Meetings

ACARAC (01-20) Paper 10 – Corporate Risk

ACARAC (01-20) Paper 10 – Annex A -  Summary Corporate Risk Register

ACARAC (01-20) Paper 10 – Annex B – Corporate Risks plotted

10.1     The Committee received an update from Dave on the status of the Commission’s Corporate Risks and were invited to comment.

10.2     The Committee noted that, despite lack of movement in the risk ratings, there was continued effort going into managing the risks, some of which the Commission had little or no influence over. Dave provided assurance that the risks were regularly monitored at appropriate levels.

10.3     The Committee welcomed progress on mitigation actions to strengthen controls where possible, including the appointment of a Safeguarding Officer.

10.4     It was agreed that the wording of the Brexit risk would be reviewed and that consideration would be given to assessing the risks around the UK constitutional landscape post-EU exit.

10.5     The Committee discussed ways in which the Commission were planning to respond to the changing wider constitutional landscape, particularly in terms of engagement work. Manon indicated that Executive Board had held Sixth Assembly planning sessions that looked at various potential scenarios and their ramifications. In addition, Commission staff had been invited to take part in a number of staff sessions looking at how the organisation might need to respond to those different scenarios should they be realised.

10.6     The Chair suggested that further discussions over the Committee’s role in the continued monitoring of these constitutional risks be discussed at a future horizon scanning session.

Action: (10.5) Share outcomes of discussions on the strategy for the Sixth Assembly.

ACARAC (03-19) Paper 10 – Corporate Risks

ACARAC (03-19) Paper 10 – Annex A -  Summary Corporate Risk Register

ACARAC (03-19) Paper 10 – Annex B – Corporate Risks plotted

9.1        Gareth Watts presented the paper which outlined movements on the Commission’s Corporate Risk Register and invited the Committee members to comment.

9.2        Committee members sought clarity on the actions being taken to mitigate the risks around compliance with GDPR and DPO issues. Gareth explained that whilst the current arrangement for cover by the Public Service Ombudsman’s office was to end shortly, steps were being taken to secure further resources. He also outlined progress on mitigation through the launch of a series of awareness raising videos produced for Commission staff.

9.3        The Committee were informed that, whilst the safeguarding risks in relation to the Youth Parliament were being successfully mitigated, the wider risks around safeguarding across Commission services were being assessed.

9.4        There was a discussion around capacity and resources to deliver on the Commission’s goals whilst not increasing the staffing budgets. It was noted that the risks around capacity would continue to be closely monitored.

9.5        In terms of the risks around pressures on accommodation, Dave explained that the issue of capacity had been an historic one, but with an increase in the number of Assembly Members looking unlikely to occur during the fifth or sixth Assemblies, the immediate pressure to increase accommodation capacity had diminished. He assured the Committee that the risk would continue to be carefully monitored.

ACARAC (02-19) Paper 12 – Brexit Corporate Risks

9.1        The Chair welcomed Kathryn Potter and Carys Evans to the meeting. The Committee appreciated the continued uncertainty around Brexit but welcomed the information presented. 

9.2        Kathryn, Carys and Siwan responded to questions raised by the Committee which focused on how the work was being resourced, the implications to the Assembly’s Standing Orders and the role of the scrutiny committees. 

9.3        The Committee were encouraged by the Commission’s approach to managing this complex area and the resilience in deploying resources from other service areas.  They also welcomed the use of academics and the knowledge that staff were gaining from these experts.

9.4        An overview of the work being undertaken to consider the corporate impact of Brexit was also provided by Gareth Watts and Dave Tosh.  They summarised the key areas of procurement and supply chains, HR and ICT considerations and outlined the work that had been done to date.

9.5        The Committee agreed to return to Brexit risks as a substantive item at a future meeting.   

Actions

–      (9.2) Siwan to update the Brexit corporate risk with latest details around capacity and resources following consideration by the Assembly Commission.

–      (9.4) Clerking team to add Brexit to the FWP as a substantive item to be discussed when appropriate.

ACARAC (02-19) Paper 11 – Corporate Risk

ACARAC (02-19) Paper 11 – Annex A – Summary Corporate Risk Register

ACARAC (02-19) Paper 11 – Annex B – Summary Corporate Risks plotted

8.1        The Committee noted changes to the Corporate Risk Register.  They were pleased with the progress made in terms of Youth Parliament but agreed with Dave that the safeguarding element and GDPR compliance were long term risks that would need to be monitored on a regular basis.

ACARAC (01-19) Paper 10 – Dignity and Respect risk

8.1        The Chair welcomed Craig Stephenson to the meeting. The Committee noted the progress made as a result of reviewing the dignity and respect arrangements, as presented in the paper.

8.2        Craig advised that a mystery shopper exercise, which was one of the recommendations in a report by the Assembly’s Standards of Conduct Committee (SCC), had been carried out. The results of this exercise were being used to inform further improvements and a formal report on implementing the recommendations made to the Assembly Commission would be presented to the SCC in April. Further reports around complaints procedures and the Code of Conduct for Assembly Members, due to be published in the summer, would also be considered. The Dignity and Respect Survey would also be repeated annually.

8.3        Craig also clarified that hyperlinks to political party procedures would only be included after they had been reviewed by the SCC.

8.4        The Committee asked if there had been any lessons for the Assembly from the collapse of a Scottish Parliament enquiry and how we would measure whether enough was being done collectively to address the issues. Craig described how the SCC was working with other administrations when reviewing complaints procedures. Manon added that dignity and respect had also been discussed in detail at a recent Quadrilateral meeting of Speakers and Clerks from the UK Parliaments. Regular reviews and surveys would be carried out to make sure the results of the reviews were embedded in the culture of the organisation and messages would be reinforced through learning pathways, leadership training and regular dissemination of messages.

ACARAC (01-19) Paper 9 – Corporate Risk

ACARAC (01-19) Paper 9 – Annex A – Summary Corporate Risk Register

ACARAC (01-19) Paper 9 – Annex B – Summary Corporate Risks plotted

7.1     The Committee noted changes to the Corporate Risk Register following the Executive Board’s review in January. In response to questions from the Chair, the Committee noted the following details.

7.2     The Welsh Government had drafted a business case to address future accommodation needs which was being considered by Ministers. Short-term pressure on space remains a risk as this was not likely to be resolved before 2024. Dave also advised that discussions were ongoing with the new owners of Tŷ Hywel about the lease.

7.3     The risk around safeguarding for the Welsh Youth Parliament (WYP) was reducing as mitigating controls, based on external advice, were now in place. Craig agreed to take account of a comment around inability to make direct contact with the WYP members. Other risks in relation to the WYP which were being considered included those around taking forward actions as a result of its deliberations.

7.4     Turnover rates were partly attributable to recruitment campaigns at the Welsh Government which provided continuity around terms and conditions and pensions for staff. Whilst the turnover figures were not yet a cause for concern it was noted that this had resulted in some loss of skills.

7.5     In terms of Brexit it was noted that demands on legal resources were presenting a challenge both for the Assembly and the Welsh Government.

7.6     Strategies for engagement around the Assembly reform work were a key priority and this was due to be considered by the Commission’s Remuneration, Engagement and Workforce Committee.

7.7     The Committee noted that the number of significant risks was in part due to the inability to substantially influence or control their impact, and that they were being mitigated as much as possible with the resources available.

ACARAC (01-19) Paper 8 – Issue Management

6.1     In response to questions from the Chair, Dave advised that the Risk Management System would be ready to capture issues by the end of April and that the corporate issue spreadsheet, as presented in the paper, was to be populated in the meantime. He also explained that, although he had confidence in the escalation of issues at a service and project level, this work would introduce consistency and facilitate more timely reporting. The Chair asked for an update at a future meeting.

Actions

–       (6.1) Issues element of the Risk Management System to be developed by the end of April.

–       (6.1) Clerking team to add issue reporting to the forward work programme for a future meeting. 

ACARAC (05-18) Paper 11 – Corporate Risk

ACARAC (05-18) Paper 11 – Annex A – Summary Corporate Risk Register

ACARAC (05-18) Paper 11 – Annex B – Summary Corporate Risks plotted

3      

4      

5      

6      

7      

8      

9      

10      

11      

11.1     Dave highlighted changes to the Corporate Risk Register following the Executive Board’s review in October.  The Youth Parliament safeguarding risk  had recently been proposed as a corporate risk, and the project team had engaged the NSPCC to provide external assurance of the draft induction manual.

11.2    There had been delays in securing staff DBS clearances, but the project had now focused applications on a priority basis and DBS checks for all staff working directly with young people will be conducted in December and January. The Assembly had accepted that the critical rating of this risk would remain unchanged due to the nature of the work involved. 

11.3    The previous Dignity and Respect risk had been replaced by a new risk focussed on the potential loss of confidence in the Dignity and Respect regime, and a series of actions are underway to improve and embed the desired Dignity and Respect culture.  The Committee thanked Dave and Manon for this update and requested that the new Dignity and Respect risk (CAMS-R-95) be critically examined in February.

Action

–      Clerking team to arrange for a critical examination of the Dignity and Respect risk at the February meeting. 

Oral update on inter-related risks around Assembly reform

3      

4      

5      

6      

7      

8      

9      

10      

11      

12      

12.1     The Chair welcomed Anna Daniel and Matthew Richards to update the Committee on the work being undertaken as part of the Assembly reform programme.  Their focus had been on stakeholder engagement and scenario planning for additional Assembly Members.  Anna described their approach as being agile to ensure that they could react to unforeseen incidents. 

12.2     Whilst welcoming the associated public consultation, the Committee noted that there was a relatively low response rate of 1830, and that this would require ongoing scrutiny.  They thanked both Anna and Matthew for the comprehensive update and would welcome further updates in future. 

Oral update on CAMS32 (Dignity and Respect policies and procedures)

3      

4      

5      

6      

7      

8      

9      

9.1     Craig updated the Committee on the management of risks around the Commission’s and the Assembly’s Dignity and Respect policies and procedures. A report based on an anonymised Dignity and Respect Survey was due to be published on 19 June which was expected to attract some media attention. 

9.2     The Standards of Conduct Committee was yet to provide its recommendations on an enquiry into political party policies and procedures which would help inform future policy. The Secretariat would continue to update the Committee when appropriate. 

9.3     The Committee concluded that they believed the Commission had responded honestly, positively and promptly to the issues that had arisen, and recognised the importance of the work in train to evidence its commitment to providing an open and inclusive culture that is free from bullying, harassment and discrimination.  

ACARAC (03-18) Paper 10 - Corporate Risks

 ACARAC (03-18) Paper 10 – Annex A - Corporate Risks Summary Report

 ACARAC (03-18) Paper 10 – Annex B - Corporate Risks plotted

3      

4      

5      

6      

7      

8      

8.1     Dave introduced this item as an interim update pending a full review of corporate risks by the Executive Board in July. 

8.2     Nia hoped to remove FS3 (increased financial pressure due to uncertainty around sufficient future resources) by July but discussions were ongoing with the Finance Committee and the Commission about future funding due to changes in the treatment of the Remuneration Board’s Determination underspend. 

ACARAC (02-18) Paper 6 – Corporate Risks

ACARAC (02-18) Paper 6 – Annex A – Corporate Risks Summary Report

ACARAC (02-18) Paper 6 – Annex B – Corporate Risks plotted

6         

7         

8         

8.1        Dave informed the Committee that it was now the responsibility of the Executive Board to review the Commission's Corporate Risk Register and that individual corporate risks were now owned by Directors. Directors would commission and challenge the quarterly risk reports from their Heads of Service, which would feed into discussions at Executive Board meetings.

8.2              The Committee noted the changes and movements highlighted in the paper and discussed the ratings of the Corporate Risks and adequacy of the controls. Regarding the Capacity Review risk, more quantitative data, including benchmarking with other legislatures, would be gathered to inform decisions by the Steering Group in phase two of the review.

8.3              The Committee highlighted the number of ‘red’ rated risks, particularly compared with a year ago, but accepted this was appropriate given the impact of, and limited control the Commission had over risks including GDPR for Assembly Members and Brexit. Dave confirmed that all risks were regularly reviewed and that the scenario planning sessions on Brexit and Assembly Reform helped ensure the Commission was as informed and prepared as possible with the resources available.

12.0   See above.

ACARAC (05-17) Paper 14 – Corporate Risks

ACARAC (05-17) Paper 14 – Annex A - Corporate Risks Summary Report

ACARAC (05-17) Paper 14 – Annex B - Corporate Risks plotted

Item 12 – Critical examination of one identified or emerging risk

ACARAC (05-17) Paper 15 – Managing the Commission’s Inter-related Corporate Risks

ACARAC (05-17) Paper 15 – Annex A - inter-related risks and common mitigation

3      

4      

5      

6      

7      

8      

9      

10      

11      

11.1     The Committee welcomed Anna Daniel, who had been involved in the drafting of the paper on the inter-related risks.

11.2     The Committee noted the current status of the Commission’s corporate risks and analysis of how the combined impact of the inter-related risks were being managed.  Dave described how the Capacity Review work was driving the focus of the inter-related risks.  He also explained that, despite the strength of the controls in place, the impact ratings on most of the risks remained high and a number of events were beyond the Commission’s control, for example Assembly reform and Brexit.

11.3    Anna described the scenario planning for Brexit and the training scheduled for Assembly Members and AMSS prior to the new powers under the Wales Act coming into force in April 2018.

11.4    The Chair welcomed this level of analysis which he had rarely seen elsewhere, and appreciated the complexity of the risk landscape and the limited control the organisation had in some areas.

ACARAC (03-17) Paper 15 – GDPR Risk  

8     

9     

10     

11     

12     

13     

14     

14.1    The Committee welcomed Alison Bond to the meeting and informed her that the detailed action plan demonstrated that the Commission’s preparations were more advanced than in other organisations. 

14.2    Alison shared with the Committee her high level short and long term actions, explaining how these were mitigating the risk of not being prepared for the new Regulation as far as possible in advance of guidance which was due to be produced by the ICO in the autumn.  She also explained how the working group would identify further risks and issues, and test new processes in advance of GDPR coming into force in May 2018.

14.3    Although the advisory audit report was positive, she asked Committee members to consider and share details of any contacts from other organisations, with whom she could engage.     

Action

-         ACARAC members to share relevant GDPR contacts with the Information Governance Manager.

ACARAC (03-17) Paper 14 - Corporate Risks

ACARAC (03-17) Paper 14 – Annex A - Corporate Risks Summary Report ACARAC (03-17) Paper 14 – Annex B - Corporate Risks plotted Corporate Risks Report

8     

9     

10     

11     

12     

13     

13.1    Dave informed the Committee that the Management Board had reviewed the register on 25 May, and risk owners had reviewed their risks again ahead of this paper being presented to the Committee.  The Committee were asked to note the changes to the register.

13.2    Dave reported that discussions were ongoing between relevant Management Board members to ensure a co-ordinated and strategic approach to the cumulative impact of constitutional and other corporate risks.  This approach was proving beneficial and responses to the risks would be discussed further at a forthcoming Management Board away day.  The Committee welcomed the documentation of the inter-related risks at Annex C of the paper. 

13.3    The Committee thanked officials for presenting details of their review and updates to the corporate risks register and noted the elevated severity of the Cyber Threat and Brexit risks.  They also suggested re-wording the cyber security risk.   

Action

-         Dave to consider re-wording risk around cyber security (ICT16).

ACARAC (02-17) Paper 14 – Corporate Risks

ACARAC (02-17) Paper 14 – Annex A – Corporate Risks Summary Report

ACARAC (02-1\7) Paper 14 – Annex B – Corporate Risks plotted

13     

14     

14.1    The Commission’s Corporate Risk Register had been thoroughly reviewed by the Management Board at meetings in February and March, which had resulted in a number of new risks being added. The Chair commended the due diligence applied to identifying, capturing and closely monitoring the most significant risks facing the Commission.

14.2    Discussions around the wider change agenda, including communication and engagement in relation to all of the corporate changes (constitutional and electoral reform, wider engagement and Brexit) were ongoing between relevant Management Board members to ensure a strategic and co-ordinated approach. 

ACARAC (02-17) Paper 15– Constitutional Change Risks 

13     

14     

15     

15.1    Anna and Adrian were present for this item. Discussions focused on the challenges regarding the public perception of corporate and constitutional changes. 

15.2    Committee members welcomed the clear explanation of such a complex area, the analysis of the individual risks and the on-going discussions around the interdependency and combined impact of these.      

9.0     Item 10 - Critical examination of one identified risk – Proposals to investigate additional accommodation 

ACARAC (01-17) Paper 11 – Additional Accommodation 

9.1        Dave led a discussion on the on-going work around assessing the Assembly’s current and future accommodation needs, the timescales involved and the specialist advisors who have been involved in the various options being considered.

9.2        The Committee urged officials to fully document and evidence the steps taken to determine the additional accommodation needs and the potential options for the future, in order to reassure stakeholders.   

9.0        Item 9 - Corporate Risks Report

ACARAC (05-16) Paper 13 - Corporate Risks

ACARAC (05-16) Paper 13 – Annex A - Corporate Risks Summary Report

ACARAC (05-16) Paper 13 – Annex B - Corporate Risks plotted

9.1        The Committee felt that the management of risks in the organisation was strong. In response to comments about the lack of movement on the risk ratings, Dave advised that the risks were being continually monitored and that the Management Board would review the corporate risk register in full in December.

9.2        Officials responded as follows to a number of specific questions from Committee members:

·                     Dave assured the Committee that strict controlled access would be in place for contractors working on the ground floor refurbishment.  

·                     Dave and Adrian Crompton confirmed that the risk around corporate capacity was regularly reviewed by the Management Board. 

·                     Adrian provided assurance on the preparations being carried out to mitigate the risks around leaving the EU as far as possible at this stage.  Practical steps included the restructuring of support for Assembly committees to accommodate the new External Affairs and Additional Legislation Committee and the establishment of a Constitutional Change Group, made up of senior officials who were meeting on a monthly basis.  The risk would be continually monitored to take account of developments.

9.3        The Committee endorsed the approach of documenting such risks to provide clarity and transparency on their management.

16.0     Revised Risk Management Policy

ACARAC (05-16) Paper 20 – Risk Management Documentation – Cover Paper

ACARAC (05-16) Paper 20 – Part 1 Risk Management Policy

ACARAC (05-16) Paper 20 – Part 2 Risk Management Process

16.1    The Committee was pleased with the comprehensive Risk Management Policy and Process documents and that arrangements for risks and issues were captured in one document.  The Committee suggested that templates included as annexes were populated with examples.  

ACARAC (03-16) Paper 9 – Corporate Bilingual Capacity

10.1    Craig Stephenson introduced his paper which invited the Committee to provide their views on the management of the risk on corporate bilingual capacity.

10.2    Craig described the advancements of Machine Translation and the on-going commitment from Microsoft to continuously increase the translation vocabulary.  Well established links with other public sector bodies meant that they were also feeding text into the system, which would further increase the accuracy of the translation and therefore people’s confidence in using the facility.

10.3    He also described improvements implemented since the launch of the Official Languages Scheme in 2013, such as the provision of bilingual briefings for Assembly Committees and the flexible approach adopted by the multi-skilled Translation and Reporting Service.  Positive feedback had also been received on the use of integrated clerking teams. 

10.4    Feedback from Members and the results of the forthcoming language preference exercise would further inform plans and the capacity needed to provide bespoke services in the language of choice.  

10.5    The Committee thanked Craig for the informative discussion and wished him well in taking this forward.  

ACARAC (03-16) Paper 8 - Corporate Risks

ACARAC (03-16) Paper 8 – Annex A - Corporate Risks Summary Report

ACARAC (03-16) Paper 8 – Annex B - Corporate Risks plotted

9.1     The Committee welcomed the report and the planned review of risks at the Management Board in July, which would take into account the new Assembly Commission’s priorities and objectives.

9.2     Claire outlined the scope and scale of the Commission’s current exposure to risks.  She emphasised the effort that went into managing the risks in order to maintain such high standards and quality of delivery.  The Committee agreed that this was particularly important at the start of a new Assembly in terms of building and maintaining credibility and trust of the Llywydd, Commissioners and Assembly Members. 

Actions

-        Kathryn Hughes to ensure risks around replacing the Finance system alongside recruitment of a new Finance Director were adequately captured.

-        Dave Tosh to provide details to the Committee on the approved option and timescale for the CCTV project.  

ACARAC (32) Paper 18 - Financial Management Risk

ACARAC (32) Paper 18 - Annex A - ROAP for Financial Management Risk

17.1     Dave introduced the examination of the risk on Financial Management.  This was a critical time for the organisation with the finalisation of the annual accounts, presenting the budget strategy to the new Commission, and the finance system replacement project, but he assured the Committee that a skilled team and robust support were in place.

ACARAC (32) Paper 17 - Corporate Risks

ACARAC (32) Paper 17 – Annex A - Corporate Risks Summary Report

ACARAC (32) Paper 17 – Annex B - Corporate Risks plotted

16.1     The Committee welcomed the report and noted two new risks that had been added since the February meeting.  The Chair also commented on the maturity of Corporate Risk Register review process, whereby risk severities are regularly reviewed and risks added and removed as appropriate. 

16.2     Officials agreed with the Committee’s suggestion that the combined impact of imminent changes at a senior level was potentially significant. The next year would see the departure of the Commission’s Chief Executive and Clerk, the appointment of a new Permanent Secretary, Presiding Officer and Commissioners, and the potential for other senior level changes.  It was agreed that the Risk Manager would review whether an appropriate risk should be added to the Commission’s Corporate Risk Register. 

16.3     It was also agreed to further assess the risk of implementing a replacement finance system whilst recruiting a new Finance Director.

16.4     In response to comments from Committee members that risk severities were largely unchanged, Kathryn explained that the impact or likelihood of the risks might have changed but not the overall risk severity rating.  She planned to add these to future reports. 

Action

-        Kathryn Hughes to facilitate consideration of whether a new corporate risk was needed to reflect the potential impact of significant changes at a senior level.

-        Kathryn Hughes and Nia Morgan to revisit the combined risks of implementing a replacement finance system whilst recruiting a new Finance Director.

ACARAC (31) Paper 18 – Corporate Capacity

14.1     Dave introduced the examination of the risk on corporate capacity.  Management Board review the corporate capacity planning process on a six monthly basis and the Business Efficiency Review would feed into this work. 

14.2     The Committee questioned the objectives of the Voluntary Exit Scheme and the plans for the money that could be saved.      

14.3    Dave confirmed that the Fifth Assembly would pose unknown challenges for the future.  New powers and potential budget constraints could also be demanding from a management perspective, which is why a review of current skills, efficiency and effectiveness is so important.   

14.4    Claire had recently attended a meeting with the Independent Parliamentary Standards Authority (IPSA) in Westminster.  It was evident from discussions that the Assembly Commission was fortunate to have a strong and positive working relationship with the Remuneration Board.  The world class committee work of the current Assembly term would need to take account of the way Members of the Fifth Assembly wished to work.  

ACARAC (31) Paper 15 - Corporate Risks Report

ACARAC (30) Paper 16 – Annex A - Corporate Risks Summary

ACARAC (30) Paper 17 – Annex B - Corporate Risks plotted

13.1     Dave presented the risk paper with no major changes to report.  At a meeting on 25 January the Management Board were presented with the arrangements for the Fifth Assembly transition, where risks and issues were being managed through specific work-streams. 

13.2     Dave agreed to revise the wording contained in the risk around reputation in relation to perceptions of Commission staff during transition to the Fifth Assembly (ref CAMS20).        

13.3     The Committee welcomed the Commission’s mature way of reviewing the risk register and the insertion of a table showing the direction of travel but questioned the static profile of the risks.

13.4    Claire appreciated the comments regarding the maturity of the organisation in reviewing service and corporate risks, and added that maintaining a static profile took a great deal of effort from across the organisation to ensure the controls were as effective as they could be.  Mitigating actions and controls were monitored regularly which provided Claire, management and ACARAC with the necessary level of assurance.  

Action

-        Consider wording of risks around reputation in relation to perceptions of Commission staff during transition to the Fifth Assembly (ref CAMS20).

ACARAC (30) Paper 14 - Risks around Constitutional Change

15.1     Anna Daniel presented a paper to the Committee on the risks related to constitutional change.  The future size of the Assembly depended on the Draft Wales bill, and her team were supporting the Presiding Officer in developing alternative proposals to the draft.

15.2     Hugh Widdis reflected on the implications of the Assembly continuing with 60 Assembly Members for a further two terms and the Committee recommended that plans should be prepared to understand the implications of this. 

15.3   The Committee praised the Strategic Transformation Team for their thorough analysis of this risk and concluded that public engagement was critical and that the Assembly should manifest its value to the people of Wales.  Mitigating actions should ideally cover a broader scope than only constitutional change. 

ACARAC (30) Paper 13 - Corporate Risks Report

ACARAC (30) Paper 13 – Annex A - Corporate Risks Summary

ACARAC (30) Paper 13 – Annex B - Corporate Risks plotted

14.1     The Chair remarked that he was pleased a thorough review of risks had taken place and welcomed the additions to the corporate register. 

14.2     The Committee questioned where the Cyber Security risk sat in the Commission’s risk framework.  Dave highlighted controls that were in place to test our threat levels, which were reviewed twice yearly.  He also received regular updates and threat alerts from the National Government report schemes.

14.3    The Committee concluded that the potential threat to corporate and personal information and to the reputation of the organisation warranted the Management Board considering the risk around Cyber Security again.

14.4    In future, risk trends would be reflected on the corporate risk diagram.  

Actions

-        Management Board to re-assess Cyber Security risk.

-        Corporate risks plotted – ensure summary of trends is captured.

ACARAC (30) Paper 7 - NAWC outline 15-16 final

6.1        The Committee were pleased to see the draft 2015-16 audit plan at this earlier stage.  The WAO had worked closely with Nicola and Claire to produce the plan. 

6.2        The Committee discussed the audit of Assembly Members’ expenses and office costs.  Officials agreed to provide further information on this and the check points already in place with Members’ Business Support.  Nicola stated that audits on Members expenses were in addition to the other work agreed in the plan, and these audits provided extra assurance and transparency.  These specific audits would continue until the end of the Fourth Assembly.     

6.3        Ann-Marie confirmed that the overall audit fee should remain unchanged, although had not been formally agreed as yet.  To avoid the delays the Assembly Commission experienced last year, the WAO plan to commence their audit work a week earlier.

6.4        The Chair welcomed this update from the WAO and was encouraged by the collaborative working between the Finance team and the Head of Internal Audit.

Action

-        Nicola to describe the checkpoints already in place with regards to AM expenses Audit. 

ACARAC (28) Paper 10 - Corporate Risk Report

ACARAC (28) Paper 10 – Annex A - Corporate Risk Summary

ACARAC (28) Paper 10 – Annex B - Corporate Risks plotted

9.1        Dave and Claire provided feedback on the recent business continuity exercise carried out by the strategic response and tactical teams.  Lessons learned from the mock mobilisation of the incident response plan were being captured.  Initial discussions had identified the need to test the plan further, involving Assembly Members, Commissioners and external stakeholders.

9.2        The Committee was reassured by the results and welcomed plans to involve Assembly Members and Commissioners in future exercises.   Committee members stressed the importance of flexibility in the approach to enable officials to adapt to the circumstances and constraints of particular incidents.      

9.3        The Committee considered the Commission’s Corporate Risk Register, noted the movements and questioned the low number of risks remaining.  Committee members also suggested that consideration should be given to capturing risks with a potentially high impact, such as the Fifth Assembly transition and constitutional change.

9.4        Dave Tosh assured the Committee that the Management Board would shortly carry out a full review of current and emerging risks, to include static risks.              

Actions

-        Following a discussion at Management Board, an updated risk register, taking into consideration the areas highlighted by the committee to be presented at the November meeting.

ACARAC (28) Paper 11 – Transition to the Fifth Assembly

ACARAC (28) Paper 11 – Annexes 1-4

10.1     Sulafa Thomas explained the approach being adopted, which was to treat much of the transition as business as usual, but with clear visibility across the full range of work.  Work streams had been identified and the leads were working on estimating the resource requirements.  Lessons learnt from the transition to the Fourth Assembly had been examined and Sulafa welcomed the offer of discussing past election experiences with Hugh Widdis.

10.2     The Committee was content with the detail presented in the papers, and the clear dependencies and interactions listed, but in light of recent project management experiences, to define the project, (including roles and responsibilities) in accordance with the Commission’s standardised methodology.      

Actions

-        Define role and responsibilities of SRO for the Fifth Assembly Transition.

ACARAC (27) Paper 12 – Corporate Risk Report

ACARAC (27) Paper 12 - Annex A - Corporate Risk Summary Report

ACARAC (27) Paper 12 - Annex B – Corporate Risks plotted

ACARAC (27) Paper 13 – Constitutional change 

9.1        There were no risk severity uplifts.  The Chair welcomed the strategic risk review planned by Management Board. 

9.2        Anna Daniel presented the detailed examination of constitutional change.  She noted that strong productive relationships were in place with key stakeholders.  

9.3        David Melding commented that the work was being performed to an exceptionally high standard and the paper presented a clear picture of the situation. 

9.4        Hugh Widdis questioned whether the risks around the proposed model of powers were being managed.  Anna confirmed that her team were raising awareness on this issue and were working closely with the Wales Governance Centre, with an event planned in May.   

9.5        Committee Members offered their support as appropriate and suggested further independent challenge, for example from the Institute for Government, Cabinet Office or other legislatures.              

Actions

-        Pursue other sources of independent challenge and advice including the Institute for Government and other legislatures. 

1.0     

2.0     

3.0     

4.0     

5.0     

6.0     

7.0     

8.0     

9.0     

10.0     

11.0     

12.0     

12.1    Eric asked Dave to focus his update on specific areas, namely the security vetting risk, the Business Continuity exercise and Programme and Project Management. 

12.2    Angela suggested that officials considered the inclusion of two risks at a corporate level:

a.    potential reputational damage of decisions made in Westminster around constitutional change; and

b.   Security risks, taking into account the Security Vetting audit and wider security risks given the heightened UK threat levels.

12.3    Dave responded to these points as follows:

i)             Security was a static risk (i.e. a risk organisations would always face) and the Management Board would agree the best way for static risks and issues to be captured and monitored.  This would be shared with the Committee.  In the meantime, security risks were being managed at a service level.

ii)           Programme and Project Management risks had recently been discussed by Management Board and the Directors’ Board.  It was felt that the risk did not need to be managed at a corporate level given the strengthened controls and on-going implementation of governance arrangements. In terms of capacity, the governance arrangements had also enabled Heads of Service to be confident when resourcing projects.  Dave agreed to provide a summary of the improvements in programme and project governance at the April meeting

iii)          A corporate Business Continuity exercise was planned for 24 April although the specific scenarios were yet to be established.   

12.4    Claire responded to the points around the escalation of the risks around Westminster decisions and security and would review with the Management Board whether these should be added to the Corporate Risk Register. 

Actions

-        Summarise security vetting risk profile, including risks associated with implementing Internal Audit recommendations.

-        Clerking team to add detailed consideration of security risks to future meeting agenda.

-        Dave to provide an update on Programme and Project Management governance improvements at the April meeting.

8.1        The Committee was asked to consider the risks around reaction to the decisions of the Remuneration Board, the controls in place, and what more could be done to further mitigate the risk.

8.2        Anna Daniel introduced the paper and told the Committee that she expected the risk rating to increase in the short term as the Board looked at issues such as pensions and the employment of family members.

8.3        The Committee commented on the importance of communication and the significance of stakeholder management.  They also felt that it was essential for each party to understand each other’s remit.  Hugh Widdis suggested contacting other legislatures to see how they dealt with similar risks.

7.1        Kathryn Hughes presented the item to the Committee and confirmed that the corporate risks had been considered in light of the new Commission strategic priorities.  She highlighted that the social media risk was due to be discussed at the Management Board on the 23 June, with the potential of raising it to a corporate risk and that Lowri Williams, Head of HR was presenting proposals on capacity planning to the Investment Board on 16 June.

7.2        Following the discussion on fraud, Committee members questioned why fraud was not on the risk register.  Kathryn confirmed that is was being managed at a service level.  The Commission’s assurance mapping would also capture these types of static risk when it had been fully developed.

7.3        Committee members agreed that at future meetings, current issues should also be discussed and they welcomed the work being done on assurance mapping which would be presented in the autumn.  Recognising the importance of this work, the Chair encouraged its early completion.