Glasgow Life Risk Management & Business Continuity Planning. Final Report

Transcription

1 Glasgow Life Risk Management & Business Continuity Planning Final Report INTERNAL AUDIT October 2014 Glasgow City Council Internal Audit 1

2 Glasgow Life Risk Management & Business Continuity Planning Table of Contents Section No Section Title 1 Introduction and Background 2 Audit Remit 3 Audit Opinion 4 Conclusions 5 Recommendations Action Plan Deleted: 6 Deleted: Detailed Findings, Conclusions and Recommendations Glasgow City Council Internal Audit 1

3 Glasgow Life Risk Management & Business Continuity Planning 1. Introduction and Background As part of the agreed programme of work for 2014/15, Internal Audit has undertaken a review of the risk management and business continuity planning (BCP) arrangements in place at Glasgow Life. 2. Audit Remit The purpose of the audit was to gain assurance that Glasgow Life has effective arrangements in place for managing the risks facing the organisation and ensuring suitable arrangements are in place to continue service delivery during or following a serious incident or disaster. 3. Audit Opinion Based on the audit work carried out a reasonable level of assurance can be placed upon the control environment. The audit has identified some scope for improvement in the existing arrangements and 3 recommendations which management should address. 4. Conclusions Based on the audit work carried out the main conclusions reached during the audit were as follows: A Risk Management Policy has been documented and is used to assist senior management to identify, monitor and control risk. The risk register is regularly reviewed and reported to both the Audit Committee and Board. Mitigating actions have been identified and implemented (for the top 5 risks which formed part of the review) to reduce the likelihood and/or impact of risk. The top 5 risks are reported to the Board on a regular basis. The GL Audit Committee has not yet approved the Risk Management Policy therefore may not be aware of, or agree with the planned approaches to risk management across the organisation. It should be noted that this is planned for December Disaster Recovery Plans are in place for all GL locations. Although not all locations have been tested, testing has been undertaken at the major venues and any unique venues in the past few years. Not all possible major events are covered in all individual locations Disaster Recovery Plans, increasing the risk that the plan will lack sufficient detail to allow business to continue during a period of adverse circumstances. All GL individual Disaster Recover Plans vary in content and structure. This could lead to vital information being omitted from the document. Glasgow City Council Internal Audit 2

4 5. Recommendations Resulting from the conclusions, 3 recommendations for improvement, 2 rated medium priority and 1 rated low priority were identified. These recommendations and the organisation s responses are shown below. Glasgow City Council Internal Audit 3

5 Title of the Audit: Glasgow Life Risk Management and Business Continuity Planning High Key controls absent, not being operated as designed or could be improved. Urgent attention required. Risk Ratings for Recommendations Medium Less critically important controls absent, not being operated as designed or could be improved. Low Lower level controls absent, not being operated as designed or could be improved. No. Audit Recommendations Priority Accepted Comments (if appropriate) Officer Responsible for Implementation Key Control: An adequate Risk Management Policy is in place which is reviewed annually and approved by the Board. Timescale for Implementation 1 Glasgow Life must ensure that the Medium Yes Will be covered by updated Risk Management Policy is Nov/Dec Audit approved by the Audit Committee. The Committee every year policy should be reviewed annually and any changes approved by the Audit Committee. (paragraph 6.1.9). Key Control: Business Continuity arrangements are in place, tested and updated. Martin Booth Dec GL should consider drafting a template Disaster Recovery Plan for use by each location to ensure consistency across the organisation with particular reference to the Mitchell Library. The template should include the various events which could disrupt the running of each location. (paragraph 6.2.9). Medium Yes Kathryn Greehy Mar 2015 Glasgow City Council Internal Audit 4

6 Title of the Audit: Glasgow Life Risk Management and Business Continuity Planning (continued) No. Audit Recommendations Priority Accepted Comments (if appropriate) Key Control: Business Continuity arrangements are tested and updated. Officer Responsible for Implementation Timescale for Implementation 3 GL should consider updating their BCP testing timetable to ensure that all venue types are tested within a 3/ 4 year period. A report outlining the previous 3 years testing and the next years testing plan should be reported to the Audit Committee for approval. (paragraph ). Low Yes Kathryn Greehy Dec 2014 Glasgow City Council Internal Audit 5

7 Glasgow City Council Internal Audit Deleted: 6. DETAILED FINDINGS, CONCLUSIONS and RECOMMENDATIONS Based on the audit work undertaken, the following areas were found to be satisfactory: A Risk Management Policy has been documented and is used to assist senior management to identify, monitor and control risk. The risk register is regularly reviewed and reported to the Audit Committee and Board. Mitigating actions have been identified and implemented (for the top 5 risks which formed part of the review) to reduce the likelihood and/or impact of risk. The top 5 risks are reported to the Board on a regular basis. 6.1 Risk Management Policy Findings The Glasgow Life Risk Management Policy was last updated in February 2014 to bring the document in line with revisions to the risk scoring matrix by Glasgow City Council. The policy covers the aims and objectives of the risk strategy, risk scoring, risk monitoring and the risk responsibilities of staff at all levels within the organisation. The updated Risk Management Policy has not been approved by the Audit Committee or Board. The auditor was advised by the Assistant Business Support Manager that the 3rd Audit Committee meeting of each year deals with policy matters and that the Risk Management Policy will be taken to the Audit Committee meeting scheduled for 2nd December 2014 for approval. Conclusion The GL Audit Committee has not yet approved the Risk Management Policy therefore may not be aware of, or agree with the planned approaches to Risk management across the organisation. It should be noted that this is planned for December Recommendation Glasgow Life must ensure that the updated Risk Management Policy is approved by the Audit Committee. The policy should... [1]

8 Page 6: [1] Deleted Martin Booth 12/8/ :24:00 AM 6. DETAILED FINDINGS, CONCLUSIONS and RECOMMENDATIONS Based on the audit work undertaken, the following areas were found to be satisfactory: A Risk Management Policy has been documented and is used to assist senior management to identify, monitor and control risk. The risk register is regularly reviewed and reported to the Audit Committee and Board. Mitigating actions have been identified and implemented (for the top 5 risks which formed part of the review) to reduce the likelihood and/or impact of risk. The top 5 risks are reported to the Board on a regular basis. 6.1 Risk Management Policy Findings The Glasgow Life Risk Management Policy was last updated in February 2014 to bring the document in line with revisions to the risk scoring matrix by Glasgow City Council. The policy covers the aims and objectives of the risk strategy, risk scoring, risk monitoring and the risk responsibilities of staff at all levels within the organisation. The updated Risk Management Policy has not been approved by the Audit Committee or Board. The auditor was advised by the Assistant Business Support Manager that the 3rd Audit Committee meeting of each year deals with policy matters and that the Risk Management Policy will be taken to the Audit Committee meeting scheduled for 2nd December 2014 for approval. Conclusion The GL Audit Committee has not yet approved the Risk Management Policy therefore may not be aware of, or agree with the planned approaches to Risk management across the organisation. It should be noted that this is planned for December Recommendation Glasgow Life must ensure that the updated Risk Management Policy is approved by the Audit Committee. The policy should be reviewed annually and any changes approved by the Audit Committee. 6.2 Business Continuity Plan Findings Glasgow Life has also recently updated its Corporate BCP and the individual Disaster Recovery Plans for each of the venues. The Corporate BCP and individual Disaster Recovery Plans are reviewed on an annual basis and updated when required. The Corporate BCP was last updated in April 2014.

9 6.2.2 There is an annual programme for desktop testing and reviewing Business Continuity Plans in place across the organisation, with the testing of 1 or 2 categories of venues each year. The results of the testing are used to inform the plans of other similar venues across the GL estate In the past few years the major venues and unique venues, such as Glasgow Museum Resource Centre, have been tested The auditor was advised that there are over 50 venues within GL and each location has its own Disaster Recovery Plan. A sample of 4 venue Disaster Recovery Plans was chosen to confirm that they sufficiently detail how the various business functions across the organisation should be performed in the event of a major business interruption. The Disaster Recovery Plans selected were - Glasgow Royal Concert Hall (GRCH), Emirates arena, the Mitchell Library and Scotstoun Leisure Centre From reviewing the 4 Disaster Recovery Plans, the auditor found the Mitchell Library Disaster Recovery Plan to be inadequate for the purpose of BCP as the various events which could disrupt the running of the business had not been documented. The auditor also noted that each of the 4 Disaster Recovery Plan varied in structure and content and there was no set template followed. Conclusions Disaster Recovery Plans are in place for all GL locations. Although not all locations have been tested, testing has been undertaken at the major venues and any unique venues in the past few years Not all possible major events are covered in all individual locations Disaster Recovery Plans, increasing the risk that the plan will lack sufficient detail to allow business to continue during a period of adverse circumstances All GL individual Disaster Recover Plans vary in content and structure. This could lead to vital information being omitted from the document. Recommendations GL should consider drafting a template Disaster Recovery Plan for use by each location to ensure consistency across the organisation with particular reference to the Mitchell Library. The template should include the various events which could disrupt the running of each location GL should consider updating their BCP testing timetable to ensure that all venue types are tested within a 3/ 4 year period. A report outlining the previous 3 years testing and the next years testing plan should be reported to the Audit Committee for approval.