190503 Approved ARC Minute
CAIRNGORMS NATIONAL PARK AUTHORITY
Approved MINUTES AUDIT & RISK COMMITTEE 03/05/19
Approved MINUTES of MEETING of the AUDIT & RISK COMMITTEE of THE CAIRNGORMS NATIONAL PARK AUTHORITY
held in Grant Room, Am Fasgadh, Highland Folk Museum, Newtonmore on 3 May 2019
Present:
- Peter Argyle
- Janet Hunter
- John Latham
- Dr Gaener Rodger (Vice Chair)
In Attendance:
- Claire Robertson, BDO via telephone conference
- Grant Moir, Chief Executive
- David Cameron, Director of Corporate Services
- Danie Ralph, Finance Manager
- Alix Harkness, Clerk to the Board
- John Kirk, Board Member
Apologies:
- Judith Webb
- John Boyd, Grant Thornton
Election of Committee Vice-Chair
David Cameron highlighted that according to Standing Orders following the revision of Board membership on Committees and Groups at the December 2018 Board meeting, the Election of Committee Vice-Chair was due to take place. He therefore asked for nominations for the Vice-Chair of the Committee.
Nominations were made. Janet Hunter nominated Gaener Rodger and this was seconded by Peter Argyle. Gaener Rodger accepted this nomination. Members present confirmed that Gaener Rodger take on the role of Committee Vice-Chair. There being only one nomination, it was declared that Gaener Rodger be appointed as Vice-Chair.
Action:
- Gaener Rodger to take the position of Vice-Chair of the Audit & Risk Committee to last until the next 3 year revision of committee memberships.
Welcome and Apologies
Everyone was welcomed to the meeting by the Vice-Chair and the apologies were noted.
The Vice-Chair extended the Audit & Risk Committee’s thanks to Dave Fallows for his hard work on this Committee over the years. David Cameron agreed to pass these thanks on to him.
Action:
- David Cameron to pass the Audit & Risk Committee’s thanks onto Dave Fallows.
Minutes of Previous Meeting
The draft minutes of the 8 March 2019 meeting were approved subject to the following amendment:
- At 24i: will be dealt within the Board Terms of Reference paper, (Paper 5 on today’s agenda).
The draft minutes of the 29 March 2019 meeting were approved with no amendments.
Matters Arising
David Cameron reminded the Committee that at the last meeting they had agreed the final proposed Internal Audit Plan for 2019/2020 so that the two items scheduled for spring 2019 could begin. He explained the following points:
- He is happy from the Authority’s perspective with the proposals set out in the plan, which will cover areas like expenses claims. This is an administratively heavy area; as well as covering the regularity of expenses claims, David intended that the audit include an advisory element covering practice used in other organisations, to learn how to modernise and possibly simplify the process.
- The Committee will be asked to endorse this change in scope in the internal audit plan for 2019/20 later on the agenda.
David Cameron reported the following movement on the outstanding actions listed at the bottom of the 8 March 2019 Audit & Risk Committee Minutes:
- Audit & Risk Committee member training – Open – Option to hold half day session on a Thursday afternoon prior to Friday Board session, 13 June prior to 14 June Board was suggested as a possible date. Doodle poll of potential future dates to be arranged as the Chair cannot make 13th June. David Cameron agreed to let LLTNP know once a date had been set to invite their Audit & Risk Committee members along if they are available.
- Audit & Risk Committee member induction pack – Open – Delayed until after the member training has taken place.
- Risk Mitigation action for LEADER Accountable Body role – Open – will write to Scottish Government within the next month.
- Planning Consent Complaint dating from 2017 which had been escalated to the SPSO, DC to report back to Committee when resolved – Open – An update from the Ombudsman had been received regarding planning advice. It was hoped to be in a position to close the complaint towards the end of May or early June.
- Governance statement amended to reflect Committee’s assurance role — Open — will be reflected in the final accounts.
- David Cameron apologised for the sporadic issue of papers for this meeting. Suggestion made from member to find a way of naming the papers differently to make it easier to differentiate between them. David Cameron advised he would consider this.
- The Vice Chair advised that the feedback from the Ombudsman would be welcome. David Cameron agreed that the feedback would be brought back to this Committee. The Vice Chair added that any positive feedback would be nice to share with staff, to help morale. This was agreed by David Cameron, who added that for any complaint received, whether upheld or not, it was normal practice to see if anything could be learned from it to improve the system.
Actions:
- David Cameron to consider naming the papers differently so that they can easily be differentiated.
- Feedback from the Ombudsman to be brought back to the Committee when available.
Internal Audit Review: Business Continuity (Paper 1)
Claire Robertson presented a Paper which presents the internal auditor’s report on the Authority’s business continuity planning.
The Audit & Risk Committee made the following comments and observations:
- David Cameron advised that business continuity planning could be around an internal or external disaster such as catastrophic weather or indoor flooding. It was about scenario planning around each theme of possibility, so that a response plan for each scenario is in place.
- Was this similar to resilience plans that Local Authorities have? Grant Moir advised that it was slightly different, e.g. if the computer servers were to crash, how would the Authority get them back working and in what timescale? This type of instance was what was meant by disaster recovery. He added that they were looking to recruit to a post with responsibility for this work built into it.
- Members questioned the Authority’s insurance provisions and coverage for significant events. David Cameron explained that the main difference to many other organisations is that the Authority is a Non Departmental Public Body (NDPB); therefore, unlike Local Authorities for example, we don’t have external insurance policies in place other than those that are statutory and legal (e.g. for pool cars etc.). Rather, the Authority “self-insures”, covers the cost of actions following events and seeks reimbursement from Government. Grant Moir advised that the Authority work closely with Loch Lomond & Trossachs National Park (LLTNP) on many aspects of back up and cover for events that would otherwise be covered by insurances, and therefore we are quite well served.
- Could it be clarified how much staff resource is required in dealing with these areas of activity? Grant Moir explained that when someone leaves the organisation, they look at the role and plug any priority gaps. David highlighted that we have a relatively small IT and facilities team, with those staff covering their own areas of business continuity as part of their core roles.
- David Cameron added that in looking at the IT Strategy and business continuity, cloud based strategies are expensive however they could limit the risk of service loss from local events, for example electrical shortage in the server room, therefore it is timely to look at longer term IT development strategies now within the context of wider business continuity evaluations.
- Comment made that a number of recommendations with deadlines against them have been identified; reassurance sought that resources are in place to meet them. David Cameron agreed and advised that some of the recommendations, specifically in terms of the new post, with a July deadline may slip into August or September.
- It was noted that it would be good practice to review the disaster plan annually; could it be explained why the staff training was not scheduled to take place until 2020, which seemed a long way away? David Cameron explained that the deadline of February 2020 had been set to allow time to achieve other recommendations; it would allow sufficient time to go over the entirety of changes with staff as a holistic grouping. In terms of testing, how regularly we test the entirety of our building, bring the server down and go through the process of starting it back up, doesn’t merit doing it annually: the disruption of doing it annually doesn’t match up to the risk. There was a balance between overall risk and resource. Claire Robertson added that so long as key details such as contacts are updated regularly in the interim, including name changes through resignations and/or names of partners, leaving the disaster recovery testing for 30 months would be satisfactory.
- Were paper copies of the disaster recovery plan stored off line? Grant Moir confirmed that paper copies were kept offsite however further thought would have to go into how this could be accessed.
- Suggestion made to bring an interim progress report on Business Continuity to the next meeting for the Committee to review. This was agreed.
The Audit & Risk Committee:
- Considered the internal auditor’s findings on the Authority’s arrangements for business continuity;
- Endorsed the management responses to recommendations for action raised by the internal auditor.
Action:
- Interim progress report on Business Continuity to be brought to the next meeting for the Committee to review.
Internal Audit Review: Audit Recommendations Follow Up (Paper 2)
Claire Robertson presented a Paper which presents the internal audit review of the Authority’s progress in implementing agreed actions in response to previous audit recommendations.
David Cameron added that there had been a number of recommendations around IT and IT security. He explained that the Authority had to undertake Scottish Government security cyber plus accreditation which had to take priority over these recommendations to meet government reporting deadlines.
In discussion the Audit & Risk Committee made the following comments and observations:
- With reference to page 22, where it is dated 2012 it should read 2018.
- Contentment that the Authority’s Senior Management Team were on the case and appropriate action being taken on audit recommendations approved by the Committee.
The Audit and Risk Committee considered the internal auditor’s findings on the Authority’s progress in implementing the actions to address previous audit recommendations and endorsed the management responses to actions which remain implemented or are currently partially implemented.
Actions: None.
2018/19 Internal Audit Plan (Paper 3)
Claire Robertson presented Paper 3 which presents the internal auditor’s Annual Audit Plan for the audit of the 2018/19 accounts.
Claire noted the point highlighted by David earlier in the meeting on the proposed audit of expenses claim systems and indicated that with the agreement of the Committee the scope for this work would be amended to include a wider advisory element to consider system simplifications, modernisation and digitisation.
The Audit & Risk Committee:
- Approved the Annual Internal Audit Plan for 2018/19
- Approved the broadening of the scope for the review of expenses claim systems to include an advisory element on system simplification and modernisation.
- Approved the Internal Audit Charter as set out in Appendix VI of the Internal Audit Plan.
Action: None.
Risk Register Review (Paper 4)
David Cameron presented an update of the Authority’s strategic risk management and a commentary on management’s review of action taken and current risk status. He asked that the Committee consider removing the risks which had shown a consistent reducing risk level, greyed out in the document, from the register as not currently posing a significant strategic risk to delivery of objectives. He highlighted that he had added risks around workforce management on pages 8 and 9.
Grant Moir highlighted risk VII Cairngorm and Glenmore Strategy. He explained that the Authority should know more about the funicular soon although work will go on for foreseeable future.
In discussion the Audit & Risk Committee made the following comments and observations:
- Could it be clarified whether the risks were issues or actual risks? Grant Moir advised that Cairngorm Mountain was a risk to the economy in the Strath and wider, and therefore is a reputational risk to the CNPA. The entries in the register were strategic risks with potential impacts on the Authority if not managed and mitigated. David explained that the Authority did not operate a separate issues log.
- With reference to risk A3, 3 red arrows now that the local elections that took place in March 2019 were complete, would the red rating improve? David Cameron confirmed that it would become green in time to reflect declining risk. However, at this point in time, only a few weeks after the direct elections to the Board, there was still a strategic risk posed by the high level of change in Board membership and hence the risk rating of managing the potential impacts of strategic leadership change had not yet declined.
- Surprise was expressed at risk A1. Grant Moir explained that public sector finances are reduced year on year, and the Authority have been good at bringing in Heritage Lottery Funding (HLF). Risk A1 is the correlation between our budget from Scottish Government (SG) and what the Authority have managed to bring in.
- With funding coming in for projects, at what point, with potential budget cuts, would the Authority cease to be able to perform effectively? Grant Moir advised that annually the Authority have scenarios to work out based on potential 5%, 10% cut to budget. From experience, when you get over 10% budget cuts there is no capacity to finance an effective operational plan to contribute to National Park Partnership Plan delivery and the Authority needs to consider significant staffing reductions. The Authority have done well to maintain our budget and have done just as well in finding other money. David Cameron added that SG grant in aid funding would not likely increase to fund the Authority’s path maintenance responsibilities, therefore income diversification is required to fund that together with other ‘new’ budget pressures, e.g. The Cairngorms Trust as a charitable body is a mechanism through which we hope the stakeholders in the National Park are able to get that funding. An additional example of income diversification is National Parks UK, who are funding travel grants for children through their corporate sponsorship activities.
- Path maintenance: what is the intent underpinning this risk? David Cameron advised that as an Authority we want to see the path network maintained so that work to rebuild the paths repeatedly from scratch is avoided.
- With reference to risk A16, it was noted that it had changed from amber to red, with the expectation that it would remain red for a while, and the need for the Board to keep a close eye on it.
- Comment made that it would be interesting for the Authority to learn from the OATS experience of running a car park facility that appears financially encouraging.
- Should there be a risk around business continuity planning? David Cameron agreed that it would be worthwhile having a separate risk around this. He acknowledged that the risks associated with business continuity planning and IT needed more thought as to how they would interact with each other.
- Concern raised that it was too soon to remove risk A8. David Cameron explained his concerns around having too many risks, he advised that if it looked like it was becoming a risk again it could be reinstated. Suggestion made that risk A8 fits neatly into risks A14 and A15 which are still valid and outstanding. David Cameron advised that from a management perspective there was no reason it should not be removed.
The Audit & Risk Committee considered the update presented on the Authority’s Strategic Risk Register and agreed the following amendments and additions to the register:
- A risk around business continuity planning to be added and the risks associated with IT to be amended to reflect this addition.
- Greyed risks to be removed.
Action:
- Amendments to Risk Register as detailed in paragraph 27a and b.
Complaints Log (Oral)
David Cameron reported that there had been no complaints received by the Authority since the last update on this subject to the Committee in March 2018.
The Audit & Risk Committee commended this update.
Action: None.
Terms of Reference Review (Paper 5)
David Cameron presented the Audit & Risk Committee’s terms of reference.
The Audit and Risk Committee considered the terms of reference for the Audit & Risk Committee and considered the following amendments to be made to the scope and remit of the committee’s oversight:
- The addition of the words ‘to provide assurance’ to the detail of the terms of reference.
Actions:
- Make addition to Audit & Risk Committee terms of reference as detailed in paragraph 33a.
Any Other Competent Business
- There were no items.
Date of Next Meeting
6 September 2019, location – tbc.
Meeting closed 10.25 hours
Audit & Risk Committee: Outstanding Actions
Action | Status |
---|---|
Audit and Risk Committee member training | Open |
Audit and Risk Committee induction pack | Open |
Risk mitigation action for LEADER Accountable Body role: letter to Scottish Government as outlined in paper to Committee 31 August 2018 | Open |
Planning Consent Complaint dating from 2017 which had been escalated to the SPSO, DC to report back to Committee when resolved (23 November 2018) | Open |