231124ACRPaper5InternalAuditHealthandSafety
Cairngorms National Park Authority
Internal Audit Report 2023⁄24
Health and Safety
November 2023
Page 2
Cairngorms National Park Authority Internal Audit Report 2023⁄24 Health and Safety
- Executive Summary — 1
- Management Action Plan — 4
- Appendix A – Definitions — 13
| Audit Sponsor | Key Contacts | Audit team |
|---|---|---|
| David Cameron, Deputy Chief Executive | Kate Christie, Head of Organisational Development Mark Pocock, Facilities Manager | Elizabeth Young, Partner Stephanie Hume, Senior Audit Manager Aidan Farrell, Internal Auditor |
Page 3
Executive Summary
Conclusion
We confirmed that Cairngorms National Park (CNPA) have a Health and Safety Policy in place that clearly articulates the roles and responsibilities of staff and the requirement to comply with the Health and Safety and Work Act (1974). Further, we identified that management has clearly outlined the training required for staff, both at induction (where a checklist is provided) and as refresher training on an ongoing basis. We also note all the policies and procedures are held in one easy to access location for staff on an intranet page.
We also identified a number of opportunities to strengthen the control environment. These include the need to bring up to date a number of the policies and procedures, improve the completion rates for staff training and ensure the Accident Log is kept up to date. Further, we noted that at present there is no reporting into the Senior Management Team on health and safety related activities prior to information being reported into the governance structure. Given the work some CNPA staff undertake they are likely to be at a higher risk than office-based workers, therefore it is essential to have robust Health and Safety arrangements in place to protect them.
Background and scope
The primary piece of legislation covering occupational health and safety in the United Kingdom is The Health and Safety at Work Act (1974). The primary aim of the act is to secure the health, safety and welfare of people at work.
The general provisions of the Act impose a duty on all employers to ensure, as far as is reasonably practicable, the safety of their employees at work by maintaining safe plans, safe systems of work, and safe premises and also by ensuring adequate instruction, training and supervision.
To ensure compliance with relevant legislation, it is vital that CNPA have appropriate policies and procedures in place and that there is awareness among all levels of CNPA’s staff regarding health and safety arrangements.
In accordance with the 2023/2024 Internal Audit Plan, we reviewed the operation and reporting on health and safety policies and procedures.
Page 4
Control assessment
| Colour | Priority |
|---|---|
| Yellow | 4 |
| Amber | 1 – 3 |
- There are clear health and safety policies and procedures in place that have been aligned with legislation and are being adhered to by staff.
- Roles and responsibilities for ensuring compliance with health and safety legislation are clearly defined within the policies and procedures, with appropriate training provided to all staff, both at induction and on an ongoing basis.
- A robust process is in place to record health and safety incidents, including identification and implementation of corrective action where necessary.
- Monitoring and reporting arrangements allow management and the Board to confirm that health and safety policies and procedures are followed consistently across the organisation and identify systematic issues or trends.
Improvement actions by type and priority
(Diagram showing bars for Control Design and Control Operation, graded 1 – 4)
Six improvement actions have been identified from this review, four of which relate to the design of controls. See Appendix A for definitions of colour coding.
Page 5
Key findings
Good practice
- We confirmed CNPA has a Health and Safety Policy in place that clearly articulates the respective roles and responsibilities within the organisation for ensuring compliance with the Health and Safety at Work Act (1974).
- The Health and Safety Policy is supplemented by a number of additional supporting policies and procedures tailored to cover health and safety considerations in role/person specific circumstances e.g. First Aid, Lone Working and DSE. We confirmed all health and safety documentation is centrally available to staff via the staff intranet (Eolas).
- We confirmed CNPA has clearly articulated the health and safety training required at induction and for refresher training.
- We confirmed a Health and Safety Committee is in place and meets quarterly, with minutes provided to the Resources Committee to provide assurance over its activities.
Areas for improvement
We have identified a number of areas for improvement which, if addressed, would strengthen CNPA’s control framework. These include:
- Ensuring the Health and Safety Policy and all supporting policies are subject to regular review.
- Reminding line managers of the importance of ensuring that all new starts complete all new start training and management ensuring the completion rates of induction training are monitored and reported to the Health and Safety Committee.
- Ensuring the Accident Register is updated for all incidents on an ongoing basis.
- Ensuring there is regular reporting to the Senior Management Team on the activities surrounding health and safety.
These are further discussed in the Management Action Plan below.
Impact on risk register
The CNPA corporate risk register (January 2023) included the following risks relevant to this review:
- Reputation: One-off high-profile incidents and/or vociferous social media correspondents have an undue influence on the Authority’s positive reputation.
As a result of the findings of our review, in particular the low completion rates for health and safety training both at induction and at refresher training management should consider whether the current wording and rating of this risk requires amendment.
Acknowledgements
We would like to thank all staff consulted during this review for their assistance and co-operation.
Page 6
Management Action Plan
Control Objective 1: There are clear health and safety policies and procedures in place which have been aligned with legislation and are being adhered to by staff.
1.1 Health and Safety Policies and Procedures
We reviewed six key health and safety policies and procedures and identified that none had been reviewed within the past 12 months:
- The Health and Safety Policy was last reviewed in March 2022.
- The DSE Policy was last reviewed in March 2019.
- The First Aid was last reviewed in January 2019.
- The Control of Substances Hazardous to Health Policy was adopted in September 2016 and has not been signed off for review since.
- The Permit to Work Procedure had no documented review date.
Risk
There is a risk that policies and procedures are no longer reflective of current legislation or best practice due to not being under regular review, resulting in inconsistent processes and potential harm to staff.
Recommendation
We recommend that the Health and Safety Policy and all supporting policies are subject to regular review to ensure that they reflect the current legislative requirements, the health and safety risks currently posed to staff and the range of activities that staff are involved in. In addition management should ensure all policies and procedures include version control and that the Health and Safety Committee monitors progress in this area to ensure appropriate scrutiny and oversight.
| Management Action | Grade 3 (Design) |
|---|---|
| We accept this recommendation, and will implement a review schedule, and will update all policies with a version control table. Given the number of policies and resource constraints, this will be a staggered review. | |
| Action owner: Facilities Manager | Due date: April 2024 |
Page 7
Control Objective 2: Roles and responsibilities for ensuring compliance with health and safety legislation are clearly defined within the policies and procedures, with appropriate training provided to all staff, both at induction and on an ongoing basis.
2.1 Health and Safety Induction Training
We confirmed all new staff are required to undertake health and safety training as part of their induction. The requirement for training is communicated to line managers and staff members through the induction checklist. We confirmed the checklist requires induction training through the ELMS system and covers the following areas:
- Introduction to Health & Safety
- Managing Health & Safety (Managers)
- Fire Safety
- Driving Safety
- Manual Handling
- DSE
- Office Safety
We confirmed the checklist requests new starts to commence their ELMS training during week one and specific that it should be completed by the end of their first month. We selected a sample of ten new starters within the past two years and identified the following:
- Five (50%) new starters had completed all health and safety training.
- Five (50%) new starters had only partially completed the health and safety training. Of these five we confirmed four were over the month deadline for completion of training, ranging from four months to eight months overdue.
Risk
There is a risk staff may encounter injury at work due to failing to complete the necessary health and safety training resulting in potential harm, reputational damage and possible financial penalties.
Recommendation
We recommend line managers are reminded of the importance of ensuring that all new starts complete all new start training on a timely basis. In addition, management should ensure the completion rates of induction training are monitored and reported to the Health and Safety Committee.
| Management Action | Grade 3 (Operation) |
|---|---|
| New start induction checklist provides details of mandatory training. Line managers are expected to implement and monitor this checklist. Induction checklist will be updated with more robust reminders about this training. HR team will also provide SMT with quarterly reports on ELMS training completion. | |
| Action owner: Head of Organisational Development | Due date: End March 2024 |
Page 9
2.2 H&S Refresher Training
We conformed that every two years CNPA requires all staff to undertake health and safety refresher training on ELMS covering the following areas:
- Introduction to Health & Safety
- Managing Health & Safety (Managers)
- Fire Safety
- Driving Safety
- Manual Handling
- DSE
- Office Safety
Additionally, CNPA offer additional training such as first aid and legionella training alongside specialised training for their park rangers.
We selected a sample of 13 staff and sought to confirm the extent to which they had completed refresher training within the last two years and identified that:
- Seven (54%) staff had completed their training.
- Six (46%) had not fully completed the training at the time of fieldwork.
Management confirmed that line managers receive email notifications of the training outstanding for their staff for courses launched through the ELMS certification programme, they are also able to log into the system and view the training logs for staff. It is the responsibility of line managers to chase staff completion rates.
Risk
There is a risk staff may encounter injury at work or fail to adhere to processes due to failing to complete the necessary health and safety training resulting in potential harm, reputational damage and possible financial penalties.
Recommendation
Management should ensure the completion rates of refresher training are monitored and reported to the Health and Safety Committee.
| Management Action | Grade 3 (Operation) |
|---|---|
| We accept this action. Completion rates will also be reported quarterly to SMT to support management scrutiny and enforcement of training requirements | |
| Action owner: Head of Organisational Development | Due date: End March 2024 |
Page 11
Control Objective 3: A robust process is in place to record health and safety incidents, including identification and implementation of corrective action where necessary.
3.1 Investigations
We confirmed the Incident and Accident Recording Form includes a section for completion by the Safety Advisor on whether an investigation was required and if so, what action was taken as a result of the investigation. From our review of the three incidents during 2023 we identified:
- One had no information recorded on whether an investigation was required or not, and if so, what action was taken.
- One outlined the actions taken from the investigation.
- One noted no investigation was required but did not note why this conclusion was reached.
Further, from discussions with staff we noted there is no formal process in place for undertaking investigations if these are required, and those charged with the management of health and safety have not had formal investigation training. In addition, we note the number of incidents is very low in comparison to other organisations and suggests that perhaps staff are not recording all incidents and near misses.
Risk
There is a risk incidents are not investigated as a result of a lack of a formal process in place resulting in actions not being taken to address incidents.
Recommendation
Management should ensure the Accident Recording Forms include detail on the investigation undertaken, and where an investigation is not undertaken the reason for this. In addition, management should consider whether further investigation training is required for staff involved in reviewing incidents.
| Management Action | Grade 3 (Design) |
|---|---|
| The process for investigation is that the A&IR is tabled and discussed at the quarterly H&SC meetings. We acknowledge none of this committee have had specific “investigation” training but expect that the IOSH training does sufficiently cover this. We will nevertheless research if there is a specific “investigation” training available, that is appropriate and proportionate. We would state that we do not believe low levels of reports suggest some accidents are not being recorded — the period 2020 — 2021 covered lockdown with minimal numbers accessing the office and currently the average number in the building is 50%. Nevertheless, we will note to table a reminder staff of the A&IR policy and procedure on one of our staff newsletters | |
| Action owner: Head of Organisational Development | Due date: End March 2024 |
Page 13
3.2 Accident Register
We confirmed that CNPA has an Accident Register template in place that provides a range of details including, date of incident, person reporting the incidence, category of person reporting the incident (i.e. employee, contractor etc), location, category (e.g. near miss, minor, moderate etc), description of injury, cause etc. Management noted and we confirmed that this template has not been utilised since 2019. Whilst we confirmed that staff completed an Incident and Accident Recording Form for all incidents in 2023 there is no central, amalgamated record of all incidents to enable an overall review of incidents, trends and recurring issues.
Risk
There is a risk that CNPA do not identify patterns in incidents as a result of failing to record all incidents in one log over time resulting in systemic corrective action not being taken as required.
Recommendation
Management should ensure the Accident Register is updated for all incidents on an ongoing basis. The register should be presented to the Health and Safety Committee on a regular basis to allow oversight of any patterns in incidents across years. Management should also consider what information is required to be held on this register for example the extent of personal data in comparison to what is appropriate under data protection.
| Management Action | Grade 2 (Design) |
|---|---|
| Accept – Register is currently too detailed so we will streamline it and update is going forward. H&SC already have oversight of all A&IRs as they scrutinise each report, but we can also ensure that the A&I Register is a standing item on the H&SC agenda. | |
| Action owner: Head of Organisational Development | Due date: June 2024 |
Page 14
Control Objective 4: Monitoring and reporting arrangements allow management and the Board to confirm that Health and Safety policies and procedures are followed consistently across the organisation and identify systematic issues or trends.
4.1 Reporting to Senior Management
We confirmed the Health and Safety Committee meet on a quarterly basis with the minutes of the meeting reviewed by the Resources Committee. At present there is no reporting to the Senior Management Team on updates relating to health and safety prior to information being presented to within the governance structure.
Risk
There is a risk the Senior Management Team are not made aware of updates relating to health and safety processes prior to information being presented to the governance structure due to of a lack of reporting resulting in managers being unable to take timely action to address issues.
Recommendation
Management should ensure there is regular reporting to the Senior Management Team on the activities surrounding Health and Safety including details on completion rates for training and overall trends in incidents (linked to MAP 2.1,2.2,3.2)
| Management Action | Grade 2 (Design) |
|---|---|
| We accept the importance of reporting to SMT. H&SC minutes will be circulated to SMT, and we will table training records at a quarterly SMT meeting. | |
| Action owner: Head of Organisational Development | Due date: End March 2024 |
Page 15
Appendix A – Definitions
Control assessments
| Code | Definition |
|---|---|
| R | Fundamental absence or failure of key controls. |
| A | Control objective not achieved — controls are inadequate or ineffective. |
| Y | Control objective achieved — no major weaknesses but scope for improvement. |
| G | Control objective achieved — controls are adequate, effective and efficient. |
Management action grades
| Grade | Definition |
|---|---|
| 4 | Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation. |
| 3 | High risk exposure — absence / failure of key controls that create significant risks within the organisation. |
| 2 | Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation. |
| 1 | Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues. |
Page 16
© Azets 2023. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.