Agenda and minutes

1.1 The Chair welcomed everyone to the meeting and noted apologies from Mark Neilson, Head of ICT and Clare James, Audit Wales.  

1.2 No interests were declared.

ARAC (23-05) Paper 1 – Minutes of 12 June 2023
ARAC (23-05) Paper 2 – Summary of actions

2.1 The minutes of the 12 June meeting had been formally approved out of committee and published on the website.

2.2 Two informal meetings were held on 3 and 18 July 2023. No minutes or actions were captured.  

2.3 The Committee noted the progress against actions from the previous meeting.

ARAC (23-05) Paper 3 – Governance & Assurance update report 

3.1 The Chair thanked Kathryn Hughes and Victoria Paris for their efforts in ensuring the governance, assurance and audit activities were taken forward and invited them to highlight any significant points from the update report.

3.2 Kathryn highlighted the following in relation to governance and assurance (G&A) activity:

·         The programme of annual ‘Governance Matters’ meetings with each Head of Service had been completed. These meetings served as a useful reminder of areas identified for focus in the previous year’s assurance statements and to discuss any issues or concerns.

·         The service planning cycle had been refreshed and two-year plans had been drafted by each service area. The current Corporate Delivery Plan would be refreshed into a two-year Corporate Plan.

3.3 In response to questions from the Committee, it was agreed that a diagram would be shared showing the relationship between the updated planning structures and mechanisms.

3.4 Victoria provided a comprehensive update on all internal audit activity, including the reports previously circulated to Committee members. The following points were highlighted:

·         The scope for the Cyber Security audit had been agreed and the fieldwork was scheduled to commence in February. 

·         The scope of the review of Project and Programme Governance had yet to be defined. This would be an advisory review and a further update would be provided at the April meeting.

·         The audit of the Communication and Engagement Strategy planned for this year had been postponed to 2024-25. An informal review would be undertaken to provide the Committee with the necessary assurances and to inform the scope of a future audit. It was agreed that an update would be provided at the February meeting.

3.5 The Chair noted that he was working with the clerking team to re-design the repository of information shared with Committee members.

Actions

·         Ed Williams to provide a briefing/diagram on updated corporate planning structures (covering the relationships between Corporate Plan, MTRF, service plans and the Portfolio Management Group).

·         Arwyn Jones to provide an update on the review of the Communication and Engagement Strategy at the February meeting.

ARAC (23-05) Paper 4 – Business Continuity

4.1 The Chair welcomed Lee Glover and Steve Connors to the meeting. 

4.2 Steve praised the Commission’s approach to business continuity (BC) and the focus on critical business activities.

4.3 Steve highlighted the reliance on third parties and how the BC plans produced by the Commission must dovetail with critical service providers. He also highlighted the need for an organisation wide BC exercise.

4.4 The Committee questioned how the Commission would plan for a longer lasting event, and sought Validera’s thoughts on this, as well as horizon-scanning and the re-introduction of functions that were not identified as a high priority. 

4.5 Steve congratulated the Commission on the planning before Covid which proved extremely useful but noted that priorities, as well as the recovery time of some services, changed over time. He recommended that the actions taken by the Commission be written into future plans to ensure these reactions and lessons were not lost.

4.6 Officials agreed that BC should be more strategic. The recommendations highlighted in the audit were being taken forward and discussions were already underway regarding a BC exercise. The BC function sat within the G&A team who were advising management on activities and risks. The BC Forum continued to meet on a regular basis with BC champions within each service area. 

4.7 The Committee thanked Steve for his presentation and would welcome a further update on progress against recommendations at the February meeting.

ARAC (23-05) Paper 5 – EQA

5.1 The EQA report had been circulated to Committee members on 20 October.

5.2 Officials had been pleased with the opinion of general conformance with Public Sector Internal Audit Standards and Treasury Management IAQAF. The recommendations had been accepted by management.

5.3 The Committee raised concerns over the future structure of the Governance & Assurance team. Ed described a period of assessing the functions of the team and the opportunity to consider options for an appropriate structure to deliver those functions, particularly since the arrival of the new Chief Finance Officer. A consultation would be undertaken on proposals for the structure and views of the Committee would be sought.

Oral item

6.1 Lee Glover updated the Committee on the reviews being carried out on internal audit standards. The new Global Internal Audit Standards, which were due to be issued in January 2024, would feed into updates to the Public Sector Internal Audit Standards (PSIAS) which would be supplemented with detailed guidance on their implementation in due course. There were no changes of substance expected on how internal audit activity should be undertaken.

ARAC (23-05) Paper 6 – Internal Audit

7.1 Further to an action at the 27 April ARAC meeting, Victoria presented an outline of internal audit work undertaken over the past five years broken down by Directorate. She also provided the Committee with an update on outstanding internal audit recommendations.

7.2 Covid had significantly impacted internal audit activity but it was clear that in recent years, since the pandemic, a balance between the three Directorates had been achieved.

7.3 Victoria described the process of establishing the future audit programme which would involve discussing priorities with individual Directors.   

7.4 The Committee welcomed this update and encouraged officials to prioritise resources on the outstanding audit recommendations. It was agreed that recommendations older than six months would be presented to the Committee biannually.

Action

·         Clerking team to ensure updates on outstanding audit recommendations (over 6 months) are presented twice yearly.

Oral item

8.1 The Chair welcomed Anthony Veale to the meeting who had replaced Ann Marie Harkin as the Executive Audit Director on the Senedd Commission account. 

8.2 Kate Innes outlined how the lessons learned session with Audit Wales had highlighted a number of reasons why an interim audit had not been completed during the 2022-23 process. These were primarily related to communication, lack of substantive interim audit due to resource implications within Audit Wales and the introduction of the new audit standards, especially as the Senedd Commission was one of the first organisations to be audited using these new standards. Anthony provided assurance around planning and processes to minimise the chance of any delays to finalising the audit of accounts, such as those caused by their use of external expertise to review the audit of pensions.

8.3 Kate welcomed the candour of Audit Wales and encouraged them to raise any issues as early as possible. Audit Wales would start the interim audit early in 2024 and Kate agreed to keep the Committee updated on any slippage to the timetable.

ARAC (23-05) Paper 7 – Audit Wales update   

9.1 Anthony Veale informed the Committee of the likely 6.4% increase in the audit fee following the usual consultation exercise, and the proposal to undertake work on a similar timescale to 2022-23. Recruitment and retention was an ongoing challenge for Audit Wales but Anthony was hopeful it would not impact the audit of the Commission’s accounts, adding that they would be considering their audit delivery strategy across all clients in the coming months.

9.2 The government financial reporting manual (FReM) had not changed significantly, but the team were horizon scanning and would inform Kate of any changes.

9.3 By mid-February the Finance team would have prepared period 10 with the documents ready for the interim audit by the third week of February. 

9.4 The Committee thanked Audit Wales for the update and reiterated the need to be kept informed of any delays to the timetable.

9.5 Anthony also outlined the wider public sector work and reports of interest included in the paper, which included links to further information.

ARAC (23-05) Paper 8 – Cyber Security Assurance Report

10.1 The Chair welcomed Jamie Hancock, Tim Bernat and Chris Weaver to the meeting and invited Jamie to outline any highlights from the report.  

10.2 Jamie highlighted the work being carried out on network infrastructure to further strengthen resilience. Tim described how the Security Operations Centre (SOC) and additional resource for investigating and dealing with incidents allowed an increased focus on preventative measures to manage cyber-security threats. 

10.3 Tim also outlined the Cyber Security event, held over two days at the Pierhead in November. It had been well attended and included a number of high-profile speakers with representatives from all four UK parliaments and the National Cyber Security Centre.

10.4 In response to questions from Committee members, a wider discussion then focussed on ransomware attacks. The team described the risks and consequences of an attack on the Commission and the role of cyber incident response plans in mobilising immediate action to contain an incident and to assess the extent of the damage. The team also described the need for organisation-wide focus on communication and staff wellbeing around any attacks or data breaches, for example, which had been incorporated into response plan documentation. It was suggested that, whilst ICT could facilitate the assessment of risk appetite, this should also involve input from the SIRO.

10.5 The Committee questioned the establishment of the SIRO group and sought assurance that risks were being appropriately addressed, including the risks relating to Artificial Intelligence (AI). Matthew Richards, recently appointed as SIRO, referred to two groups which had been established: one, chaired by Arwyn Jones, to consider the opportunities of generative AI and the other, chaired by Matthew, to consider the risks. He would be progressing the establishment of a SIRO group in the new year and agreed to update the Committee at its February meeting. 

10.6 The Chair thanked the team for their comprehensive report and update.

Action

·         Matthew Richards to provide an update on the SIRO group at the February meeting.

ARAC (23-05) Paper 9 – Update on 2023-24 Financial Position and 2024-25 Budget

11.1 Kate described the challenges and processes around securing in-year savings. She informed the Committee that the forecast out-turn position at the end of October was £93,000, which equated to 0.003% underspend of the approved operational budget against a target of 1.5%. This small surplus is as a result of needing to manage significant budgetary pressures due to cost of living costs, as well as the required savings handed back at the start of the financial year totalling over £1.2 million. Any surplus would be used by bringing forward essential building maintenance.

11.2 Kate and Manon described how decisions were made to secure savings to accommodate the request from Unions to deliver an in-year cost of living payment to staff, in line with other public sector organisations. This had included consultations at a political level and consideration of risks to the Commission if the proposal had been rejected. They also outlined the challenges the Commission had faced as a consequence, particularly around pausing projects and recruitment to fill vacancies.

11.3 Leanne Baker confirmed this had not appeared to have caused an impact on staff turnover rates which had remained consistent over the last 3 months, and vacancy rates had actually decreased. She added that flexible start dates had facilitated a more strategic approach to recruitment. 

11.4 Kate agreed to keep the Committee informed by sharing information relating to financial and workforce planning.

11.5 The Committee noted the losses and special payments contained within the finance update paper.

Oral update

12.1 The Chair noted the Commission’s appearances at the Finance Committee on 5 and 12 October and the Public Accounts and Public Administration Committee (PAPAC) on 12 October. Committee reports and Commission responses had been provided in advance of the meeting, along with links to Senedd.tv for the committee scrutiny sessions.

12.2 Kate confirmed that the final budget had been debated in plenary on 15 November 2023 and approved. The Finance Committee had been presented with details of the cost of living payment and the implications for staff and projects.  Kate also informed the Committee that the triennial review of Civil Service pension contributions would require a supplementary budget; HMT confirmed this would be funded. Information on the impact was not available from GAD in time for this to be included in the budget.

12.3 Resources would be carefully planned and managed through the Commission’s Medium-Term Resourcing Framework and would be informed by service planning and consultation on any savings before allocating budgets.

12.4 Ken Skates expressed his thanks to the Finance team for their efforts during the budget planning process and for their support for the scrutiny sessions.

12.5 The Chair encouraged officials to continue sharing information as it became available.

ARAC (23-03) Paper 10 – Departure Summary

13.1 The Committee noted four departures from normal procurement procedures and raised no concerns.

Oral updates

Senedd Reform Programme

14.1 The Chair invited Siwan Davies to provide an update on the Senedd Reform Programme (SRP). Siwan provided assurance that the programme was going to plan and made reference to the following in her update:

·         The Welsh Government had introduced the Senedd Cymru (Members and Elections) Bill in September, which was currently going through the Stage 1 Senedd Committee scrutiny process. This would be followed by Stage 2 and 3 scrutiny by the Senedd, with Royal Assent expected in June 2024.

·         The Commission had been subject to scrutiny on the cost implications of Senedd Reform (as included in the Regulatory Impact Assessment) at Finance Committee and Reform Bill Committee evidence sessions in November.

·         A second Bill relating to gender quotas was expected to be introduced in December 2023.

·         The Independent Remuneration Board had launched a series of thematic reviews. The Commission was in dialogue with the Board in relation to its review of the regulatory framework to agree resources, simplification, governance and clarification of roles and responsibilities. The Commission was due to consider this in spring 2024.

·         The Joint Assurance Board and the Welsh Government’s Senedd Electoral Reform Delivery Board, both of which had senior Commission representation, were meeting regularly.

·         The Senedd Reform Programme Board continued to monitor the programme-level risks and a review of the Senedd Reform corporate risk would be carried out early in 2024.

·         Plans for transition to the Seventh Senedd were being developed in line with capacity, capability and workforce planning and the Corporate Delivery Plan.

14.2 In response to questions about the timetable, particularly around adapting buildings to accommodate additional Members, Siwan and Ed outlined the planning process and timescales with a view to starting work when the Bill had received Royal Assent. It was anticipated that work would be completed by January 2026.

Ways of Working Programme

14.3 The Chair invited Ed to provide a brief update on the Ways of Working Programme. Ed  outlined the development of planning assumptions, plans, options and proposals to deliver the key live projects underpinning the overall programme. This would involve:

·         development of business cases for decisions by the Commission;

·         the development of planning assumptions for adapting Tŷ Hywel office space by 2026;

·         the procurement process for design support for the Siambr 2026 project;

·         the plans to finalise the Strategic Outline Case for the Bay 32 project; relating to future accommodation when the lease on Ty Hywel ended; and 

·         the process for presenting options and securing decisions from the Commission on proposals to deliver the programme.

14.4 The Chair asked officials to keep the Committee informed of progress and the management of risk, particularly in relation to costs and timing of the procurement.

ARAC (23-05) Paper 11 – Corporate Risk
ARAC (23-05) Paper 11 – Annex A - Summary Corporate Risk Register
ARAC (23-05) Paper 11 – Annex B – Corporate Risks plotted

15.1 The Committee noted the Commission’s Corporate Risk Register and discussed how Independent Advisers might add value to the assessment of emerging risks such as those relating to the impact of political decision making.

15.2 The discussion focused on physical security risks, given the change to the risk landscape across the UK. Ed provided assurance on the management of risk by the Security team in conjunction with the Police and the Independent Remuneration Board in relation to Members of the Senedd. A programme of risk assessments had been completed and enhanced security measures put in place for Members’ homes and constituency offices. Guidance had also been refreshed in relation to engagement activities. Ed agreed to consider what information to share with the Committee on the management of security risks.

ARAC (23-05) Paper 12 – Corporate Risk - Dignity & Respect
ARAC (23-05) Paper 12 – Annex A Corporate Risk - Dignity & Respect

16.1 The Chair welcomed Matthew Richards and Richard Thomas to the meeting. 

16.2 Matthew informed the Committee that the original Dignity and Respect policy was launched in 2019.

16.3 In 2022, the Commission surveyed all staff to determine their awareness of the policy and their willingness to report incidents. Fewer cases were being reported in the Senedd but one area that needed attention was the preparedness of Members’ staff to report incidents.

16.4 On 16 November 2023, the Standards of Conduct Committee launched an inquiry into dignity and respect and the Committee’s consultation was due to close on 22 January 2024. The Independent Remuneration Board had also been consulted.

16.5 Matthew also responded to questions from the Committee on the time the complaints process takes and how the timescale could deter potential complainants. Matthew explained that those against whom complaints were made were permitted a full opportunity to set out their position and any evidence which can unfortunately prolong the process. The Committee appreciated the legal issues involved and wanted to ensure that there was sufficient support in place for those making complaints.

16.6 Matthew then described the re-launch of the availability of contact officers (available to Commission staff and Members’ staff), with posters being displayed around the Senedd estate as well as sharing an anti-bullying campaign on the staff intranet. HR had delivered mandatory dignity and respect training for all staff with some party groups also rolling out this training.

16.7 Commission staff had been surveyed in 2023 as part of the annual Commission staff wellbeing survey. The results were yet to be analysed. Once available, they would be shared with Committee members.   

Action

·         Clerking team to share results of the most recent Dignity and Respect Survey when available and provide an update on the outcome of the Standards Committee consultation in due course.

Oral item

17.1 Matthew Richards informed the Committee that there had been a number of data breaches, none of which he felt were a particular cause for concern. The Chair agreed that the details could be shared with Committee members outside of the meeting.

ARAC (23-05) Paper 13 – current ToR

18.1 The Committee noted its Terms of Reference and agreed that no changes were necessary.

ARAC (23-05) Paper 14 – Forward Work Programme

19.1 The Committee requested that the ways in which the Commission might use Artificial Intelligence, and the associated risks, be added to the forward work programme. 

Action

·         Clerking team to add Artificial Intelligence (AI) to the forward work programme for the July meeting.

20.1 No other business was raised. 

Next meeting was scheduled for 19 February 2024.