Agenda and minutes

Venue: Conference Room 4B - Tŷ Hywel.

Contact: Liz Jardine 

Items
No. Item

1.

Introductions, apologies and declarations of interest

Minutes:

Apologies were received from Lowri Williams, Head of Human Resources.

There were no declarations of interest.

 

2.

Communication note to staff - Non Gwilym

Minutes:

Non Gwilym would draft a note of the Management Board discussion for the news page.

 

3.

Minutes of the Previous Meeting

Minutes:

The minutes of the 2 February Management Board meeting were agreed subject to an amendment to the wording of the corporate risk relating to the name change consultation.

 

4.

Activity on the Assembly Estate

Paper 2 – Activity on the Assembly Estate

Minutes:

Craig introduced the paper, on behalf of Natalie Drury-Styles, and asked the Board for comment.

The Commission’s Strategy for 2016-2021 highlights the importance of enabling and encouraging public engagement in the Assembly’s work. To align better with the Commission’s priorities, the paper suggested that the management of events on the estate move to a more pro-active, strategic and considered approach.

The Board discussed the paper, agreeing that this was a priority issue for the current Commission. Ensuring that the right balance was struck between the range of events was emphasised, whilst being mindful of carefully managing stakeholder perceptions of any change in the arrangement and organising of events.

To allow sufficient time for further drafting to take place, the paper will be put to the Commission at its meeting on 15 May.

 

5.

Cyber Security Awareness

Presentation

Minutes:

The Board welcomed Drew Evans and Paul Peters to the meeting.

Drew explained to the Board that 6 million user accounts worldwide had been breached in January 2017 alone and that the biggest threat to an organisation’s cyber security is often found from within; raising awareness amongst staff is therefore the most effective form of defence. The Board were informed of the impact any potential cyber incident could have on an organisation, ranging from data loss right through to wide-scale business disruption. In addition, there could be longer-term impacts on reputation and stakeholder confidence.

Since last September a wide-ranging assurance exercise had been conducted to review the Assembly’s robustness to any potential cyber threat. Whilst steps have been taken to reduce the risk of a cyber-attack, Drew re-emphasised the importance of improving staff awareness with regard to tackling any threat.

Drew informed the Board of the upcoming Cyber Security Awareness Week taking place from 6-9 March. These sessions, aimed at staff, will consist of short awareness raising videos along with an opportunity to ask questions afterwards. It was felt that given the importance of the topic it should be compulsory for staff to attend these sessions.

The Board were introduced to Detective Inspector Paul Peters, from TARIAN, who delivered the second of the awareness raising presentations. Paul talked the Board through examples of some of the threats posed to organisations through the use of social engineering, phishing emails, ransomware threats and DDoS (Distributed Denial of Service) attacks.

ACTIONS: Management Board agreed to make attendance at an awareness session mandatory for all staff; Service Heads were asked to strongly encourage their staff to attend the awareness raising sessions taking place between 6-9 March.

 

6.

Corporate Risk

Minutes:

Dave introduced the Corporate Risks paper, informing the Board that it was an opportunity for them to review the Assembly’s existing and emerging corporate risks.

The Board agreed the recommendations to:

· add the personal security and safety risk to the Corporate Risk Register;
· continue to monitor the personnel security risk at service level;
· add the General Data and Protection Regulation risk to the Corporate Risk Register, with a target duration of until May 2018;
· continue to monitor the Members’ awareness of Safeguarding of children risk at service level, with a decision to be taken at a future date as to which service should own the risk; and
· further to consideration by ACARAC, that the Assembly’s current and future accommodation needs risk be added to the Corporate Risk Register.

The Board also noted the following new or emerging risks:

· Establishment of a Youth Parliament. Non informed the Board that the Youth Parliament working group have considered the risks associated with the project and will be doing so again at its next meeting;
· the lack of strategic and co-ordinated interactions with the media, which had been added to the service level register.

The Board discussed adding a new risk to the Corporate Risk Register regarding constitutional change. The intention would be for this to encapsulate a collection of similar risks associated with the changes taking place, to provide the Board with the overall oversight required.

ACTIONS:

· Dave to work with Adrian, Anna and Non, to draft a detailed note and circulate for wider discussion.

 

6.

Any other business

Minutes:

The latest Financial Management Report would shortly be circulated. Claire reminded the Board to ensure that their service areas provide a very accurate picture of spend for the remainder of the financial year.