Agenda of Risk and Assurance Committee - Thursday, 2 December 2021

Item No.	Subject of each matter to be considered	Reason for passing this resolution in relation to each matter	Grounds under Section 48(1) for the passing of this resolution	When the item can be released into the public
9.1	Public Excluded Risk and Assurance Committee Minutes - 21 October 2021	As noted in the relevant Minutes.	As noted in the relevant Minutes.	To remain in public excluded.

Risk and Assurance Committee Minutes

21 October 2021

Risk and Assurance Committee

Open Minutes

Commencing: Thursday 21 October 2021, 09:30 am

Venue: Regional House, 1 Elizabeth Street, Tauranga and via Zoom

Chairperson: Cr David Love

Deputy Chairperson: Bruce Robertson

Members: Cr Bill Clark

Cr Stuart Crosby

Cr Andrew von Dadelszen

Cr Te Taru White

Chairman Doug Leeder (Ex Officio)

In Attendance: Councillors: Paula Thompson, Jane Nees, Matemoana McDonald, Lyall Thurston and Kevin Winters

Staff: Mat Taylor – General Manager Corporate; Namouta Poutasi – General Manager, Strategy and Science; Debbie Hyland – Finance & Transport Operations Manager; Jessica Easton – Legal and Commercial Manager; Andy Dixon – Treasury & Tax Specialist; Yvonne Tatton – Governance Manager; Steven Slack – Risk & Assurance Manager; Aaron Huggins – Principal Internal Auditor; Nicola Green Principal Advisor, Policy & Planning; Zhivan Alach – Organisational Performance Manager; Tobias Fransson – Performance Analyst and Merinda Pansegrouw – Committee Advisor

External Presenters: Leon Pieterse and Anton Labuschagne – Audit New Zealand

Declaration of Public Recording

Committee members and the public were reminded that the public section of the meeting was being recorded and would be made available on the Bay of Plenty Regional Council website following the meeting and archived for a period of three years as noted on page 4 of the agenda.

Recordings of Meeting: Risk & Assurance Committee - 21 October 2021 - YouTube

Risk and Assurance Committee - 21 October 2021 - Part Two - YouTube

1. Order of Business

Members agreed to the reordering of items to accommodate external presenters from Audit New Zealand for items 8.5 “Audit New Zealand Final Management Report on Long Term Plan 2021-2031” and 8.6 “2020/21 Draft Annual Report Review”.

2. Declaration of Conflicts of Interest

None.

3. Minutes

Minutes to be Confirmed

3.1

Risk and Assurance Committee Minutes - 10 June 2021

Resolved

That the Risk and Assurance Committee:

1 Confirms the Risk and Assurance Committee Minutes - 10 June 2021 as a true and correct record.

Love/Robertson

CARRIED

4. Reports

Information Only

4.1

Committee Chairperson's Report

General Manager, Corporate Mat Taylor presented the report, updating members on the Risk and Assurance Committee’s activities and the updated Risk and Assurance Work Programme for 2021.

Items for Staff Follow Up:

· To consider including auditing of the delivery of Provincial Growth Fund (PGF) and other Crown Infrastructure Partnership Funding Streams as a future workstream

· To consider a stronger reporting mechanism to capture the impacts of the Covid-19 pandemic in terms of business interruption/reporting/looking ahead in the context of “living with Covid-19 in the future”.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Committee Chairperson's Report.

Love/Robertson

CARRIED

4.2

Chairman's Discretionary Fund 2020/21

General Manager, Corporate Mat Taylor presented the report.

Chairman David Love stated that, in his capacity as Chairman of the Board of Management for Classic Flyers and being involved in the Rotary Club supporting the Rotary Youth Driver Awareness (RYDA), he had been advised that he had no conflict of interest to declare for this item.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Chairman's Discretionary Fund 2020/21.

Love/Robertson

CARRIED

4.3

Expenditure and Koha Report for the year ended 30 June 2021

Presented by Debbie Hyland – Finance & Transport Operations Manager and Andy Dixon – Treasury & Tax Specialist, assisted by Jessica Easton – Legal and Commercial Manager.

Key Points:

· Redacted information in the report related to the names of private individuals rather than associations/public entities

· Confirmed that Toi Moana’s expenditure system/payments processes had been extensively reviewed by Audit New Zealand.

Key Point - Members:

· Noted that the payment of $1.8 m to Otago Regional Council related to the implementation of the Regional Integrated Ticketing System (RITS).

Key Points - Staff:

· Had implemented a contracts model since August 2021 that allowed the tracking of contracts against spending and financial systems; provided transparency of what was happening across the organisation; enabled the tracking of spending against contractors/contracts and suppliers. All new contracts would be uploaded to provide greater reporting capability/visibility over all of Council’s spending in future

· A formal policy “Te Mana O Te Koha (Koha Guidelines)” guiding the payment of koha was in place and had been applied.

Items for Staff Follow Up:

· Un-redacted version of the item’s attachment “Expenditure and Koha Report for the year ended 30 June 2021” to be provided to Committee Members via electronic mail

· In future, redacted information to be provided to Committee Members in the public excluded part of the agenda of meetings

· A copy of Council’s Koha Payment Policy “Te Mana O Te Koha (Koha Guidelines)” to be distributed to Committee Members.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Expenditure and Koha Report for the year ended 30 June 2021.

Love/Robertson

CARRIED

4.4

Summary of Councillors' Expenditure July 2020 - June 2021

Presented by Governance Manager Yvonne Tatton.

Key Points - Staff:

· Confident that a robust checking procedure was in place to ensure payments were correct

· In terms of Council policy, the “Good Decision Making Certification”/RMA-certification was deemed as Council related business

· The variance in payment between $950 and $990 for communication allowance related to the issuing of printers based on an earlier policy which had since been amended

· The Elected & Appointed Members Allowances & Expenses Policy clarified that, “Council business” related to seminars, training courses and conferences where members attended as an official representative on the Council’s behalf and with the approval of the Chairman. “Professional development” referred to where a Councillor attended a conference/seminar that was of interest to them, but not essential to the representation or business of Council.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Summary of Councillors' Expenditure July 2020 - June 2021.

Love/Robertson

CARRIED

4.5

Essential Freshwater Policy Programme Risks

Presented by Nicola Green Principal Advisor, Policy & Planning, supported by Namouta Poutasi – General Manager, Strategy and Science.

Key Points:

· Outlined the significant risks for the Essential Freshwater Policy Programme relating to legislated obligations, environmental outcomes, progressing partnerships with Māori, and relationships

· Risks had been presented to the Strategy and Policy Committee who had referred them to the Risk and Assurance Committee for information

· Was confident that staff had actions in place to minimise/mitigate risks where possible

· Changes to risks over time:

o Timeframes: review of deadline for notification to be reviewed by the Strategy and Policy Committee at its next meeting

o Overseer: Government’s position had since been released and staff was investigating alternative options for consideration of a future replacement tool.

Key Points - Members:

· Endorsed the referral of the Essential Freshwater Policy Programme risks from the Strategy and Policy Committee to the Risk and Assurance Committee as good corporate governance

Key Point - Staff:

· Project Lead Team was continuously reviewing the risks of the programme as part of best practice project management principles.

Items for Staff Follow Up:

· Verify if Waikato Regional Council was currently using Overseer as a tool and provide feedback to Committee Members accordingly.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Essential Freshwater Policy Programme Risks.

Love/Robertson

CARRIED

4.6

Local Government Official Information and Meetings Act 1987 - Annual Report 1 July 2020 to 30 June 2021

Presented by Legal and Commercial Manager Jessica Easton.

Items for Staff Follow Up:

· Future annual reports to the Risk and Assurance Committee on Local Government Official Information and Meetings Act 1987 (LGOIMA) to include a breakdown of staff resources spent on LGOIMA requests

· Future LGOIMA annual reports to include a schedule detailing the nature of the LGOIMA requests

· In the interim, available information on staff resources spent on LGOIMA requests for the July 2020 to June 2021 period to be provided to Committee Members informally

· Provide a breakdown of requests received from iwi-based organisations as part of future LGOIMA annual reports; in the meantime informally advise Committee Members of this information for the July 2020 to June 2021 period.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Local Government Official Information and Meetings Act 1987 - Annual Report 1 July 2020 to 30 June 2021.

Love/Robertson

CARRIED

4.7

Internal Audit Status Update and 2020/21 Annual Report

Presented by Principal Internal Auditor Aaron Huggins.

Key Points - Members:

· Expressed appreciation for the significant progress made in closing internal audit reviews/actions.

Key Points - Staff:

· Confirmed that the Internal Audit scope of work/reporting on Information Communication and Technology (ICT) Security would include taking into account a culture of cyber security/clear role and responsibilities/holistic risk management and incident management

· Security actions would be aligned with requirements from the New Zealand Information Security Manual (NZISM) as directed by the Government Communications Security Bureau (GCSB).

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Internal Audit Status Update and 2020/21 Annual Report.

Love/Robertson

CARRIED

10:20 am - The meeting adjourned.

10:45 am - The meeting reconvened.

4.8

2020/21 Draft Annual Report Review

Presented by Debbie Hyland - Finance & Transport Operations Manager, Zhivan Alach, Organisational Performance Manager and Tobias Fransson, Performance Analyst.

Audit Director Leon Pieterse and Audit Manager Anton Labuschagne, Audit New Zealand (Audit NZ) attended to response to questions relating to the audit process.

Key Points:

· Draft Annual Report 2020/21 for the Bay of Plenty Regional Council Toi Moana contained the draft financial and non-financial performance results of the Council for the year ended 30 June 2021 and consolidated financial statements for the Council Group which included 100% Council-owned subsidiary (Quayside Holdings) and majority owned Council-owned subsidiary (Toi Moana Trust)

The Draft was submitted to the Risk and Assurance Committee in its role to receive and review the draft Annual Report. In the meantime Audit NZ’s auditing process was ongoing.

Key Points – Audit NZ:

· Auditing was progressing well with all aspects on track to finalise the process for planned adoption by Council on 10 November 2021

· However, a possible lag in process due to staff shortage remained a risk, and would continue to keep Council informed

· Currently reviewing the Statement of Service Performance (SSP)/Patronage evidence reporting requirements – technical clearance.

Key Points - Staff:

· Confirmed that total expenditure for staff (including contractors and consultants) was within the allocated budget.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, 2020/21 Draft Annual Report review.

Love/Robertson

CARRIED

4.9

Audit New Zealand Final Management Report on Long Term Plan 2021-2031

Presented by Finance & Transport Operations Manager Debbie Hyland.

Audit Director Leon Pieterse and Audit Manager Anton Labuschagne, Audit New Zealand (Audit NZ) were available to respond to any questions.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Audit New Zealand Final Management Report on Long Term Plan 2021-2031.

Love/Robertson

CARRIED

5. Public Excluded Section

Resolved

Resolution to exclude the public

1 Excludes the public from the following parts of the proceedings of this meeting as set out below:

The general subject of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter, and the specific grounds under section 48(1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows:

Item No.	Subject of each matter to be considered	Reason for passing this resolution in relation to each matter	Grounds under Section 48(1) for the passing of this resolution	When the item can be released into the public
5.1	Public Excluded Risk and Assurance Committee Minutes - 10 June 2021	As noted in the relevant Minutes.	As noted in the relevant Minutes.	To remain in public excluded.
5.2	Infrastructure Insurance Review - Flood Risk Assessment	Withholding the information is necessary to enable any local authority holding the information to carry on, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations).	48(1)(a)(i) Section 7 (2)(i).	On the Chief Executive's approval.
5.3	Legal Services - Annual Report 1 July 2020 to 30 June 2021	Withholding the information is necessary to maintain legal professional privilege; Withholding the information is necessary to enable any local authority holding the information to carry out, without prejudice or disadvantage, commercial activities; Withholding the information is necessary to enable any local authority holding the information to carry on, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations).	48(1)(a)(i) Section 7 (2)(g); 48(1)(a)(i) Section 7 (2)(h); 48(1)(a)(i) Section 7 (2)(i).	To remain in public excluded.
5.4	Legislative Compliance - Annual Report 1 July 2020 to 30 June 2021	Making the information available would be likely to prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial; Withholding the information is necessary to maintain legal professional privilege.	48(1)(a)(i) Section 6 (a); 48(1)(a)(i) Section 7 (2)(g).	To remain in public excluded.
5.5	Completed Audit Reviews (Q4 FY20/21)	Withholding the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.	48(1)(a)(i) Section 7 (2)(j).	To remain in public excluded.
5.6	Key Risk Register	Withholding the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.	48(1)(a)(i) Section 7 (2)(j).	On the Chief Executive's approval.

Love/Robertson

CARRIED

6. Public Excluded Business to be Transferred into the Open

6.1

Item 9.5 - Completed Audit Reviews (Q4 FY20/21)

Tabled Document 1 - Public Excluded Item 9.5 released into the Open (Report and Attachments 1 and 2): Objective ID A3964755

Resolved

That the Risk and Assurance Committee:

1 Confirms that the report “Completed Audit Reviews (Q4 FY20/21)” and its attachments be release into the Public.

Love/Robertson

CARRIED

12:30 pm – the meeting closed.

Confirmed

Cr David Love

Chairperson, Risk and Assurance Committee



Report To:	Risk and Assurance Committee
Meeting Date:	2 December 2021
Report Writer:	Aaron Huggins, Principal Internal Auditor
Report Authoriser:	Mat Taylor, General Manager, Corporate
Purpose:	To provide an update on the internal audit program and the audit plan.

Internal Audit status update

Executive Summary

This report provides an update on the status of internal audit activities as at 30 September 2021 and includes:

· The status of internal audit reviews in the current year;

· The status of follow up of internal audit recommendations and management actions to 30 September 2021.

Recommendations

That the Risk and Assurance Committee:

1. Receives the report, Internal Audit status update.

1. Introduction

This report provides the quarterly update on internal audit activity undertaken by internal audit staff and external assurance specialists as part of Bay of Plenty Regional Council’s co-sourced internal audit approach. It includes:

· The status of internal audit reviews in the current year;

· The status of follow up of internal audit recommendations and management actions to 30 September 2021.

1.1 Alignment with Strategic Framework

The Way We Work

We continually seek opportunities to innovate and improve.

2. Internal Audit Work Plan 2021/22 Status

Based on the Internal Audit Work Plan 2020/21 the following table summarises the status of internal audit reviews for 2020/21.

Review	Field work	GM Sponsor	Status	Status of Internal Audit
Review	Field work	GM Sponsor	Status	Planning /Scope	Fieldwork	Draft Report	Mgmt Actions	Final Report
Project management	BOPRC	Corporate	In Progress	In Progress
Business continuity management	BOPRC	Chief Executive	In Progress	In Progress
Pest management plan	BOPRC	Integrated Catchments	In Progress	In Progress
Risk management	Co-Source	Corporate	In Progress	In Progress
Laboratory services – benefits realisation	BOPRC	Regulatory Services	In Progress	In Progress
Post-COVID funding readiness	BOPRC	Integrated Catchments	In Progress	In Progress
Compliance process	BOPRC	Regulatory Services	In Progress	In Progress
Payroll	BOPRC	People & Leadership	In Progress	In Progress
ICT Security Review (20/21)	BOPRC	Corporate	Complete	Complete	Complete	In Progress

The ICT Security Review (from the 2020/21 Internal Audit Plan) is nearing completion, and is expected to be presented at the next Risk and Assurance Committee meeting. We note that during the course of the review the Digital team continue to proactively address identified issues where they present potential security gaps.

3. Internal Audit Follow Up

Internal Audit has reviewed all open management actions as part of the follow up work in the 2020/21 Work Plan.

Management actions

At the start of the quarter (1 July 2021) there were 44 open management actions.

During the quarter four actions were closed and no actions were added. The total of actions open as at 30 September 2021 is 41, the majority of these relate to Policy Framework (ten), Fraud Risk Assessment (nine), and Consents (six).

Figure 1 Open management actions (as at 30 September 2021)

Fraud Risk – Both the Finance and Payroll teams continue to work with an external vendor to implement system changes.

Of the open actions 10 are past their original due date. The overdue actions relate predominately to Asset Management (four) and Procurement (two). Workplans are underway in the relevant teams to address these actions during the financial year.

Improvement actions

For framework reviews which have identified continuous improvement actions, these actions will be disclosed separately to give assurance to the Risk and Assurance committee that these actions continue to be monitored to ensure BOPRC’s frameworks improve and develop.

At the start of the quarter (1 July 2021) there was 1 open Health & Safety improvement action. These were previously reported as ‘other’, and refer to recommendations made by KPMG in 2018 for BOPRC to incorporate into its Health & Safety continuous improvement work programme which is ongoing.

Figure 2 Open Health & Safety improvement actions (as at 30 September 2021)

4. Considerations

4.1 Risks and Mitigations

The matters addressed in this report are of a procedural nature.

4.2 Climate Change

The matters addressed in this report are of a procedural nature and there is no need to consider climate change impacts.

4.3 Financial Implications

There are no material unbudgeted financial implications and this fits within the allocated budget.

5. Next Steps

To note the Internal Audit status update (as at 30 September 2021).



Report To:	Risk and Assurance Committee
Meeting Date:	2 December 2021
Report Writer:	Steven Slack, Risk & Assurance Manager
Report Authoriser:	Mat Taylor, General Manager, Corporate
Purpose:	To provide an update on the proposed changes to the Key Risk Register

Key Risk Register

Executive Summary

Council’s Key Risk Register provides risk related information for our most significant and high profile risks.

Risks in relation to the Long Term Plan 2021-2031 Community Outcomes are identified, and these strategic risks are included in the Key Risk Register.

A workshop with the Risk and Assurance Committee was held on 21^st October and the recommended changes in the way risks are reported are outlined in this report, to then be incorporated in future Key Risk Register reporting.

Recommendations

That the Risk and Assurance Committee:

1 Receives the report, Key Risk Register

1. Introduction

Council’s risk management framework was adopted in 2012.

The risk management framework includes a process for producing a Key Risk Register which records the most significant risks for Council.

On 21 October 2021 the Risk and Assurance Committee had a workshop on the current Key Risk Reporting process and on the basis of this workshop several changes in the ways of reporting risks have been recommended.

These recommendations included:

· Inclusion of Risk Velocity, to identify risks that can escalate quickly

· Opportunities, to identify positive impacts that risks and issues can lead to

· Revolving emerging and operational risks, to keep risks current and fresh

This report will outline the proposed changes to carry forward into how the Key Risk Register is reported from 2022.

1.1 Alignment with Strategic Framework

The Way We Work

We continually seek opportunities to innovate and improve.

2. Key Risks Register Recommendations

2.1 Risk Velocity Classification

Some risks are ongoing risks for BOPRC. While they require active monitoring their status is unlikely to change significantly over the short to medium term. Other risks may emerge that require a strategic focus for a limited time. Risk ‘velocity’ refers to the time for the risk to impact on the organisation. It is an estimate of the timeframe within which a risk may occur. Risk velocity will used at BOPRC to determine the reporting frequency for the Leadership Team and the Risk & Assurance Committee.

It is proposed that the following categories be used to determine the risk velocity of risks on the Key Risk Register.

Risk velocity	Expected timeframe for risk escalation	Reporting frequency
Very High	Very rapid, little or no warning, instantaneous	· Daily monitoring by General Manager · Weekly update to Leadership Team; escalate significant changes more frequently if required · Update RAC of significant changes as required, otherwise quarterly.
High	Days/weeks	· Weekly monitoring by GM · Update LT on a weekly basis of significant changes · Update RAC of significant changes as required, otherwise quarterly.
Medium	1 to 2 months	· Fortnightly monitoring by GM · Monthly update to LT · Update RAC of significant changes as required, otherwise quarterly.
Low	3 to 6 months	· Monthly monitoring by GM · Quarterly update to LT (as required) · Update to RAC if required, otherwise every six months
Very Low	Over 6 months	· Quarterly monitoring by LT · Update to RAC if required, otherwise Annually

The velocity of the risk is a key factor to determine how often the risk is monitored by Management and reported to the Leadership Team and Risk and Assurance Committee, with those risks with higher velocity reported more often than those that are only likely to materialise in a longer timeframe. If there is a significant change in the risk it will be elevated to the Risk and Assurance Committee.

2.2 Opportunity

One of the Risk Management Framework developments that was raised and discussed at the Workshop was to include a broader focus on risks and opportunities that are presented when issues arise.

These opportunities will be incorporated in risk reporting to management and governance so that an understanding of issues and risks, and why certain mitigating actions are taken, can be incorporated when making decisions on risk appetite.

2.3 Emerging or Operational Risks

Another improvement suggested at the Risk and Assurance Committee Workshop was to incorporate in to each Key Risk Register (on a revolving basis), risks that are emerging or represent a significant operational program or project.

Whilst a number of risks within the risk register are long term in nature, incorporating these emerging and operational risks will allow the Risk and Assurance Committee to have oversight of a broader range of risks, including those related to significant operational activities.

These risks are presented in detail at other committees and forums, however, including these within the Key Risk Register on a rotating basis ensures that the Risk and Assurance Committee has oversight.

Key Emerging / Operational Risk – Example for future reporting

			*Inherent Score*
Description	What’s the Risk?	Owner	Likelihood	Impact	Total
COVID-19 response	COVID-19 impacts on our ability to deliver for our communities	Leadership Team (Chief Executive)	5	5	25
Risk Velocity			Very High
COVID-19, both where the virus is and the Government requirements surrounding it can change rapidly, with shifts in alert levels happening with very little notice. As the country transitions to having COVID-19 in the community, these changes are likely to accelerate before they start to stabilise.
Opportunity
· Develop resiliency in face of a very challenging environment. · Develop our People Leaders in responding to change, managing their teams in times of uncertainty and adapting to ever changing situations · Trial new ways of working and technology to support the new ways of working · Improve and test business continuity plans
			*Current Score*
What are we doing about the risk?			Likelihood	Impact	Total
Mitigating Actions and Controls I. Leadership The Leadership Team formally reviews the current situation with COVID-19 each week, and provides regular updates to staff with direction for action when required. II. Guidance We continually monitor the COVID-19 situation and Government updates to provide guidance to staff as to how to keep safe from COVID-19, updating this guidance when new information becomes available. III. Encouraging Vaccination BOPRC has encouraged staff and councillors to get vaccinated, providing support for both staff and their families to access vaccination centres so that the effects of COVID-19 on our communities, services, and our staff are minimised. IV. Business Continuity Planning BOPRC has continually updated its business continuity planning, including trialling different settings across the organisation so as to be prepared in both changing alert levels, frameworks and exposure risk to ensure that these plans can enable operations to continue.			4	3	12

3. Conclusion

This report highlights the Council’s key changes to the Key Risk Register reporting risks along with reporting of two current emerging or operational risks, both to highlight these risks, but also illustrate how the risks will look if the recommended changes in Key risk reporting is adopted.

4. Considerations

4.1 Financial Implications

There are no material unbudgeted financial implications and this fits within the allocated budget.

5. Next Steps

Any Risks identified by the committee will be reviewed and assessed and changes adopted will be incorporated in future Key Risk Register reporting.

Chairperson	Cr David Love
Deputy Chairperson	Bruce Robertson (Independent)
Members	Cr Bill Clark Cr Stuart Crosby Cr Andrew von Dadelszen Cr Te Taru White
Ex Officio	Chairman Doug Leeder
Quorum	Three members, consisting of half the number of members
Meeting frequency	Quarterly

A Healthy Environment
Freshwater for Life
Safe and Resilient Communities
A Vibrant Region
The Way We Work	We continually seek opportunities to innovate and improve.