ARC Members Present:
John-Mark Frost (JMF) – Chair
Samina Ali (SA)
Andrea Gale (AG)
Jonathan Pearce (JP)
Ben Summers (BS)
Guests:
Jonathan Maddock (JMa) – TIAA
CDPS staff:
Myra Hunt (MH) – CEO
Phillipa Knowles (PK)
Kath Morgan (KM)
Secretariat:
Jon Morris (JM)
The meeting opened at 14:00
ITEM 1: ARC BUSINESS
1.1 The Chair welcomed Members to the meeting. Apologies for absence were received from Harriet Green.
1.2 The ARC approved the minutes of the meeting held on 23 October 2024 as a true and accurate record but asked for added clarification before publication regarding the cumulative/long-term affordability of the approved Pay Review.
1.3 The action log was received, and members raised no specific concerns or queries on progress.
1.4 Members confirmed that there were no items to be discussed which were not represented on the agenda.
ITEM 2: 2024-25 Q2 FINANCE REPORT
2.1 MH and KM presented the finance report to the ARC, with MH noting that the excess cash balance (above the permitted 2% of total grant for end-of-year) will be managed by CEOs and SLT through Q4 to ensure compliance with WG’s Framework Agreement.
2.2 Redacted – Commercially sensitive.
2.3 KM opened the floor for questions and comments on the Q3 finance paper.
2.4 Members discussed the under-utilisation of the staff training budget, noting the underspend in the quarter and year-to-date. KM identified difficulty in encouraging staff to utilise their training budgets, which could stem from a range of reasons, including not wanting or needing training for their role, not having capacity to take time out, or finding that the budget is not high enough for their needs. PK discussed that the current Succession Planning piece will help guide staff development.
2.5 ARC members identified that the reported figures for “Financial YTD Expenditure for % spend variance” are not clear and either need to be recalculated or relabelled.
ACTION: Kath to review % Spend variance column to ensure clarity and informational value for ARC members.
2.6 JP offered to review the format of the report to make it more indicative of spend in quarter vs. cash per quarter.
2.7 Members questioned CDPS’s confidence that we will achieve the increased spend in this quarter against the previous three quarters. MH explained that delivery costs are significantly higher due to the need to bring in contractors in place of staff following staff turnover in the last quarter.
2.8 Tech Consultancy – CDPS has procured the services of The PSC to bring in strategic Technical advice. The intention is that CDPS will be able to build out our standards offer and expand our bank of reusable assets. The PSC have been working at the heart of government for a number of years, and one of their consultants, Antonio, has published quite extensively on AI, and they have been advising on the design of GDS’s restructuring. The PSC will be interviewing stakeholders, interviewing executive members and working with CDPS to generate workable options and models for us, particularly around how CDPS’s positioning should be going forward, especially in our work around AI.
2.9 Since the departure of CDPS’s Head of Technology, various SLT members have taken ownership of different aspects of our AI work, and consequently it's being embedded in our services in different ways. It is therefore a key strategic decision to bring in this consultancy to holistically consider how we should take forward our work on technology, focusing on AI, on reusable assets and on building out our standards offer. We need to consider whether or not we attempt to recruit a subsequent Head of Technology, or whether that becomes a Head of Data and Technology role, what kind of level it should be at and, more broadly, how to develop CDPS in these areas.
2.10 ARC members were concerned that the level of spend is relatively small and would like to see the scope of work.
ACTION – MH to send procurement docs to BS for review and discussion
Decision – ARC decided to approve the Q3 Finance report.
ITEM 3: DRAFT BUDGET 2025-26
3.1 MH introduced the draft budget, noting that the budget will need to be iterated as CDPS is not permitted to plan for a budget deficit or to include a carry-forward from the previous year.
3.2 KM noted no larger swings in levels of funding by team for next year compared to this, though she and MH noted the move to specialising in a Standards Team in addition to the CDPS structure.
Decision – ARC decided they were happy with the content of the report, but that this was not for approval at this stage.
ITEM 4: RISKS UPDATE
4.1 JM presented the risk paper, introducing the hot topics from the Operational Risk Register and the whole Strategic Risk Register, explaining the changes on both from feedback received at October’s ARC meeting.
4.2 MH noted that Strategic Risk 5 was currently in review following the linkages with the findings from the Critical Friend Review and potential changes to CDPS’s remit, making it difficult to allocate a numeric risk at this time.
4.2 JMF suggested that renaming Operational Risk 3 from “Poor control of financial expenditure” to “Insufficiently tight control of financial expenditure to hit the maximum 2% carry forward at year end” would be more representative of the risk to be monitored and controlled. This suggestion was accepted by all.
ACTION – JM to rename Operational Risk 3 from “Poor control of financial expenditure” to “Insufficiently tight control of financial expenditure to hit the maximum 2% carry forward at year end”
4.3 ARC questioned how CDPS were monitoring effectiveness of Key Controls and Forms of Assurance. JM and JMa explained that Risk Management Controls was in the Internal Audit schedule being proposed by TIAA and encouraged ARC members to feed into the decision-making process for identifying risks to test.
4.4 Members suggested a deep dive on one Strategic Risk at each ARC meeting to ensure thorough review and avoid glossing over risks. Members also noted that all Strategic Risks were currently owned by the CEOs and recommended the CEOs discuss delegating some responsibility to SLT members as co-owners.
ACTION – CEO to prepare rolling series of Strategic Risk deep-dives for quarterly ARC meetings.
ACTION – CEO to review strategic risks with SLT to agree co-owners.
4.5 ARC members accepted the Risks paper and were content that the CEO and SLT were managing the risks effectively.
ITEM 5: PROCUREMENT DEPARTURES
5.1 JM presented a paper explaining the rationale, decision-making process and additional costs involved in obtaining additional services from BCC IT, CDPS’s Managed IT Service Provider. The Paper included a draft Contract Change Notice (CCN), for which CDPS was seeking approval before implementing with the supplier.
5.2 The additional services to be included in the contract were: Microsoft Copilot licences for CDPS staff to trial, rollout of monthly vulnerability scanning for all CDPS endpoints, DMARC email validation, and an additional clause in the BCC/CDPS Terms of Service regarding notification of cyber incidents.
5.3 Members raised the question of data security with the use of an AI solution. JM explained the monitoring and pre-rollout considerations, including DPIA, which had been undertaken, assuring members of CDPS’s ability to mitigate the current risks.
5.4 BS sought clarification around the vulnerability scanning of endpoints and remediation of any identified issues. JM explained that the remediation of identified vulnerabilities was now a KPI for BCC with CDPS, and was discussed at every Contract Management session. JM confirmed that he receives a full copy of the vulnerability scanning report and is able to confirm closeout of potential issues with BCC.
5.5 JM explained that the current CCN gives scope for 11 Copilot licences at this time, but that from February CDPS may wish to extend the number significantly as more users join our trial. As Copilot licences are a fixed price regardless of third-party (non-Microsoft) supplier, JMF suggested that approval for a future CCN could be achieved via correspondence rather than at an ARC meeting.
Decision – ARC were content that CDPS was acting appropriately with the proposed CCN, and were happy for the changes to be implemented.
ITEM 6: FRAUD REGISTER
6.1 There were no new items identified in the Fraud Register for discussion and consideration by the ARC.
ITEM 7: INTERNAL AUDIT
7.1 JMa introduced the SICA report and progress against the annual plan. There were no comments or queries from ARC members.
7.2 JMa introduced the results of the one audit conducted during Q3, Wellbeing. JMa noted that the audit had achieved an assessment of “Substantial Assurance”, the highest possible grade, indicating strong processes and support for staff wellbeing. ARC members had no comments or concerns on the audit and noted that CDPS should be proud of achieving such good results.
7.3 JMa presented the internal audit plan and audit strategy for the next three years, highlighting the flexible nature of the plan and the ability to adjust based on emerging risks and organisational needs.
7.4 Committee members questioned why Key Financial Controls (KFC) was being assessed during every financial year. JMa explained that KFC was performed each year, but that the scope was on a three-year rolling cycle. Each year specialises by looking at two or three areas of KFC, covering all financial controls during those three years.
ACTION – JMa to provide more details on the three-year scope of the KFC audits to JP.
ACTION – JMa to split the KFC audit to multiple lines in the plan, with a brief description of scope for each.
Decision – The committee approved the internal audit plan and the updated internal audit charter, which includes new sections and enhancements in line with global internal audit standards.
7.5 JM gave an update on outstanding internal audit recommendations. PK expanded on Business Continuity, noting the plans for business continuity training and testing, with a report to be provided to the Audit and Risk Committee in April.
ITEM 8: REVIEW AND LOOK AHEAD
8.1 JM reminded members that as per their agreement in April 2024, CDPS’s draft Financial Regulations will be returning in April 2025 with changes reflecting the fully in-housed finance function.
8.2 Members requested that they be able to review CDPS’s staff churn at a future meeting.
ACTION – PK to prepare a paper on CDPS Staff churn for consideration at a future ARC meeting.
ANY OTHER BUSINESS
8.3 There were no items raised by any attendee.
ITEM 9: IN-CAMERA SESSION
9.1 In-camera session between ARC members and JMa. No CDPS staff attended, and the discussion was not noted.
The meeting closed at 15:50