Agenda item

IT Assurance

(To receive a report from Simon Oliver, Chief Technology Officer, which provides the Committee with an insight into the assurance status for Information Management Technology)

Minutes:

Consideration was given to a report which provided the Committee with an insight into the assurance status for Information Management Technology.  There were well established assurance maps which helped to focus work plans on the risks which would affect the successful delivery of the services and strategic objectives. 

 

In relation to Information Management, these services were either rated green or trending to green.  Those that weren't were where the Council was relying on an outsourced provider for services.

 

Maturity assessments had been undertaken, and IT services had been reviewed from a customer perspective and from an internal point of view.  These assessments demonstrated that the IT Service Provider was not fulfilling the contractual commitments in many areas.

 

There was a requirement for IT to deliver a different way of working, and it was currently unable to get those initiatives delivered in a timely manner.  The solutions which were being presented fell short of what was needed to bring the services to adequate levels, regardless of the levels committed to within the contract. 

 

In terms of service delivery, there were a number of initiatives which should prevent outages that impact day-to-day service delivery.  The IT Service Provider was operating a reactive rather than proactive service, which was contrary to the standard industry methodologies which were contracted for.

 

One of the strategic risks was the risk of cyber attacks.  This was also an ongoing national risk.  There were thousands of attempted malware attacks every day, and there was a need to ensure that the authority had the right skills available to identify and manage this risk, and had systems in place to minimise the risk.  It had been difficult for the Council to gain proposals for key technology solutions to mitigate the risks, as identified before and after two malware outages.

 

Members were provided with the opportunity to ask questions to the officers present in relation to the information contained within the report and some of the points raised during discussion included the following:

·         There was a need for the Audit Committee to have sight of the high level action plan which was in place to bring this risk under control.

·         It was noted that the authority was struggling to get a level of commitment from Serco to address the issues.

·         There was a need for the Executive to work to ensure that key members of the IMT team were retained.  It was noted that workloads were excessive and there was a lack of capacity within the team due to the need to manage the IT Service Provider to ensure service levels did not worsen.

·         It was reported that there had been assurance from Serco that they would appoint an IT director.

·         One member commented that they sat on the Recovery Group, which did see the programmes and timescales for addressing the issues.  However, it was noted that the information presented to the Recovery Group had not been qualified by the IMT service.

·         It was reported that the authority had achieved recognised international standard ISO 27001:13 in November 2016 for cyber security, but the Council was unable to gain assurance that activities committed to were being undertaken.  This heightened the risk to Cyber Security.

·         The Committee would be kept informed of progress, but there may be a need for a confidential session so the issues could be explored fully.

·         It was noted that the inability to deliver transformational change, and the inability of Serco to provide accurate data, was a risk, but it was not a strategic risk.

·         It was queried whether the public sector was able to manage these risks as stringently as the private sector would.  Members were advised that Lincolnshire had stronger IMT than other authorities in the country.

·         It was requested that the action plan was brought to the next meeting of the Audit Committee.

·         It was queried whether, if continued poor delivery was an operational risk, it was also a threat to other parts of the Council, and it was suggested that it would therefore be a major risk.  Members were advised that this was included in the Annual Governance Statement as a significant governance issue, and officers were currently working on updating the strategic risk register.

·         The contract did allow for the recovery of additional spend where Serco was in breach of contract and the additional Council spend was as a result of that breach.

·         The situation with IT had been raised by all directors as an issue.

 

RESOLVED

 

The Committee requested that the action plan to manage the areas of low assurance, indicated in the Combined Assurance report, be brought back to the next meeting of the Audit Committee.
