Agenda and draft minutes

Audit and Governance Committee - Monday, 22nd July, 2024 6.30 pm

Venue: Council Chamber, County Hall, Dorchester, DT1 1XJ.

Contact: John Miles  Email: john.miles@dorsetcouncil.gov.uk

Items
No. Item

17.

Apologies

To receive any apologies for absence.

Minutes:

An apology for absence was received from Simon Roach.

18.

Declarations of Interest

To disclose any pecuniary, other registrable or non-registrable interest as set out in the adopted Code of Conduct.  In making their decision councillors are asked to state the agenda item, the nature of the interest and any action they propose to take as part of their declaration.

 

If required, further advice should be sought from the Monitoring Officer in advance of the meeting.

 

Minutes:

No declarations of disclosable pecuniary interests were made at the meeting.

19.

Public Participation

Representatives of town or parish councils and members of the public who live, work, or represent an organisation within the Dorset Council area are welcome to submit either 1 question or 1 statement for each meeting.  You are welcome to attend the meeting in person or via MS Teams to read out your question and to receive the response. If you submit a statement for the committee this will be circulated to all members of the committee in advance of the meeting as a supplement to the agenda and appended to the minutes for the formal record but will not be read out at the meeting. The first 8 questions and the first 8 statements received from members of the public or organisations for each meeting will be accepted on a first come first served basis in accordance with the deadline set out below.

 

All submissions must be emailed in full to john.miles@dorsetcouncil.gov.uk by 8.30 am on Wednesday 17 July.

 

When submitting your question or statement please note that:

· You can submit 1 question or 1 statement.

· A question may include a short pre-amble to set the context.

· It must be a single question and any sub-divided questions will not be permitted.

· Each question will consist of no more than 450 words, and you will be given up to 3 minutes to present your question.

· When submitting a question please indicate who the question is for (e.g., the name of the committee or Portfolio Holder)

· Include your name, address, and contact details.  Only your name will be published but we may need your other details to contact you about your question or statement in advance of the meeting.

· Questions and statements received in line with the council’s rules for public participation will be published as a supplement to the agenda.

· All questions, statements and responses will be published in full within the minutes of the meeting. 

Minutes:

There was no public participation.

20.

Annual Emergency Planning Report

To receive a report by Marc Eyre, Service Manager for Assurance.

 

Minutes:

The Service Manager for Assurance, Marc Eyre, introduced and summarised the report. The committee had requested a periodic update on Emergency Planning, and this was the first time an Annual Emergency Planning report had been presented. The significant impacts globally following the Covid Inquiry and CrowdStrike reinforced the need for strong business continuity arrangements. It was noted that the CrowdStrike issue had only a minor impact on the Council in terms of small external provider provision. The Emergency Planning Team had responded to approximately 1 incident per week over the last 12 months. The team regularly debriefed incidents to ensure that organisational lessons were learnt. Work had been done alongside local resilience partners to improve community resilience, with recruitment of a pan-Dorset Community Resilience Liaison Officer. The report identified a number of priorities, such as improving training compliance rates, further improvement of business continuity arrangements, and delivery of statutory exercises.

 

Cllr Haynes informed the Committee that last winter there had been considerable incidences of flooding, and said she was alarmed to find that officers who had been sent out to discuss potential measures to deal with flooding in villages did not understand the extent of the flooding. She raised concerns about how flooding was being recorded and the potential for unreported flooding, as numerous houses were flooded but she had been told by officers that only two houses had been impacted.

 

Cllr Todd referenced page 9 of the report, sections 2.6 and 6.5. He noted that gold and silver officers receive refresher training every 3 years. Gold was standing at 54% completion and silver at 65%. He inquired how benchmarks compared to other similar organisations and how completion rates could be improved.

 

In response to councillors' questions, the Service Manager for Assurance said that he would take away Cllr Haynes's questions and raise them with the appropriate officers. He highlighted that the Community Resilience Liaison Officer was trying to get out to communities more and work with them to develop their resilience plans. In response to Cllr Todd’s questions, he said that the Council operated a different gold and silver regime to other authorities, and so it would be difficult to compare. He added that a paper would be coming to the Senior Leadership Team in August in which the numbers would be reviewed, with the aim of reducing the number of officers, which would assist training compliance.

 

Cllr Monks called for greater communication with Town and Parish Councils in order to deal with incidents at ground level. The Service Manager agreed to liaise with the Local Resilience Forum to understand hit rates on the Dorset Prepared website.

 

21.

Annual Fraud and Whistleblowing Report

To receive a report by Marc Eyre, Service Manager for Assurance.

Minutes:

Marc Eyre presented the Annual Fraud and Whistleblowing Report. He provided some past context and highlighted the benchmarking and baseline work and the progress in the maturity of the fraud management arrangements. The key outstanding action concerned training, particularly stronger training for higher-risk roles. The paper summarised whistleblowing activity, which had increased from 7 last year to 14 within the last financial year. This doubling was attributed to the policy becoming more visible.

 

The Co-opted Member, Mr Roach, submitted questions to the Committee. Paragraph 23/1.2.5 Culture and Awareness. In the outstanding action why are “Services identified with highest risk exposure to fraud” only “encouraged” and not mandated to undertake fraud and whistleblowing training? If they have high risk exposure, encouraging them seems too soft an approach.

 

The Service Manager for Assurance responded to questions from the Committee. In terms of progress being made, 40% was still showing as amber, but within the 40% there were a small number of actions, such as training, which crossed over a number of criteria. For training, SWAP had been developing an e-learning module, as the present module was quite generic. He agreed with Mr Roach’s comment that the training requirement should be mandatory for those higher fraud risk areas and agreed to liaise with the Learning and Development Team.

 

In response to Cllr Haynes's questions about comparing benchmarking to other authorities, the Service Manager for Assurance said that SWAP had undertaken a baseline review which looked across a range of SWAP partners to compare maturity of arrangements.

22.

Annual Information Governance Report

To receive a report by Marc Eyre, Service Manager for Assurance.

Minutes:

Marc Eyre presented the Annual Information Governance Report and summarised its highlights. Mandatory training levels remained lower than the service wanted, at 73% for cyber and 84% for data protection, but he noted that there had been some improvements to the figures since the report was issued. Cyber remained one of the Council's most significant risks. There had been an 82% reduction in technical vulnerabilities on devices since introduction.

 

From a performance perspective, performance on Freedom of Information Requests was just below the target of 90% and there were some capacity challenges, but the service was improving through automation work. For Subject Access Requests, response rates had improved. The number of data breaches increased from 295 to 376 last year, with 20 meeting the criteria for escalation to the Information Commissioner's Office. 73% of those breaches related to email. It was noted that a change to the Microsoft licensing arrangement could provide technical capability to reduce the risk.

 

Mr Roach submitted a question: Pg 35 - Oct, Nov, Dec were months with relatively low numbers of FOI and EIR requests, so why were they also the worst in terms of response time?

 

Marc Eyre responded that it could be a range of things, such as one service area receiving a number of FOI requests on a single subject based on local or national publicity. Absence, either across the corporate team or in individual service areas, also had an impact.

 

Mr Roach submitted a question: Para 3.5.2 says that Data protection compliance training is at 84% vs 95% target and Cyber security training compliance at 73%. Para 4.7 says that this training is mandatory. What are the consequences for those not completing? If these are not defined and communicated, they should be. Those requiring training should not have the option to self-opt out.

 

In response, Marc Eyre said that training compliance rates had been a challenge. Training rates were below the 95% compliance rate set out in the NHS Data Security and Protection Toolkit, which was compulsory to enable access to health data sets. An improvement action plan was in operation. He said that a paper from the Learning and Development Team was going to the Senior Leadership Team next month, which would look more widely across data protection and cyber training, in addition to wider mandatory training. One of the recommendations within the report would be to consider further actions needed to improve compliance. One of the considerations would be to remove system access for those who had not completed training.

 

The Committee noted the resource challenges and recognised that this may require further focus. It was agreed that a further report should be brought back to the Committee to report progress.

23.

Quarterly Risk Management Update

To receive a report by Chris Swain, Risk Management and Reporting Officer.

Minutes:

The Risk Management and Reporting Officer, Chris Swain, presented the Quarterly Risk Management Update. On the 15th of January, the level of compliance for risk updates was around 41%, which improved to 90% in April, and today compliance was over 92%. The last time risk was presented to Audit and Governance, on the 15th of April, Mr Roach (co-opted member) flagged that despite the overall improvement in compliance a significant percentage of the higher risks were still overdue, including 29% in Children’s, 60% in Place and 62% in Corporate Development. The report presented showed 100% compliance for risks rated high and very high, except for Place, which at the time of writing was engaging with a risk pilot to re-evaluate all risks in the directorate, and which was now 100% compliant. The exercise was the first step to standardising risk at Dorset Council, including coaching around risk articulation, risk assessment and risk recording. His aspiration was to follow a continuous cycle of plan, implement, measure and learn to improve compliance and improve the quality of risk information. The risk register now benefited risk owners by sending automated reminders directly 14 days and 7 days before, and on the day, a risk becomes overdue, including direct links to the risk that requires attention.

 

 

24.

SWAP Update Report

To receive a report by Sally White, Assistant Director for SWAP.

Minutes:

The Principal Auditor, SWAP Internal Audit Services, Angie Hooper, presented the SWAP Update Report for the 2024/25 financial year. SWAP offered a reasonable interim opinion and had not identified any significant corporate risks. Since the last update report, no limited assurance opinion reports had been issued. With regard to the actions in response to the Climate Emergency Audit, SWAP continued to keep in contact with the Corporate Director, Transformation and Digital, and his team, and planned to undertake another formal follow-up in early 2025. A follow-up of the premises health and safety audit had been undertaken and reported that 2 out of the 3 outstanding actions, including the priority 1 action, had now been implemented, with a revised implementation date for the remaining priority 2 action. SWAP believed that sufficient action had been taken by the service to mitigate the significant corporate risk, so would no longer be formally reporting this to the Committee. All priority 1s and 2s from all of SWAP’s audits would now be reported. There were 24 actions that had passed their original due dates where a revised date had been agreed, and 12 overdue actions where either the original date or revised date had passed. The number of overdue actions and revised timescales remained high, but SWAP was in contact with officers to ensure actions were implemented.

 

SR Comments: Pg 72 and 76 - The revised dates for priority 2 actions seem mostly to be in the region of 6 months to a year later than the original date. Those extensions seem excessively large to me.

 

SR Questions: Pg 72 and 76- My contention is that if the priority 2 actions can be extended by many months and as much as a year, the owners cannot truly believe the risks are that significant.  Can SWAP please comment?  Have we got a mismatch (passively expressed by long implementation timelines) in assessment of the significance of the risks between SWAP and auditees/action owners? 

 

In response to questions, the Assistant Director for SWAP Internal Audit Services, Sally White, said that there had been a couple of audits where the actions had been quite complex and had taken a bit longer to complete than previously anticipated. Additionally, there had been changes in structure and staffing that had potentially delayed implementation. SWAP had continued to highlight their concerns around the speed of implementation, both at senior management level and at committee. However, only the service managers themselves would be able to explain in detail why an action had been delayed. The Senior Leadership Team had a performance indicator regarding overdue actions and asked for information where the date had been extended. She added that the committee might want to consider that they also have a role in questioning service managers where implementation of actions had been delayed.

 

The Executive Director for Corporate Development, Aidan Dunn, responded to questions. He highlighted that there were some good points and the importance of accountability of officers. He added that some recommendations may at first ...

25.

Work Programme

To consider the work programme for the Committee.

26.

Urgent items

To consider any items of business which the Chairman has had prior notification and considers to be urgent pursuant to section 100B (4) b) of the Local Government Act 1972. The reason for the urgency shall be recorded in the minutes.

Minutes:

Minutes of the Audit and Governance Meeting held on 8th July 2024 were confirmed.

No meetings of the Audit and Governance Sub-Committee had been held.

27.

Exempt Business

To move the exclusion of the press and the public for the following items in view of the likely disclosure of exempt information within meaning of paragraph x of schedule 12 A to the Local Government Act 1972 (as amended).

 

The public and the press will be asked to leave the meeting whilst the item(s) of business is considered.

 

There are no exempt items scheduled for this meeting.

Minutes:

There was no exempt business.