Audit and Risk Committee Paper 3 - procurement lessons learned

Draft Audit and Risk Com­mit­tee Paper 3 12 Septem­ber 2025 Page 1 of 5

For dis­cus­sion

Title: Pro­cure­ment Approaches: Les­sons Learned Pre­pared by: Dav­id Camer­on, Deputy Chief Executive

Pur­pose This paper draws togeth­er reflec­tions on the les­sons learned in identi­fy­ing and tak­ing steps to rec­ti­fy the con­trol improve­ments required in the Park Authority’s pro­cure­ment con­trols. The paper is presen­ted at the request of the Com­mit­tee and fol­low­ing reflec­tion by officers involved in the devel­op­ment and imple­ment­a­tion of the pro­cure­ment action plan which fol­lowed the intern­al audit review of the Park Authority’s pro­cure­ment controls.

Recom­mend­a­tions The Board is asked to: α) Dis­cuss and com­ment on the les­sons learned from col­lect­ive hand­ling of the Park Authority’s approach to devel­op­ing intern­al con­trols on pro­cure­ment as set out in this paper.

Stra­tegic context

1. Our recent focus on urgent need for improve­ment in form­al pro­cure­ment con­trols comes in the midst of a time of sig­ni­fic­ant expan­sion in the scale and breadth the Park Authority’s oper­a­tions. Our ranger ser­vice, peat­land action deliv­ery team, nature recov­ery fund­ing and Cairngorms 2030 pro­gramme among oth­er areas of devel­op­ment have brought the Park Author­ity to a pos­i­tion of total funds under man­age­ment in excess of £16 mil­lion in ²⁰²⁴⁄₂₅, which is more than double the total income in ²⁰²⁰⁄₂₁. The increas­ing organ­isa­tion­al scale brought increases in pro­cure­ment activ­ity in terms of both volume of activ­ity and breadth in the range of pro­cure­ment requirements.

2. This sig­ni­fic­ant increase in activ­ity came at a time when the Park Authority’s cor­por­ate teams were also heav­ily involved in man­aging busi­ness con­tinu­ity pro­cesses, our organ­isa­tion­al responses to the impacts of the COVID19 pandemic,

Draft Audit and Risk Com­mit­tee Paper 3 12 Septem­ber 2025 Page 2 of 5

and our organ­isa­tion­al trans­ition­ing to hybrid work­ing from an entirely dis­persed work­force dur­ing the pandemic.

1. Recog­niz­ing this pos­i­tion and the poten­tial issues cre­ated by organ­isa­tion­al growth for pro­cure­ment, an intern­al audit was com­mis­sioned to sup­port board and man­age­ment to under­stand the pos­i­tion and help provide focus for expec­ted improve­ments in the con­trol environment.

2. While sev­er­al urgent recom­mend­a­tions were iden­ti­fied and acted on, there were no spe­cif­ic instances of pro­cure­ment activ­it­ies hav­ing caused any sig­ni­fic­ant issues for the Park Author­ity: there were no alleg­a­tions of breach of pro­cure­ment require­ments and officer advice had been suf­fi­cient to cov­er the organization’s activ­it­ies in the absence of more form­al con­trol systems.

Stra­tegic policy consideration

1. The fol­low­ing reflec­tions and les­sons learned are drawn from our work on pro­cure­ment over the course of the last two years: α) There is sig­ni­fic­ant bene­fit to ensur­ing that intern­al audit resources are dir­ec­ted appro­pri­ately toward areas of highest risk. In tak­ing this approach, there needs to be a con­sidered approach when deal­ing with audit reports which may con­tain urgent recom­mend­a­tions for action.

b) In devel­op­ing new areas of deliv­ery, con­sid­er­a­tion should be giv­en to wider organ­iz­a­tion­al con­sequences in terms of the resource and devel­op­ment of skills needed to sup­port those deliv­ery areas. This is an ongo­ing pro­cess, as some­times con­sequences of new deliv­ery are only fully under­stood after deliv­ery commences.

c) The com­mit­ment, know­ledge and good­will of staff remains a key ele­ment of suc­cess­ful deliv­ery by the Park Author­ity. Pro­fes­sion­al engage­ment of all staff ensured that appro­pri­ate actions were taken to safe­guard the organ­iz­a­tion and meet require­ments until the design of con­trol pro­ced­ures could catch up with ser­vice delivery.

d) While there is an appro­pri­ate focus across gov­ern­ment on the size of the pub­lic sec­tor work­force, and in par­tic­u­lar the levels of cor­por­ate sup­port ser­vices, there is a need to also con­sider the staff resourcing required by organ­iz­a­tions to dis­charge their leg­al respons­ib­il­it­ies and wider expectations

Draft Audit and Risk Com­mit­tee Paper 3 12 Septem­ber 2025 Page 3 of 5

of gov­ern­ment. Pro­cure­ment reg­u­la­tions present com­plex leg­al require­ments and require spe­cial­ist, qual­i­fied, know­ledge­able staff. There is a dif­fi­cult bal­ance to be struck in man­aging work­force size and appro­pri­ately cov­er­ing legis­lat­ive require­ments such as employ­ment law, fin­an­cial reg­u­la­tions, Free­dom of Inform­a­tion and procurement.

e) Devel­op­ment of shared ser­vices between pub­lic bod­ies has been an effect­ive and effi­cient con­trib­ut­or to address­ing ser­vice require­ments, both in terms of deliv­er­ing pro­cure­ment activ­it­ies and also in provid­ing pro­fes­sion­al ment­or­ing and sup­port for spe­cial­ist staff who would oth­er­wise be in a ​‘team of one’ in terms of know­ledge and exper­i­ence groups.

f) The quantum of time and resources required in devel­op­ment and man­age­ment of shared ser­vices should not be under­es­tim­ated. Many organ­isa­tions in the cur­rent fund­ing cli­mate do not carry sur­plus capa­city and indeed are typ­ic­ally car­ry­ing more work­loads than they are able to ser­vice. Con­sid­er­able man­age­ment time can be con­sumed in search­ing and nego­ti­at­ing viable shared ser­vices options. Reli­ance on a shared ser­vice delivered by a third party may also res­ult in a depend­ency which can restrict con­trol over pro­ject timetables.

g) Pro­fes­sion­al ment­or­ing of staff through third party organ­iz­a­tions offers an excel­lent route to ensure pro­fes­sion­al staff who are in single mem­ber or small teams have wider sup­port from know­ledge­able pro­fes­sion­als in their own field of expertise.

h) Effect­ive man­age­ment and deliv­ery of func­tions through shared ser­vices also requires a suf­fi­ciently informed and exper­i­enced ​‘cli­ent man­age­ment’ func­tion. There needs to be adequate time and exper­i­ence of pro­cure­ment with­in the Park Author­ity to ensure effect­ive over­sight of pro­cure­ment activ­ity being delivered on our behalf by oth­er third parties, and ensure ques­tions and com­mis­sions are appro­pri­ately drawn up.

i) There is an effect­ive gov­ernance sys­tem in place with­in the Park Author­ity cov­er­ing terms of ref­er­ence for com­mit­tees which set out those com­mit­tees’ del­eg­ated respons­ib­il­it­ies, with the option to escal­ate issues by excep­tion to the full board.

j) As with any policy envir­on­ment, pro­cure­ment and any oth­er intern­al con­trol ele­ment needs to be worked on and embed­ded as part of the organization’s cul­ture rather than simply seen as an isol­ated pro­cess or con­trol sys­tem, in

Draft Audit and Risk Com­mit­tee Paper 3 12 Septem­ber 2025 Page 4 of 5

order to ensure adequate intern­al com­mu­nic­a­tion takes place and that pro­cure­ment is con­sidered by all staff at the right time in their work.

k) Sig­ni­fic­ant pro­cure­ment exer­cises are likely to have a size­able, demand-led call on budgets for pro­fes­sion­al advice, such as leg­al sup­port and wider pro­fes­sion­al input. Pro­ject budgets and / or cent­ral budget pro­vi­sions need to be adjus­ted to reflect the scale of pro­cure­ment pipelines in any year.

l) The wider invest­ment in and devel­op­ment of improved inform­a­tion man­age­ment sys­tems has been a cru­cial under­pin­ning in improv­ing our capa­city to imple­ment effect­ive pro­cure­ment con­trols, enabling an under­stand­ing of pro­cure­ment pipeline and also estab­lish­ing a con­tract register to enhance sub­sequent con­tract management.

m) The col­lect­ive work between the Audit and Risk Com­mit­tee and seni­or officers estab­lished an appro­pri­ate and con­struct­ive gov­ernance, scru­tiny and deliv­ery dynam­ic and report­ing process.

1. A sig­ni­fic­ant and wider devel­op­ment with­in the Park Author­ity as a ​‘les­son learned’ from exper­i­ence in hand­ling pro­cure­ment is our new approach to pro­ject ini­ti­ation. This approach requires all pro­ject ideas to be logged in a cent­ral sys­tem and an apprais­al under­taken to estab­lish what wider pro­fes­sion­al sup­port and expert­ise a pro­ject may require, wheth­er pro­cure­ment, com­munity engage­ment, leg­al advice etc. The approach in turn encour­ages early engage­ment between pro­ject man­agers and pro­fes­sion­al advisers to inform every­one of poten­tial pipeline work­loads and take early advice on pro­ject design to ensure compliance.

2. The Park Author­ity has also been using ​‘tri­al and test’ approaches to learn from early exper­i­ence how best to design intern­al con­trol sys­tems on the basis of pre­lim­in­ary evid­ence from a small num­ber of pilot exercises.

3. Both these wider devel­op­ments seek to allow ser­vice devel­op­ments to pro­gress without sig­ni­fic­ant delay, while pre­vent­ing sig­ni­fic­ant organ­isa­tion­al expos­ure to unman­aged risks or to unex­pec­ted wider liabilities.

Stra­tegic risk management

1. The Park Author­ity is a dynam­ic, respons­ive organ­isa­tion which has had great suc­cess over recent years in secur­ing addi­tion­al fund­ing for invest­ment in the

Draft Audit and Risk Com­mit­tee Paper 3 12 Septem­ber 2025 Page 5 of 5

Cairngorms and deliv­ery of the Nation­al Park Part­ner­ship Plan (NPPP) object­ives. As noted in the stra­tegic con­text sec­tion of this paper, our ranger ser­vice, peat­land action deliv­ery team, nature recov­ery fund­ing and Cairngorms 2030 pro­gramme has brought the Park Author­ity to a pos­i­tion of total funds under man­age­ment in excess of £16 mil­lion in ²⁰²⁴⁄₂₅, which is 110% of the total income in ²⁰²⁰⁄₂₁. Growth at this scale and pace, while in keep­ing with the Park Authority’s object­ives of income diver­si­fic­a­tion, and a rel­at­ively open risk appet­ite for expan­sion sup­port­ing deliv­ery of NPPP pri­or­it­ies, will inev­it­ably put sig­ni­fic­ant pres­sure on the capa­city of rel­at­ively fixed cent­ral sup­port ser­vices and their capa­city to build con­trol frame­works in advance of tak­ing on some commitments.

1. Over­all, the risk approach appears to remain appro­pri­ate. How­ever, as sig­ni­fic­ant organ­isa­tion­al change is recog­nised, a fuller risk assess­ment of con­sequent impacts and sup­port require­ments is warranted.

Implic­a­tions

1. There are no new stra­tegic resource implic­a­tions sug­ges­ted by this paper.

2. The paper does high­light the require­ment for adequate resource to be alloc­ated to essen­tial cor­por­ate sup­port func­tions and this may have implic­a­tions for future con­sid­er­a­tion of budget devel­op­ment or in respond­ing to con­sid­er­a­tion of poten­tial for future effi­ciency saving.