Transparency data

RSH ARAC minutes - 19 October 2020

Updated 29 January 2021

Applies to England

PUBLIC MINUTES of the Audit and Risk Assurance meeting

on Monday 19 October 2020 at 11am

MS Teams Meeting (no members were together, and the meeting was deemed to have been held in Beckenham, Kent - the location of the Chair).

4 - Remote and virtual participation
4.1. Any member may validly participate in a meeting through the medium of conference telephone, video conferencing or similar form of communication equipment, provided that all persons participating in the meeting are able to hear and speak to each other throughout such meeting, or relevant part thereof. A member so participating shall be deemed to be present in person at the meeting, and shall accordingly be counted in a quorum and entitled to vote.
4.2. A meeting shall be deemed to take place where the largest group of those members participating is assembled or, if there is no group which is larger than any other group, where the Chair of the meeting is.

Members

• Liz Butler - Chair
• Richard Hughes
• Ceri Richards

Invited officers

• Fiona MacGregor - Chief Executive
• Richard Peden - Interim Director, Finance and Corporate Services
• Maria Craig - Director of Internal Audit, Homes England
• Paul Scott - Head of Internal Audit, Homes England
• Sajid Rafiq - NAO
• Sarah Dickinson - NAO
• Tom Onions - NAO
• Abi Kudus - Finance Business Partner MHCLG

In attendance

• John O’Mahony - Assistant Director, Corporate Services and Performance - for item 5
• Sam Collenette - Head of DPIAC - for item 6
• Steve Lawrie - Head of Digital - for item 6
• Christine Kitchen - Committee Secretary

1. Welcome and apologies

01/10/20 The Chair welcomed everyone to the meeting. There were apologies from Jo Chiverton (MHCLG) and Emma Tarran.

2. Declarations of Interest

02/10/20 There were no new declarations of interest

3. Minutes of previous meeting - 19 June 2020

03/10/20 The confidential and public minutes were APPROVED.

4. Matters arising

04/10/20 Members NOTED the updates provided by management on the matters arising. FM confirmed that the “blue-sky thinking” on the strategic risk register will be scheduled following clarity of the impact of the White Paper. It was AGREED that this discussion would be scheduled with Board and/or ARAC. Management to consider topics for in-depth reviews at ARAC for the January 2021 meeting. FM/RBP

5. Strategic Risk Register

05/10/20 JOM joined the meeting and RBP presented the paper. He reminded members that due to the move to home working due to C-19 lockdown, our response was to re-focus and re-prioritise our work to allow the sector to focus on front line services in response to the crisis and continue to protect tenants and to ensure we were sighted on any impacts on financial viability. The last review of the risk register was at the end of quarter 1 in July, when REG considered the inherent and current likelihood and impact of the risks identified in the register. This resulted in the top 7 out of 14 risks remaining above appetite.

06/10/20 The quarterly review by RRG on 22 September focussed in particular on:

a. how internal or external changes since the last review have impacted onthe risk scores;

b. the range of controls for each risk and their effectiveness; and,

c. whether the further actions continued to be appropriate and whetheractions needed to be added or revised.

07/10/20 Members NOTED the updates on Risk rank 1 (change in Government policy) and 2 (stakeholder perceptions). For Risk rank 3 (sufficient resources) RBP advised that the majority of the resource review posts have now been filled. MC confirmed that the approach to dealing with the impact of C-19 had been agreed with the AO as a topic for an internal audit review.

08/10/20 It was noted that the scores for Risks rank 4 (unable to manage governance and financial viability standard failure), 6 (keeping pace with sector changes) and 7 (data collection and analysis) had not changed as a result of the uncertainty of the impact of C-19 on the sector and the decision to defer the completion of regulatory returns such as the SDR and FFR.

09/10/20 Risk rank 5 (consumer regulation), RBP expanded on the rationale for the RRG proposal and REG agreement to bring both the inherent and current likelihood scores down one point to 5/3 and 5/2 respectively. The results of the CORS survey have been stable and have demonstrated that matters related to the consumer standards and tenant safety are being managed reasonably well by providers. This risk has now been brought back to appetite on the SRR.

10/10/20 Members discussed the measures in place to deal with a sequence of adverse events or a number of provider failures at the same time. RBP advised that operational staff have had initial training on how to deal with I&E provider failure cases and could be drafted in to provide additional support if needed. FM added that we can identify potential problems with individual providers through the data analysis we carry out. However, if there are systemic macroeconomic issues facing the sector, we would have to work with the Department and government to consider solutions. The impact of multiple financial failure is a topic we discuss with MHCLG. It was suggested that we try and draw this out in the narrative on multiple failure on the SRR.

11/10/20 There was a discussion regarding the financial and lender markets. Assurance was given, (and confirmed by RH) that the markets have remained open for business and rates have remained competitive. Lenders are comfortable with the sector as well regulated and the sovereign downgrade by Moody’s has not been reflected in provider downgrades. FM added that some other financial pressures are being reported on leaseholders accessing mortgages for tall buildings. We are aware of these issues for the providers we regulate and will continue to monitor the situation through our stakeholder engagement.

12/10/20 The Chair enquired about how we are managing the risks around staff mental and physical wellbeing whilst staff are working from home. RBP described all the measures we have had in place and continue to offer staff. These include regular team meetings and more recently conversations with ADs on any issues within their teams. Staff have been offered access to equipment, to make their home working areas compliant with H&S standards. MC added that capacity and workforce resourcing is captured in Risk 3 on the SRR and the paper and risk map show how well the RSH monitor these risk areas.

6. Information Risk

13/10/20 SC and SL joined the meeting and RBP presented the paper.

14/10/20 RBP stated that the RSH does not hold a lot of personal data, other than personnel records. We do hold some email and contact details for people who have contacted us for a range of regulatory enquiries.

15/10/20 Only minor data breaches have been identified. These have been reported to the DPIAC team who provide advice on remedial action which is taken immediately. There have been no personal data breaches which have required reporting to the Information Commissioner’s Office. The SIRO and REG would be alerted immediately should any breach be reportable i.e. likely to affect the rights and freedoms of data subjects. There is evidence of a strong culture of transparency and honesty amongst staff and understanding of the need to flag issues. The paper sighted members on the areas of information risk where we have guidance which was adopted from HCA. Work is in progress to adapt this guidance to relate specifically to RSH systems and staff. The paper also set out for members the approach taken to manage risk with third party relationships in relation to GDPR, EU processes, the impact of privacy shields with the USA, and the impact leaving the EU could have on information sharing. We work closely with Homes England who provide the RSH with our IT infrastructure and benefit from the robustness of their processes which have ISO 27001 accreditation. Home England is responsible for disaster recovery in relation to Digital Services and we continue to work with them on disaster recovery testing plans.

16/10/20 RSH now has its own dedicated DPO and her team are developing various training sessions for teams across the organisation and have developed screening questions to indicate if a Data Protection Impact Assessment is required.

17/10/20 Members were given assurance that our systems for picking up data breaches are working well. SL reiterated that staff awareness was good in the RSH. Internally our processes are also robust and our control over user system access rights allow us to resolve issues quickly and safely. SC echoed what RBP and SL had said and in respect of the danger of internally instigated breaches, she gave assurance that our systems will be able to pick up any unusual activity. The training her team are delivering will reinforce to staff the importance of DP and IT and reviewed guidance will support the training of spotting and reporting data breaches. SC reported that to date this year there have been 8 self-reported breaches. The Chair suggested that it would be beneficial for Board members to also receive this training, and SC confirmed that she would include them in the training programme. SC

18/10/20 RBP confirmed when asked that guidance has been issued to staff on the importance of security of equipment and data with staff working at home. SL confirmed that in the event of a theft of RSH equipment, we have the capability to wipe all data held on the device.

7. Internal Audit Annual Report and Opinion

20/10/20 PS introduced the report which provided an IA formal opinion on the adequacy and effectiveness of the framework of governance, risk management and control in operation in the RSH during 2019-20. The review provided a total of two moderate and nine low priority findings raised across all reports. He reported that their overall opinion was a Substantial level of assurance for the year.

21/10/20 Members NOTED that the IA undertook five reviews. PS reported that during the audit of the commissioned 2019-20 IA reviews, the team observed the effective operation of existing control processes at the RSH.

22/10/20 Risk Management arrangements: PS commented on the robust processes for monitoring risk in the organisation and the high quality of reporting and the link to assurance mapping is excellent as IA find this key for the focus of their work. The SRR is a live document in the organisation and the quality of discussions around the SRR is very good.

23/10/20 System of Internal Control was reviewed and independently tested for the areas identified and commissioned in the initial IA work plan of reviews for 2019-20. Three of the Internal Audit reviews completed provided a Substantial level of assurance with a number of low priority recommendations raised for management to consider. The remaining two reviews (IT SLA and Budget Monitoring) provided a Moderate level of assurance and contained two moderate and three low recommendations to strengthen arrangements. PS stated that the IT SLA draft report had been shared with the Board in June by the RSH Executive Team but had not formally been presented to ARAC for comments to IA until now due to timing of meetings.

24/10/20 Governance: PS reported that this was not a specific area of audit this year but had been reviewed in 18-19 providing a Substantial level of assurance. PS stated that as far as he was aware there had been no material change in the Governance arrangements within RSH since the review. The IA team also gain insight via their attendance at ARAC. PS advised that MC was in conversation with the CEO/AO to consider whether observation of other governance meetings could further strengthen their sources of assurance for the 2020/21 audit year.

25/10/20 AK asked whether the risk of insolvency would be picked up in IA reviews. RBP advised that there was a low risk of insolvency for the RSH. The status of the RSH as a going concern will be covered by the NAO audit of the organisation.

26/10/20 The Chair thanked MC and PS for a very comprehensive audit opinion. MC thanked the CEO and teams involved in the various reviews for their co-operation.

8. NAO update

27/10/20 SD started by thanking RBP and his team for their co-operation and quick responses to queries raised by the NAO during the audit process. She reported that the audit had gone well and there were no major areas of concerns, other than a few minor identified misstatements and client agreed adjustments which have been addressed. There are a few suggestions in the disclosures in the Annual Report which apply best practice seen by the NAO across Government for example on the remuneration report. SD confirmed that the final draft report of the RSH accounts was being reviewed and comments will be fed back to the finance team.

28/10/20 SD advised of a couple of minor points on the Management Letter in relation to payroll and journals, but other than these the final audit completion report will be issued to RSH by 22 October to be considered at the meeting on 26 October. Once signed-off by RSH ARAC and Board and signed by the AO, the NAO will follow finalisation process to have the Annual Report and Accounts laid before Parliament.

29/10/20 The Chair thanks SR and SD for their report.

9. Forward Planner

30/10/20 Members NOTED the forward planner. SD advised that it was likely that the timetable for the external audit is likely to be the same as it was this year and it was unlikely that it would move back to a pre-recess timetable. The Chair asked for confirmation that the proposed timing of the submission of the ARA would not reflect badly on the RSH and asked that the messaging around the reasons for the timing was clear. SR advised that there were a number of other NAO clients who had also had their ARA delayed this year due to C-19 and also delays of pension schemes being signed off.

31/10/20 FM confirmed that topics for in-depth assurance reports will be worked up by management and discussed with ARAC.

32/10/20 In light of the likely slippage of the external audit process, the proposed meeting dates for 2021 will be reviewed by RBP and the Board Secretary and re-issued to members. RBP/CK

10. Any Other Business

None.

Date of next meeting: 26 October 2020

A confidential session of the ARAC members and the internal and external auditors followed.