Audit and Risk Subcommittee Wednesday 2 December 2020 at 1.00pm
Audit and Risk Subcommittee Agenda
Meeting to be held in the Council Chamber
36 Water Street, Whangārei
on Wednesday 2 December 2020, commencing at 1.00pm
Recommendations contained in the agenda are NOT decisions of the meeting. Please refer to minutes for resolutions.
MEMBERSHIP OF THE Audit and Risk Subcommittee
Chairperson, Councillor Colin Kitchen
Councillor Amy Macdonald
Councillor Joce Yeoman
Ex-Officio Penny Smart
Councillor Rick Stolwerk
Independent Audit & Risk Advisor Danny Tuato'o
Independent Financial Advisor Geoff Copstick
Item
1.0 Housekeeping
2.0 Apologies
3.0 Declarations of Conflicts of Interest
4.0 Health & Safety Update
5.1 Confirmation of Minutes - 6 October 2020
6.1 Enterprise System Project Update
6.2 Insurance Update
6.3 Risk Management Activity Update
6.4 Internal Audit Programme
Audit and Risk Subcommittee item: 4.0
2 December 2020
TITLE: Health & Safety Update
ID: A1390129
From: Beryl Steele, Human Resources Manager
Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on date
Executive summary/Whakarāpopototanga
The presentations that will be presented at the meeting are listed below.
That the presentations:
4.1 Health & Safety Update
be received.
Attachments/Ngā tapirihanga
Audit and Risk Subcommittee item: 5.1
2 December 2020
TITLE: Confirmation of Minutes - 6 October 2020
ID: A1391036
From: Judith Graham, Corporate Excellence P/A
Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on
That the minutes of the Audit & Risk Subcommittee meeting held on 6 October 2020 be confirmed as a true and correct record.
Attachments/Ngā tapirihanga
Attachment 1: Audit & Risk Subcommittee Minutes 6 October 2020
Audit and Risk Subcommittee item: 6.1
2 December 2020
TITLE: Enterprise System Project Update
ID: A1386886
From: Carol Cottam, Information Services and Technology Manager
Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on date
Executive summary/Whakarāpopototanga
The purpose of the report is to provide an update on progress with the Enterprise System project.
That the report ‘Enterprise System Project Update’ by Carol Cottam, Information Services and Technology Manager and dated 18 November 2020, be received.
Background/Tuhinga
At the conclusion of the Request for Information phase, the Detailed Business Case for the Enterprise System project was presented to and endorsed by ELT on 2 July 2020, approving the project to proceed to the detailed procurement phase.
The detailed procurement phase of the project includes establishing a project team, issuing a Request for Proposal, undertaking due diligence, and holding supplier demonstrations in order to recommend a preferred supplier.
The Key Milestones for this phase of the project are:
| Milestone description | Baseline date | Actual date |
|---|---|---|
| Issue Request for Proposal | 18/09/2020 | 18/9/2020 |
| Proposals Received | 23/10/2020 | 23/10/2020 |
| Complete Evaluation | 09/11/2020 | 10/11/2020 |
| Demonstrations Commence | 16/11/2020 | 17/11/2020 |
| Demonstrations Conclude | 04/12/2020 | |
| Moderation | 07/12/2020 | |
| Due diligence reference checks | 10-12/12/2020 | |
| Update to Audit and Risk | 02/12/2020 | |
| Recommendation of preferred supplier to ELT | 17/12/2020 | |
| Implementation Business Case | 21/01/2021 | |
| Workshop recommendation with Council | 02/02/2021 | |
| Recommendation to Council | 23/02/2021 | |
At the time of writing this report, we are mid-way through the supplier demonstrations and the process is progressing well.
There has been a high level of engagement from the evaluation team and supporting staff.
Attachments/Ngā tapirihanga
Attachment 1: Risk Register - Enterprise System
2 December 2020
TITLE: Insurance Update
ID: A1389846
From: Bruce Howse, Group Manager - Corporate Excellence
Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on
Executive summary/Whakarāpopototanga
This report provides a copy of the AON insurable risk profiling report that was produced following a workshop with council staff and AON. The AON report profiles council's risk across a number of areas and provides a summary of opportunities and actions that can be undertaken to further limit or mitigate NRC’s risk exposure and optimise insurance outcomes.
An update is provided on the increased costs of insurance for 2020/21. There has been a 20% average increase in insurance premiums for this year which equates to a 14% increase in costs to council from $369k in 2019/20 to $420k in 2020/21.
That the report ‘Insurance Update’ by Bruce Howse, Group Manager - Corporate Excellence and dated 25 November 2020, be received.
Background/Tuhinga
Insurable Risk Profiling Report
The attached AON report profiles council's risk across a number of areas and provides opportunities for actions that can be undertaken to further limit or mitigate NRC’s risk exposure and optimise insurance outcomes.
The AON report was produced following a workshop with council staff and AON. The main intention of the workshop was to identify opportunities to further limit or mitigate NRC’s risk exposure and optimise insurance outcomes. A further workshop was then held with AON to prioritise the opportunities and determine actions to give effect to the opportunities.
Staff will undertake work to give effect to the actions identified in the report.
Increased Insurance Costs
There has been a 20% average increase in insurance premiums for this year which equates to a 14% increase in costs to council from $369k in 2019/20 to $420k in 2020/21. The breakdown of premium increases is provided in Table 1.
A 15% increase in premium cost was budgeted for this year, giving a total budget of $412,942. A further 15% has been budgeted for in each following year of the draft LTP, including a $28k provision for the risk pool ongoing liability in Year 1 of the draft LTP.
Revised quotes have been received from AON to assess the value in increasing excesses for a number of the insurable items to reduce cost. However, upon review the potential savings in insurance costs do not justify the revised risk and as such management has not directed AON to make changes to excesses. Attachment 2 provides a breakdown of excesses and cover for 2019/20 and 2020/21 and highlights areas where changes have occurred.
Table 1. Breakdown of premium increases.
Northland Regional Council Premium Summary

| | Total Ex GST 2019/2020 | Total Ex GST 2020/2021 | % Increase |
|---|---|---|---|
| Material Damage Fire | $29,740.19 | $43,334.56 | 46% |
| Material Damage Ex Fire | $47,468.92 | $55,156.33 | 16% |
| Business Interruption | $2,348.76 | $3,521.77 | 50% |
| Infrastructure Cover | $24,693.00 | $28,315.88 | 15% |
| Commercial Motor | $61,308.06 | $53,886.75 | -12% |
| General Liability | $15,376.40 | $17,438.00 | 13% |
| Liability Excess Layer | $9,626.89 | $11,833.39 | 23% |
| Professional Indemnity | $50,778.47 | $65,797.00 | 30% |
| Employers Liability | $1,291.34 | $1,510.00 | 17% |
| Statutory Liability | $6,899.83 | $7,870.00 | 14% |
| Fidelity/Crime | $6,682.79 | $7,316.51 | 9% |
| Personal Accident | $8,143.75 | $8,963.00 | 10% |
| Travel | $1,669.65 | $1,140.00 | -32% |
| Harbour Masters & Wreck Removal | $58,700.00 | $64,575.00 | 10% |
| Computer & Electronic Equipment | $6,730.00 | $8,517.23 | 27% |
| Forestry | $3,913.04 | $4,835.76 | 24% |
| Marine Hull | $23,378.93 | $23,871.92 | 2% |
| Drone Cover | $1,802.97 | $2,763.08 | 53% |
| Cyber | $5,830.00 | $5,840.00 | 0% |
| Flyger road - Nursery | $2,140.17 | $3,755.89 | 75% |
| TOTAL | $368,523.16 | $420,242.07 | 20% Average |
Attachments/Ngā tapirihanga
Attachment 1: Northland Regional Council Insurable Risk Profile 2020
Attachment 2: Insurance
2 December 2020
TITLE: Risk Management Activity Update
ID: A1387123
From: Kym Ace, Corporate Systems Champion
Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on date
Executive summary/Whakarāpopototanga
The Risk Management Activity Update Report summarises Council’s progress in risk management related activities, including updates on Corporate and Group risks, the risk management maturity assessment and the risk management maturity roadmap.
1. That the report ‘Risk Management Activity Update’ by Kym Ace, Corporate Systems Champion and dated 18 November 2020, be received.
2. That Subcommittee confirms that it is comfortable that the management actions are adequate to respond to the findings of the Risk Management Maturity Assessment.
3. That Subcommittee notes the risk maturity roadmap update.
Background/Tuhinga
Risk Register:
The corporate and group risks, their risk types, pre-control (inherent) and post-control (residual) ratings, and trending are summarised in Appendix 1.
Risk Maturity Matrix:
The All-of-Government (AoG) enterprise risk maturity framework was used as the benchmark to assess our risk maturity. The framework enables agencies to objectively measure the current level of risk maturity and identify improvement opportunities. It is grouped into four key dimensions:
· Leadership & Direction
· People & Development
· Processes and Tools
· Business Performance
An overview of the framework is provided in the below graphic:
With input from ELT, it was determined that given NRC’s size, scale and mandate a minimum maturity level of “3” would need to be attained using the AoG model.
The review determined that, across all dimensions within the framework, NRC scored below the minimum threshold of ‘3’. The framework dimensions with the largest maturity gaps included:
1. Leadership and Direction:
· Establishing a long-term vision for risk management to provide a frame that enables continuous improvement
2. People and Development:
· There are limited resources across the business (e.g. risk champions) that can assist with embedding a consistent approach to risk management. These champions would need to be supported by adequate training.
3. Processes and Tools:
· An absence of a formal (lines of defence) assurance framework that could guide an internal audit programme and the execution of audits within the programme.
4. Business Performance:
· Partnership: an absence of policy for the assessment of risk in partnerships and the regular performance management of these partners.
· An absence of a comprehensive Business Continuity Plan (other than Covid).
The full risk assessment maturity gaps using the AoG model are outlined in the spider diagram below:
The following section outlines the key decisions recommended by ELT regarding this assessment and the roadmap to implementation:
| Attribute | Improvement opportunity / Management actions | By Whom | Due Date |
|---|---|---|---|
| Leadership & Direction | | | |
| Governance, Policy & Accountabilities | Risk training for: | | |
| | · Councillors and | Danny Tuato’o | Commencing Dec 2020 |
| | · staff. | TBC | TBC |
| | The senior leadership team to provide specific direction around the management of top risks and start to challenge risk and assurance information: action taken and the potential impact on other areas/groups and partners. | ELT | Quarterly |
| Culture, Innovation & Risk Appetite | Review risk appetite statement in the framework, get approval of ELT and endorsement from A&R Subcommittee. | Kym Ace | Jun-21 |
| | Utilise the risk appetite statement to define risk tolerance levels for individual risks | Risk Owners | Dec-21 |
| Continuous Improvement | Perform a review of the effectiveness of risk management practices on a formal basis, consider if an external audit is warranted. | Bruce Howse | Jul-21 |
| People & development | | | |
| Roles and Responsibilities | Ensure risk management roles and responsibilities are communicated for all risk areas and across all business activities | TBC | TBC |
| | Ensure adequate support is provided to corporate risk management roles and responsibilities to drive elements of good practice across council activities | Bruce Howse | On-going |
| Resources, Skills & Training | Develop structured risk management training for roles with risk management responsibilities | TBC | TBC |
| | Consider the development of risk champions in various business activities. This could potentially be the risk treatment stakeholders | ELT | Apr-21 |
| Processes & Tools | | | |
| Risk Assessment & Mitigation | Develop / review all tools, templates and training to enable staff to perform risk assessment processes to ensure consistency across council activities. | Kym Ace | Ongoing |
| | Implement a process to evaluate the effectiveness of existing treatments in the assessment of risk ratings. (i.e. do the risk treatments correlate to the residual risk ratings) e.g. H, M, L scoring system. | Bruce Howse, Kym Ace | Jun-21 |
| Assurance | Risk gaps and emerging risks included as a standard ELT and A&R agenda item at least quarterly | Bruce Howse, Kym Ace | Ongoing |
| Risk Monitoring & Reporting | Develop a practical and fit-for-purpose risk reporting model that meets the needs of ELT, A&R and council. | Bruce Howse, Kym Ace | June 21 and ongoing |
| | Provide these risk reports to ELT and A&R to assist decision making and management action | Kym Ace | Quarterly - on going |
| Business Performance | | | |
| Strategic Risk Management | Enhance and/or ensure that the LTP cycle includes a review of the risks as well as external trends and indicators. | Kyla Carlier | Underway |
| Managing Risk in Partnerships | Enhance Project, Contract and Procurement Management practices to perform assessment of risks and the regular performance monitoring of partners. | Kym Ace | Align with Enterprise system |
| Business Resilience | Develop a comprehensive BCP ensuring alignment between disruptive and extreme event assessment and BCP planning as well as longer term investment planning | Kym Ace, framework only. | Apr-21 |
| Change & Transformation | Review existing policies, frameworks and templates and develop as necessary to ensure formal monitoring and assurance regimes are in place for significant change initiatives. This assurance should be independently performed. | Bruce Howse, Carol Cottam | Align with Enterprise system |
Full details for each individual dimension and the specific assessment gaps can be found in Appendix Two:
Lastly, NRC will need to maintain the following success factors throughout our risk management journey:
1. Buy-in and tone at the top. Risk management practices are more effective when they are supported by senior managers. Managers and leaders need to be actively involved in risk management activities, encourage risk-related conversations and apply risk-based decision making.
2. Clear direction by Governance. Audit & Risk Subcommittee should provide input into Council’s risk appetite, assist management in risk assessment, and define what risk information they want to receive.
3. Risk culture. Risk management process improvement requires Council to not only have tools and processes, but also to embrace a culture of risk awareness and transparency. All staff have a role to play and should be encouraged to actively participate in Council’s risk identification, communication or response.
4. To support this journey, Council should support its staff with a relevant risk related training and awareness programme.
Attachments/Ngā tapirihanga
Attachment 1: Appendix 1 - Risk Register Summary
Attachment 2: Appendix 2 - Detailed Risk Maturity Assessment (this attachment will be sent separately)
2 December 2020
TITLE: Internal Audit Programme
ID: A1388420
From: Bruce Howse, Group Manager - Corporate Excellence
Authorised by Group Manager: Bruce Howse, Group Manager - Corporate Excellence, on
Executive summary/Whakarāpopototanga
A schedule of items for an internal audit programme has been identified for the next three years, subject to annual budget ($52k), as presented in Table 1. The findings from the internal audit programme will be reported to the Audit and Risk subcommittee as the work is completed.
Table 1. Proposed 3-year internal audit programme
| Year 1 - 2020/21 | Year 2 – 2021/22 | Year 3 - 2022/23 |
|---|---|---|
| FNDC rates collection, audit to confirm robustness of collection of NRC rate revenue and general title arrears recovery process. | WDC rates collection. | KDC rates collection. |
| Human resources procedures. | Property management. | Externally managed funds – SIPO, governance, reporting, treasury management. |
| Fraud control environment. | Procurement. | Legislative compliance. |
| Insurance – AON insurable risk review (completed). | Risk management. | |
Other items that have been identified for internal audit include:
· Asset management - once Enterprise System is implemented and operational
· Cyber security audits
· User fees and charges
· Business continuity plan – once developed and operational
· Health and safety
· Record keeping compliance
These items are beyond the scope of the current budget for internal audit but could be exchanged for the items included in Table 1.
Direction is sought from the Audit and Risk subcommittee on the proposed 3-year internal audit programme.
1. That the report ‘Internal Audit Programme’ by Bruce Howse, Group Manager - Corporate Excellence and dated 23 November 2020, be received.
2. That the Audit and Risk subcommittee review the proposed 3-year internal audit programme, make any amendments considered necessary, and endorse the programme.
Attachments/Ngā tapirihanga