Agenda of Risk and Audit Subcommittee Meeting

File Ref: 18/465

REPORT TO: Risk and Audit Subcommittee

MEETING DATE: Monday 2 July 2018

FROM: Chief Financial Officer

Bruce Allan

Financial Controller

Aaron Wilson

SUBJECT: 2017/18 Annual Report Update and Audit Plan

1.0 SUMMARY

1.1 The purpose of this report is to update the Subcommittee about progress being made on year-end issues.

1.2 The Council is required to give effect to the purpose of local government as prescribed by Section 10 of the Local Government Act 2002. That purpose is to meet the current and future needs of communities for good quality local infrastructure, local public services, and performance of regulatory functions in a way that is most cost–effective for households and businesses. Good quality means infrastructure, services and performance that are efficient and effective and appropriate to present and anticipated future circumstances.

1.3 This report concludes by recommending that the report be received

2.0 CURRENT SITUATION

2.1 2018 Audit Plan

2.2 Audit NZ have issued their 2018 Audit Plan and is attached as Attachment 1. The plan sets out the arrangements for this year’s audit and includes a summary of business risks and issues that they have identified and how they intend to respond to these during the audit. These business issues include:

· Fair value of infrastructural assets and other revalued assets

· Water Supply

· Opera House

· Reporting against mandatory measures

· Improving the Audit Process

· Risk of Management override of internal controls

2.3 Mr Stephen Lucy, Audit New Zealand Audit Director is unable to attend this meeting.

2018 Annual Report

2.4 Staff have completed the annual year end timetable for the 2018 year end. The timetable is inclusive of all the processes and requirements of the production of the Annual Report and requires a high degree of coordination across Council. The Local Government Act stipulates that the Annual Report must be adopted by Council by 31^st October each year, this year the date set down for Council approval is 25^th October. Other key dates for the audit process and outlined in the 2018 Audit Plan are:

Draft financial statements available for audit 31 August

Final Audit begins – audit on-site 3 September

Final financial statements available 21 September

Full Annual report available for Audit 1 October

Summary Annual Report available for Audit 1 October

2.5 Improvements have been made to reporting processes and systems over the past few years and Officers are confident of providing Audit with completed draft financial statements for audit on August 31^st prior to them arriving on-site. The Finance team has its full complement of accounting resources this year which should make the year end process more manageable than last year.

2.6 Every year there are revaluations of various classes of assets that are performed on a rotating basis on a set schedule. This year it is the Heritage and Cultural, Water infrastructure, along with Land and Buildings assets that will be revalued. The Land and Buildings revaluation is a significant piece of work and is well underway with the final valuation expected from Valuation Plus by 30th June.

2.7 There are no significant changes to Public Benefit Entity (PBE) reporting standards that are likely to materially affect the 2017 /18 Annual Report.

2.8 At this stage of the Annual Report process Officers are not aware of any additional issues that may give rise to technical discussions with Audit and judgements that will be required by Officers.

2.9 With the next Risk & Audit Subcommittee meeting scheduled for September 4^th, Officers will be working to have some preliminary financial statements available for the subcommittee to review. Obviously at this time anything presented will be unaudited and subject to change.

3.0 SIGNIFICANCE AND ENGAGEMENT

3.1 The matters within this report do not trigger the thresholds within Council’s significance and engagement policy.

4.0 RECOMMENDATIONS AND REASONS

A) That the report of the Chief Financial Officer titled “2017/18 Annual Report Update and Audit Plan” dated 2/07/2018 be received.

Attachments:

Audit Plan for the year ending 30 June 2018

FIN-07-01-18-401

File Ref: 18/516

REPORT TO: Risk and Audit Subcommittee

MEETING DATE: Monday 2 July 2018

FROM: Risk and Corporate Services Manager

Regan Smith

District Customer Services Manager

Greg Brittin

SUBJECT: Enterprise Risk Management Update June 2018

1.0 SUMMARY

1.1 The purpose of this report is to update the Subcommittee on Enterprise Risk Management activities and to present Bow Tie analysis for the following strategic risks; Loss of key staff, Officer error/omission, Failure to meet regulatory requirements, Legislative change, Facility failure and Failure to achieve business as usual performance.

1.2 This issue arises from adoption of the Strategic Risk Register by Council.

The Council is required to give effect to the purpose of local government as prescribed by Section 10 of the Local Government Act 2002. That purpose is to meet the current and future needs of communities for good quality local infrastructure, local public services, and performance of regulatory functions in a way that is most cost–effective for households and businesses. Good quality means infrastructure, services and performance that are efficient and effective and appropriate to present and anticipated future circumstances.

1.3 This report concludes by recommending that the report be received.

2.0 BACKGROUND

2.1 Council has adopted the Bow Tie risk assessment method to analyse the strategic risks adopted by Council on 31 July 2017.

2.2 The Bow Tie risk assessment method was selected by Council as it is an effective tool to demonstrate causal relationships in complex systems. A Bowtie diagram does two things. First of all, it gives a visual summary of all plausible accident scenarios that could exist around a certain Hazard. Secondly, by identifying control measures the Bow Tie displays what the organisation does to control those scenarios.

2.3 Bow Tie analysis of strategic risks and associated threats, consequences and control barriers, have been completed and reported to the Subcommittee for the following risks:

· Civil Defence Emergency (Risk #2).

· Health & Safety Incident (Risk #3).

· Infrastructure Service Failure (Risk #4)

· Ineffective Regulatory Oversight (Risk #5)

· Adverse Environmental Change (Risk #6)

· Demographic Change (Risk #7)

· Information Security Failure (Risk #8)

· Inadequate Available Funds (Risk #9)

· Economic Downturn (Risk #10)

· Biosecurity Failure (previously Risk #11) addressed within response to Economic Downturn.

· Procurement Failure (Risk #12)

· Corruption and Fraud Incident (Risk #13)

· Business Interruption (Risk #14)

3.0 CURRENT SITUATION

3.1 Initial Bow Tie risk analysis have been completed for the following strategic risks. Note; the Bow Tie diagrams are included for reference to show the scale of work. It is not intended that these be read as presented. The content of the analysis is summarised in the One Page summaries.

3.1.1 Water contamination (Risk #1) – updated: Water supply contamination risk focuses on Council’s responsibility to supply safe drinking water to the community. The risk covers all aspects of managing a water supply in compliance with statutory obligations and Council policy that might create potential for the water supply to carry source or network contamination to water users.

3.1.2 Risk assessment: The Water Contamination bow tie diagram (attached) was created from the detailed risk registers contained in the Water Safety Plans (WSP). This bow tie illustrates the complexity of the system and the extensive preventative controls in place. This process has validated the integrity of the WSP risk registers and identified potential areas for further improvement, particularly with regard to consequence mitigation controls.

3.1.3 Loss of key staff (Risk #15): Loss of key staff impacting service delivery. This risk encompasses the loss of skills and experience needed to deliver efficient services and minimise Council's legal liability due to process variation when key staff leave the organisation.

3.1.4 Risk assessment: The impact of a loss of knowledge or skills from staff leaving Council is managed by retention strategies for key staff and/or embedding the knowledge in organisation practices through cross training and documenting business process.

3.1.5 Officer error/omission (Risk #16): Council Officer (staff or elected member) errors or omissions leading to poor decisions that causes harm to people, create the potential for litigation or reputation damage.

3.1.6 It should be noted that the title of risk 16 was changed from Office Negligence to Officer Error/Omission during the bow tie risk analysis workshop. This change was made as it allowed a wider range issues to be taken in to account and avoided concerns regarding the legal interpretation associated with the term negligence.

3.1.7 Risk assessment: To avoid poor decision making a range of measures are used to ensure staff have the required knowledge to undertake allocated duties, as well as monitoring the execution of activities to detect variation.

3.1.8 Failure to meet regulatory requirements (Risk #17): Failure to meet legislative/regulatory requirements resulting in suspension of Council services. This risk includes the impact on existing services from losing certification for, or loss of central government trust, to deliver a role delegated to Local Government.

3.1.9 Risk assessment: The potential for failing to meet regulatory requirements is managed through a system of defined accountabilities delegated to staff for meeting regulatory obligations, which drives oversight, monitoring of the legislative landscape and documentation of require practices. This is also support by an open reporting culture to identify and address any issues found.

3.1.10 Legislative change (Risk #18): Legislation change that places additional demand on the community or Council resources. Legislative change risk covers the impacts of Central Government implementing new or amended legislation that increases community or Local Government responsibilities, or increases compliance obligations with which the community or Council much comply. Note: This differs from “ability to meet regulatory requirements” in that it refers to new obligations, rather than ability to continue deliver an existing role.

3.1.11 Risk assessment: Through a combination of participation in professional bodies, working with other local authorities and various avenues for monitoring the legislative environment, Council staff obtain early warning of pending legislative change to enable forward planning to avoid shocks.

3.1.12 Facility failure (Risk #19): Facility failure resulting in loss of community service. Facility failure risk covers a loss or degradation in service to the community from failure of community facing activities such as libraries, community centres, swimming pools, sport centres and cemeteries. Failures might be caused by problems with the physical buildings or assets, information technology system or personnel.

3.1.13 Risk assessment: Due to the fact that facilities are duplicate across Hastings, Flaxmere and Havelock North there is an inherent level of resilience within the delivery of community services. However, redirecting communities to an alternative site does still cause impacts on the community. Council also applies Asset Management Planning practices to the management of the buildings to implement renewals and undertakes scheduled maintenance to minimise disruption. Management of the programmes are overseen by a central team to improve coordination. As a result the risk of service interruption is reduced to possible.

3.1.14 Failure to achieve business as usual performance (Risk #20): Failure to deliver Council strategic objectives, projects or normal business service levels resulting in community dissatisfaction. Business as usual risk covers failure to deliver Council’s strategic objectives as stated in the Long Term Plan, including project work, as well as failure to achieve the specified service levels for normal business activities (i.e. consenting, animal control, libraries etc) under normal circumstances. This is intended to cover failure to deliver Council goals in the absence of other extraordinary events. Note: Failure to deliver under extraordinary or adverse conditions is covered by Business Interruption risk.

3.1.15 Risk assessment: Reliable delivery of business services is achieved through assigning clear accountability for outcomes combined with performance planning and KPI monitoring.

3.2 As a result of discussion during the Council workshop in May 2018 work is underway on defining Governance risk and associated mitigations. An update will be reported to Risk and Audit at the next meeting.

4.0 SIGNIFICANCE AND ENGAGEMENT

4.1 While consideration of risk is significant to efficient and effective operation of Council, changes to the risk register are not significant in terms of Council’s Significance and Engagement Policy and no consultation is required.

5.0 NEXT STEPS

5.1 The annual review of the Risk Management Framework is due, and will be reported at the next meeting.

5.2 The risk management rollout project effort will now be directed toward developing:

5.2.1 A risk based audit programme to provide assurance that strategic risk critical controls are providing the intended level of mitigation, and

5.2.2 An internal training and awareness campaign to ensure risk management is considered in operational decision making.

6.0 RECOMMENDATIONS AND REASONS

A) That the report of the Risk and Corporate Services Manager titled “Enterprise Risk Management Update June 2018” dated 2/07/2018 be received.

With the reasons for this decision being that the objective of the decision will contribute to meeting the current and future needs of communities for good quality local infrastructure, local public services and performance of regulatory functions in a way that is most cost-effective for households and business by:

i) Validating that risks in core business processes are effectively managed.

Attachments:

1	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Register for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-138
2	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Summary Water Contamination for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-139
3	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Bow Tie Water Contamination for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-140
4	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Control List Water Contamination for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-141
5	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Summary Loss of Key Staff for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-142
6	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Bow Tie Loss of Key Staff for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-143
7	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Summary Officer Error or Omission for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-144
8	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Bow Tie Officer Error or Omission for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-145
9	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Summary Failure to Meet Regulatory Requirements for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-146
10	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Bow Tie Failure to Meet Regulatory Requirements for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-147
11	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Summary Legislative Change for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-148
12	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Bow Tie Legislative Change for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-149
13	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Summary Facility Failure for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-150
14	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Bow Tie Facility Failure for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-151
15	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Summary Business as Usual Failure for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-152
16	Policies, Procedures, Delgtns, Warrants & Manuals - Manuals - Risk Management - Governance Strategic Risk Bow Tie Business as Usual Failure for Risk and Audit Subcommittee 2 July 2018	PMD-03-81-18-153

File Ref: 18/542

REPORT TO: Risk and Audit Subcommittee

MEETING DATE: Monday 2 July 2018

FROM: Manager Strategic Finance

Brent Chamberlain

Chief Financial Officer

Bruce Allan

SUBJECT: General Update Report and Status of Actions

1.0 SUMMARY

1.1 The purpose of this report is to update the Subcommittee on various matters including actions raised at previous meetings.

1.3 This report concludes by recommending that the report titled “General Update Report and Status of Actions” from the Manager Strategic Finance be received.

2.0 BACKGROUND

2.1 The Audit & Risk Subcommittee members requested that officer’s report back at each meeting with progress that has been made on actions that have arisen from the Audit & Risk Subcommittee meetings. Attached as Attachment 1 is the Audit & Risk Subcommittee Action Schedule as at 30 June 2018.

3.0 CURRENT SITUATION

3.1 Tech One Upgrade

3.1.1 Significant technology upgrades to core council systems is noted as a key operational risk to the organisation and hence the following brief update to the Subcommittee.

3.1.2 Stage 1 of the upgrade to the Technology One Finance Module is well under way and the different packets of work are transitioning from the test environment to live with relative smoothness.

3.1.3 Stage 2 (Procure to Pay) is also progressing with a recent trip to the Hawke’s Bay DHB and Wellington City Council to see their Technology One based Electronic Purchase Order systems in action and to pick up any learnings they have on this module through their own implementations. This current stage is all about mitigating implementation risks through thorough planning. Council’s Strategic Projects team will be utilised to manage these system improvement projects.

3.2 New Zealand Transport Agency Audit

3.2.1 Every two years the New Zealand Transport Agency (NZTA) undertake an audit of Council with the objective of providing assurance that NZTA’s investment in HDC’s land transport programme is being well managed and delivering value for money. The most recent audit was undertaken in April 2018 and the following comments were made in the executive summary of that report:

“Hastings District Council has a well-managed land transport programme that will be improved by accurately accounting for the cost of overheads associated with in-house professional services and completing documentation for road safety audits.

Council is mostly complying with the Transport Agency’s approved procurement procedures. However for five older contracts no late tender policy was in place. This is a Transport Agency requirement and has now been addressed.

Claims for funding assistance from the Transport Agency for the two financial years to 30 June 2017 were successfully reconciled to Council’s general ledger records.

Effective processes were evident for monitoring and managing the delivery of professional services and physical works contracts including regular site inspections.

Road safety audits for improvement projects are being commissioned from independent providers. However, there was incomplete documentation showing how Council is addressing the resulting recommendations from these audits.

Council needs to review the components and individual costs associated with each component that go into making up the cost multiplier and adjust it if required.”

3.2.2 This is a good outcome from this review. The relationship we have with NZTA is extremely important and it is critical that NZTA has confidence in HDC and that our processes and systems have credibility.

3.3 Treasury Update

3.3.1 In lieu of a formal quarterly treasury update, given this meeting is outside of the normal quarterly cycle, the following is a high level update on Treasury activity.

3.3.2 The table below shows Council is compliant with its Treasury Policy as at 30^th June 2018:

Measure	Compliance	Actual	Min	Max
Liquidity	ü	113%	110%	170%
Fixed debt	ü	73%	55%	95%
Funding profile: 0 – 3 years 3 – 5 years 5 years +	ü ü ü	48% 23% 29%	10% 20% 10%	50% 60% 60%
Net Debt as % Equity Net Debt as % Income Net Interest as % Income Net Interest as % Rates	ü ü ü ü	4% 64% 3% 5%	0% 0% 0% 0%	20% 150% 15% 20%

3.3.3 A further $7m has been borrowed from Local Government Funding Agency (LGFA) since the 1st May 2018 meeting to fund the current capital spend program.

3.3.4 No further interest rate swap transactions have been entered into.

3.3.5 Below is an update of how the Council is tracking with its capital spend program for the year:

3.3.6 Below is a forecast of Council’s debt requirements going forward, and the interest rate swap cover that Council has in place.

Note the delayed peak of $153m year 6, and the longer tail of debt than presented for LTP purposes. This reflects the reality (as shown in 3.2.3) that capital projects typically take longer than expected which delays the expenditure and associated debt.

4.0 SIGNIFICANCE AND ENGAGEMENT

This report does not trigger Council’s Significance and Engagement Policy and no consultation is required.

5.0 RECOMMENDATIONS AND REASONS

That the report of the Manager Strategic Finance titled “General Update Report and Status of Actions” dated 2/07/2018 be received.

Attachments:

Action Sheet 2 July 2018

CG-14-102

TRIM File No. CG-14-25-00047

HASTINGS DISTRICT COUNCIL

Risk and Audit Subcommittee MEETING

Monday, 2 July 2018

RECOMMENDATION TO EXCLUDE THE PUBLIC

SECTION 48, LOCAL GOVERNMENT OFFICIAL INFORMATION AND MEETINGS ACT 1987

THAT the public now be excluded from the following part of the meeting, namely:

10 2018/19 Insurance Renewal Programme

11 Internal Audit

12 IT Audit Plan & Control Review

The general subject of the matter to be considered while the public is excluded, the reason for passing this Resolution in relation to the matter and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this Resolution is as follows:

GENERAL SUBJECT OF EACH MATTER TO BE CONSIDERED

REASON FOR PASSING THIS RESOLUTION IN RELATION TO EACH MATTER, AND

PARTICULAR INTERESTS PROTECTED

GROUND(S) UNDER SECTION 48(1) FOR THE PASSING OF EACH RESOLUTION

10 2018/19 Insurance Renewal Programme

Section 7 (2) (h)

The withholding of the information is necessary to enable the local authority to carry out, without prejudice or disadvantage, commercial activities.

Commercial Sensitivity.

Section 48(1)(a)(i)

Where the Local Authority is named or specified in the First Schedule to this Act under Section 6 or 7 (except Section 7(2)(f)(i)) of this Act.

11 Internal Audit

Section 7 (2) (h)

The withholding of the information is necessary to enable the local authority to carry out, without prejudice or disadvantage, commercial activities.

The Internal Audit includes the review of commercial arrangements as part of the audit process.

Section 48(1)(a)(i)

Where the Local Authority is named or specified in the First Schedule to this Act under Section 6 or 7 (except Section 7(2)(f)(i)) of this Act.

12 IT Audit Plan & Control Review

Section 7 (2) (h)

The withholding of the information is necessary to enable the local authority to carry out, without prejudice or disadvantage, commercial activities.

The internal audit includes the review of commercial arrangements as part of the audit process.

Section 48(1)(a)(i)

Where the Local Authority is named or specified in the First Schedule to this Act under Section 6 or 7 (except Section 7(2)(f)(i)) of this Act.

Hastings District Council

Lyndon Road East, Hastings