing a long-term vision for risk management to provide a frame that enables continuous improvement

2.         People and Development:

·        There are limited resources across the business (e.g. risk champions) that can assist with embedding a consistent approach to risk management. These champions would need to be supported by adequate training.

3.         Processes and Tools:

·        An absence of a formal (lines of defence) assurance framework that could guide an internal audit programme and the execution of audits within the programme.

4.         Business Performance:

·        Partnership: An absence of policy for the assessment of risk in partnerships and the regular performance management of these partners.

·        An absence of a comprehensive Business Continuity Plan (other than Covid).


 

The full risk assessment maturity gaps using the AoG model are outlined in the spider diagram below:

 

 

 

The following section outlines the key decisions recommended by ELT regarding this assessment and the roadmap to implementation:

 


| Element | Attribute | Improvement opportunity/ Management actions | By Whom | Due Date |
|---|---|---|---|---|
| Leadership & Direction | Governance, Policy & Accountabilities | Risk training for Councillors | Danny Tuato’o | Commencing Dec 2020 |
| | | Risk training for staff | TBC | TBC |
| | | The senior leadership team to provide specific direction around the management of top risks and start to challenge risk and assurance information: action taken and the potential impact on other areas/groups and partners. | ELT | Quarterly |
| | Culture, Innovation & Risk Appetite | Review risk appetite statement in the framework, get approval of ELT and endorsement from A&R Subcommittee. | Kym Ace | Jun-21 |
| | | Utilise the risk appetite statement to define risk tolerance levels for individual risks | Risk Owners | Dec-21 |
| | Continuous Improvement | Perform a review of the effectiveness of risk management practices on a formal basis, consider if an external audit is warranted. | Bruce Howse | Jul-21 |
| People & development | Roles and Responsibilities | Ensure risk management roles and responsibilities are communicated for all risk areas and across all business activities | TBC | TBC |
| | | Ensure adequate support is provided to corporate risk management roles and responsibilities to drive elements of good practice across council activities | Bruce Howse | On-going |
| | Resources, Skills & Training | Develop structured risk management training for roles with risk management responsibilities | TBC | TBC |
| | | Consider the development of risk champions in various business activities. This could potentially be the risk treatment stakeholders | ELT | Apr-21 |
| Processes & Tools | Risk Assessment & Mitigation | Develop / review all tools, templates and training to enable staff to perform risk assessment processes to ensure consistency across council activities. | Kym Ace | Ongoing |
| | | Implement a process to evaluate the effectiveness of existing treatments in the assessment of risk ratings. (i.e. do the risk treatments correlate to the residual risk ratings) e.g. H, M, L scoring system. | Bruce Howse, Kym Ace | Jun-21 |
| | Assurance | Risk gaps and emerging risks included as a standard ELT and A&R agenda item at least quarterly | Bruce Howse, Kym Ace | Ongoing |
| | Risk Monitoring & Reporting | Develop a practical and fit-for-purpose risk reporting model that meets the needs of ELT, A&R and council. | Bruce Howse, Kym Ace | June 21 and ongoing |
| | | Provide these risk reports to ELT and A&R to assist decision making and management action | Kym Ace | Quarterly - on going |
| Business Performance | Strategic Risk Management | Enhance and/or ensure that the LTP cycle includes a review of the risks as well as external trends and indicators. | Kyla Carlier | Underway |
| | Managing Risk in Partnerships | Enhance Project, Contract and Procurement Management practices to perform assessment of risks and the regular performance monitoring of partners. | Kym Ace | Align with Enterprise system |
| | Business Resilience | Develop a comprehensive BCP ensuring alignment between disruptive and extreme event assessment and BCP planning as well as longer term investment planning | Kym Ace (framework only); OMT (detail) | Apr-21; 1/8/2021 |
| | Change & Transformation | Review existing policies, frameworks and templates and develop as necessary to ensure formal monitoring and assurance regimes are in place for significant change initiatives. This assurance should be independently performed. | Bruce Howse, Carol Cottam | Align with Enterprise system |

 

 

Full details for each individual dimension and the specific assessment gaps can be found in Appendix Two:



 

Lastly, NRC will need to maintain the following success factors throughout our risk management journey:

1.         Buy-in and tone at the top. Risk management practices are more effective when they are supported by senior managers. Managers and leaders need to be actively involved in risk management activities, encourage risk-related conversations and apply risk-based decision making.

2.         Clear direction by Governance. Audit & Risk Subcommittee should provide input into Council’s risk appetite, assist management in risk assessment, and define what risk information they want to receive.

3.         Risk culture. Risk management process improvement requires Council to not only have tools and processes, but also to embrace a culture of risk awareness and transparency.  All staff have a role to play and should be encouraged to actively participate in Council’s risk identification, communication or response.

4.         To support this journey, Council should support its staff with a relevant risk-related training and awareness programme.

 

 

Attachments/Ngā tapirihanga

Attachment 1: Appendix 1- Risk Register Summary

Attachment 2: Appendix 2 - Detailed Risk Maturity Assessment (this attachment will be sent separately)




Audit and Risk Subcommittee  ITEM: 6.4

2 December 2020

TITLE: Internal Audit Programme

ID: A1388420

From: Bruce Howse, Group Manager - Corporate Excellence

Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on

 

Executive summary/Whakarāpopototanga

A schedule of items for an internal audit programme has been identified for the next three years, subject to annual budget ($52k), as presented in Table 1.  The findings from the internal audit programme will be reported to the Audit and Risk subcommittee as the work is completed.

 

Table 1. Proposed 3-year internal audit programme

Year 1 - 2020/21

·    FNDC rates collection, audit to confirm robustness of collection of NRC rate revenue and general title arrears recovery process.

·    Human resources procedures.

·    Fraud control environment.

·    Insurance – AON insurable risk review (completed).

Year 2 – 2021/22

·    WDC rates collection.

·    Property management.

·    Procurement.

·    Risk management.

Year 3 - 2022/23

·    KDC rates collection.

·    Externally managed funds – SIPO, governance, reporting, treasury management.

·    Legislative compliance.

 

Other items that have been identified for internal audit include:

·    Asset management - once Enterprise System is implemented and operational

·    Cyber security audits

·    User fees and charges

·    Business continuity plan – once developed and operational

·    Health and safety

·    Record keeping compliance

 

These items are beyond the scope of the current budget for internal audit but could be exchanged for the items included in Table 1. 

Direction is sought from the Audit and Risk subcommittee on the proposed 3-year internal audit programme.  

 

Recommendation(s)

1.         That the report ‘Internal Audit Programme’ by Bruce Howse, Group Manager - Corporate Excellence and dated 23 November 2020, be received.

2.         That the Audit and Risk subcommittee review the proposed 3-year internal audit programme, make any amendments considered necessary, and endorse the programme.

 

 

Attachments/Ngā tapirihanga

Nil