01 March 2017
Finance and Performance Committee
30 January 2017
Report no: FPC2017/1/73
Risk and Assurance
Strategic Risk Register
Purpose of Report
1. The purpose of this report is to update the Committee on risk and assurance actions and activities to maintain and improve Council's internal control framework and to present the Strategic Risk Profile.
That the Committee:
(i) notes the information in this report; and
(ii) notes the Strategic Risk Profile 2016 as approved by the Strategic Leadership Team, attached as Appendix 1 to the report.
2. The Risk and Assurance Manager provides an update twice a year on the actions taken to maintain and improve Council's assurance and risk management framework. The preceding Risk and Assurance Update was presented to the Finance and Audit Committee meeting held on 13 July 2016.
Strategic Risk Profile
3. Strategic risks are those that affect the achievement of Council's strategies, strategic objectives, key goals and strategic execution.
4. This profile considers each key strategy and provides a high level snapshot of strategic risk context, plans and treatment actions.
5. Attached as Appendix 1 to the report is the annual Strategic Risk Profile for 2016 for Council as approved by the Strategic Leadership Team (SLT) and Risk Management Working Group.
6. The risk profile now includes a risk status update key to show movements in risk status or risk ranking from the previous profile. The risk status update provides an indication of a decrease, no change or increase in the risk ranking, which is derived from a combination of consequence and likelihood assessments for the risk based on the risk ranking matrix.
7. Leisure and Wellbeing strategic risk rating has decreased (improved) in light of strategic community facilities projects being completed and positive progress of community programmes and initiatives that enhance the lives of our communities.
8. Organisation strategic risk rating has increased as we have a greater awareness of health and safety exposures and plans are in place to address identified areas that require attention and improvement.
9. Natural Hazards strategy rating remains HIGH. Following the Kaikoura earthquakes on 14 November 2016, a number of actions are underway to address our susceptibility to, resilience and preparedness for natural hazards. Also refer to the Risk Management Working Group activities below for details.
10. The annual Strategic Risk Profile was last presented to the Finance and Audit Committee on 23 November 2015.
11. The payroll internal audit report was issued on 21 October 2016. The overall objective of this review was to determine the adequacy and effectiveness of controls and systems in place to manage their operations, and to identify any improvement opportunities. Audit work aimed to avoid gaps and overlaps with other sources of assurance.
12. Payroll internal audit opinion on management control is that it is effective. The control framework is appropriate and effective. Controls are appropriately designed and executed as intended. Overall processes are controlled. The following two low rated findings were raised:
i. Monitoring of patterns for casual and temporary staff; and
ii. Document and test service continuity plan.
13. The Internal Audit Plan 2016-2018 was approved by SLT on 5 December 2016. Planning for the first two reviews is underway for i) high level review of the official information requests process and ii) Community Funding and Grants internal audit.
14. Monitoring processes are in place to track and follow up findings raised in internal audits to ensure corrective actions are cleared as the resolution date falls due.
15. Monthly reporting continues to assess compliance with legislative and regulatory requirements. To date for the 2016/2017 year there has been one significant breach in relation to a response to an official information request not meeting the statutory timeframe.
Risk Management Working Group
16. The Risk Management Working Group (RMWG) has met twice since the 13 July 2016 update provided to the Finance and Audit Committee.
17. Last month a workplace security assessment for the Laings Road administration building reception area was undertaken by the Health and Safety Manager and Health and Safety Consultant. The assessment was based on the guidelines in the judgement from the prosecution of the Ministry of Social Development by WorkSafe New Zealand following the shootings in the Ashburton Work and Income Office in September 2014. WorkSafe have also issued guidelines to manage risk in customer service areas, a fact sheet on best practice in developing plans, so far as is reasonably practicable, to ensure the health and safety of workers, and ensure that others are not put at risk.
18. OPSEC Solutions, external consultant, completed workplace security risk assessments of the Walter Nash Centre, Taita and the Computer Clubhouses at the Naenae and Taita sites.
19. A total of 24 council sites have had workplace security assessments since October 2014. Progress updates on remedial actions are provided directly to SLT.
20. Security of the Pavilion server room has been strengthened and is considered adequate with the installation of security cameras in addition to the changing of access locks and a PIN.
21. In October 2016 the RMWG reviewed and updated the key service priorities for council services. This forms part of the service continuity framework and prioritises the areas/services for recovery following a disruption event. Priority rankings have been communicated to Divisional Managers.
22. An emergency power test at the Laings Road administration building is scheduled for 3 March 2017. The planned test will ensure minor issues have been cleared from the two unexpected power outages since staff moved back into the refurbished building.
23. The Chief Financial Officer took up the role of Crisis Manager in September 2016. A Crisis scenario is being investigated and may form part of the emergency power testing in March 2017.
24. Coordinated Incident Management System (CIMS) training continues to take place approximately six weekly and is run by Wellington Regional Emergency Management Office (WREMO) staff.
25. The Divisional Manager, Regulatory Services and the Regional Manager/Group Controller of WREMO will provide a separate briefing on the WREMO 12 month update to the Community Services Committee to be held on 2 March 2017.
26. All sites have emergency evacuation plans in place and drills are held regularly.
27. Staff Receiving of Gifts policy was reviewed by the RMWG (no significant changes) and SLT approved the updated policy on 5 December 2016.
28. The risk management system has been reviewed. The document, previously approved by Council, is being finalised by SLT.
29. Responsibilities and supporting processes of the risk management framework are reinforced regularly. Processes are in place for escalation outside of the regular reporting channels on any emerging operational risks or issues. Managers reported on operational risk in January 2017.
30. In making this recommendation, the Risk and Assurance Manager has considered the purpose of local government in section 10 of the Local Government Act 2002. The Risk and Assurance Manager believes that this recommendation falls within the purpose of the local government in that it provides the Finance and Performance Committee with information to support their governance role. It does this in a way that is cost-effective because it provides assurance on the effective and efficient management of risks within Council.
Strategic Risk Profile 2016
Author: Enid Davids
Risk and Assurance Manager
Approved By: Joycelyn Raffills
General Manager, Governance and Regulatory