Meetings
Corporate Risk
This page gives details of any meetings held which will, or did, discuss the matter, and includes links to the relevant Papers, Agendas and Minutes.
Note: Meeting agendas can change at short notice, particularly where future meeting dates are indicated more than a week in advance. Please check before planning to attend a Committee Meeting that the item you are interested in has not been moved.
Meeting: 11/01/2018 - Management Board (Item 9)
Corporate Risk Update
Minutes:
Gareth Watts advised that the corporate risk register would be presented to ACARAC in
February and the Board agreed that there was no need for a deep dive review by
ACARAC on this occasion.
Meeting: 07/12/2017 - Management Board (Item 4)
Corporate Risk
Supporting documents:
- Restricted enclosure 4
- Restricted enclosure 5
- Restricted enclosure 6
- Restricted enclosure 7
- Restricted enclosure 8
- Restricted enclosure 9
Minutes:
Dave Tosh led the Board
through the regular review of existing and emerging corporate risks and the
updated register, inviting Heads of Service to advise of any
new corporate risks flagged by Risk Champions or changes to the register of
current risks.
In relation to the existing risk around the Brexit process and implications of leaving the
EU, the Constitutional Change Steering Group met on 6 December and outlined the
plans of the Brexit Working Group to scenario plan in January, which would feed
into the risk register and corporate planning processes.
The Board noted changes to the register following the last review, and discussed two new
risks outlined in the form of a Risk on a Page (ROAP). It was recognised that
the capacity review ROAP did not specify all the controls in place and Gareth
Watts and Kathryn Hughes were looking at whether to provide a more detailed
description; however, as a first level record it provided a focussed summary of
a risk and mitigations.
The ROAP capturing the risk relating to harassment identified the current work in place
or underway, with longer term objectives to follow. Craig Stephenson described
the complexities of the work to align all strands under one code, and the
impacts on timescale and Assembly business, and these should be reflected in
the risk along with how they were being handled. The Board recommended wider
communication of the resources available via simple signage around the
building.
Management Board agreed that both risks would be added to the corporate register.
The Board discussed the management of the inter-related risks of reform and
constitutional change, capacity and financial pressures and noted that the
capacity review would assist in providing some answers. ACARAC had been
presented with a summary paper to provide them with assurance and the Committee
welcomed the paper, being assured by the measures taken to manage such a complex
risk profile. The Board agreed the paper provided a useful aide memoire and
communication to staff.
ACTIONS:
- Governance team to review ROAP template;
- Craig Stephenson to discuss signage with the working group;
- Anna Daniel to reframe the document on managing inter-related risks to share with staff;
- Dave Tosh, Gareth Watts and Kathryn Hughes to review the inter-related risks to update and identify what were now issues rather than risks.
Meeting: 23/10/2017 - Management Board (Item 5)
Corporate Risk
Supporting documents:
- Restricted enclosure 12
- Restricted enclosure 13
- Restricted enclosure 14
- Restricted enclosure 15
- Restricted enclosure 16
Minutes:
Gareth Watts led the Board through the regular review of existing and emerging corporate
risks and the updated register. The Board noted that the high level risks
identified by the working groups on Assembly reform, Brexit and the Wales Act,
and the controls in place to manage them, had been reviewed and considered
satisfactory by the Constitutional Change Steering Group. The Board also noted
the change to the risk in relation to GDPR preparations.
Management Board agreed to add the risk around accommodation needs to the corporate
register and that a ROAP on the Capacity Review be brought to a future meeting.
The Board considered whether the current corporate risks adequately reflected the
combined impact of reform and constitutional change, inter-related with
capacity and financial pressures. The need to ensure proper understanding on the
financial situation within teams was noted.
ACTIONS:
- Gareth’s team to collate the list of controls already in place within the organisation to manage risk; and
- Management Board members to use the Board note to staff as a basis to discuss the process for managing risk and the need for effective identification and reporting of risks at all levels of the organisation.
Meeting: 18/09/2017 - Management Board (Item 5)
Corporate Risk
Oral Item
Minutes:
Dave Tosh reminded the Board that the start of the new term was an opportunity for
corporate risk registers to be updated across the organisation.
New and changing risks should continue to be reported on a Service level, with Service
Heads and Risk Champions considering what should be flagged up for the
Corporate Risk Register, ahead of a formal Management Board review in October.
ACTION:
- Management Board asked to review and update their corporate risk registers ahead of formal consideration at the 23 October Management Board meeting.
Meeting: 20/07/2017 - Management Board (Item 8)
Corporate Risk
Supporting documents:
- Restricted enclosure 21
- Restricted enclosure 22
- Restricted enclosure 23
Minutes:
Management Board undertook
its regular review of the corporate risk register, which had been updated to
reflect the current status of risks.
At its meeting in June,
ACARAC had reviewed the summary risk register noting the movement in risks,
also receiving an update on the ongoing discussions at Management Board on the
combined impact of the risks being faced. Additionally, they had carried out a
critical examination of the organisation’s preparedness for the General Data
Protection Regulation due to come into force in May 2018. ACARAC were satisfied
with the action plan, commenting that it was well advanced compared to other
organisations.
The Board agreed the
changes and the recommendations proposed.
Meeting: 25/05/2017 - Management Board (Item 5)
Corporate Risk
Supporting documents:
- Restricted enclosure 26
- Restricted enclosure 27
- Restricted enclosure 28
- Restricted enclosure 29
Minutes:
Management Board considered the current and emerging risks at corporate level, their
status and the inter-related nature of the risks to delivery of the strategic
priorities, constitutional change and reform.
The Board identified a number of emerging risks, including the current consultation
on the renaming of the Assembly; the development of a Youth Parliament; planned
future accommodation projects; and the financial pressure on budgets in
delivering projects and strategies in a timely way.
The Board agreed:
- that the corporate capacity risk be changed back to an active risk; and the residual rating of the risk around the process of leaving the EU be changed to medium to reflect where it was currently impossible to put mitigation plans in place;
- to update the risk around financial pressures and review options at a later date;
- the risks relating to security should be kept under close review with a note to staff to assure them of such. Staff with particular concerns should speak with the Head of Security;
- a note would be prepared for staff as guidance for the way to refer to the Assembly until any change following the consultation was formally implemented.
Meeting: 02/03/2017 - Management Board (Item 6)
Corporate Risk
Supporting documents:
- Restricted enclosure 32
- Restricted enclosure 33
- Restricted enclosure 34
- Restricted enclosure 35
- Restricted enclosure 36
- Restricted enclosure 37
- Restricted enclosure 38
- Restricted enclosure 39
Minutes:
Dave introduced the Corporate Risks paper, informing the Board that it was an
opportunity for them to review the Assembly’s existing and emerging corporate
risks.
The Board agreed the recommendations to:
- add the personal security and safety risk to the Corporate Risk Register;
- continue to monitor the personnel security risk at service level;
- add the General Data and Protection Regulation risk to the Corporate Risk Register, with a target duration of until May 2018;
- continue to monitor the Members’ awareness of Safeguarding of children risk at service level, with a decision to be taken at a future date as to which service should own the risk; and
- further to consideration by ACARAC, that the Assembly’s current and future accommodation needs risk be added to the Corporate Risk Register.
The Board also noted the following new or emerging risks:
- Establishment of a Youth Parliament. Non informed the Board that the Youth Parliament working group have considered the risks associated with the project and will be doing so again at its next meeting;
- the lack of strategic and co-ordinated interactions with the media, which had been added to the service level register.
The Board discussed adding a new risk to the Corporate Risk Register regarding
constitutional change. The intention would be for this to encapsulate a
collection of similar risks associated with the changes taking place, to
provide the Board with the overall oversight required.
ACTIONS:
- Dave to work with Adrian, Anna and Non, to draft a detailed note and circulate for wider discussion.
Meeting: 02/02/2017 - Management Board (Item 6)
Corporate Risk Update
Supporting documents:
- Restricted enclosure 42
- Restricted enclosure 43
- Restricted enclosure 44
- Restricted enclosure 45
- Restricted enclosure 46
- Restricted enclosure 47
- Restricted enclosure 48
Minutes:
Management Board reviewed the
Assembly’s existing and emerging corporate risks. The risk register reflected
the current status of risks and the changes agreed at the 12 December 2016 meeting.
These were agreed but
an update was requested on designation of the estate in terms of security.
The Board agreed the recommendations to:
- leave the risk around changing the name of the Assembly on the corporate register, but incorporating being proactive about encouraging those who were positive about the changes to have their voices heard;
- add Cyber threats to the corporate register;
- add reputational risks around financial pressures to the corporate register but reworded to be broader than the reform programme;
- remove risk on Wales Bill “settlement” from the corporate register and manage risks at service level;
- add accommodation proposals to the corporate register. This would also be receiving a critical examination at the Audit and Risk Assurance Committee on 6 February.
Meeting: 12/12/2016 - Management Board (Item 4)
Corporate Risk
Supporting documents:
- Restricted enclosure 51
- Restricted enclosure 52
- Restricted enclosure 53
- Restricted enclosure 54
- Restricted enclosure 55
Minutes:
Management Board considered the current and emerging risks
at corporate level and agreed recommendations to reclassify the bilingual
capacity risk so it was managed at service level along with the existing
service level risk relating to compliance with the Official Languages Scheme.
It was also agreed to change the status of two corporate risks to static risks,
for capacity and security of the estate. The changes were due to the controls
being robust, effective and regularly reviewed. It was agreed that new risks
would be created to monitor two other specified areas of security.
The Board identified a number of emerging risks relating to
pressures arising from future constitutional reforms, including: the current
consultation on the renaming of the Assembly, noting over 900 responses had
been received so far; the development of a Youth Parliament; planned future
accommodation projects; and the financial pressure on budgets in delivering
projects and strategies in a timely way.
ACTIONS: Dave Tosh and Nia Morgan to agree a form of words for a
risk relating to financial constraints.
Non Gwilym, Anna Daniel and Lowri Williams to prepare a plan for
when risks may emerge around the capacity of the estate and future
accommodation needs, and liaise in relation to communications.
It was agreed that the risk relating to decisions of the
Remuneration Board could be removed from the register and that Management Board
would revisit the risks around provision of guidance on the safeguarding of
children and young people at the next review of corporate risks.
Meeting: 14/07/2016 - Management Board (Item 5)
Corporate Risk
Supporting documents:
- Restricted enclosure 58
- Restricted enclosure 59
- Restricted enclosure 60
- Restricted enclosure 61
Minutes:
Management Board considered the
current and emerging risks at corporate level and, in particular, the impact on
the organisation of the new Commission strategy and the emerging risks around
the EU referendum result. Although there were many uncertainties around the
effect of the result and the organisation was doing well on mitigation,
thinking ahead, being prepared and having the Commission committed to
resources, it would be prudent to include it as a corporate risk. The Board
agreed it was necessary to have a focussed discussion on potential risks, with
a view to avoiding having it remain on the register long term. It was agreed
that Anna Daniel would take the lead on assessing risks around the implications
of the referendum result.
The Board were asked to consider recommendations for
removing four risks from the corporate risk register given the effective
management, cessation or mitigation of the risks and, if so, whether they
should be monitored at service level. The Board agreed all four
recommendations.
Additionally, some changes to the
register to reflect the current status of risks were noted. Dave Tosh agreed to
review the wording of the risk relating to terrorist/weapons attack following
recent events (Ref: Sec009).
The Board considered the risk relating to decisions of the
Remuneration Board, which was being well managed and agreed to consider it
again at the next review. They also discussed the risk relating to senior
management changes.
Meeting: 20/06/2016 - Management Board (Item 7)
Risk Assessment Form - Senior Management Changes
Supporting documents:
- Restricted enclosure 64
Minutes:
The Board agreed to dedicate the meeting to the discussion of absence management, so the
other items were postponed until the July meeting agenda.
Meeting: 14/04/2016 - Management Board (Item 9)
Corporate Risk
Supporting documents:
- Restricted enclosure 67
- Restricted enclosure 68
- Restricted enclosure 69
- Restricted enclosure 70
- Restricted enclosure 71
- Restricted enclosure 72
Minutes:
The current corporate risk register and dashboard were reviewed and it was
agreed that good progress had been made with the identification and active
management of corporate risks.
Chris Warner would provide a ‘risk on a
page’ (ROAP) on safeguarding for the Board to consider at its next review of
risk.
The Board discussed risks around the EU referendum and
guidance was currently being prepared for staff and Members as a matter of
priority. The ROAP was agreed.
The transition to the Fifth Assembly was imminent and
there were areas of concern around delivery of responsibilities. Heads were
asked to address these in their areas if and where flagged.
The Financial management ROAP was agreed with a few additions.
Meeting: 07/03/2016 - Management Board (Item 6)
Corporate Risks
Supporting documents:
- Restricted enclosure 75
- Restricted enclosure 76
- Restricted enclosure 77
- Restricted enclosure 78
- Restricted enclosure 79
Minutes:
Management Board considered the
current and emerging risks at corporate level and noted progress against
mitigation and current status of each risk.
Following the review of the
Corporate Capacity risk at Board and ACARAC, the risk description was updated
to reflect the feedback.
The Board considered whether the risks around the transition to the Fifth Assembly
should be managed as a corporate risk and agreed that they were being managed
proactively within each strand and should continue there.
In relation to the Voluntary Exit Scheme ‘Risk on a page’ report, Non Gwilym
advised that the media manager would review the lines to take.
The Bilingual capacity risk would
be updated to reflect risks around potential changes in requirements in the
Fifth Assembly.
The matter of sickness absence was raised and it was agreed that the Board would
discuss this in more detail at a future meeting.
The safeguarding of children and vulnerable adults was also raised in relation
to the preparations needed to mitigate the risks around high turnover of
Members during transition to the Fifth Assembly.
Meeting: 25/01/2016 - Management Board (Item 9)
Corporate Risks
Supporting documents:
- Restricted enclosure 82
- Restricted enclosure 83
- Restricted enclosure 84
- Restricted enclosure 85
Minutes:
Management Board considered
the current and emerging risks at corporate level and noted key updates. The
Board were advised that the Audit and Risk Assurance Committee would be
reviewing how the risk around corporate capacity is managed at its next meeting
in February.
Dave Tosh presented a risk
occurrence report regarding changed arrangements to security vetting and
advised that discussions were taking place with South Wales Police regarding
future provision.
It was agreed that short
term risks in relation to the exit scheme should be added to the register.
Actions:
Dave Tosh and Sulafa Thomas to identify whether
there are risks relating to the transition to the Fifth Assembly that should be
added to the corporate register.
Heads of service to ensure that risk management
processes in their areas are being followed appropriately.
Meeting: 05/10/2015 - Management Board (Item 9)
Corporate Risk Update
MB 12-15 Paper 6 – Corporate Risk – cover paper
MB 12-15 Paper 6 – Corporate Risk Summary
Supporting documents:
- Restricted enclosure 88
- Restricted enclosure 89
Minutes:
Management Board reviewed the
register of corporate risks that had been revised following a previous Board
meeting where a full review of risks had been undertaken.
It was agreed that Gareth
Watts would discuss again with risk owners the scope and intention of their
risks and consider whether the wording effectively reflected that.
Meeting: 06/07/2015 - Management Board (Item 4)
Corporate Risk
Supporting documents:
- Restricted enclosure 92
- Restricted enclosure 93
Minutes:
The Management Board had agreed to hold an extended discussion on the management of
corporate risk to take a comprehensive view of all existing risks, determine
which should remain and which could be closed, together with a forward look at potential
risks arising up to the end of the Fourth Assembly and beyond.
The Board agreed several changes to the register:
- That the residual rating for the risk around corporate capacity should be raised to ‘high’, as capacity pressures along with financial constraints would continue to grow;
- Transition to Fifth Assembly - Adrian Crompton and Sulafa Thomas to review risk and consider elements beyond our control;
- Anna Daniel and Kathryn Hughes to adjust the Constitutional Change risk;
- Anna Daniel and Non Gwilym to consider the risk around negative perceptions of the Assembly;
- Physical security - risk to be adjusted to include protection from terrorist attacks.
The risk around information security was removed from the
corporate register and changed to a service risk, and Dave Tosh agreed to look
into a data protection query raised.
The Board agreed to remove a number of risks that had
either been delivered or work had been done to mitigate the risks.
Meeting: 01/06/2015 - Management Board (Item 6)
Corporate Risk update
Supporting documents:
- Restricted enclosure 96
- Restricted enclosure 97
- Restricted enclosure 98
- Restricted enclosure 99
- Restricted enclosure 100
- Restricted enclosure 101
Minutes:
The Board carried out their periodic review of the
Corporate Risk Register and whether there were any emerging risks of
corporate significance.
The Board agreed to remove the Business Continuity
risk, following further progress and the successful continuity exercise
undertaken in April. The risks would continue to be managed through the
Business Continuity Management System.
It was also agreed to remove the risk around the
use of social media due to the controls put in place. This risk would be
managed at service level.
The Board also considered the ‘static’ risks (those
that were always facing the Assembly but require a longer term focus). It was
noted that the Board needed to ensure the static risks and issues had
sufficient prominence.
Actions: It was agreed that when corporate risk was
discussed next, it would be placed first on the agenda to allow for a full
review, with a focus on where risks should be managed and which classified as
issues.
Meeting: 23/03/2015 - Management Board (Item 6)
Corporate Risk update - Paper 3 and Annexes
Supporting documents:
- Restricted enclosure 104
- Restricted enclosure 105
- Restricted enclosure 106
- Restricted enclosure 107
- Restricted enclosure 108
Minutes:
The Board carried out their periodic review of the
Corporate Risk Register and whether there were any emerging risks of
corporate significance.
The Audit and Risk Assurance Committee would be
looking at the risk around constitutional change at its meeting on 20 April.
Also, given the current threat level, the Committee questioned whether security
risks should be managed at a corporate level and would be considering this
further at its 8 June meeting.
Management Board considered the risk of
reputational damage from the St David’s Day announcements made on
constitutional change and agreed that the risk had passed and, as a result of
the preparation work done, the outcome had been good for the reputation of the
Presiding Officer and Assembly. It was agreed that constitutional change did
not need to be on the corporate register at this point.
The security issues had been responded to and
changes made to mitigate the risks, including a programme of vetting and the
Stay Safe video sessions for staff. It was agreed that it was not
currently a corporate risk, although the issue should be reviewed regularly to
consider whether anything had changed.
It was agreed that constitutional change would
nonetheless be an appropriate topic for the Audit and Risk Assurance Committee
to examine, covering the work that had been done to achieve the outcomes in the
St David’s Day announcements and to ensure that everything possible is being
done to prepare for future changes. Anna
Daniel would prepare a brief for this and attend the meeting.
Meeting: 02/02/2015 - Management Board (Item 6)
Corporate Risk update
Supporting documents:
- Restricted enclosure 111
- Restricted enclosure 112
- Restricted enclosure 113
- Restricted enclosure 114
- Restricted enclosure 115
Minutes:
The Board carried out their periodic review of the corporate risk register
including a horizon scan for potential risks. They considered whether Programme
and Project Management should be raised as a corporate risk, but agreed that
there were sufficient controls in place and regular monitoring by Management
Board.
They further considered and agreed that the Telephony project should be raised as a
corporate risk, in respect of there being a definitive deadline to exit the current
contract. Dave Tosh advised that amongst the many controls and mitigations,
discussions are currently underway with the supplier about options for
extending the contract if necessary.
Non Gwilym advised that social media was still a
corporate risk until an appointment was made to the Social Media Manager role,
but this should take place soon.
The Board reviewed the summary chart that plots the
likelihood and impact of each corporate risk and agreed it would be helpful to
revise the format.
Action: Dave Tosh and Kathryn Hughes to consider
alternative formats that would make the information more meaningful and present
with the next update.
Meeting: 06/11/2014 - Management Board (Item 6)
Corporate risk update - Paper 4 and annexes A-D
Supporting documents:
- Restricted enclosure 118
- Restricted enclosure 119
- Restricted enclosure 120
- Restricted enclosure 121
- Restricted enclosure 122
Minutes:
The Board carried out their periodic review of the corporate risk register
including a horizon scan for potential risks. They agreed to remove the risks
around safeguarding children, ICT and the Official Languages scheme, since the
mitigating actions had reduced those risks to manageable levels allowing the
risks to sit at Service level.
The risk around the matter of security was discussed, but it was agreed that
Management Board would consider whether to escalate the risk to corporate level
following the current review. The Board also agreed: to extend the corporate
capacity risk to summer 2015 to allow time for recruitment; to leave the risk
around the use of social media on the register until training on the policy had
been completed; and that Anna Daniel would prepare a risk analysis and consider
all the consequences of the risks around the decisions made by the Remuneration
Board.
The Board considered whether, in future, an assessment of risk should be taken into
account on every decision paper and agreed it might be pertinent to include a
heading in paper templates to ensure it was covered and to provide an audit
trail. Virginia Hawkins would look at appropriate wording.