Meeting Venue: Conference Room 4B - Tŷ Hywel
Meeting date: Thursday, 2 March 2017
Meeting time: 11.00 - 12.30
Category | Names |
Management Board Members: | Claire Clancy, Chief Executive & Clerk of the Assembly; Adrian Crompton, Director of Assembly Business; Anna Daniel, Head of Strategic Transformation; Non Gwilym, Head of Communications; Nia Morgan, Director of Finance; Mair Parry-Jones, Head of Translation and Reporting Service; Mark Neilson, Head of ICT and Broadcasting; Kathryn Potter, Head of Research Service; Matthew Richards, Head of Legal Services; Craig Stephenson, Director of Commission Services; Sulafa Thomas, Head of Commission and Member Support; Dave Tosh, Director of Resources; Christopher Warner, Head of Policy and Legislation Committee Service; Gareth Watts, Acting Head of Governance and Audit; Siân Wilkins, Head of Chamber and Committee Service |
Management Board Staff: | Ryan Bishop (Secretariat) |
Others in attendance: | Paul Peters, Detective Inspector for TARIAN; Manon Antoniazzi; Sian Thomas, Research Service; Drew Evans, Head of Infrastructure & Operations Management |
Apologies were received from Lowri Williams, Head of Human Resources.
There were no declarations of interest.
Non Gwilym would draft a note of the Management Board discussion for the news page.
The minutes of the 2 February Management Board meeting were agreed subject to an amendment to the wording of the corporate risk relating to the name change consultation.
Craig introduced the paper, on behalf of Natalie Drury-Styles, and asked the Board for comment.
The Commission’s Strategy for 2016-2021 highlights the importance of enabling and encouraging public engagement in the Assembly’s work. To align better with the Commission’s priorities, the paper suggested that the management of events on the estate move to a more pro-active, strategic and considered approach.
The Board discussed the paper, agreeing that this was a priority issue for the current Commission. Ensuring that the right balance was struck between the range of events was emphasised, whilst being mindful of carefully managing stakeholder perceptions of any change in the arrangement and organising of events.
To allow sufficient time for further drafting to take place, the paper will be put to the Commission at its meeting on 15 May.
The Board welcomed Drew Evans and Paul Peters to the meeting.
Drew explained to the Board that 6 million user accounts worldwide had been breached in January 2017 alone and that the biggest threat to an organisation’s cyber security is often found within; raising awareness amongst staff is therefore the most effective form of defence. The Board were informed of the impact any potential cyber incident could have on an organisation, ranging from data loss right through to wide-scale business disruption. In addition, there could be longer-term impacts on reputation and stakeholder confidence.
Since last September a wide-ranging assurance exercise had been conducted to review the Assembly’s robustness to any potential cyber threat. Whilst steps have been taken to reduce the risk of a cyber-attack, Drew re-emphasised the importance of improving staff awareness with regard to tackling any threat.
Drew informed the Board of the upcoming Cyber Security Awareness Week taking place from 6-9 March. These sessions, aimed at staff, will consist of short awareness-raising videos along with an opportunity to ask questions afterwards. It was felt that, given the importance of the topic, it should be compulsory for staff to attend these sessions.
The Board were introduced to Detective Inspector Paul Peters, from TARIAN, who delivered the second of the awareness-raising presentations. Paul talked the Board through examples of some of the threats posed to organisations through the use of social engineering, phishing emails, ransomware threats and DDoS (Distributed Denial of Service) attacks.
ACTIONS: Management Board agreed to make attendance at an awareness session mandatory for all staff; Service Heads were asked to strongly encourage their staff to attend the awareness raising sessions taking place between 6-9 March.
Dave introduced the Corporate Risks paper, informing the Board that it was an opportunity for them to review the Assembly’s existing and emerging corporate risks.
The Board agreed the recommendations to:
· add the personal security and safety risk to the Corporate Risk Register;
· continue to monitor the personnel security risk at service level;
· add the General Data Protection Regulation risk to the Corporate Risk Register, with a target duration until May 2018;
· continue to monitor the Members’ awareness of Safeguarding of children risk at service level, with a decision to be taken at a future date as to which service should own the risk; and
· further to consideration by ACARAC, that the Assembly’s current and future accommodation needs risk be added to the Corporate Risk Register.
The Board also noted the following new or emerging risks:
· Establishment of a Youth Parliament. Non informed the Board that the Youth Parliament working group have considered the risks associated with the project and will be doing so again at its next meeting;
· the lack of strategic and co-ordinated interactions with the media, which had been added to the service level register.
The Board discussed adding a new risk to the Corporate Risk Register regarding constitutional change. The intention would be for this to encapsulate a collection of similar risks associated with the changes taking place, to provide the Board with the overall oversight required.
ACTIONS:
· Dave to work with Adrian, Anna and Non, to draft a detailed note and circulate for wider discussion.
The latest Financial Management Report would shortly be circulated. Claire reminded the Board to ensure that their service areas provide a very accurate picture of spend for the remainder of the financial year.