210203AuCtteePaper2Annex1Covid Recovery FINAL
Cairngorms National Park Authority
Internal Audit Report 2020/21
COVID-19 Recovery
December 2020
Contents:
- Executive Summary
- Management Action Plan
- Appendix A – Definitions
Audit Sponsor:
David Cameron, Director of Corporate Services
Key Contacts:
- Vicky Walker, Office Services Manager
- Kate Christie, Head of Organisational Development
- Francoise van Buuren, Head of Communications and Engagement
Audit Team:
- Chris Brown, Partner
- Stephanie Hume, Audit Manager
- Lorna Munro, Internal Auditor
Executive Summary
Conclusion
We have confirmed that the Cairngorms National Park Authority (CNPA) was able to adapt quickly and mobilise its staff before lockdown came into effect and has engaged with staff regularly to ensure both practical issues related to remote working and mental health are addressed.
However, we identified that CNPA had only partially implemented its business continuity planning approach, with a number of key steps still to be completed, and whilst CNPA has responded quickly to issues being raised, lessons are not currently being captured in a single document to ensure all necessary actions are being taken.
Background and Scope
All public sector organisations have been required to act decisively in response to COVID-19 to enable core operations to continue with minimal disruption. This has included enacting business continuity plans, increasing remote working and use of technology, revising budgets and communicating with stakeholders. This review considered the approach to the transition and any lessons learned, including in comparison to other organisations.
Control Assessment
- 1. Business Continuity Plans: Were enacted at the outset of COVID-19 with management effectively transitioning staff to a remote working environment. (Yellow)
- 2. Communication with Staff: Is being undertaken in a timely and effective manner to ensure their ongoing wellbeing, and that key messages are being shared timeously. (Green)
- 3. Lessons Learned: Are identified and documented with relevant processes and working arrangements updated accordingly. (Yellow)
Improvement Actions by Type and Priority
(Diagram showing improvement actions by type and priority – Grade 1, 2, 3 & 4)
Three improvement actions have been identified from this review, two of which relate to the operation of the controls in place. See Appendix A for definitions of colour coding.
Key Findings
Good Practice
- CNPA were in a strong position to respond to the emerging pandemic as they had recently planned for remote working as part of the BCP development process.
- A governance group was quickly initiated at the beginning of the pandemic, comprising key staff from operational support functions such as HR and IT.
- Appropriate escalation routes are in place to ensure that issues were raised with the Management Team in a timely manner.
- There has been responsive and flexible decision-making, with a focus on staff wellbeing.
- Management have communicated with staff on a frequent basis using a range of formal and informal routes, latterly reacting to feedback from staff regarding over-communication by streamlining information through the ‘all staff weekly’ Friday update and the Wellbeing Wednesday email.
Areas for Improvement
We have identified some areas for improvement which, if addressed, would strengthen CNPA’s control framework:
- Completing the BCP cycle, to ensure that sufficient information is available to management and staff to enable a smoother transition to and from ‘emergency working’.
- Implementing a centralised and co-ordinated method to capture, record, risk assess and prioritise lessons learned.
These are further discussed in the Management Action Plan below.
Impact on Risk Register
The CNPA corporate risk register (November 2020) included the following risks relevant to this review:
- A22: Business Continuity Plans are inadequate to deal with significant impacts to normal working arrangements and result in service failure.
Acknowledgements
We would like to thank all staff consulted during this review for their assistance and co-operation.
Management Action Plan
Control Objective 1: Business Continuity Plans were enacted at the outset of COVID-19 with management effectively transitioning staff to a remote working environment. (Yellow)
1.1 BCP Cycle
The CNPA Business Continuity Plan identifies an eight-stage implementation process; however, at the commencement of the COVID-19 pandemic, CNPA was still working through stages two to five with various key functions/services, where focus was on identifying minimum service delivery, undertaking risk assessments, identifying contingencies, and refining the draft Business Continuity Plan. As such, the plan had not been fully tested with staff prior to the pandemic.
From discussions with management and review of evidence provided, we noted that having the BCP not fully in place prior to the pandemic is one of the main root causes of several issues identified during fieldwork:
- Remote working practicalities had not been sufficiently scoped and tested, including IT and communication.
- The BCP did not sufficiently address recovery plans and timelines.
- The understanding by staff undertaking risk assessments was not wholly sufficient, as evidenced by the apparent confusion between a recovery and continuity plan, and presumption that all services had delivery plans in place and reliance could be placed on these. The underpinning service plans were not fully developed and this impacted the effectiveness of the planned response.
- The BCP does not include any links to or identification of key policies, forms and templates to be used. In addition, the existing policies reviewed did not include sufficient information to support the enacted BCP, e.g. no minimum standards of communication in the Work Life Balance Policy.
- The terms of reference for the steering group did not provide sufficient detail or the wording was ambiguous:
  - The scope wording did not have sufficient detail to determine which activities would be undertaken by the group and which by other services in the organisation.
  - It does not define the group’s role in providing assurance to the Board, on the management of the incident and the steps to be taken towards full or partial business recovery.
  - There was no indication of the frequency of meetings.
  - There was no indication of who must be present to ratify any decisions/actions.
  - Resources being provided by the group were not sufficiently detailed.
Risk: There is a risk the organisation does not implement BCP actions effectively as a result of plans not being fully developed or tested, leading to staff members having difficulty working remotely and unexpected and/or negative impacts on business operations.
Recommendation: Management should:
- Continue to work through the BCP cycle.
- Ensure staff have a sufficient knowledge of the BCP process and terminology to adequately complete the stages associated with risk assessments.
- Expand the BCP content in relation to the governance structure and scope, in line with the points identified above.
Management Action: Recommendation agreed. We will work through the BCP cycle and adapt documentation to cover the points raised in this finding. (Grade 2 — Operation)
- Action owner: Office Services Manager
- Due date: 31 July 2021
Control Objective 2: Communication with staff is being undertaken in a timely and effective manner to ensure their ongoing wellbeing, and that key messages are being shared timeously. (Green)
2.1 Communications Strategy
As the CNPA Business Continuity Plan was not sufficiently developed, the communications strategy evolved as the pandemic progressed:
- In the week prior to lockdown an all-staff meeting was held, with 70% of staff able to attend. An all-staff email was issued to ensure the remaining staff were advised on the actions taking place.
- Initially, there was no specific format or frequency of communications, with each Service and Line Manager communicating as they thought appropriate. Following a staff survey in May 2020, a more streamlined approach to communications was taken with a single weekly e‑Bulletin issued to all staff. This covered a range of services including HR and cross-organisational operational related issues such as policies on leave, sickness and building access. We note these are highlighted at the start of each bulletin.
- Staff receive a Wellbeing Wednesday email, which focuses on mental and personal health aspects. The email directs staff to support across a range of topics including money management, mental health and keeping in touch with colleagues. The staff survey indicated that these had been well received.
- The staff survey also indicated that there were inconsistencies in the approach to keeping in touch with Line Managers. With no baseline standard and remote working being new for many, the need for training was identified. An on-line session was organised to support managers in managing remotely.
- In addition to the staff survey there have been a range of methods for staff to highlight issues with management including virtual drop-in sessions, a staff suggestion scheme, Employee Assistance Scheme and a Staff Consultative Forum continuing to operate.
As outlined, we note that CNPA has been very responsive and has been quick to implement decisions and new policies. However, whilst the approach has been flexible, had the BCP cycle been completed then these issues may not have arisen or may have been addressed more quickly (Linked to MAP 1.1).
Risk: There is a risk the organisation does not implement BCP actions effectively as a result of plans not being fully developed or tested, leading to staff members having difficulty working remotely and unexpected and/or negative impacts on business operations.
Recommendation: An outline communication strategy should be developed, which includes centralised and non-centralised channels, as well as support for staff who are unable to access systems.
Management Action: Recommendation agreed. We will design and implement a communications strategy and plan within the Business Continuity Plan completion process, drawing from extensive learning over the last 9 months. (Grade 1 — Operation)
- Action owner: Office Services Manager
- Due date: 31 July 2021
Control Objective 3: Lessons learned are identified and documented with relevant processes and working arrangements updated accordingly. (Yellow)
3.1 Lessons Learned Methodology and Framework
From the evidence provided it was clear that lessons learned are being regularly identified, addressed and implemented within the organisation. However, there is currently no centralised and coordinated method to capture these lessons to ensure they are recorded, risk assessed, prioritised, actioned, and communicated. Further, we note that the lack of an action log will result in management being unable, once the pandemic is over, to review all changes made during it to ensure all policies and procedures are updated accordingly.
In addition, although the approach taken has been responsive and we identified one example where an issue was transferred to the BCP risk register, we were unable to confirm whether there were any gaps, whether resources were used efficiently and whether risks were being adequately addressed.
Risk: There is a risk that identified lessons learned are not managed and documented in an effective manner, resulting in a lack of oversight of all changes made at the end of the incident, policies and procedures not being updated and potentially issues being repeated in the future.
Recommendation: Management should:
- Seek to document the lessons learned to date and any future lessons learned to inform the end of event de-briefing.
- Develop a lessons learned action log template for inclusion in the final BCP.
Management Action: Recommendation agreed. We will develop a lessons learned action log for inclusion in the BCP and populate a lessons learned log from an early review of the COVID BCP response period. (Grade 2 — Design)
- Action owner: Office Services Manager
- Due date: 31 March 2021
Appendix A – Definitions
Control Assessments
- R: Fundamental absence or failure of key controls.
- A: Control objective not achieved – controls are inadequate or ineffective.
- Y: Control objective achieved – no major weaknesses but scope for improvement.
- G: Control objective achieved – controls are adequate, effective and efficient.
Management Action Grades
- 4: Very high risk exposure – major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure – absence/failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure – controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure – controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
© Azets 2021. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.