Meetings

Corporate Risk

This page gives details of any meetings held which will, or did, discuss the matter, and includes links to the relevant Papers, Agendas and Minutes.

Note: Meeting agendas can change at short notice, particularly where future meeting dates are indicated more than a week in advance. Please check before planning to attend a Committee Meeting that the item you are interested in has not been moved.

Meeting: 11/01/2018 - Management Board (Item 9)

Corporate Risk Update

Minutes:

Gareth Watts advised that the corporate risk register would be presented to ACARAC in February and the Board agreed that there was no need for a deep dive review by ACARAC on this occasion.

 


Meeting: 07/12/2017 - Management Board (Item 4)

Corporate Risk

Supporting documents:

  • Restricted enclosure 4
  • Restricted enclosure 5
  • Restricted enclosure 6
  • Restricted enclosure 7
  • Restricted enclosure 8
  • Restricted enclosure 9

Minutes:

Dave Tosh led the Board through the regular review of existing and emerging corporate risks and the updated register, inviting Heads of Service to advise of any new corporate risks flagged by Risk Champions or changes to the register of current risks.

In relation to the existing risk around the Brexit process and implications of leaving the EU, the Constitutional Change Steering Group met on 6 December and outlined the plans of the Brexit Working Group to scenario plan in January, which would feed into the risk register and corporate planning processes.

The Board noted changes to the register following the last review, and discussed two new risks outlined in the form of a Risk on a Page (ROAP). It was recognised that the capacity review ROAP did not specify all the controls in place and Gareth Watts and Kathryn Hughes were looking at whether to provide a more detailed description; however, as a first level record it provided a focussed summary of a risk and mitigations.

The ROAP capturing the risk relating to harassment identified the current work in place or underway, with longer term objectives to follow. Craig Stephenson described the complexities of the work to align all strands under one code, and the impacts on timescale and Assembly business, and these should be reflected in the risk along with how they were being handled. The Board recommended wider communication of the resources available via simple signage around the building.

Management Board agreed that both risks would be added to the corporate register.

The Board discussed the management of the inter-related risks of reform and constitutional change, capacity and financial pressures and noted that the capacity review would assist in providing some answers. ACARAC had been presented with a summary paper to provide them with assurance and the Committee welcomed the paper, being assured by the measures taken to manage such a complex risk profile. The Board agreed the paper provided a useful aide memoire and communication to staff.

ACTIONS:

  • Governance team to review ROAP template;
  • Craig Stephenson to discuss signage with the working group;
  • Anna Daniel to reframe the document on managing inter-related risks to share with staff;
  • Dave Tosh, Gareth Watts and Kathryn Hughes to review the inter-related risks to update and identify what were now issues rather than risks.

 


Meeting: 23/10/2017 - Management Board (Item 5)

Corporate Risk

Supporting documents:

  • Restricted enclosure 12
  • Restricted enclosure 13
  • Restricted enclosure 14
  • Restricted enclosure 15
  • Restricted enclosure 16

Minutes:

Gareth Watts led the Board through the regular review of existing and emerging corporate risks and the updated register. The Board noted that the high level risks identified by the working groups on Assembly reform, Brexit and the Wales Act, and the controls in place to manage them, had been reviewed and considered satisfactory by the Constitutional Change Steering Group. The Board also noted the change to the risk in relation to GDPR preparations.

Management Board agreed to add the risk around accommodation needs to the corporate register and that a ROAP on the Capacity Review be brought to a future meeting.

The Board considered whether the current corporate risks adequately reflected the combined impact of reform and constitutional change, inter-related with capacity and financial pressures. The need to ensure proper understanding on the financial situation within teams was noted.

ACTIONS:

  • Gareth’s team to collate the list of controls already in place within the organisation to manage risk; and
  • Management Board members to use the Board note to staff as a basis to discuss the process for managing risk and the need for effective identification and reporting of risks at all levels of the organisation.

 


Meeting: 18/09/2017 - Management Board (Item 5)

Corporate Risk

Oral Item

Minutes:

Dave Tosh reminded the Board that the start of the new term was an opportunity for corporate risk registers to be updated across the organisation.

New and changing risks should continue to be reported on a Service level, with Service Heads and Risk Champions considering what should be flagged up for the Corporate Risk Register, ahead of a formal Management Board review in October.

ACTION:

  • Management Board asked to review and update their corporate risk registers ahead of formal consideration at the 23 October Management Board meeting.

 


Meeting: 20/07/2017 - Management Board (Item 8)

Corporate Risk

Supporting documents:

  • Restricted enclosure 21
  • Restricted enclosure 22
  • Restricted enclosure 23

Minutes:

Management Board undertook its regular review of the corporate risk register, which had been updated to reflect the current status of risks.

At its meeting in June, ACARAC had reviewed the summary risk register noting the movement in risks, also receiving an update on the ongoing discussions at Management Board on the combined impact of the risks being faced. Additionally, they had carried out a critical examination of the organisation’s preparedness for the General Data Protection Regulation due to come into force in May 2018. ACARAC were satisfied with the action plan, commenting that it was well advanced compared to other organisations.

The Board agreed the changes and the recommendations proposed.

 


Meeting: 25/05/2017 - Management Board (Item 5)

Corporate Risk

Supporting documents:

  • Restricted enclosure 26
  • Restricted enclosure 27
  • Restricted enclosure 28
  • Restricted enclosure 29

Minutes:

Management Board considered the current and emerging risks at corporate level, their status and the inter-related nature of the risks to delivery of the strategic priorities, constitutional change and reform.

The Board identified a number of emerging risks, including the current consultation on the renaming of the Assembly; the development of a Youth Parliament; planned future accommodation projects; and the financial pressure on budgets in delivering projects and strategies in a timely way.

The Board agreed:

  • that the corporate capacity risk be changed back to an active risk; and the residual rating of the risk around the process of leaving the EU be changed to medium to reflect where it was currently impossible to put mitigation plans in place;
  • to update the risk around financial pressures and review options at a later date;
  • the risks relating to security should be kept under close review with a note to staff to assure them of such. Staff with particular concerns should speak with the Head of Security;
  • a note would be prepared for staff as guidance for the way to refer to the Assembly until any change following the consultation was formally implemented.

 


Meeting: 02/03/2017 - Management Board (Item 6)

Corporate Risk

Supporting documents:

  • Restricted enclosure 32
  • Restricted enclosure 33
  • Restricted enclosure 34
  • Restricted enclosure 35
  • Restricted enclosure 36
  • Restricted enclosure 37
  • Restricted enclosure 38
  • Restricted enclosure 39

Minutes:

Dave introduced the Corporate Risks paper, informing the Board that it was an opportunity for them to review the Assembly’s existing and emerging corporate risks.

The Board agreed the recommendations to:

  • add the personal security and safety risk to the Corporate Risk Register;
  • continue to monitor the personnel security risk at service level;
  • add the General Data and Protection Regulation risk to the Corporate Risk Register, with a target duration of until May 2018;
  • continue to monitor the Members’ awareness of Safeguarding of children risk at service level, with a decision to be taken at a future date as to which service should own the risk; and
  • further to consideration by ACARAC, that the Assembly’s current and future accommodation needs risk be added to the Corporate Risk Register.

The Board also noted the following new or emerging risks:

  • Establishment of a Youth Parliament. Non informed the Board that the Youth Parliament working group have considered the risks associated with the project and will be doing so again at its next meeting;
  • the lack of strategic and co-ordinated interactions with the media, which had been added to the service level register.

The Board discussed adding a new risk to the Corporate Risk Register regarding constitutional change. The intention would be for this to encapsulate a collection of similar risks associated with the changes taking place, to provide the Board with the overall oversight required.

ACTIONS:

  • Dave to work with Adrian, Anna and Non, to draft a detailed note and circulate for wider discussion.

 


Meeting: 02/02/2017 - Management Board (Item 6)

Corporate Risk Update

Supporting documents:

  • Restricted enclosure 42
  • Restricted enclosure 43
  • Restricted enclosure 44
  • Restricted enclosure 45
  • Restricted enclosure 46
  • Restricted enclosure 47
  • Restricted enclosure 48

Minutes:

Management Board reviewed the Assembly’s existing and emerging corporate risks. The risk register reflected the current status of risks and the changes agreed at the 12 December 2016 meeting. These were agreed but an update was requested on designation of the estate in terms of security.

The Board agreed the recommendations to:

  • leave the risk around changing the name of the Assembly on the corporate register, but incorporating being proactive about encouraging those who were positive about the changes to have their voices heard;
  • add Cyber threats to the corporate register;
  • add reputational risks around financial pressures to the corporate register but reworded to be broader than the reform programme;
  • remove risk on Wales Bill “settlement” from the corporate register and manage risks at service level;
  • add accommodation proposals to the corporate register. This would also be receiving a critical examination at the Audit and Risk Assurance Committee on 6 February.

 


Meeting: 12/12/2016 - Management Board (Item 4)

Corporate Risk

Supporting documents:

  • Restricted enclosure 51
  • Restricted enclosure 52
  • Restricted enclosure 53
  • Restricted enclosure 54
  • Restricted enclosure 55

Minutes:

Management Board considered the current and emerging risks at corporate level and agreed recommendations to reclassify the bilingual capacity risk so it was managed at service level along with the existing service level risk relating to compliance with the Official Languages Scheme. It was also agreed to change the status of two corporate risks to static risks, for capacity and security of the estate. The changes were due to the controls being robust, effective and regularly reviewed. It was agreed that new risks would be created to monitor two other specified areas of security. 

The Board identified a number of emerging risks relating to pressures arising from future constitutional reforms, including: the current consultation on the renaming of the Assembly, noting over 900 responses had been received so far; the development of a Youth Parliament; planned future accommodation projects; and the financial pressure on budgets in delivering projects and strategies in a timely way.

ACTIONS: Dave Tosh and Nia Morgan to agree a form of words for a risk relating to financial constraints.

Non Gwilym, Anna Daniel and Lowri Williams to prepare a plan for when risks may emerge around the capacity of the estate and future accommodation needs, and liaise in relation to communications.

It was agreed that the risk relating to decisions of the Remuneration Board could be removed from the register and that Management Board would revisit the risks around provision of guidance on the safeguarding of children and young people at the next review of corporate risks.

 

 


Meeting: 14/07/2016 - Management Board (Item 5)

Corporate Risk

Supporting documents:

  • Restricted enclosure 58
  • Restricted enclosure 59
  • Restricted enclosure 60
  • Restricted enclosure 61

Minutes:

Management Board considered the current and emerging risks at corporate level and, in particular, the impact on the organisation of the new Commission strategy and the emerging risks around the EU referendum result. Although there were many uncertainties around the effect of the result and the organisation was doing well on mitigation, thinking ahead, being prepared and having the Commission committed to resources, it would be prudent to include it as a corporate risk. The Board agreed it was necessary to have a focussed discussion on potential risks, with a view to avoiding having it remain on the register long term. It was agreed that Anna Daniel would take the lead on assessing risks around the implications of the referendum result.

The Board were asked to consider recommendations for removing four risks from the corporate risk register given the effective management, cessation or mitigation of the risks and, if so, whether they should be monitored at service level. The Board agreed all four recommendations.

Additionally, some changes to the register to reflect the current status of risks were noted. Dave Tosh agreed to review the wording of the risk relating to terrorist/weapons attack following recent events (Ref: Sec009).

The Board considered the risk relating to decisions of the Remuneration Board, which was being well managed and agreed to consider it again at the next review. They also discussed the risk relating to senior management changes.


Meeting: 20/06/2016 - Management Board (Item 7)

Risk Assessment Form - Senior Management Changes

Supporting documents:

  • Restricted enclosure 64

Minutes:

The Board agreed to dedicate the meeting to the discussion of absence management, so the other items were postponed until the July meeting agenda.

 


Meeting: 14/04/2016 - Management Board (Item 9)

Corporate Risk

Supporting documents:

  • Restricted enclosure 67
  • Restricted enclosure 68
  • Restricted enclosure 69
  • Restricted enclosure 70
  • Restricted enclosure 71
  • Restricted enclosure 72

Minutes:

The current corporate risk register and dashboard were reviewed and it was agreed that good progress had been made with the identification and active management of corporate risks.

Chris Warner would provide a ‘risk on a page’ (ROAP) on safeguarding for the Board to consider at its next review of risk.

The Board discussed risks around the EU referendum and guidance was currently being prepared for staff and Members as a matter of priority. The ROAP was agreed.

The transition to the Fifth Assembly was imminent and there were areas of concern around delivery of responsibilities. Heads were asked to address these in their areas if and where flagged.

The Financial management ROAP was agreed with a few additions.


Meeting: 07/03/2016 - Management Board (Item 6)

Corporate Risks

Supporting documents:

  • Restricted enclosure 75
  • Restricted enclosure 76
  • Restricted enclosure 77
  • Restricted enclosure 78
  • Restricted enclosure 79

Minutes:

Management Board considered the current and emerging risks at corporate level and noted progress against mitigation and current status of each risk.

Following the review of the Corporate Capacity risk at Board and ACARAC, the risk description was updated to reflect the feedback.

The Board considered whether the risks around the transition to the Fifth Assembly should be managed as a corporate risk and agreed that they were being managed proactively within each strand and should continue there.

In relation to the Voluntary Exit Scheme ‘Risk on a page’ report, Non Gwilym advised that the media manager would review the lines to take.

The Bilingual capacity risk would be updated to reflect risks around potential changes in requirements in the Fifth Assembly.

The matter of sickness absence was raised and it was agreed that the Board would discuss this in more detail at a future meeting. The safeguarding of children and vulnerable adults was also raised in relation to the preparations needed to mitigate the risks around high turnover of Members during transition to the Fifth Assembly.

 


Meeting: 25/01/2016 - Management Board (Item 9)

Corporate Risks

Supporting documents:

  • Restricted enclosure 82
  • Restricted enclosure 83
  • Restricted enclosure 84
  • Restricted enclosure 85

Minutes:

Management Board considered the current and emerging risks at corporate level and noted key updates. The Board were advised that the Audit and Risk Assurance Committee would be reviewing how the risk around corporate capacity is managed at its next meeting in February.

Dave Tosh presented a risk occurrence report regarding changed arrangements to security vetting and advised that discussions were taking place with South Wales Police regarding future provision.

It was agreed that short term risks in relation to the exit scheme should be added to the register.

Actions:

Dave Tosh and Sulafa Thomas to identify whether there are risks relating to the transition to the Fifth Assembly that should be added to the corporate register.

Heads of service to ensure that risk management processes in their areas are being followed appropriately.

 


Meeting: 05/10/2015 - Management Board (Item 9)

Corporate Risk Update

MB 12-15 Paper 6 – Corporate Risk – cover paper

MB 12-15 Paper 6 – Corporate Risk Summary

Supporting documents:

  • Restricted enclosure 88
  • Restricted enclosure 89

Minutes:

Management Board reviewed the register of corporate risks that had been revised following a previous Board meeting where a full review of risks had been undertaken.

It was agreed that Gareth Watts would discuss again with risk owners the scope and intention of their risks and consider whether the wording effectively reflected that.

 


Meeting: 06/07/2015 - Management Board (Item 4)

Corporate Risk

Supporting documents:

  • Restricted enclosure 92
  • Restricted enclosure 93

Minutes:

The Management Board had agreed to hold an extended discussion on the management of corporate risk to take a comprehensive view of all existing risks, determine which should remain and which could be closed, together with a forward look at potential risks arising up to the end of the Fourth Assembly and beyond.

The Board agreed several changes to the register:

  • That the residual rating for the risk around corporate capacity should be raised to ‘high’, as capacity pressures along with financial constraints would continue to grow;
  • Transition to Fifth Assembly - Adrian Crompton and Sulafa Thomas to review risk and consider elements beyond our control;
  • Anna Daniel and Kathryn Hughes to adjust the Constitutional Change risk;
  • Anna Daniel and Non Gwilym to consider the risk around negative perceptions of the Assembly;
  • Physical security - risk to be adjusted to include protection from terrorist attacks.

The risk around information security was removed from the corporate register and changed to a service risk, and Dave Tosh agreed to look into a data protection query raised.

The Board agreed to remove a number of risks that had either been delivered or work had been done to mitigate the risks.

 


Meeting: 01/06/2015 - Management Board (Item 6)

Corporate Risk update

Supporting documents:

  • Restricted enclosure 96
  • Restricted enclosure 97
  • Restricted enclosure 98
  • Restricted enclosure 99
  • Restricted enclosure 100
  • Restricted enclosure 101

Minutes:

The Board carried out their periodic review of the Corporate Risk Register and whether there were any emerging risks of corporate significance.

The Board agreed to remove the Business Continuity risk, following further progress and the successful continuity exercise undertaken in April. The risks would continue to be managed through the Business Continuity Management System.

It was also agreed to remove the risk around the use of social media due to the controls put in place. This risk would be managed at service level.

The Board also considered the ‘static’ risks (those that were always facing the Assembly but require a longer term focus). It was noted that the Board needed to ensure the static risks and issues had sufficient prominence.

Actions: It was agreed that when corporate risk was discussed next, it would be placed first on the agenda to allow for a full review, with a focus on where risks should be managed and which classified as issues.

 


Meeting: 23/03/2015 - Management Board (Item 6)

Corporate Risk update - Paper 3 and Annexes

Supporting documents:

  • Restricted enclosure 104
  • Restricted enclosure 105
  • Restricted enclosure 106
  • Restricted enclosure 107
  • Restricted enclosure 108

Minutes:

The Board carried out their periodic review of the Corporate Risk Register and whether there were any emerging risks of corporate significance.

The Audit and Risk Assurance Committee would be looking at the risk around constitutional change at its meeting on 20 April. Also, given the current threat level, the Committee questioned whether security risks should be managed at a corporate level and would be considering this further at its 8 June meeting.

Management Board considered the risk of reputational damage from the St David’s Day announcements made on constitutional change and agreed that the risk had passed and, as a result of the preparation work done, the outcome had been good for the reputation of the Presiding Officer and Assembly. It was agreed that constitutional change did not need to be on the corporate register at this point.

The security issues had been responded to and changes made to mitigate the risks, including a programme of vetting and the Stay Safe video sessions for staff. It was agreed that it was not currently a corporate risk, although the issue should be reviewed regularly to consider whether anything had changed.

It was agreed that constitutional change would nonetheless be an appropriate topic for the Audit and Risk Assurance Committee to examine, covering the work that had been done to achieve the outcomes in the St David’s Day announcements and to ensure that everything possible is being done to prepare for future changes. Anna Daniel would prepare a brief for this and attend the meeting.

 


Meeting: 02/02/2015 - Management Board (Item 6)

Corporate Risk update

Supporting documents:

  • Restricted enclosure 111
  • Restricted enclosure 112
  • Restricted enclosure 113
  • Restricted enclosure 114
  • Restricted enclosure 115

Minutes:

The Board carried out their periodic review of the corporate risk register including a horizon scan for potential risks. They considered whether Programme and Project Management should be raised as a corporate risk, but agreed that there were sufficient controls in place and regular monitoring by Management Board.

They further considered and agreed that the Telephony project should be raised as a corporate risk, in respect of there being a definitive deadline to exit the current contract. Dave Tosh advised that amongst the many controls and mitigations, discussions are currently underway with the supplier about options for extending the contract if necessary.

Non Gwilym advised that social media was still a corporate risk until an appointment was made to the Social Media Manager role, but this should take place soon.

The Board reviewed the summary chart that plots the likelihood and impact of each corporate risk and agreed it would be helpful to revise the format.

Action: Dave Tosh and Kathryn Hughes to consider alternative formats that would make the information more meaningful and present with the next update.

 


Meeting: 06/11/2014 - Management Board (Item 6)

Corporate risk update - Paper 4 and annexes A-D

Supporting documents:

  • Restricted enclosure 118
  • Restricted enclosure 119
  • Restricted enclosure 120
  • Restricted enclosure 121
  • Restricted enclosure 122

Minutes:

The Board carried out their periodic review of the corporate risk register including a horizon scan for potential risks. They agreed to remove the risks around safeguarding children, ICT and the Official Languages scheme, since the mitigating actions had reduced those risks to manageable levels allowing the risks to sit at Service level.

 

The risk around the matter of security was discussed, but it was agreed that Management Board would consider whether to escalate the risk to corporate level following the current review. The Board also agreed: to extend the corporate capacity risk to summer 2015 to allow time for recruitment; to leave the risk around the use of social media on the register until training on the policy had been completed; and that Anna Daniel would prepare a risk analysis and consider all the consequences of the risks around the decisions made by the Remuneration Board.

 

The Board considered whether, in future, an assessment of risk should be taken into account on every decision paper and agreed it might be pertinent to include a heading in paper templates to ensure it was covered and to provide an audit trail. Virginia Hawkins would look at appropriate wording.