Agenda and minutes

Venue: Conference Room 4B - Tŷ Hywel. View directions

Contact: Liz Jardine 

Items
No. Item

1.

Introductions, apologies and declarations of interest

Minutes:

Apologies were received from Elisabeth Jones (Director of Legal Services), Mark Neilson (Head of ICT) and Gareth Watts (Acting Head of Governance and Audit).

There were no declarations of interest.

 

2.

Communication note to staff - Siân Wilkins

Minutes:

Siân Wilkins would draft a note of the Management Board discussion for the news page.

 

3.

Minutes from the previous meeting - 20 June

Minutes:

The minutes of the 30 June Management Board meeting were agreed as a correct record, excepting a clarification on the wording of item 4.1 relating to sickness absence. 

 

4.

Cyber security

Minutes:

Alison Bond was welcomed to the meeting to deliver a short video and discussion on key information and cyber security issues, an area of increasing importance to the management and protection of Assembly information and one that ACARAC has requested be scrutinised.

The Assembly, like most organisations was extremely dependent on its information and systems but, with the number and type of attacks threatening information increasing, the potential risks to reputation, confidence, disruption and compliance were high. The Board were informed that restricting access and protecting information assets was central to cyber security.

It was recognised that, generally, the Assembly was very security conscious, with many tools and controls in place. It was, however, important to remind staff about security of email and the use of computers and the network, including the storage of restricted papers prior to destruction and during disposal.

Alison outlined the guidance in relation to malicious emails and that these emails can appear very sophisticated, meaning constant vigilance was needed. A message was also going to Members and their staff in relation to security of emails, computers and the network. The Board discussed other threats and how to mitigate the risks through user awareness, being mindful of assets, assessing and managing risk and being vigilant. Alison advised that the privacy impact assessment had been very intensive around the Assembly’s use of cloud services.

Alison would write to Heads to undertake an exercise, in their roles as Information Asset Owners, to identify and test the robustness of controls around their most important and sensitive assets.

5.

Corporate Risk

Minutes:

Management Board considered the current and emerging risks at corporate level and, in particular, the impact on the organisation of the new Commission strategy and the emerging risks around the EU referendum result. Although there were many uncertainties around the effect of the result and the organisation was doing well on mitigation, thinking ahead, being prepared and having the Commission committed to resources, it would be prudent to include it as a corporate risk. The Board agreed it was necessary to have a focussed discussion on potential risks, with a view to avoiding having it remain on the register long term. It was agreed that Anna Daniel would take the lead on assessing risks around the implications of the referendum result.

The Board were asked to consider recommendations for removing four risks from the corporate risk register given the effective management, cessation or mitigation of the risks and, if so, whether they should be monitored at service level. The Board agreed all four recommendations.

Additionally, some changes to the register to reflect the current status of risks were noted. Dave Tosh agreed to review the wording of the risk relating to terrorist/weapons attack following recent events (Ref: Sec009).

The Board considered the risk relating to decisions of the Remuneration Board, which was being well managed and agreed to consider it again at the next review. They also discussed the risk relating to senior management changes.

6.

Archive strategy

Minutes:

Chris Warner introduced a proposal to develop an archiving strategy, working closely with the National Library of Wales, to create a coherent and accessible archive for the long-term preservation of all the Assembly’s records that would complement the broader policies for information management and data protection and join up with the objectives of the MySenedd programme.

Management Board acknowledged the strategic importance of developing an Assembly archive strategy and agreed the proposed actions to deliver the project.

7.

Corporate Induction

Minutes:

The Board welcomed Hayley Rees (HR Training Officer) to present proposals for the refreshed Corporate Induction Programme following the agreed improvements that had been developed and implemented in the initial four pilot sessions.

The induction had been reduced from two days to one day, replacing some of the content with a signposting DVD and including an introduction by a member of Management Board. Feedback had been ongoing with adaptations and improvements each time. It was planned that it would link into a Management Development programme.

The Board agreed all the recommendations with a request for HR to consider how we could further inspire people about the importance of the institution and future of Wales.

 

Winding up the meeting

7.

Any other business

Minutes:

It was noted that the Commission’s Strategy for the Fifth Assembly had been launched and that an intranet message had been prepared to highlight the change to the mission statement. The Heads were asked to advise their teams that they should instigate any necessary changes to literature, internet references and email signatures, etc.

The LLywydd had issued a thought piece around reform of procedural matters. A paper on potential proposals for changing the Assembly’s name would be presented to Commissioners at their meeting on 19 September.

The Annual Report and Accounts had been laid and work was now underway to prepare for the Public Accounts Committee’s evidence session on 19 September.

The Management Board would next meet informally on the first day of the new term, 9 September, with a formal meeting on 10 October for the annual capacity planning session.