Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

ARC Paper 9 Draft Governance statement

Cairngorms Nation­al Park Author­ity Audit and Risk Com­mit­tee Paper 9 19 June 2026

For decision

Title: Draft gov­ernance state­ment Pre­pared by: Louise Allen, Head of Fin­ance and Cor­por­ate Operations

Pur­pose

This paper presents the draft Gov­ernance Report, which forms part of the Annu­al Report and Accounts, to the Com­mit­tee for review and com­ment pri­or to inclu­sion in the draft papers sub­mit­ted for extern­al audit.

Recom­mend­a­tions

The Audit and Risk Com­mit­tee is reques­ted to: a) Review the draft Gov­ernance State­ment presen­ted with this paper. b) Sub­ject to any agreed amend­ments, approve the Gov­ernance State­ment for inclu­sion in the Park Authority’s draft Annu­al Report and Accounts for 202526.

Exec­ut­ive summary

  1. The con­tent of the Gov­ernance State­ment with­in the Park Authority’s Annu­al Report and Accounts has cer­tain pre­scribed ele­ments. With­in the required report­ing format, the con­tent of the state­ment has been updated for 202526 as presen­ted with this paper. Key areas of update are shaded in grey to help identi­fy new mater­i­al added and changes made.
  2. The Com­mit­tee is invited to review the draft state­ment and make any amend­ments pri­or to its inclu­sion in the doc­u­ments and work­ing papers sub­mit­ted for extern­al audit review of the 202526 accounts.

Gov­ernance Statement

Scope of responsibility

As Account­able Officer, I am respons­ible for main­tain­ing sound sys­tems of intern­al con­trol that sup­port the achieve­ment of Cairngorms Nation­al Park Authority’s policies, aims and object­ives, while safe­guard­ing the pub­lic funds and depart­ment­al assets for which I am per­son­ally respons­ible. These duties are in accord­ance with the Frame­work Agree­ment between the Park Author­ity and Scot­tish Gov­ern­ment and align with respons­ib­il­it­ies assigned to me in the Scot­tish Pub­lic Fin­ance Manu­al (SPFM).

The SPFM, issued by the Scot­tish Min­is­ters, provides guid­ance to the Scot­tish Gov­ern­ment and oth­er rel­ev­ant bod­ies on the prop­er hand­ling of pub­lic funds, and sets out the rel­ev­ant stat­utory, par­lia­ment­ary, and admin­is­trat­ive require­ments, emphas­ising the need for eco­nomy, effi­ciency, and effect­ive­ness, and pro­motes good prac­tice and high stand­ards of pro­pri­ety. As Account­able Officer, I am respons­ible for ensur­ing that the Park Authority’s intern­al con­trol sys­tems com­ply with the require­ments of the SPFM.

The Frame­work Agree­ment with Scot­tish Gov­ern­ment sets out the role of the Park Authority’s Board in provid­ing lead­er­ship and gov­ernance. The Frame­work Agree­ment is a stand­ard agree­ment between Scot­tish Gov­ern­ment and its devolved pub­lic bod­ies and came into force fol­low­ing approv­al by the Park Author­ity Board at its meet­ing on 26 May 2023.

The gov­ernance respons­ib­il­it­ies of the Board are sup­por­ted by Stand­ing Orders and a Code of Con­duct, both revised and adop­ted in 2024. Required addi­tions to the Code to handle Board involve­ment in quasi-judi­cial and reg­u­lat­ory decision mak­ing were agreed with the Stand­ards Com­mis­sion for Scot­land. The Board agreed a Gov­ernance Respons­ib­il­ity Frame­work” doc­u­ment in 2021, set­ting out the respect­ive roles and respons­ib­il­it­ies of the Board and its non-exec­ut­ive Board mem­bers and seni­or man­agers in decision mak­ing, to give added clar­ity and under­stand­ing to this aspect of the Park Authority’s gov­ernance. Our group of pro­fes­sion­al, seni­or staff advisors, com­ple­men­ted by appro­pri­ate Board train­ing and devel­op­ment pro­cesses, sup­port the good gov­ernance arrange­ments set out in the Stand­ing Orders and Code of Conduct.

As a pub­lic body, the Park Author­ity is com­mit­ted to access­ib­il­ity, open­ness, and account­ab­il­ity, and sup­ports the highest stand­ards in cor­por­ate governance.

Oth­er than the doc­u­ments referred to above and the resource alloc­a­tion let­ters issued to me over the course of the year; there were no oth­er writ­ten author­it­ies provided to me over the course of 202526.

The oper­a­tion of the Board and sub-committees

The Board com­prises 19 mem­bers: 7 appoin­ted by Min­is­ters fol­low­ing nom­in­a­tion by five Coun­cils with bound­ar­ies with­in the Nation­al Park, 7 appoin­ted by Scot­tish Gov­ern­ment through pub­lic appoint­ments pro­cesses, and 5 dir­ectly elec­ted with­in the wards of the Nation­al Park.

The Board there­fore reflects a blend of dif­fer­ent exper­i­ence, back­grounds and interests. The full Board meets reg­u­larly to con­sider strategy and per­form­ance against the cur­rent Cor­por­ate Plan. Meet­ings are sched­uled quarterly, with addi­tion­al meet­ings con­vened as required. To enable the Board to dis­charge its duties, all mem­bers receive appro­pri­ate and timely inform­a­tion in advance of meet­ings with all agen­das and papers also placed in the pub­lic domain. Meet­ings are open to the pub­lic, with the excep­tion of occa­sion­al meet­ings held in private for vari­ous reas­ons of busi­ness and com­mer­cial confidentiality.

To ensure that the Board devel­ops an under­stand­ing of the cur­rent and emer­ging issues, mem­bers also par­ti­cip­ate in inform­al dis­cus­sion ses­sions to con­sider evolving policy issues and pro­pos­als. These meet­ings are held in private to provide for early-stage dis­cus­sion and mem­bers’ learn­ing and devel­op­ment on a range of policy top­ics. The agreed stra­tegic dir­ec­tion of the Park Author­ity is dis­cussed and iden­ti­fied in full, open con­sid­er­a­tion at form­al meetings.

The Board has estab­lished sub-com­mit­tees: a Plan­ning Com­mit­tee (which deals with all aspects of the Park Authority’s stat­utory plan­ning respons­ib­il­it­ies), togeth­er with Com­mit­tees cov­er­ing Gov­ernance, Resources, Per­form­ance, and Audit and Risk. The com­mit­tee struc­ture aug­ments the gov­ernance of the Author­ity and enhances the Board’s assur­ance role, as the Authority’s scale of activ­it­ies and sup­port of sig­ni­fic­ant pro­grammes con­tin­ues to increase. The Gov­ernance Com­mit­tee remains in place to sup­port the Board and the Con­vener to main­tain over­sight of the effect­ive­ness of gov­ernance arrange­ments across the organ­isa­tion, includ­ing the effect­ive­ness of the com­mit­tee struc­ture itself. All com­mit­tees have del­eg­ated duties and respons­ib­il­it­ies, set out in terms of ref­er­ence agreed by the full Board, to over­see and scru­tin­ise the Park Authority’s deploy­ment and man­age­ment of resources. The oper­a­tion of the com­mit­tee struc­ture has con­tin­ued in place through­out the 202526 fin­an­cial year.

The record of attend­ance at Board meet­ings can be found in the Remu­ner­a­tion and Staff Report with­in the Annu­al Report and Accounts.

The Audit and Risk Committee

The Audit and Risk Committee’s role is to provide effect­ive gov­ernance over all aspects of the Park Authority’s intern­al man­age­ment con­trol sys­tems and the annu­al fin­an­cial accounts and audit. It also takes a lead in stra­tegic risk man­age­ment, ensur­ing that risks impact­ing on stra­tegic object­ives are iden­ti­fied and mit­ig­ated, and that risk man­age­ment is embed­ded through­out the Park Authority’s oper­a­tions. It is sup­por­ted by the Park Authority’s intern­al audit func­tion, delivered by wbg, and extern­al aud­it­ors, For­vis Maz­ars. Both the intern­al and extern­al aud­it­ors have inde­pend­ent access to the Com­mit­tee and to its Con­vener. The Com­mit­tee is tasked with mon­it­or­ing the oper­a­tion of the intern­al con­trol func­tion and bring­ing any mater­i­al mat­ters to the atten­tion of the full Board. Detailed reports of all audit reviews are made avail­able to both man­age­ment and the Committee.

The Com­mit­tee meets at least quarterly and reports to the Board on the adequacy and effect­ive­ness of the Park Authority’s intern­al con­trols, and more widely on its work in the pre­ced­ing year.

The Board has con­tin­ued a pro­cess of self-eval­u­ation of effect­ive­ness and gov­ernance. The Board main­tains a skills mat­rix based on self-eval­u­ation by mem­bers, and which is updated as new mem­bers are appoin­ted. A review of the skills mat­rix car­ried out in Novem­ber 2025 iden­ti­fied a require­ment for the future recruit­ment of Board mem­bers with know­ledge and under­stand­ing of:

  • organ­isa­tion­al fin­an­cial and risk man­age­ment, and
  • land­scape scale nature res­tor­a­tion and land­scape scale change management.

The Park Author­ity intends to carry out a full mem­ber sur­vey in late 2026 in order to identi­fy train­ing needs, and to guide mem­ber appointments.

Dur­ing the year, the Board held vari­ous work­shops to dis­cuss mat­ters of effect­ive­ness and gov­ernance, including:

  • Con­sid­er­a­tion of equal­ity duties in the pub­lic sec­tor (March 2025)
  • Dis­cus­sion of the Authority’s val­ues and cul­ture (May 2025)
  • Per­son­al use of social media (May 2025)
  • Board effect­ive­ness (August 2025)
  • Hori­zon scan­ning (Octo­ber 2025)

The Board has agreed a set of Cor­por­ate Per­form­ance Indic­at­ors to improve its over­sight of deliv­ery against key stra­tegic object­ives and the Park Authority’s Cor­por­ate Plan. A detailed per­form­ance report is sub­mit­ted to the Board annu­ally on deliv­ery against key per­form­ance indic­at­ors, along­side a review of stra­tegic risk man­age­ment. These mon­it­or­ing and con­trol mech­an­isms sup­port Board scru­tiny over deliv­ery of the Cor­por­ate Plan and Nation­al Park Part­ner­ship Plan priorities.

Peri­od­ic reports from inde­pend­ent intern­al and extern­al aud­it­ors form a key and essen­tial ele­ment in inform­ing my review as Account­able Officer of the effect­ive­ness of the sys­tems of intern­al con­trol with­in the Park Author­ity. The Board’s Audit and Risk Com­mit­tee also plays a vital role in this regard, through its con­sid­er­a­tion of audit recom­mend­a­tions arising from reviews of intern­al con­trol sys­tems, and its scru­tiny of pro­posed man­age­ment action to address any improve­ments required. The Audit and Risk Com­mit­tee also con­siders both a three-year plan for intern­al audit cov­er­age and annu­ally agrees an intern­al audit plan flow­ing from that three-year plan.

Shared ser­vices delivery

The Park Author­ity plays an import­ant role in provid­ing sup­port to loc­al com­munit­ies and organ­isa­tions, over a range of activ­it­ies, to help deliv­er the Nation­al Park Part­ner­ship Plan’s pri­or­it­ies. We have con­tin­ued to sup­port the Cairngorms Loc­al Action Group Trust in its lead­er­ship and deliv­ery of new Com­munity Led Loc­al Devel­op­ment fund­ing streams. Fol­low­ing com­ple­tion of the Devel­op­ment Phase of the Cairngorms 2030 Her­it­age Hori­zons Pro­gramme, and after a lengthy applic­a­tion pro­cess, in Janu­ary 2024 we were awar­ded £10.771m fund­ing by the Nation­al Lot­tery Her­it­age Fund to com­mence the Deliv­ery Phase of the Cairngorms 2030 pro­gramme. These have been sig­ni­fic­ant, community‑, and part­ner-led pro­grammes of activ­ity. Our man­age­ment and intern­al con­trol struc­tures ensure that sup­port for these com­munity-based deliv­ery entit­ies is sep­ar­ated from the core activ­it­ies of the Author­ity, while ensur­ing that our sup­port helps them achieve best prac­tice” in their operations.

The Author­ity also under­takes a range of shared ser­vice arrange­ments with oth­er pub­lic body part­ners. Over the course of the year, we have worked with the Scot­tish Land Com­mis­sion, provid­ing payroll ser­vices, togeth­er with advice and sup­port on human resource and organ­isa­tion­al devel­op­ment mat­ters. We have also col­lab­or­ated on a range of shared ser­vice deliv­ery with Loch Lomond and the Trossachs Nation­al Park Author­ity (LLT­NPA). We have received sup­port from LLT­NPA on IT infra­struc­ture main­ten­ance and devel­op­ment, shared licence agree­ments for plan­ning sys­tems, and data back-up and secur­ity arrange­ments. In addi­tion to these more form­al shared ser­vices with LLT­NPA, both Nation­al Park Author­it­ies con­tin­ue to col­lab­or­ate closely on areas of shared policy interest.

Intern­al audit

The intern­al audit func­tion is an integ­ral ele­ment of scru­tiny of the Park Authority’s intern­al con­trol sys­tems. wbg were appoin­ted as the Park Authority’s intern­al aud­it­ors in 2025, fol­low­ing an open pro­cure­ment pro­cess, and have under­taken a com­pre­hens­ive assess­ment of key intern­al con­trol sys­tems since their appoint­ment. Dur­ing the year to 31 March 2026, wbg have repor­ted to the Audit and Risk Com­mit­tee on the fol­low­ing reviews:

Gov­ernance & risk

  • Cor­por­ate gov­ernance arrangements

Oper­a­tion­al

  • Imple­ment­a­tion of a new fin­ance system
  • Pro­ject ini­ti­ation processes
  • Grant admin­is­tra­tion and management
  • Fol­low up on pre­vi­ous recommendations
  • IT dis­aster recov­ery (advis­ory review car­ried out in April 2026)

All recom­mend­a­tions made by wbg are con­sidered, giv­en man­age­ment responses, which are con­sidered by the Audit and Risk Com­mit­tee, and imple­men­ted as appropriate.

Extern­al audit

Extern­al aud­it­ors are appoin­ted for us by the Aud­it­or Gen­er­al for Scot­land through Audit Scot­land. Audit Scot­land appoin­ted For­vis Maz­ars to the role with effect from the com­mence­ment of the audit of the 202223 annu­al accounts. We con­tin­ue to devel­op our rela­tion­ship with For­vis Maz­ars, who review key sys­tems in order to form a view on the effect­ive­ness of con­trol arrange­ments, and to sup­port their audit opin­ion on the fin­an­cial state­ments. No non-audit work was under­taken by For­vis Maz­ars, and con­sequently, no fees were paid oth­er than the agreed fee for extern­al audit work.

Best value

The Audit and Risk Com­mit­tee con­tin­ues to mon­it­or the Authority’s adher­ence to Scot­tish Gov­ern­ment Best Value guidelines and our approach to con­tinu­ous improve­ment. Since the launch, in 202324, of our Organ­isa­tion­al Devel­op­ment and People Strategy 2024, we have con­tin­ued to improve our work pro­cesses, organ­isa­tion­al envir­on­ment, and deliv­ery of ser­vices. The res­ults of our 2025 staff sur­vey have informed the deliv­ery of con­tinu­ous organ­isa­tion­al improve­ment as part of our Cor­por­ate Plan to 2027.

Risk man­age­ment

We have a risk man­age­ment strategy in accord­ance with guid­ance issued by Scot­tish Min­is­ters to identi­fy actu­al and poten­tial threats that may pre­vent us from deliv­er­ing our stat­utory pur­pose, and also to identi­fy appro­pri­ate mit­ig­a­tion actions.

The Board recog­nises the import­ance of risk man­age­ment and con­tin­ues to mon­it­or the Park Authority’s Stra­tegic Risk Register, with­in its estab­lished risk appet­ite, for areas of the 202327 Cor­por­ate Plan. This approach sup­ports deliv­ery of our Cor­por­ate Plan objectives.

The Stra­tegic Risk Register records risks, action taken to mit­ig­ate the iden­ti­fied risks and seni­or management’s respons­ib­il­ity for lead­ing on each risk and its mit­ig­a­tion. The Stra­tegic Risk Register is reviewed by the Exec­ut­ive Man­age­ment Team at least four times each year and updated by the full Board and the Audit and Risk Com­mit­tee as part of each quarterly cycle of meetings.

The Audit and Risk Com­mit­tee, with the Seni­or Man­age­ment Team, leads on embed­ding risk man­age­ment pro­cesses through­out the Park Author­ity. Both groups con­sider the man­age­ment of stra­tegic risk in line with the Risk Strategy to ensure that the required actions are appro­pri­ately reflec­ted and incor­por­ated in oper­a­tion­al deliv­ery plans.

Data secur­ity

Pro­ced­ures are in place to ensure that inform­a­tion is being man­aged in accord­ance with legis­la­tion and that data is held accur­ately and securely. The Park Author­ity has exper­i­enced no repor­ted nor recor­ded instances of data loss in the year to 31 March 2026.

We con­tin­ue to review our digit­al prac­tices and infra­struc­ture to ensure they remain fit for pur­pose and that all reas­on­able steps are taken to min­im­ise the risk of data loss or com­prom­ise of sys­tems due to Cyber Attacks. Dur­ing the year, the Park Author­ity worked towards renew­al of its accred­it­a­tion under the Cyber Essen­tials Plus scheme.

The Authority’s Seni­or Man­age­ment Team approved an IT and Data Man­age­ment Strategy in 2021. The strategy described our trans­ition toward cloud-based ser­vice infra­struc­ture. This strategy will be reviewed and refreshed in 2026.

Busi­ness continuity

The Author­ity imple­men­ted its Busi­ness Con­tinu­ity Plan (BCP) pro­cesses in 2020, in response to the COVID19 pan­dem­ic. The BCP pri­or­it­ised the main­ten­ance and evol­u­tion of sys­tems to sup­port dis­persed work­ing while main­tain­ing max­im­um focus on deliv­ery of the Authority’s stra­tegic outcomes.

The Park Author­ity has now adop­ted hybrid work­ing arrange­ments, with the major­ity of our staff work­ing part-time from home and dis­persed loc­a­tions, and part-time in the office. Our Board also holds both hybrid and full face-to-face pub­lic meetings.

A revi­sion of the Busi­ness Con­tinu­ity Plan is pri­or­it­ised for 202627.

Louise Allen louiseallen@​cairngorms.​co.​uk 21 May 2026