Audit and Risk Subcommittee Wednesday 30 March 2022 at 10.00am

 

30 March 2022

Audit and Risk Subcommittee Agenda

 

 

Recommendations contained in the agenda are NOT decisions of the meeting. Please refer to minutes for resolutions.

 

MEMBERSHIP OF THE Audit and Risk Subcommittee

Chairperson,  Colin Kitchen

Councillor Amy Macdonald	Councillor Joce Yeoman	Councillor Rick Stolwerk
Ex-Officio Penny Smart	Independent Audit & Risk Advisor Danny Tuato'o	Independent Advisor Stuart Henderson

 

 

KARAKIA / WHAKATAU

 

RĪMITI (ITEM)                                                                                                      Page

1.0      Ngā Mahi Whakapai/Housekeeping

2.0      Ngā Whakapahā/apologies   

3.0      Ngā Whakapuakanga/declarations of conflicts of interest

4.0      Ngā Whakaae Miniti (Confirmation of Minutes)

4.1      Confirmation of Minutes - 24 November 2021                  4

5.0      Reports

5.1      Internal Audit Schedule                                                       10

5.2      Audit Fee Proposal For Year Ending 30 June 2022 and 30 June 2023                                                                               12

5.3      Deloitte - Fraud and Corruption Risk Assessment           19

5.4      Internal Audit Update - Kaipara District Council Rating Review                                                                                    40

5.5      Internal Audit Maturity Assessment                                  56

5.6      Investment Policy Revision - Incorporate Protocols for Reporting Investment Fund Gains/Losses                        64

5.7      Local Government Funding Agency (LGFA) Presentation & Funding Strategy Considerations                                   68

5.8      Risk Management Activity Update                                    86

5.9      Risk Deep Dive on workload and Capability and Operational capacity to manage events and directives                                                                                               116

5.10   Health and Safety Update                                                 121

5.11   Insurance Summary 2021/2022                                       129

6.0      Kaupapa ā Roto (Business with the Public Excluded)         137

6.1      Confirmation of Confidentail Minutes - 24 November 2021

6.2      Cyber Security update

30 March 2022

 

TITLE:	Confirmation of Minutes - 24 November 2021
From:	Judith Graham, Corporate Services P/A
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on

 

That the minutes of the Audit and Risk subcommittee meeting held on 24 November 2021 be confirmed as a true and correct record.

 

Attachment 1: Audit and Risk Subcommittee minutes - 24 November 2021 ⇩   

30 March 2022Attachment 1

30 March 2022

 

TITLE:	Internal Audit Schedule
From:	Judith Graham, Corporate Services P/A
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 17 March 2022

 

The internal audit schedule, as adopted by the Subcommittee, is provided in Table 1. 

 

The schedule shows the timing for each internal audit item and a status update on progress. 

 

All items scheduled for 2020/21 have been completed and work is in progress and on track for all items scheduled for 2021/22.

 

That the report ‘Internal Audit Schedule’ by Judith Graham, Corporate Services P/A and dated 11 January 2022, be received.

 

 

Table 1.  Internal Audit Schedule

Key
Complete		Underway	Deferred		Not Started
Year	Item			Status
2020/21	FNDC rates collection, audit to confirm robustness of collection of NRC rate revenue and general title arrears recovery process.			Audit complete.  Findings reported to Subcommittee in June 2021.  FNDC have implanted audit recommendations in part, some still work in progress.
2020/21	Human resources procedures.			Audit complete.  Findings reported to Subcommittee in September 2021.  Findings will be implemented through Human Resources work programme.
2020/21	Fraud control environment (counter-fraud gap analysis).			Audit complete.  Findings reported to Subcommittee in June 2021.  Additional work underway to strengthen control environment.
2020/21	Insurance – AON insurable risk review.			Audit complete.  Findings presented to Subcommittee in December 2020.  Insurance renewals due November 2021.
2021/22	KDC rates collection, audit to confirm robustness of collection of NRC rate revenue and general title arrears recovery process.
2021/22	Property management.			Work in progress.  Findings to be reported to Subcommittee in mid-2022.
2021/22	Risk management.			Deferred.  Replaced with ‘Fraud and Corruption Risk Assessment’ as reported to Subcommittee in June 2021.
2021/22	Procurement.			Deferred.  Replaced with ‘Strengthen the Management of Third parties’ as reported to Subcommittee in June 2021.
2021/22	Fraud and Corruption Risk Assessment.
2021/22	Strengthen the Management of Third parties.
2022/23	WDC rates collection, audit to confirm robustness of collection of NRC rate revenue and general title arrears recovery process.			Work to commence in 2022/23.
2022/23	Externally managed funds – SIPO, governance, reporting, treasury management.			Work to commence in 2022/23.
2022/23	Legislative compliance.			Work to commence in 2022/23.

 

 

 

Nil

30 March 2022

 

TITLE:	Audit Fee Proposal For Year Ending 30 June 2022 and 30 June 2023
From:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 10 March 2022

 

Deloitte had proposed an increase in base audit fees from $122,300 to $170,300 for FY22. 

 

Through negotiation Deloitte has agreed to a lower increase in base audit fees of $156,300 for FY22 (refer attachment).  This fee has been approved by the Office of the Auditor General. An additional $15k of audit fees is proposed for FY22 for the Enterprise Project implementation workstream which requires additional audit effort (as noted in the original and revised Deloitte fee proposals).

 

In addition to this Deloitte has proposed base audit fees of $178,800 for FY23, reflective of Council’s FY22 growth (additional $14,000) and 5% inflationary adjustment ($8,500).  An additional $25k of audit fees is proposed for FY23 for the Enterprise Project implementation workstream which requires additional audit effort (as noted in the original and revised Deloitte fee proposals).

 

Deloitte has also outlined an approach to the setting of audit fees for FY24 and FY 25.  The approach is based on three key factors:

·    scope changes - this would include things such as material new business activities, and addressing new regulatory requirements (such as new reporting standards).

·    adjust the fee (up or down) based on 10% +/- annual changes in budgeted annual expenditure from year to year (as set out in the LTP or Annual Plan).

·    inflationary cost escalation – this aspect of the fee would be referenced to the CPI adjustment published annually by Stats NZ.

 

It is recommended that the subcommittee endorses recommendations to council that it approve the Audit fees proposed by Deloitte for FY22 & 23, and agree in principle to the approach outlined by Deloitte for setting of audit fees in FY24 & FY25.

 

 

 

1.        That the report ‘Audit Fee Proposal For Year Ending 30 June 2022 and 30 June 2023’ by Bruce Howse, Pou Taumatua – Group Manager Corporate Services and dated 11 February 2022, be received.

2.        That the subcommittee recommend to council the approval of base audit fees of $156,300 for FY22 and a further $15k in audit fees for the Enterprise Project implementation workstream.

3.        That the subcommittee recommend to council the approval of base audit fees of $178,800 for FY23 and a further $25k in audit fees for the Enterprise Project implementation workstream.

4.        That the subcommittee recommend to council the agreement in principle to the approach outlined in the attached Deloitte proposal for the setting of audit fees for FY24 and FY25.

 

 

No.	Option	Advantages	Disadvantages
1	Recommend to council the approval of audit fees for FY22 & FY23.	We will have certainty (pending councils approval) of audit fees and an auditor available to undertake our audit work.  Approving both FY22 & FY23 provides certainty for both parties and is much more efficient than attempting to renegotiate fees again in FY23.	Increase audit fees, however these are imminent regardless in the current economic conditions and council’s growth.
2	Do not recommend to council the approval of audit fees for FY22 & FY23.	Potential to attempt to negotiate lower audit fees in FY23, however negotiations are unlikely to be successful or favourable to council based on factors such as council’s growth and projected inflation.	Further efforts to continue to negotiate audit fees.

 

The staff’s recommended option is 1.

1.        Financial implications

Budget provision has been made from existing budgets for the increased cost in FY22 audit fees.  The increased audit fees for FY23 are unbudgeted (with the exception of the Enterprise Project audit fees which will be funded from the project budget) and will need to be built into the 2023/24 Annual Plan or found from other funding sources.

 

Attachment 1: FY22 and FY23 Audit Fee Proposal NRC Final ⇩   

30 March 2022Attachment 1

30 March 2022

 

TITLE:	Deloitte - Fraud and Corruption Risk Assessment
From:	Simon Crabb, Finance Manager
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on

 

In May 2021 Council undertook a Counter-Fraud Gap Analysis to identify the specific actions required to improve councils’ approach to managing, and actively reducing, its exposure to fraud and corruption risks.  A key recommendation arising from this May 2021 gap analysis was that council should complete a Fraud and Corruption Risk Assessment.

 

In March 2022 council engaged Deloitte to perform the recommended Fraud and Corruption Risk Assessment with a focus on council’s key corruption risks. Refer to Attachment One for the Deloitte report.

 

Deloitte partner Ian Tuke will attend the March Subcommittee meeting to talk to the Deloitte report and respond to any questions.

 

The key recommendations flagged as priorities (and the corresponding date and responsibility for delivering such recommendations) in the Fraud and Corruption Risk Assessment Report are summarised in the table below.

 

Ref	Deloitte Key Priority Flagged Recommendations	Complete by	Responsible
1	Implement an ongoing early detection-focused analytics programme to identify any outlier trends/activity and serve as a preventive measure against acts of corruption.	June 2022, annually thereafter	Finance Manager
2	Roll out a compulsory online corruption-focussed awareness training module to the entire organisation to educate employees and contractors about the risks and warning signs of corruption, and how to share their concerns.	June 2022	Finance Manager
3	Source and promote Crimestoppers (or similar) as councils independent 24/7 whistle blower service.	June 2022	Fraud Limitation Officer
4	Enhance the reporting available to management in relation to environmental incidents and compliance monitoring in an endeavour to develop insights/visibility into the behaviours of council enforcement officers. Related to the above, is the additional recommendation to generate oversight of the allocation of environmental incident files to council officers.	December 2022	Compliance Monitoring Manager
5	Enhance the reporting of environmental incidents and compliance monitoring in an endeavour to develop insights/visibility into the behaviours of councils contracted service providers.	December 2022	Compliance Monitoring Manager
6	Design and implement a Declaration of Interest form to be completed by council staff (at the point of assessment) who are responsible for assessing/approving the allocation of grant funding.	December 2022	Fraud Limitation Officer
7	Investigate the feasibility of incorporating a “Declaration of Interest” field in the Accounts Payable system of the new Enterprise System to be completed by council staff (at the point of raising a purchase order) when procuring goods/services in excess of $5K	September 2023	Finance Manager

 

 

 

1.        That the report ‘Deloitte - Fraud and Corruption Risk Assessment’ by Simon Crabb, Finance Manager and dated 11 January 2022, be received.

 

 

Attachment 1: Fraud & Corruption Risk Assessment - Deloitte March 2022. ⇩   

30 March 2022Attachment 1

30 March 2022

 

TITLE:	Internal Audit Update - Kaipara District Council Rating Review
From:	Simon Crabb, Finance Manager
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 18 March 2022

 

Deloitte performed a review of the Kaipara District Council (KDC) rating processes to test the controls and identify any improvements in respect to:

·        user access to, and maintenance of, the Rating Information Database (RID),

·        application, collection, and allocation of rating transactions,

·        and the process and preparation of the reporting provided to NRC.

 

Refer to Attachment One for the Deloitte report on their review. Deloitte partner Peter Gulliver will attend the March Subcommittee meeting to talk to this report and respond to any questions.

 

This agenda item summarises the findings and presents an action plan arising from the Deloitte review.

 

That the report ‘Internal Audit Update - Kaipara District Council Rating Review ’ by Simon Crabb, Finance Manager and dated 4 March 2022, be received.

 

1.    The key recommendations identified as having the potential to cause high or moderate risk to KDC systems and controls, and requiring urgent action are summarised in the table below.

High risk Improvement	Action to be taken	Completion Date
User access rights to the Rates Maintenance function should be comprehensively reviewed and revised to ensure appropriate access levels	The General Manager Corporate Excellence will send a letter to KDC requesting that:   ·    the current rates maintenance access rights are revised to reflect the appropriate functionality,   ·    a schedule is provided to NRC detailing the updated user positions, roles, access functionality and justification for access functionality.   ·    an IT User Access Policy is developed and implemented that will establish clear guidelines around what access rights are provided to each staffing position; and mandate the annual review of all user access rights.	30 April 2022
The Allocation methodology for rate payments should be agreed upon and documented within the Annual Rating Services Agreement	Simpson Grierson were engaged in November 2021 to draft up a variation to the current rating services agreement to document the agreed allocation methodology for rates payments, and in particular in the instance rates assessments are part paid.   The wording provided by Simpson Grierson will be incorporated into all of the 2022-23 Rating Services Agreement.	30 June 2022

 

2.    The processes identified by Deloitte as having the potential to cause high or moderate risk to KDC systems and controls, but remedying actions are considered not urgent are:

 

KDCS management of its debt collection processes, reconciliations, sign off procedures, and reporting to NRC should be improved.

As part of the 2022-23 Rating Services Agreement renewal process, the General Manager Corporate Services will discuss the findings and recommendations of the Deloitte review with his counterpart at KDC, expressing an expectation that their service levels are improved.   In addition, the Rating services Agreement will be amended to mandate that KDC provide an aged debtor analysis to NRC as part of their quarterly rating reconciliation report.

30 June 2022

 

 

Attachment 1: Rating Review of Kaipara District Council  -Deloitte Report, March 2022 ⇩   

30 March 2022Attachment 1

30 March 2022

 

TITLE:	Internal Audit Maturity Assessment
From:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 09 March 2022

 

Deloitte have undertaken an internal audit (IA) maturity review of NRC (attached).

 

The maturity of NRC’s IA function was assessed at an overall level of 2 out of 5 (5 being the highest maturity level).  The report provides several recommendations for NRC to improve its IA maturity to a level of between 3-4 which is considered an appropriate level for NRC.

 

The Corporate Strategy Team has been tasked with the development of a roadmap to increase our maturity rating in line with the recommendations in the report and ensuring that roadmap is progressively implemented over time.  We expect it will take us several years and some additional resourcing to increase our maturity to a level of between 3-4 score, however this will be further refined once the roadmap has been completed.  This work aligns with the quality systems refresh work that the Continuous Improvement group have been undertaking, which should further enhance NRC’s IA maturity.

 

1.        That the report ‘Internal Audit Maturity Assessment’ by Bruce Howse, Pou Taumatua – Group Manager Corporate Services and dated 12 January 2022, be received.

 

Attachment 1: Internal Audit Maturity Report - Final ⇩   

30 March 2022Attachment 1

30 March 2022

 

TITLE:	Investment Policy Revision - Incorporate Protocols for Reporting Investment Fund Gains/Losses
From:	Simon Crabb, Finance Manager
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 18 March 2022

 

Council’s Investment policy relates to all of council’s investment asset classes, sets the overall investment objective, governs how investment risks are assessed and managed, and how investments are reported upon.

 

It is proposed to expand the reporting section within the investment policy to include how gains and losses from councils externally managed investment portfolio are recorded and presented in councils financial reporting.

 

The Audit and risk subcommittee are delegated the responsibility for monitoring and reviewing the Investment policy and recommending any policy changes to full council.

 

1.        That the report ‘Investment Policy Revision - Incorporate Protocols for Reporting Investment Fund Gains/Losses’ by Simon Crabb, Finance Manager and dated 15 March 2022, be received.

2.        That the subcommittee endorse that the proposed changes presented in this report are incorporated into councils Investment Policy

 

3.                                                    

Options

No.	Option	Advantages	Disadvantages
1	Incorporate the proposed protocols into the Investment policy	Improve transparency and understanding of how council recognises and reports its externally managed investment portfolio gains/losses. Help preserve key knowledge and promote consistency.	None.
2	Do not Incorporate the proposed protocols into the Investment policy	None.	Risk of inconsistent treatment and confusion over what is being reported.

 

The staff’s recommended option is Number 1.

1.        Being a purely administrative matter, Community Views and Environmental Impact are not applicable.

2.        Māori impact statement

This report relates to a council administrative matter and therefore does not have a direct impact on Māori.  Any potential impacts of future related decisions will be addressed in the relevant reports.

3.        Financial implications

This report promotes protocols in an effort to improve financial consistency and understanding

4.        Implementation issues

The Audit and Risk Subcommittee have delegated authority to review financial policies and recommend any policy changes to full council for adoption.

 

5.        Significance and engagement

In relation to section 79 of the Local Government Act 2002, this decision is considered to be of low significance when assessed against council’s significance and engagement policy because it is part of council’s day to day activities.  This does not mean that this matter is not of significance to tangata whenua and/or individual communities, but that council is able to make decisions relating to this matter without undertaking further consultation or engagement.

6.        Policy, risk management and legislative compliance

The activities detailed in this report are in accordance with council’s Treasury Management Policy, Investment Policy, and the 2021-31 Long Term Plan, all of which were approved in accordance with council’s decision-making requirements contained in the Local Government Act 2002.

To improve the transparency and understanding of how council recognises and reports its externally managed investment portfolio gains/losses it is proposed the following protocols are incorporated into the Investment Policy. 

The “illustrative examples” accompanying the protocols are provided to enhance understanding and are not intended for inclusion into the policy.

1.        Gains

a.        All Gains derived from councils managed fund portfolio will be recognised as revenue.

b.        Any funding contribution (general and/or specific funding) requirement from gains will be booked in line with budget, with the remaining surplus gains recapitalised (reinvested back into the fund) by booking a transfer to reserve.

                                  (1bi) illustrative example

 

c.        If budgeted gains do not eventuate as per budget (on a year-to-date basis), any funding requirement is the first recipient of the gains and the recapitalised amount booked as a transfer to reserve is reduced.

                                  (1ci) illustrative example

                                   

d.        In the case where there are insufficient gains to achieve the budgeted general funding requirement and this results in the net result after reserve transfers being unfavourable to budget, a transfer from the OPEX reserve should be booked. This may result in a crystallising/ cash withdrawal from councils OPEX reserved term deposits subject to cashflow requirements.

                                  (1di) illustrative example

                         

e.        Should the balance of the OPEX reserve fall below the budgeted annual general funding requirement, council must remedy this byway of (but not limited to) utilising (crystallising/ withdrawing) historical managed fund gains, and/or revising, reducing, or deferring work programmes, and/or increasing rating revenue in the corresponding year.

f.         Inflationary pressures may deem some funds reserved for a specific purpose to receive a recapitalisation/reinvestment of gains in preference of contributing gains as a source of general funding.

 

 

2            Capital Losses

 

a.        Any losses derived from councils managed fund portfolio will be recognised as negative revenue in councils’ monthly management accounts, and as other expenditure in the annual statutory accounts (prepared in accordance with GAPP).

 

b.        Should a managed investment fund experience a capital loss (negative gain) throughout the year, the negative impact of the capital loss will be reflected in councils net result after transfers to/from reserve. That is, a transfer from reserve to offset any capital loss will not be booked in the monthly accounts presented to council.

 

                                  (2bi) illustrative example

                                            

                                         

 

c.        Should a managed investment fund register a capital loss (negative gain) over the 12 months of the financial year, a transfer of historical gains will be booked to offset the loss, by way of a transfer from reserve at the end of the financial year. This is a non crystallised (non-cash) accounting entry.

                                             (2ci) illustrative example

                              

 

Nil

30 March 2022

 

TITLE:	Local Government Funding Agency (LGFA) Presentation & Funding Strategy Considerations
From:	Simon Crabb, Finance Manager
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 18 March 2022

 

The Local Government Funding Agency (LGFA) presented the PowerPoint attached (refer Attachment One) to the Corporate Services and Finance Special Interest Group in March 2022.

 

Worthy of note is the graph shown below (taken from slide 4 of the PowerPoint) depicting the underlying cost of funds for the LGFA at March 2022

 

 

As a comparison, the September 2021 version of the same graph is provided below, emphasising the upward movement in the underlying cost of borrowing, from only 6 months ago.

 

 

 

 

 

 

With the cost of borrowing on an upward trend, it is timely to remind the subcommittee of the principles and fundamental factors to consider when deciding whether a major project is funded by way of external borrowings or by using councils cash reserves. Either way the overarching principle is council should never earn less off its cash reserves than 6% over a 3-year period.

 

The flowchart below summarises the factors to be considered in deciding the funding mechanism for a project.

 

 

At the time of writing the 3-year return on the Long-Term Fund was 10%, and the LGFA rate for borrowings over 15 years was 4.06% - which would imply if council needed project funding today, they would take borrowings from the LGFA. However, with a steep rise anticipated in the cost of borrowings, current inflationary pressures, and the current volatility in the global financial markets, councils funding strategy may soon revert to one of using its own cash reserves.

 

It should also be noted that council has received a legal opinion in the past advising that in any given year council should not receive funding (e.g., Borrowings) in excess of what they are spending.

 

That the report ‘Local Government Funding Agency (LGFA) Presentation & Funding Strategy Considerations’ by Simon Crabb, Finance Manager and dated 17 March 2022, be received.

 

 

Attachment 1: Local Government Funding Agency (LGFA) Presentation - March 2022 ⇩   

30 March 2022Attachment 1

30 March 2022

 

TITLE:	Risk Management Activity Update
From:	Kym Ace, Corporate Systems Champion
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 15 March 2022

 

The Risk Management Activity Update Report outlines the summary of Council’s progress in risk

management related activities including updates on Corporate, Fraud, Dishonesty and Corruption Risks and the review of the risk management policy and framework.

 

1.        That the report ‘Risk Management Activity Update’ by Kym Ace, Corporate Systems Champion and dated 2 December 2021, be received.

2.        That changes to the Risk Management Policy and Framework be approved

 

 

1.           The corporate, fraud, dishonesty and corruption risk registers have been refreshed following leadership review.

2.           The risks and their treatment/s (mitigation action/s) are being managed by staff through the Promapp risk module.  Risk reporting will be provided quarterly to the Audit and Risk Subcommittee.  The monitoring of the corporate and fraud dishonesty and corruption risk registers is performed by the Corporate Systems Champion on a monthly basis. 

3.           The top ten corporate risks, their pre-control (inherent) and post control (residual) rating and trending (traffic light) are summarised in Table 1.

4.           The corporate risks, their risk types, pre-control (inherent) and post control (residual rating) are summarised in Attachment 1.

5.           Key changes and additions from this quarter’s review are identified in Table 2. Some top risks which were retained through the review have been expanded or narrowed, and this is reflected in the relevant risk descriptors within the full document.

 

 

 

Table 1. Top ten corporate risk

Key – Risk rating
Extreme	High	Moderate	Low
Key – Trend	Increasing	Decreasing	Static

#	Risk Statement	Inherent Rating	Residual Rating	Trend
244	Failure to respond to COVID-19 Impact	25	20
246	Recruitment and retention of specialist staff	20	20
080	Changes in legislation and central government policy impacting council’s resources, budgets and activities.	25	20
014	Cyber security attack	20	16
230	Climate change response	20	16
136	Capability and operational capacity to manage events and directives	20	16
221	Workload	20	16
245	Failure to prepare for future of local government review/reforms and its impacts	20	16
012	Non-compliance with Health and Safety at Work Act 2015	20	15
015	Core IT applications/system are not designed and/or implemented to support all organisational processes, or applications will stop working	20	15

 

 

 

Table 2. Key Top Risks changes and additions through the review Top Risk

Key
New specific risk		Increase rating	Decrease rating		Treatment added risk rating remains static
Status	Description			Commentary
	Water			Specific risk identified in the top risk list waiting to hear back from Colin
	Policies and protocols not clearly documented and followed			Residual risk likelihood decreased from often to likely as we have: ·    Improved accessibility on policies from a hub on the express ·    Providing training to managers ·    Audit planning includes a review of policy adherence
	Climate Change response			Inherent and residual likelihood has increased from likely to often to recognise the increased impact of climate change council’s operations and the difficulties in recruiting staff. This risk and the treatments will be fully reviewed as part of the work programme of the new Climate Change Specialists
	Covid			Residual likelihood has increased from often to frequent recognising the effects of the Omicron variant on the workforce even though we have developed BCP and response planning.
	Council decisions and directions			Residual risk likelihood increased from possible to likely in recognition of the potential risk associated with an election year for council and the CEO recruitment
	Fraud corruption and dishonesty			Residual risk likelihood increased from rare to possible due to increased staff turnover and record levels of new roles.
	Procurement			Inherent likelihood from likely to often. Residual risk likelihood increased from possible likely as we need to progress the procurement project to provide our staff with resources, templates, and training.
	Management of data and information assets			Residual risk consequences increased from moderate to major as progress on work plan has been restricted by resourcing and workload issues.
	Recruitment and retention of specialist roles			Residual risk likelihood increased from often to frequent as determined by the deep dive in December and the continued difficulties of recruiting and retaining specialist staff.
	Non-compliance with Health and Safety at Work Act 2015			Increase inherent likelihood increased from likely to often and residual increased from possible to likely to reflect the loss of Health & Safety specialist and therefore exposing the potential of not having all the checks in place to ensure that everything is happening as it should be and the heightened risk regarding contractor health and safety.
	Changes in legislation and central government policy impacting council’s resources, budgets and activities			Inherent likelihood increased from often to frequent and Residual risk consequences increased from moderate to major as staff report an increased volume of changes coming from central government. These changes will affect our operational capacity.
	Capability and operational capacity to manage events and directives			Residual risk consequences increased from moderate to major because as we are only approximately halfway in developing our BCP framework and the issues covered in the deep dive report in this agenda
	Enterprise Project			Increase inherent and residual likelihood from possible to likely to reflect the current scheduling and resourcing issues.
	Cyber security			Residual risk consequences increased from Moderate to major because as even though we are constantly defending threats and if/when a threat gets through the consequences could be major. Policy rules are being triggered and alerts remedied daily. We are also early on our roadmap to increasing our security maturity

 

 

 

Risk Management Policy and Framework review

The risk management policy and framework were comprehensively reviewed in February 2020 to align with ISO 31000:2018 standard.

 

As scheduled in the policy review programme for 2022, staff have recently reviewed the policy and framework. The updates include:

·    updated roles and responsibilities in line with the operational structure,

·    inclusion of programme risk and

·    objective review.

 

The revised policy and framework are attached at Attachment 2 and 3 for approval

 

Risk Appetite

Risk appetite is the decision about the amount and type of risk Council is willing to take to achieve its objectives. This is an area that was identified in the risk maturity matrix as requiring further development. Council does not have internal resource to lead this work and are recommending that we investigate options and report back to the June Audit and Risk Subcommittee.

 

Deep Dives

The Corporate System Champion facilitates risk owners to provide deep dives into each corporate risk in accordance with the following schedule (Table 3), initially focussing on the corporate risk with the highest pre-controls risk rating or where specifically requested due to increasing risk ratings.  The deep dive on workload and capability and operational capacity to manage events and directives is included as a separate agenda item.

 

Table 3.  Risk deep dive schedule.

#	Corporate Risk	November 2021	1st meeting 2022	2nd meeting 2022
2	Workload		√
3	Capability and operational capacity to manage events and directives		√
4	Changes in legislation & central government policy impacting council’s resources, budgets, and activities.			√
5	Cyber security			√

 

Response to COVID-19 Resurgence – Omicron Variant

Council’s Crisis Management Team (CMT) was activated in response to the announcement by the Government that New Zealand of the Covid-19 pandemic. The role of Council’s CMT is to lead Council’s internal response, ensure Council’s essential services remain operational, manage the changes to Council’s operations and service as required, and support staff well-being and safety during the crisis.

 

Following the Omicron announcement Council’s COVID Protection Framework and Communication Plan were reviewed and activated with staff being split into shifts/bubbles as a risk mitigation response and staff working from home where possible. Covid Business Continuity Plans per Group have been updated for the Omicron response with critical services identified and plans developed to manage these within each group.

 

The transitions have been managed smoothly and with resilience by staff.  Regular communications have been issued to staff with ongoing external communications managed through Council’s website and social media channels.  Health and safety protocols were frequently reviewed and updated as specific advice regarding the Omicron variant were received.

 

The Emergency Management readiness and response to the COVID-19 was to deactivated post lockdown and are now operating as business as usual. Communication to the community was achieved through the Civil Defence Emergency Management pages.

 

Covid 19 disruptions are predicted to have unfavourable impacts on a number of 2021/22 work programmes, resulting in the potential for non-achievement of some levels of service.

 

At the time of writing this report the CMT remains activate, proactively managing the response as Council prepares for and moves through the Protection Framework (Traffic Light System) and all the ever-changing requirements. Significant focus is on supporting the mental and physical well-being of staff throughout this time.

 

 

 

Attachment 1: Corporate Risks Summary ⇩

Attachment 2: Risk Management Policy ⇩

Attachment 3: Risk Management Framework ⇩   

30 March 2022Attachment 1

30 March 2022Attachment 2

30 March 2022Attachment 3

30 March 2022

 

TITLE:	Risk Deep Dive on workload and Capability and Operational capacity to manage events and directives
From:	Kym Ace, Corporate Systems Champion
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 15 March 2022

 

There are risks that external and internal events are impacting the capability and operational capacity to manage events, directives, and workloads, which is resulting in our people feeling the pressure and may result in us being unable to deliver our LTP activities and services. The inherent risk is considered extreme (20).

This report presents a deep dive into the risks:

·    capability and operational capacity to manage events and directives; and

·    workload.

Potential causes of these risk include:

1.   Increase in requirements and workloads from central government

2.   High rate of change in our legislative operating environment

3.   Increased Covid-specific workload

4.   High rate of organisational growth

5.   Loss of key staff and difficulty finding replacements

6.   Increased workload to enable engagement with tangata whenua

7.   High workload from Councillors

8.   High expectations to complete work within required timeframes and to a very high standard

9.   Increase in staffing numbers and work programmes impacting support services

 

With mitigations in place the residual risk is considered Extreme (16).

 

1.        That the report ‘Risk Deep Dive on workload and Capability and Operational capacity to manage events and directives’ by Kym Ace, Corporate Systems Champion and dated 11 January 2022, be received.

 

 

Risk	Capability and operational capacity to manage events, directives, and workload There are risks that Northland Regional Council does not possess the capability and operational capacity necessary to provide the required response to internal and external events (including natural hazard, pollution, biosecurity, emergency events, pandemics and other business interruptions or Central Government direction).  This may result in the organisation being unable to deliver on LTP activities and services, and has a significant impact on the workload/s of our people.
Inherent Risk Score: Unmitigated	Likelihood: 5 (Frequent)	Consequence: 4 (Major)	Residual Risk: 16(Extreme)
Underlying Causes (threats):  How do you see these causes now – have they changed are there new causes?	Council’s staff are fundamental to the delivery of levels of service and achievement of targets prescribed in the Long Term Plan. Keeping their wellbeing at the centre of intention is critical to being able to achieve our levels of service and targets and deliver work programmes. Recently staff have observed and felt the impact of increased workload demands from internal and external events and business interruptions.  This has resulted in staff feeling unreasonable levels of pressure and becoming unwell. Potential causes include: 1.   Increased requirements and workload deliverables from central government, especially in a world of local government reform 2.   High rate of change in our legislative operating environment 3.   High rate of organisation growth 4.   Staff wanting to make a difference and make the most of the high volume of opportunities available in a changing environment 5.   Increased Covid-specific workload 6.   Loss of key staff and difficultly finding replacements 7.   Increased workload to enable engagement with tangata whenua 8.   High expectations to complete work within required timeframes and produce high quality work 9.   Increase in staffing numbers impacting support services
Current treatments: Are you assured that these treatments are effective, sustainable and evidenced?  Would you do more, or is the risk reduced?	1.           Business Resilience   Develop/review Council’s Business Continuity Plan (BCP) Framework to ensure that it supports preparedness to respond to events so that risks to people, property, and significant activities are minimised before, during and after an event. This Includes an analysis of resulting workload issues. BCP Policy and Framework have been developed and approved by OMT/ELT. Activity BCP plans are being developed. Seven of fifteen plans have been substantially completed. This work has been impacted by the Covid pandemic response planning requirements but is scheduled for January - March 2022 depending on Covid commitments. Once activity plans are complete the full package will be presented to ELT for approval.   Civil Defence and Emergency Management (CDEM). NRC has a lead role in CDEM group. The role of the group is to work in partnership with communities to ensure effective and efficient delivery of emergency management within Northland. Council employees are obligated to provide lead and support where necessary as part of their roles (subject to situation specific circumstances). Council staff are trained in specific emergency response roles and have processes and procedures that aim to both reduce the impact of incidents and (where possible) to maintain the provision of Council services. This is achieved by (but not limited to): -      Requiring each staff member to undertake CDEM induction and, when identified appropriate, encouraging them to attend a civil defence training course covering the types of hazards in the Northland region, roles and responsibilities, use of coordinated incident management system, and working within an Emergency Coordination Centre. This enables CDEM to have a pool of trained resources on standby in case of a significant event. -      Regular exercises of emergency management skills through participation in inter-agency /authority exercises and collaboration during events   Risk Management Framework Council’s Risk Management Framework includes policy, processes, support, tools, and templates. The framework details the expectations and best practice risk management behaviours across all levels of the business   These treatments impact the consequences of the risk by ensuring there is an organisational understanding of Council’s commitment to maintain and manage the on-going delivery of Council services during an incident   2.        Ensure planning processes, particularly the Long Term and annual plan, review the organisation structure and capacity of teams. This is a key element of annual and long term planning process. Te Kete Marika, which is managed by the corporate strategy team, requires new projects to include detailed consideration of staff impacts and requirements. Additionally, all proposals are considered as a whole by the team in conjunction with support service managers to ensure that support can be identified. This treatment impacts the consequences of the risk by ensuring there is adequate consideration of the structure and capacity of the organisation during planning activities, so Council can maintain and manage the on-going delivery of Council services.   An additional recommendation is that the overall rate of organisational change required to deliver on any plan, including cumulative numbers of staff and support required, is considered at ELT level during the initial strategic scoping phase of plan development, and re-evaluated regularly during the process, on the assumption that all proposals will be approved by council.   3.           Human Resources Plan The Human Resources plan guides the direction of Council’s people management including but not limited to: -      Succession, recruitment, and workforce planning -      Learning and development -      Initiatives -      Support requirements (inc. technology, market analytics and metrics). This treatment impacts the likelihood by providing the structure to implement pro-active actions associated with attracting, maintaining, and developing our people resource.   4.           Develop and analyse workload issues. Workload issues have been workshopped with ELT, HR/H&S team, the Wellbeing and Stress Groups. Potential mitigations have been identified and a workplan developed to address these including but not limited to: -      Analyse what we are doing – if it doesn’t help to achieve our goals do we need to do it? -      For specific areas perform a detailed work breakdown analysis of the role and capacity -      Identify where efficiency can be made whether through process or technology -      Provide time management, stress, and resilience training -      Review training needs of individuals -      Analysis of work distractions and see what can be removed -      Maintain and support the staff wellbeing steering group -      Review processes to identify efficiencies -      Actively promote and participate in the coordinated partnership efforts across the sector -      Better business planning through the LTP -strategic direction planning sessions with ELT and council -      Ensure appropriate management support to staff through e.g., PDP’s, regular meetings, and mentoring 5.           Managers and staff to develop and implement individual solutions to workload issues. To escalate and resolve roadblocks as necessary. This is a question in our performance development process which all staff undertake. 6.           Council in accordance with the significance and engagement policy engages and communicates potential changes and the associated risks with the public. This treatment impacts the likelihood of the risk by detailing and providing visibility to the community of potential impacts. 7.           Ensure that processes are documented for staff to follow. This treatment impacts the consequences of the risk by ensuring our people understand the expectations and the right way to do activities.   8.           Councillors, Managers and staff to consider the impact on resources ($, People, etc) of the work we take on and ensure that it aligns with the LTP Ensure that we have clear and defined boundaries around our capacity Ensure that we are focusing on our core functions and organisational objectives and not becoming distracted by side issues.
Recommendations of Management/  planned Treatments If more needs to be done, what do you suggest – and what are the limitations or constraints.	Recommendations include: 1.    Comply with and resource treatment options. 2.    Ensure proper project management (incl resource planning, workload allocation, costing) before we commit to directives from central government, councillors, and other funding sources. 3.    Ensure long term strategic and annual planning processes include frequent high-level analysis of capacity and support impacts, and that these are adhered to and championed by ELT.
Improvements to span of control: How will the implementation of planned treatments be effective in improving our ability to mitigate the risk?	The treatments will enable us to better manage workload and operational capacity risk, and endeavour to increase staff wellbeing. The proposed treatments are considered the most effective available to council to address this risk.

 

Target Residual Risk Score: Assumes all mitigations in place

Likelihood: 3 (Likely)

Consequence: 3 (Moderate)

Residual Risk: 9 (High)

 

 

 

 

Nil

30 March 2022

 

TITLE:	Health and Safety Update
From:	Beryl Steele, Human Resources Manager
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 18 March 2022

 

This report is to inform the audit and risk subcommittee of the activities related to health and safety.

 

A summary of the activities include:

·        A list of the current health and safety priorities.

·        An update on the key tasks associated with the COVID-19 response.

·        An update on the highest health and safety risks.

·        An outline of the health and safety strategy outcomes, action plans and tracking.

 

1.        That the report ‘Health and Safety Update’ by Beryl Steele, Human Resources Manager and dated 2 December 2021, be received.

 

1.        Health and safety priorities

The key priorities in health and safety at the present time are:

·    Regularly reviewing and updating the COVID-19 response. See section 2 below for details.

·    Managing and monitoring staff workload, stress and mental wellbeing.

·    Finding a new Health & Safety Advisor

 

The first three priorities have not changed since the last update.

 

2.        COVID-19 response

The focus areas in the COVID-19 response for health and safety have been:

·    Ensuring we are compliant with government requirements.

·    Where there have been positive cases in NRC ensuring that appropriate action and safeguarding of staff, visitors and contractors is being taken.

·    Conducting role risk assessments for mandatory vaccination requirements.

·    Moving to requiring a vaccine pass to work in NRC offices and separating critical staff into work bubbles.

·    Supporting the wellbeing of staff through the changing COVID-19 landscape.

·    Working through how best to relocate staff back into the building after the peak of omicron is over.

·    Communicating updates to staff.

 

3.        Top health and safety risks

Table 1: Top health and safety risks and focus mitigations

COLOUR CODE THESE

Risk	Residual Score	Focus area for mitigation and notes
Working with Contractors	16	This has increased from a residual score of 8 to 16.  Some of our contractor documentation has expired or not being filed in the right place
COVID-19 pandemic	16	This has increased from 10 to 16.  This is due to the changing environment.  With omicron the potential of catching it is increased however the likelihood of death has decreased.
Dealing with aggressive people – psychological harm	10	No change.  We have had to delay our training for this and we have looked at moving most of it to being online.  This will start in a few weeks.
Extended workload/stress	9	A deep dive has been carried out.  We now need to see what we can put in place.  Workload was also highlighted in our stress survey.
Workplace bullying and harassment   Note: This due to potential risk, not high numbers	9	Psychological safety training will be commencing soon starting with ELT.  Delivering diversity, bullying and harassment.
Sedentary work – ergonomic harm	8	We continue to promote movement, completing workstation assessments.  The wellbeing group also promotes opportunities for wellbeing challenges that includes physical activities.
Working under the influence of drugs and/or alcohol	8	The drug and alcohol policy has been updated and distributed to staff.
Slips, trips, and falls	8	These continue to be due to work environments combined with inattention.  No mitigations at the present time apart from staff awareness.
Driving motor vehicles – accident and injury related	8	We continue to report on any incidents of speeding or any accidents.

 

Note: The top risks are identified by the residual risk scores. There risks are the highest after all controls have been put in place. Risk scores are between 1 and 25. 

 

The scores listed above represent the residual scores for each of these risks. This means that after all controls are in place, these nine risks have a high residual risk score. The focus area for mitigation column is what we are currently doing or looking into doing in order to further bring these scores down to their lowest possible point. The mitigations listed are not the current controls in place.

 

4.        Health and safety strategy priority outcomes

Please see attachment 1 for action plans for each out the key outcomes. Note that the timeframes on these outcomes have not been adjusted to include the COVID-19 workload, and as such some will be delayed.

 

 

5.        Stress Survey

The Stress Survey has been completed and the main area of concern highlighted was workload.  The report and actions plans are currently being finalised.

 

5.        Other updates of note

·    A new H&S committee has been elected.

·    Our H&S Advisor has left and we are currently trying to recruit for the role.  We have contracted the services of Construct Health Limited to assist us with investigations, reviewing contractor documentation and other pieces of work as required.

 

Guide to strategy reporting

The operational status of the strategy items are displayed using traffic light colours (green, yellow, red). The meaning of each status is defined below. See attachment 2 for the health and safety performance towards the strategy.

Attachment 1: Health and Safety strategy action plans ⇩

Attachment 2: Health and safety performance towards strategy ⇩   

30 March 2022Attachment 1

30 March 2022Attachment 2

30 March 2022

 

TITLE:	Insurance Summary 2021/2022
From:	Judith Graham, Corporate Services P/A
Authorised by Group Manager/s:	Bruce Howse, Pou Taumatua – Group Manager Corporate Services, on 15 March 2022

 

Council’s total insurance premium for 2021/22 is $458,052, this represents an 8.1% increase over the 2020/21 total insurance premium of $423,587.

 

A summary of council’s insurance renewals for 2021/22 is attached. 

 

That the report ‘Insurance Summary 2021/2022’ by Judith Graham, Corporate Services P/A and dated 11 January 2022, be received.

 

Nil.

 

Attachment 1: Insurance renewals summary ⇩   

30 March 2022Attachment 1

  

30 March 2022

 

TITLE:

Business with the Public Excluded

 

The purpose of this report is to recommend that the public be excluded from the proceedings of this meeting to consider the confidential matters detailed below for the reasons given.

1.              That the public be excluded from the proceedings of this meeting to consider confidential matters.

2.              That the general subject of the matters to be considered whilst the public is excluded, the reasons for passing this resolution in relation to this matter, and the specific grounds under the Local Government Official Information and Meetings Act 1987 for the passing of this resolution, are as follows:

Item No.	Item Issue	Reasons/Grounds
6.1	Confirmation of Confidentail Minutes - 24 November 2021	The public conduct of the proceedings would be likely to result in disclosure of information, as stated in the open section of the meeting -.
6.2	Cyber Security update	The public conduct of the proceedings would be likely to result in disclosure of information, the withholding of which is necessary to protect information where the making available of the information would be likely unreasonably to prejudice the commercial position of the person who supplied or who is the subject of the information s7(2)(b)(ii) and the withholding of which is necessary to prevent the disclosure or use of official information for improper gain or improper advantage s7(2)(j).

3.              That the Independent Financial Advisors be permitted to stay during business with the public excluded.

1.    Options

Not applicable. This is an administrative procedure.

2.    Significance and Engagement

This is a procedural matter required by law. Hence when assessed against council policy is deemed to be of low significance.

3.    Policy and Legislative Compliance

The report complies with the provisions to exclude the public from the whole or any part of the proceedings of any meeting as detailed in sections 47 and 48 of the Local Government Official Information Act 1987.

4.    Other Considerations

Being a purely administrative matter; Community Views, Māori Impact Statement, Financial Implications, and Implementation Issues are not applicable.