Wednesday 4 December 2024
MICROSOFT TEAMS 10:00 – 13:00
(Private discussion 13:00-13:15)
ARC Members
- Anne Moises NRS Non-Executive Director
- Tim Wright NRS Non-Executive Director
ARC Attendees
- Alison Byrne NRS, CEO
- NRS, Director of Corporate Services & Accountable officer
- NRS, Director of Digital & Delivery (until break)
- NRS, Director of Information and Records Services (until break)
- NRS, Chief Financial Officer
- Internal Auditor – Scottish Government
- Internal Audit Manager – Scottish Government
- Engagement Director for NRS – Grant Thornton
- Engagement Manager – Grant Thornton
- NRS, Head of NRS Business Management
- NRS, Corporate Business Assurance Manager
- NRS, Business Management (Secretariat)
Apologies
- Maggie Waterston (Chair) NRS Non-Executive Director
- NRS, Director of Census Statistics
- Head of Census PMO
- Internal Audit Manager – Scottish Government
1. Welcome, Introductions and Apologies. Declaration of Interests & Matters Arising
1.1 Anne Moises welcomed everyone to the meeting. Apologies were noted as listed above.
1.2 There were no declarations of interests or matters arising.
2. Meeting held on 28 August 2024
2.1 The minutes were approved and would be published on the NRS website.
2.2 A review of actions was undertaken. The action tracker would be updated accordingly.
2.3 Tim Wright asked if the Oracle Cloud recruitment freeze had impacted on Non-Executive Director (NXD) recruitment. The Director of Corporate Services & Accountable officer advised that NXD recruitment was not impacted and that following feedback from Tim Wright on the induction plan the onboarding process and introduction pack would be updated and shared with NXDs for their input ahead of new NXDs starting.
2.4 NXDs requested an update on action A24/24 - BMU to arrange a meeting between NXDs, CEO and The Director of Corporate Services & Accountable officer prior to ARC to discuss the ARC Checklist of Improvement Actions. The Director of Corporate Services & Accountable officer confirmed that a meeting would be set up now that new CEO had been appointed.
2.5 NXDs requested a meeting be arranged to discuss outline and drafting of an NRS governance statement. The Director of Corporate Services & Accountable officer confirmed a meeting would be arranged early 2025.
Action 27/24: Meeting with NXDs to be arranged to discuss outline and drafting of a NRS governance statement. Action Owner: The Director of Corporate Services & Accountable officer / CEO
3.1. Update on new NRS Risk Register and Risk Framework
3.1.1 The Director of Corporate Services & Accountable officer and Corporate Business Assurance Manager introduced the NRS Risk Dashboard to the meeting and covered the following key points below:
- NRS Risk Management was now in line with SG Risk Framework
- The Risk Register had been reviewed and an Issues Log had been created as part of the refresh work. The Issues Log would be presented to ARC at the next meeting
- This work had enabled the Executive Management Board (EMB) to provide more focus on strategic issues
- Further work was required around risk mitigation and risk scoring as the new process was rolled out
- The Corporate Business Assurance Team had attended various NRS boards to learn more about organisational risks and promote the risk refresh work
- The Corporate Business Assurance Team were meeting with the Scottish Courts and Tribunals Service and Education Scotland early in 2025 to see how they escalated risks and see if there was another layer of assurance that could be added to the risk process
- A draft responsibility assignment matrix (RACI matrix) and data flow information diagram would be presented to ARC at a future meeting
- NRS Data Flow information was being reviewed to identify any risks
- The Cyber Risk was being reviewed to explore how risk scoring could be reduced
- A corporate risk was being developed around the NRS Climate Change Strategy
- Regular risk deep dives were being introduced into NRS cadence for 2025
3.1.2 Alison Byrne noted the risk refresh work provided a baseline to develop a risk appetite statement and helped NRS to ensure they were taking a consistent approach towards risk management. Alison advised that the EMB agenda would be refreshed early 2025 to allow more time for strategic discussion, risk and issues deep dives.
3.1.3 Anne Moises asked if NRS were aligning with SG updates to the risk framework, how risks were being managed locally, and if the risk framework would be adopted consistently across NRS. The Corporate Business Assurance Manager advised NRS had fully adopted the SG risk framework. The Corporate Business Assurance Manager advised NRS teams were using local risk registers and that NRS had streamlined risk management by encouraging NRS boards to use local risk registers and adopt the Corporate Risk Register where possible. The Director of Digital & Delivery advised NRS had adopted all SG risk controls and had also maintained additional local controls around the local cyber risk management and NRS Operational Risk Forum. The Director of Digital & Delivery advised this work had helped to improve NRS risk culture and proactivity towards risk management.
3.1.4 Tim Wright suggested further narrative would be helpful to incorporate within the risk register to provide ARC with assurance that risks were moving towards the path to green. The Director of Corporate Services & Accountable officer noted Tim’s suggestions and advised the challenge was that the path to green timeline was lengthy for a lot of NRS corporate risks but that NRS were looking how risk mitigation and narrative could be developed further.
3.1.5 Anne Moises asked where the risk narrative would be captured around risk scoring not changing due to risk tolerance. The Director of Corporate Services & Accountable officer advised the risk register would be developed to capture risk tolerance and that future EMB risk deep dives would help to develop the narrative around this. Alison Byrne advised collective sessions were planned on risk appetite to help NRS to set risk tolerances. Alison noted the narrative captured against each risk would set this out and include target dates for key actions. Tim Wright noted inherent risks linked closely with NRS risk appetite.
3.1.6 SG Internal Auditors asked if the Future Archive Services risk was included in the NRS issues log. The Director of Corporate Services & Accountable officer confirmed this was on the NRS risk issues log.
3.2. NRS Risk Dashboard
3.2.1 Members noted the NRS Risk Dashboard.
3.2.2 Tim Wright requested further information around why the cyber risk appetite scoring was high and eager. Tim interpreted this scoring as NRS being prepared to take on significant levels of risk in order to mitigate this risk. Tim expected this appetite to be cautious scoring. Alison Byrne advised a risk appetite session was planned for early 2025 to explore NRS risk appetite and tolerances further. Alison advised risk tolerances may change following these sessions. The Corporate Business Assurance Manager advised the scoring was high due to the D&G NRS CR cyber-attack and would be reviewed when risks were split into potential and future cyber-attacks.
4. Update on Data Sharing and Information Governance workstreams
4.1 Alan Ferrier provided an update on Data Sharing workstreams with the key points below:
NRS had developed five key workstreams to co-ordinate the actions and improvements in response to the NHS D&G cyber incident:
- NHSCR level: NHSCR Recovery, Future of NHSCR
- NRS organisational level: IG Organisational Actions, Data Sharing and Flows, Data Maturity
4.2 Tim Wright asked how project actions and activities had emerged. Alan Ferrier advised that lessons learned were highlighted by the incident and pre-existing work had also been accelerated. Alan advised NRS were placing greater importance on cyber resilience and that some workstream actions required resource and investment across multiple partners.
4.3 The Director of Information and Records Services provided an update on IG workstreams with the key points below:
- Information governance policies were up to date
- The project provided clarity around work required for data sharing agreements
- Successful funding bid made for discovery work on formal and informal data sharing improvements
- NRS were updating their data sharing policy
- New data sharing procedures being developed, including application form, risk profile
- New matrix, security assurance questionnaire and review processes under development
- Expanded data agreements and arrangements register
- Sharing arrangements and agreements were being reviewed
- Main tranche of Delivery plan discovery work from Jan to Apr 2025
- Reviews of known, active data sharing agreements from Jan 2025
- Consultation on revised policies and procedures from Feb to May 2025
- Training and awareness for NRS staff in June 2025
4.4 Anne Moises asked if data sharing work was being tracked as a risk on a local risk register. The Director of Information and Records Services confirmed this was on the IRS local risk register.
5. Progress Report: Future Archive Services
5.1 The Director of Digital & Delivery provided an update on Future Archive Services with the key points below:
- A Programme Manager had been appointed
- NRS were in the process of recruiting two Business Analysts
- Deloitte contract awarded to assist with wider project strategy and Target Operating Model (TOM)
- NRS Programme Board established and would have oversight of the work
5.1.1 Tim Wright requested early sight of the Future Archive Services project timeline and milestones. The Director of Digital & Delivery advised that the Future Archive Services Project Manager would look to develop a roadmap and would share this with ARC once available. The Director of Digital & Delivery offered to arrange a future session with NXDs on Future Archive Services.
Action 28/24: The Director of Digital & Delivery to share Future Archive Services Project Plan with ARC. Action Owner: The Director of Digital & Delivery
Action 29/24: The Director of Digital & Delivery to arrange a session with NXDs on Future Archive Services Project. Action Owner: BMU/ The Director of Digital & Delivery
5.3 SG Internal Auditor suggested NRS bring in Triple PA external assurance for the Future Archive Services work. The Director of Digital & Delivery confirmed the Delivery team would follow up on this suggestion.
Action 30/24: The Director of Digital & Delivery advised the Delivery team would consider Triple PA external assurance for the Future Archive Services work. Action Owner: The Director of Digital & Delivery
5.4 Anne Moises noted the importance of managing SME workloads. The Director of Information and Records Services agreed one of the biggest risks was management of SME workloads.
5.5 The Director of Information and Records Services advised the current focus was to develop a business case for a new Digital Archiving Preservation system as the current system would be unable to deal with digital data at scale. The Director of Information and Records Services advised many providers of digital preservation systems had hidden costing models so NRS were recruiting a contractor to move this work forward as a priority. The Director of Information and Records Services advised a business case would be developed and approved by EMB by end of April 2025 with a target date to bring in new system to be operational early 2026. The Director of Digital & Delivery advised NRS had re-prioritised IT resources to assist with this work as a priority and were engaging with DAO colleagues.
5.6 Tim Wright noted NRS requirement for a technical architect / expertise and asked if NRS had engaged with external innovation and academia organisations such as Civtech Scotland and Interface. The Director of Information and Records Services advised NRS had done this in the past and has started discussions with SG Digital around the use of AI.
5.7 Anne Moises requested how NRS were going to evaluate and cost the proposals obtained for a Digital Preservation System and how NRS would consider solutions pre ingestion work. Anne also asked if NRS had a Technical Design Architect. The Director of Information and Records Services advised NRS needed to build their own pre-ingest work and depositors needed an exit strategy for the systems they were currently using. The Director of Information and Records Services advised NRS were in dialogue with stakeholders sending data to NRS. Assets end NRS needed to have discussions around a portal.
5.8 Anne Moises noted the Digital Preservation System was a tactical project and asked if NRS had mechanisms in place to capture learning which could be fed into the longer term strategic Digital Archiving Program project. The Director of Information and Records Services confirmed that most of the discovery work, assumptions and decisions were made with the longer-term strategic project in mind.
5.9 The Director of Information and Records Services provided and update on the NRS archive storage environments project. The Director of Information and Records Services advised NRS were looking to stabilize NRS archive storage environments and were treating records affected by mould. The Director of Information and Records Services advised a proposal for a treatment area was being reviewed with procurement and costings underway.
5.10 The Director of Digital & Delivery and The Director of Information and Records Services left the meeting.
6.1. Census 2022 update
6.1.1 The Director of Corporate Services & Accountable officer provided an update on Census 2022 with the key points below:
- NRS publication of a multivariate data on 27 November 2024 had received positive feedback
- Census General Draft Report was progressing well, with plan to finalise document by 9 December 2024 and final report to be published 17 December 2024
- Engagement with Scottish Government around report prior to publication 17 December
- Benefits Realisation progressing well with a number of channels through which to gather case studies. Benefits realisation paper was being developed for the next NRS Programme Board
- NRS were aligning with Office for Statistical Regulation (OSR) phase 3 assessment ‘how well the statistics have met user needs’ with a summary paper to Programme Board in March 2025
- The Census 2022 program would close March 2025
6.1.2 Tim Wright requested more detail around the benefits realisation case studies. The Director of Corporate Services & Accountable officer advised NRS were looking to develop a statement of benefits. The Director of Corporate Services & Accountable officer advised Census 2022 had a wide audience and wide use of statistics. The Director of Corporate Services & Accountable officer advised there were a wide range of case studies to draw down and NRS were arranging benefits engagement sessions with user groups to get a better understanding of how groups used Census data to develop a wider statement of benefits in collaboration with users. The Director of Corporate Services & Accountable officer advised this work would also help to measure the value of Census data and inform SG policy and communities.
6.2. Update on Future of Population Statistics (FoPS) (oral)
6.3 The Director of Corporate Services & Accountable officer provided an update on FoPS with the key points below:
- The FoPS Strategic Outline Business Case would be presented to EMB for formal approval following confirmation of the SG budget position in December 2024
- An Outline Business Case was planned in 2026, followed by Full Business Case in 2027
- NRS were continuing engagement with SG to raise awareness of the FoPS programme
- Feedback from SG was that the FoPS business case was robust but no funding had been allocated in the SG budget for 2025-26 for FoPS
- NRS advised SG there was a delivery risk if no funding was allocated for FoPS
- Alternative options for FoPS had also been presented to SG
- Focus for FoPS planning and risk register including contingency planning if funding not successful
- NRS would continue to fund Census 2022 into 2025-26 to retain skilled resources and ensure NRS could transition to FoPS programme once funding programme secured with ministers
- NRS had to prioritise this over other spending commitments
- NRS Delivery were working on a multi-year roadmap
- Staff Sessions were arranged to brief staff on the current budget position
- NRS were monitoring the direction of other countries regarding FoPS
6.4 Anne Moises agreed the NRS business case was robust and hoped that funding would be secured early so planning could begin and the lessons learned from the last Census be taken on board. Anne noted it would be extremely challenging to recruit the same level of skills in future if NRS could not retain the current level of skills and expertise. Anne advised NRS to call on NXDs if support was required.
6.5 Alison Byrne thanks NXDs for their support and gave thanks to NRS teams for their tremendous work and effort towards developing a robust business case. Alison advised NRS would be advising SG around future risks if funding was not provided and the tremendous expertise and value of the Census team was lost.
6.6 Tim Wright asked what the timescales were for future Census funding. The Director of Corporate Services & Accountable officer advised early years funding for the Census 2022 was also challenging and had impacted on the delivery plan for the Census 2022. The Director of Corporate Services & Accountable officer advised admin-based model would allow for a flatter more regular funding model. The Director of Corporate Services & Accountable officer advised NRS were continuing negotiations with SG and would advise there was a delivery risk if no funding was allocated for FoPS.
7. Service Delivery Performance, sustainability and KPIs
7.1 Jane Milne introduced the paper with the following key points below:
- NRS were developing a performance framework around Operational Service Delivery and Customer Service Delivery which would report into ARC and Customer Operations Board (COB)
- NRS had been developing Operational KPIs over the last two years and had reached end of the first year of KPI reporting bring together a lot of different reporting from across the organisation. KPI reporting had doubled in this time
- COB would review KPIs and take direct action on KPIs
- For example NRS registration KPI introduced desk instructions and KPI moved from 80% to 100%
- Temp staff were brought into to improve KPIs for IRS catalogue
- NRS were in the process of developing shared service level KPIs
- NRS were monitoring new KPIs in Q2
- COB deep dive on KPIs arranged for January 2025
- NRS Strategy, TOM and Vision were being reviewed
7.2 Anne Moises noted ARC would be updated on KPIs at the next meeting to understand how KPIs were measured.
7.3 Tim Wright noted KPIs would be useful for EMT monitoring and useful for strategic decision making from a governance standpoint where NRS could identify significant deviation from normal performance.
7.4 Alison Byrne noted the work would be important in developing strategic KPI’s to align with future NRS Strategic objectives.
8.1 NRS Financial Report: Financial Performance and Achievement of Financial Targets
8.1.1 The Chief Financial Officer presented NRS Financial Performance and Achievement of Financial Targets. Members noted the 2024/25 forecast outturn position at October 2024 (Period 07).
8.1.2 ARC noted the implementation of Oracle Cloud had impacted the financial accuracy of reported values. ARC noted due diligence had been carried out and noted caveat around the accuracy of the reported numbers which would be corrected in line with SG incident management response. ARC noted NRS did not consider any movement in future months to be of material value or to impact on NRS decision making. The Chief Financial Officer advised a planning and priority session was scheduled with EMB for 25th January 2025.
8.1.3 Tim Wright asked if Oracle Cloud teething issues could affect annual audit work. The Chief Financial Officer advised finance were manual reporting and resourcing adjusted so unlikely to impact annual audit work. The Chief Financial Officer advised concerns around NRS assets were recorded on the local risk register and Corporate Issues log.
8.2 Financial Sustainability: Update on Fees, Charges and income (FCI) project
8.3 The Chief Financial Officer introduced the paper with the following key points below:
- FCI program stood up October 2024 with key objectives to achieve full cost recovery for all NRS products and services, increase income generation for NRS and ensure NRS were a self-sustainable organisation
- Discovery and planning stage had been completed and EMB had approved the FCI project to move into Delivery stage
- NRS would start to see material additional income from 2025-26 as project life cycles were completed
8.4 Anne Moises asked how this work linked in with wider government shared services strategy, appetite and mechanisms. The Chief Financial Officer advised NRS had developed the FCI project in response to wider public service reform and future financial landscape. Alison Byrne advised NRS were working with other public bodies to identify key strategic priorities in response to the long-term fiscal outlook for public finances.
8.5 Tim Wright suggested there was potential to explore external perspectives on where revenue generation and partnerships could be developed and if there was potential to combine assets. Tim also suggested potential for entrepreneurial opportunities for collaboration. For example, Geovation Scotland which is a collaboration between Registers of Scotland and Ordnance Survey which exists to accelerate property and location innovation in Scotland.
9. External Audit update
Grant Thornton provided an update on external audit work with the key points below:
- Grant Thornton would be seeking an additional audit fee due to the additional audit work to map two sets of journals in 2024-2025
- Annual Audit Plan for financial year 2024-2025 would be presented at the next ARC
- This would provide an understanding of the entity and review key business areas including income, expenditure, evaluations, journals and IT systems linking into SEAS and Oracle
- Planning to undertake early testing procedures around income, expenditure, journals and payroll for the first six months of the year
9.1 ARC noted the update.
10. Internal Audit progress reports on active/follow-up audits
10.1 SG Internal Auditors introduced the Internal Audit progress reports for 2024/25 on active/follow-up audits with the key points below:
- On track to deliver the audit plan for this year
- At planning stage for next year’s audit activities
- Meeting next week to review audit work for next year
- Further training available for NXDs through Government Internal Audit Agency (GIAA)
- Oracle Cloud had also impacted on audit work
- EY would audit the Oracle programme at the end of Q4 including hypercare and phase 2
- Noted the Water Industry Commission for Scotland independent review highlighted a number of key issues such as poor governance, lack of challenge and scrutiny at Audit and Risk Committees and Boards and a culture of poor controls within that organisation
- SG reviewing whistleblowing review policy and procedures
- Governance report provided to ARC on delivery of audit plan
10.2 Anne Moises requested further information around the internal audit report comments around NXDs scrutiny and ARC minutes. SG Internal Auditors advised there wasn’t sufficient documentation providing evidence to see that there had been sufficient scrutiny from the details in ARC minutes.
10.3 Tim Wright noted that NXDs role was advisory questioning rather than a formal scrutiny role. Tim also noted that future NRS NXD recruitment would be improved following feedback from and future NXD recruitment would ensure a good balance of support and challenge that matched NRS business requirements.
10.4 The Head of NRS Business Management advised the feedback around minuting had been taken on board and a template was being developed to include an executive summary for meeting papers. The Head of NRS Business Management confirmed a list of NXD Self Improvement Actions were also being taken forward.
11. NRS Audit Recommendations Status Report
11.1 The Director of Corporate Services & Accountable officer advised NRS were managing resources and were working with leads to close audit recommendation actions. Anne Moises requested timescales for closure.
Action 31/24: The Director of Corporate Services & Accountable officer to provide timescales for closure of actions from audit recommendation action report. Action Owner: Director of Corporate Services & Accountable officer
11.3 SG Internal Auditor advised Global Intel Audit Standards would be updated in 2025 which would impact on SG audit procedures.
12. Committee Reports - To Note and Questions
NRS Governance Report
12.1 The Committee noted the report.
12.1.1 Anne Moises asked if mock exercises were being simulated by NRS to test incident response plans and business continuity framework. The Director of Corporate Services & Accountable officer advised once the new BCP was in place NRS would carry out regular testing on a rolling basis.
12.1.2 Anne Moises asked how the NRS business continuity plan captured services delivered by other organisations that were critical to NRS such as Oracle and Scots. The Director of Corporate Services & Accountable officer advised work was ongoing to link in with SG SGORR from an IT perspective and systems delivery perspective to develop NRS BCP planning and support arrangements around this.
12.1.3 Tim Wright asked about the Ancestry Ireland vs ICO tribunal. The Director of Corporate Services & Accountable officer provided a short update noting that this was a live legal case and would update the ARC once it was concluded.
NRS Portfolio report
12.2 The Committee noted the report.
NRS Assurance update
12.3 The Committee noted the report.
13. To Note: ARC Forward Look for year ahead
13.1 The Forward Look was noted by all Committee members.
14. AOB & Date of Next Meeting
14.1 The date of the next meeting was noted as 26 February 2025.
End
