CAIRNGORMS NATIONAL PARK AUTHORITY
Draft MINUTES AUDIT & RISK COMMITTEE 27/11/2020
Draft MINUTES of MEETING of the AUDIT & RISK COMMITTEE of THE CAIRNGORMS NATIONAL PARK AUTHORITY
held via Lifesize Video Conference on 27 November 2020
Present:
- Judith Webb (Chair)
- Peter Argyle
- Pippa Hadley
- Janet Hunter
- John Latham
- Gaener Rodger (Vice Chair)
In Attendance:
- Chris Brown, Azets
- Stephanie Hume, Azets
- John Boyd, Grant Thornton
- Grant Moir, Chief Executive
- David Cameron, Corporate Services Director
- Danie Ralph, Finance Manager
- Alix Harkness, Clerk to Board
Apologies: None.
1. Welcome and Apologies
The Chair noted there had been an initial meeting between members and auditors to review progress of work and any issues arising, and thanked auditors and committee members for attending.
2. Minutes of Previous Meeting
The Chair welcomed everyone to the meeting and apologies were noted.
3. The draft minutes of the 11th September 2020 meeting were approved with no amendments.
4. A comment was made that there was an inconsistency in referring to Scott-Moncrieff, now Azets, and that this should be rectified going forward. Chris Brown advised that the name change happened on 7th September 2020, which was after the meeting papers were published.
5. Matters Arising
David Cameron, Director of Corporate Services, reported that movement on the outstanding actions listed at the end of the 12 June 2020 Audit & Risk Committee Minutes was as follows:
a) At Para 23i) – Closed – Thanks to be given to the Finance team for their hard work despite challenging times (working remotely) to get the Annual Accounts ready for sign off.
b) At Para 32i) – Open – Director of Corporate Services to circulate the most up to date version of the External Audit Report to the Committee.
c) At Para 34i) – In Hand – Director of Corporate Services to investigate the £6 working from home allowance from HMRC. He reported that around 10 staff had signed up; people will get a tax rebate from the sum rather than £6/week. A Member suggested that the Staffing & Recruitment Committee consider whether the Authority pays staff that £6. Director of Corporate Services provided reassurance that this was being looked at not just as an Authority but across all Scottish NDPBs.
d) At Para 34ii) – In Hand – Director of Corporate Services potentially through the Staffing & Recruitment Committee to monitor the financial burden of working from home on staff in the winter months. He provided reassurance that while staff are being supported to make claims, any individual staff hardships are also on the Authority’s radar.
e) At Para 34iii) – In Hand – CEO to weave the need for Board cohesion and the challenges that working from home brings to the Board. CEO picked up on Board survey, and looking at staff survey interaction with the Board.
f) At Para 41i) – Closed – Clerk to the Board scheduled 15mins prior to this Audit & Risk Committee meeting for the Committee to have some time with the Auditors.
6. Declarations of Interest
There were no interests declared.
7. Risk Management (Paper 1)
David Cameron, Director of Corporate Services, presented a Paper which provides an update of the Authority’s strategic risk register. The paper also sets out a specific consideration of the strategic risks around reputational management, following the Board’s consideration of these matters in September, with a view to updating and rationalising the risks included in the risk register.
8. The Audit & Risk Committee made the following comments:
a) Following discussion agreed the revision to reputational risks as suggested in the paper was appropriate for amendment in the strategic risk register;
b) Members sought clarity on the rationale for risk A19 (Resources & Staffing) also presented as greyed out and proposed to be removed. Director of Corporate Services confirmed that it was another risk with an ongoing downward trend over a few review cycles and a staff resource review taking place at present meant that it could reasonably come out at this stage.
9. The Audit & Risk Committee:
a) reviewed the updated strategic risk register and commented on any element of the Authority’s strategic risk management position;
b) considered whether there are any strategic risks potentially impacting on delivery of the Authority’s strategic objectives not covered by current risk management approaches;
c) agreed proposed amendments to the strategic risks on reputational management as set out in paragraph 7;
d) agreed that other risks flagged for deletion in Annex 1 are removed from the risk register.
10. Action Point Arising: None.
11. Business Continuity Planning Risk Register Review (Paper 2)
David Cameron, Director of Corporate Services presented a Paper which presents an update of the Authority’s risk management activities during the business continuity response to the COVID19 pandemic, within the context of the Authority’s approach to strategic risk management. He advised that Vicky Walker, Office Manager, who had helped prepare the paper, would be in attendance at the next meeting.
12. The Audit & Risk Committee made the following observations and comments:
a) New business ventures, mainly in the food sector, had cropped up as a result of COVID; were these being captured? CEO advised that this work was being done through the Cairngorms Business Partnership and the Cairngorms Economic Forum and was not appropriate for this register. He advised that the number of new businesses does not offset the number of businesses, especially in the Hospitality sector, that are struggling. He added that work was being done through Growbiz and the CBP to support them.
b) Query around resources becoming overstretched. The CEO confirmed that the demands across the organisation were certainly exacerbated by a combination of the organisation’s internal responses to COVID restrictions, wider demands and proactive work led by the Authority to help address COVID and other impacts and forward planning for potential relaxation of restrictions in the Spring of 2021. A great deal of attention is being given to staff welfare and workloads and to prioritisation of activities and projects. Members noted that the longer high pressure working goes on, people would get worn down by the continued pressure. Director of Corporate Services agreed that the past few months had been hectic for many staff and there was a need to ensure a line was drawn in the capacity to continue with the range and extent of workloads and the need to reinforce with managers to be supportive of their teams in establishing reasonable, attainable workloads. The CEO also commented that an intent behind the management restructure is to bring added prioritisation into the Authority’s workloads.
c) The Chair asked about risk appetite, to identify which risks we can take on; some things need to be realistic, with a focus on where we can really make a difference in mitigation. Director of Corporate Services agreed that this was a long standing action, to draw up a risk appetite policy to take to committee. Risk appetite was also a factor relevant to the Authority’s engagement with and support of the Heritage Horizons bid. The Director of Corporate Services confirmed he will come back at a later date with thoughts on Risk Appetite for consideration by the Committee.
d) A member commented on the possible mental health impacts: were management aware how staff were coping with the huge workload while not being surrounded by colleagues or working in teams as part of their usual coping mechanisms? Was staff welfare during the pandemic being taken into consideration and the impacts being monitored? CEO agreed that people sitting at home and not being part of a team was recognised and had been addressed extensively in communication and action planning. For example, management support encouraging staff to have a chat with someone throughout the day, ‘Wellbeing Wednesdays’ communications, staff pub quizzes, a VC room for coffee breaks and diary management for homeworking guidelines had all been put in place. Management recognised that some people have thrived with home working and some people haven’t. There was recognition that workload pressures were at times not evenly distributed, with the Corporate Services and Visitor Services sides of the organisation perhaps feeling more pressurised than the Conservation side. The member observed that diary control was really important, as was ensuring adequate gaps between meetings.
13. The Audit & Risk Committee:
a) Noted the update on the Authority’s risk management on our COVID19 business continuity responses as set out in this paper;
b) Reviewed the coverage of the risk register established in support of the Authority’s Business Continuity Planning and Management;
c) Considered the continued appropriateness of the approach to and focus of risk management while in the current BCP led operational circumstances.
14. Action Point Arising: None.
15. Internal Audit Progress Report (Paper 3)
Chris Brown, Azets presented a Paper which presents the Internal Audit Progress Report. He highlighted the following points:
a) They were a little bit behind where they had hoped to be, as a consequence of reviews being undertaken remotely and also starting the work for the year later than they would normally be starting because of the contract handover period.
b) The governance health check work and ongoing COVID business continuity management review will come to the next Committee meeting and as a result the agenda for the next Committee scheduled meeting would be very heavy.
c) A review of what would be reasonable and achievable by the end of the year would need to be carried out. Chris proposed sending completed reviews out to Committee members as they are finalised rather than all one week in advance of the next meeting. The underlying issues were around capacity problems for the staff team to support audit work in addition to ongoing work commitments; that there were far more reviews than in normal programmes previously agreed; therefore we are trying to do more with a static resource, or in fact less resource given the added pressures of home working and COVID responses.
d) Some prioritisation of where the Committee needs most assurance may be needed in finalising the audit plan for the year and scoping plans for 21/22.
16. The Audit & Risk Committee made the following observations and comments:
a) The Chair commented that it would be helpful to have sight of the reports as and when they come out.
b) Comment made that it was good to have realistic expectations of what is likely to come to the Committee and it was important to have sufficient time for a meeting to go over papers.
c) Suggestion made to schedule an additional Audit & Risk Committee meeting at the end of January/early February 2021. Director of Corporate Services agreed with this suggestion and agreed to liaise with Azets regarding when they expect reports to be ready before seeking a date.
d) Director of Corporate Services added that he would also bring papers on the lessons learned from the review of the complaints handling process against board members.
e) CEO added that internal audits on outdoor access infrastructure could be pushed back into next year, so will need to look at the list with the auditors. The Director of Corporate Services also noted that it had been flagged at the outset of the year that a few of the internal audit plans would be budget and capacity dependent, notably on VAT review which had been split into two phases and outdoor access infrastructure. Again, there was scope to reduce the amount of work to be undertaken before the end of March.
f) Chris Brown advised that he was happy with that way forward.
17. The Audit & Risk Committee noted the recommendations in the report.
18. Action Point Arising:
i. Clerk to the Board to canvass for a date late January/early February 2021 to schedule an additional Audit & Risk Committee meeting.
19. Complaints Review including lessons learned review of handling Board Complaints (Oral)
David Cameron, Director of Corporate Services presented the complaints review including the lessons learned review of handling Board complaints. He made the following points:
a) No complaints had been logged in the last quarter.
b) As covered previously, his aim is to develop a paper early in the New Year on the handling of complaints against Board members within the umbrella of the Authority’s complaints handling procedure and lessons learned.
c) Was working with the Chairs of both this Committee and Staffing & Recruitment Committee as regards impact on the Code of Conduct and the Authority’s approach to clearer definition of respective responsibilities of Executive and Non-Executive leaders.
20. The Audit & Risk Committee made the following observations and comments:
a) The Chair praised that there had been no complaints in the last quarter.
b) A member commented that they had been asked to provide transcripts of emails and other records held which made reference to a specific individual and then had not heard anything more. Director of Corporate Services advised that what was being described was the data subject request. He explained that under data protection regulation, everyone has a right to request access to information about them held by an organisation. Normally we would respond to the requester and that ends the process. However, we ought to have gone back and thanked everyone for their help and informed them that the data request had been submitted. He reassured the Committee that an internal review of our processes around that would be carried out.
21. The Audit & Risk Committee noted the oral report.
22. Action Point Arising: None.
23. FOISA Handling Statistics (Oral)
David Cameron, Director of Corporate Services, presented an oral update on Freedom of Information and Subject Access Request Handling Statistics. He made the following points:
a) 13 requests had been made under Freedom of Information (FOI)
b) 15 requests under Environmental Information Requests (EIR).
c) 1 data subject access request.
d) 1 information request was not met in full, as we didn’t hold the information requested. This had been further appealed by the requester to the Scottish Information Commissioner (SIC) following internal review by the Authority. Further information on the outcome of this appeal would be presented to the Committee on decision by the SIC.
24. The Audit & Risk Committee noted the update.
25. Action Point Arising:
26. AOCB
Director of Corporate Services reported that last week the web hosts had been subjected to a cyber-attack. Some records people had left on our web contact form, some 2,500 email addresses, may have been accessed by the hacker. Of those roughly half were spam emails and the other half were valid. The staff team have used the self-assessment tool provided by the Information Commissioner and found that there was no need to report this incident. The Authority’s staff continued to investigate the matter internally, looking at whether we need to inform the people whose data was accessed. The CEO advised that this was not the CNPA servers, our website sits on a separate server and provided reassurance that this was nothing to do with the CNPA server.
27. A Member queried a recent spam email which only went to board members, was there thought to be a link to the recent cyber-attack? CEO advised that all Board emails are published and the recent phishing email was not linked to the web server hack.
28. The Vice-Chair commented that a couple of board members had issues accessing their cnpaboard email and suggested that we highlight the changing of passwords regularly as a good thing to do.
29. The Chair thanked the Committee for their contribution today and extended her thanks to the CNPA Staff and Auditors teams for the work presented at the meeting.
30. The meeting ended 10.40am.
Audit & Risk Committee: Outstanding Actions
Action | Status |
---|---|
Audit and Risk Committee induction pack | Open |
Risk mitigation for LEADER Accountable Body role | Open |