Agenda and minutes

Members are asked to declare any interests in the items under consideration and in doing so state:

(1) the type of interest concerned either a

(a)   personal interest

(b)   prejudicial interest

(c)    disclosable pecuniary interest (DPI)

and

(2) the nature of the interest concerned

If any member requires advice on declarations of interests, they are advised to contact the Head of Democratic Governance in advance of the meeting.

There were no declarations of interest on this occasion.

To agree the minutes of the last meeting of the Audit Committee held on 8 November 2018 as a true and correct record.

The Committee agreed that the minutes of the meeting held on 8 November 2018 be signed by the Chairman as a true and correct record subject to the following amendments:

1.      (minute 3) Reference to ‘Anchorsholme Park’ should read ‘East Pines Park’.

2.      (minute 4) ‘Mrs Mills provided assurance’ should be changed to ‘Mrs Mills advised’

3.      (minute 4) ‘However, the Committee was reassured that the scheme was collaborative in nature’ should read ‘However, the Committee still had cause for concern overall about the level of Public Health integration.’

To consider the actions being implemented to address the audit recommendations relating to events risk management. 

The Committee considered the actions being implemented to address the audit recommendations relating to events risk management.

Mr Alan Cavill, Director of Communications and Regeneration,Philip Welsh, Head of Tourism and Communications and Mr Chris Pope, Events Manager presented the report. Improvements to events management paperwork were reported.

In response to a question from Members about how the Council works with smaller organisations who were not able to meet the standards expected for event organisation, Mr Pope explained that despite only being a small team, where possible, help and advice would be given to such organisations to ensure they continue to be fully compliant with all the relevant legislation and requirements. He added that currently, this was sustainable and allowed for a greater number and diversity of events to be added to the calendar. In answer to a question about standard procedures for events and whether the same paperwork requirements were appropriate for different sized events, it was noted that large events were covered by standard procedures but those were not always relevant to smaller scale events.

Members expressed concerns that a policy on the use of licensing agreements to protect the Council’s interests in relation to events held on Council land had yet to be completed. It was reported that contingency planning had already been undertaken to mitigate the risk in the interim and it was anticipated that event sign off processes across the Council would be reviewed by the end of May 2019. Ultimately, Mr Welsh said that the Council would always seek to work with smaller organisations to enable the event to be safe, rather than decline the event immediately.

Mrs Greenhalgh, Head of Audit and Risk, explained that she was satisfied with the measures put in place to address the Priority One recommendations and added that work was currently underway on Priority Two and Three recommendations.  

Members asked why there had been a delay in the service reporting progress of the priority one recommendations to the Head of Audit and Risk.  Mr Cavill, Director of Communication and Regeneration, explained that the priority had been to focus on the Crowded Places work.  Members recommended in cases such as this the service should contact the Head of Audit and Risk to discuss and agree a mutually acceptable approach.

To consider progress within the Annual Governance Statement for 2017/2018.

Mr Mark Towers, Director of Governance and Partnerships, introduced the report and explained that the Annual Governance Statement represented a review of the system of internal control within the Council and a significant part of this was the action plan designed to further enhance the governance framework.  

In terms of mid-term progress, it was reported that many actions had either already been implemented or would be fully implemented by the financial year-end. Some of those actions already implemented included updates to the Council’s website to increase user traffic, completion of a resident’s survey to assess views of the Council and embedding of a new performance management framework with outcome based indicators across the Council.

The Committee discussed the Council’s channel shift process designed to improve overall service delivery by better signposting the Council’s services via the website and wherever possible allowing residents to access those services directly through the website. It was reported that telephone and face to face services continued to be monitored to assess whether efficiencies could be made through a move towards greater online provision. Improvements were noted within the leisure services department where a move to online booking and cancellation of fitness classes and the use of sports facilities had freed up some staff capacity. In addition, regarding the resident’s survey, the data collected was in the process of being analysed and the results would influence the budget setting process and resource allocation based on the priorities and concerns of residents.

Given the importance the Council had placed on channel shift, a recommendation was proposed that further consideration about it be undertaken by the Tourism and Economic Resources Scrutiny Committee. Mr Thompson offered to provide a presentation on the topic to members in order to provide a more detailed overview of where the process was up to and what it had achieved so far.  

To note the update on how the Council safeguards against cyber risks. 

Mr Tony Doyle, Head of ICT Services, provided the Committee with an annual update in relation to the actions the Council was taking to reduce cyber risks and how it was adapting to the changing threat landscape to protect staff, services and end users.

It was reported that it had been a difficult year so far and cybercrime remained a national priority for the Government. In a 12 month period, the Council had blocked over 21 million attacks on its website and over 15,000 malware attacks. Through regular testing, analysis and innovation, the ICT department continued to work to mitigate cyber risks. Employee awareness of cyber issues had been aided by the roll out of a staff learning programme in December 2018. It was acknowledged that 780 members of staff had so far completed the training and that it was hoped all remaining staff would complete this by 31 January 2019. A test email sent by the ICT department to all staff to test responses to a fake ‘scam email’ recently had resulted in less than 1 per cent of staff clicking the dummy malicious link which it was believed indicated that the training had anecdotally been very effective. This test had also evidenced the effectiveness of spam email reporting and quarantine procedures.

Following a question about capacity to deal with emerging threats to ICT security, Mr Doyle advised that his team was continually developing their specialist cyber skills and expertise and had recently made appointments to enable more specialism in this area. However, he acknowledged that capacity was always a potential issue but this was somewhat mitigated with the Network and Security Partnership the Council has with TNP (The Network People) when dealing with the volume of threats described. In response to a query about penetration testing and the potential of risk given the importance the Council had placed on General Data Protection Regulation compliance, Mr Doyle reported that in addition to staff GDPR and cyber skills training, the department regularly carried out vulnerability scans and had developed new processes to assess and evaluate data security risks as part of Data Privacy Impact Assessment.  This was as well as working regularly with specialist third party penetration testers to assess their compliance with the regulations and to minimise the risk of breaches.

Mr Doyle concluded by outlining measures for the year ahead that included continuing to scan the horizon for emerging cyber threats, rolling out Windows 10 software across the Council and working with Senior Officers to minimise the risk of cyber threats especially ransomware targeted at those individuals. In addition, the use of cloud based systems would supplement the Council’s hard storage facilities and government issued resources would be used to further supplement the Council’s own cyber risk response.

To consider the controls being implemented to manage the strategic risk relating to service failure.

The Committee considered progress on individual risks identified within the Council’s Strategic Risk Register related to service failure.

Sub-Risk: Failure of a service provider in high risk contracted areas such as social care and waste management

Mr Thompson, Director of Resources, reported that in terms of potential service failure specifically related to domestic waste, a number of mitigation measures were in place and the Council continued to work with the contractor to ensure a smooth transition to bring the domestic waste service back under the Council umbrella. So far, a Project Board and Working Group had been set up and tenders had been completed for the Layton depot works. In addition, acquisition of new refuse collection vehicles and supply of ICT software had been completed and TUPE arrangements for staff would commence in April 2019.

In response to questions about the transition of domestic waste collections and associated risks, Mr Thompson advised that the Net Risk score had been reduced as the initial uncertainty over the changes had given way to a smooth and largely uneventful project and it was anticipated that the move would allow for greater control and by extension a reduced risk.

Regarding the risk of Adult Services failure, Mrs Smith, Director of Adults’ Services, provided assurances that in-house capacity had been retained especially in high risk service areas. Added to this, it was anticipated that continual horizon scanning of providers would identify future risks suitably early to allow effective mitigation. Prioritisation of team workloads, regular team meetings and individual work plans would ensure effective and in-depth monitoring of regulated and non-regulated care. Support for care businesses, liaison with care providers and development of robust contingency plans were also key mitigation measures.

When asked about why waste collection and adult services had been put together on the risk register, Mrs Greenhalgh, Head of Audit and Risk, advised that the risk related to the potential failure of a high risk service provider and the actions detailed in the risk register were being taken to reduce this risk. Mrs Greenhalgh agreed to consider how this was presented in the risk register.

Sub Risk: Loss of key infrastructure and resource which results in Council services not being delivered.

In addition to the existing measures in place to mitigate this risk and in particular, the risk associated with the Council’s data centres, the Committee was informed that alongside the two data centres currently in operation , discussions with Microsoft to investigate the feasibility of utilising a cloud based storage solution were underway. In response to a question about the data centres as a long term requirement, the Committee noted that the cost and risk associated with using a third party data storage solution would be higher than maintaining an in house asset.

An annual review of planned property maintenance had been initiated and agreed with the Corporate Asset Management Group, it was reported that the Head of Property Services had prioritised backlog maintenance and begun a separate review of leisure sites,  ...  view the full minutes text for item 6.

To note the date and time of the next meeting of the Committee as 7 March 2019, commencing at 6pm.

The date and time of the next meeting of the Committee was noted as 7 March 2019 at 6pm in Committee Room A, Town Hall, Blackpool.