Minutes:
A report of the Director of
Finance was presented to provide information on items scheduled in the work
plan for consideration at the current meeting which were: internal controls and
managing risks and the Fund’s approach to cyber security.
Internal Controls and Managing Risks
The Pensions Regulator’s recently
published General Code of Practice provided the following very broad definition
of Internal Controls:
“Internal controls refer to all the following:
• the arrangements and procedures to be followed in the administration and management of the scheme;
• the systems and arrangements for monitoring that administration and management, and
• arrangements and procedures to be followed for the safe custody and security of the assets of the scheme.”
The Fund’s Risk Management Policy (attached at Appendix B to
the submitted report) detailed the risk management strategy for the Fund,
including:
• The risk philosophy for the management of the Fund, and in particular attitudes to, and appetite for, risk.
• How risk management is implemented.
• Risk management responsibilities.
• The procedures that are adopted in the Fund's risk management process.
• The key internal controls operated by the Administering Authority and other parties responsible for the management of the Fund.
Effective risk management was an essential element of good
governance in the LGPS. By identifying
and managing risks through an effective policy and risk management strategy,
the Fund could:
• Demonstrate best practice in governance.
• Improve financial management.
• Minimise the risk and effect of adverse conditions.
• Identify and maximise opportunities that might arise.
• Minimise threats.
In relation to understanding and monitoring risk, the
Administering Authority aimed to:
• Integrate risk management into the culture and day-to-day activities of the Fund.
• Raise awareness of the need for risk management by all those connected with the management of the Fund (including advisers, employers and other partners).
• Anticipate and respond positively to change.
• Minimise the probability of negative outcomes for the Fund and its stakeholders.
• Establish and maintain a robust framework and procedures for identification, analysis, assessment and management of risk, and the reporting and recording of events, based on best practice.
• Ensure consistent application of the risk management methodology across all Fund activities, including projects and partnerships.
To assist in achieving these objectives in the management of the Fund, the Administering Authority aimed to comply with:
• The CIPFA Managing Risk publication.
• The Pensions Act 2004 and the Pensions Regulator's Codes of Practice as they relate to managing risk for public service pension schemes.
The Fund’s risk management process
was in line with that recommended by CIPFA and was a continuous approach which
systematically looked at risks surrounding the Fund’s past, present and future
activities. The main processes involved
in risk management were identified as Risk Identification, Risk Analysis, Risk
Control and Monitoring.
Progress in managing risks was
monitored and recorded on the risk register, which would be provided at least
annually to the Pension Fund Committee.
A copy of the Risk Register was attached at Appendix C to the submitted
report. The Pension Fund Committee would
be provided with updates on a quarterly basis in relation to any changes to
risks and any newly identified risks and a formal review would be carried out
at least twice a year.
As a matter of course, the
Teesside Pension Board would be provided with the same information that was
provided to the Pension Fund Committee and would be able to provide comment and
input to the management of risks. In order to identify whether the objectives of this policy
were being met, the Administering Authority would review the delivery of the
requirements of the Policy on an annual basis taking into consideration any
feedback from the Teesside Pension Board.
The risks identified were of significant importance to the Pension Fund. Where a
risk was identified that could be of significance to the Council it would be
included in the Risk Register. The risk
matrix was adapted from the one used by the Council and the External Auditor’s
assessment of materiality.
It was queried whether the
issuing of a Section 114 notice by a Council would be included in the Risk
Register. The Head of Pensions
Governance and Investments commented that the risk on the Pension Fund would be
low and it was incredibly unlikely that a Council would stop paying pension
contributions. Tax raising bodies were
secure as if they went into administration they would still be underwritten by
the Government. Admission bodies were
structured so that any liability would fall back on the original body.
There had been some pressure from local authorities to look at whether the Teesside Fund could look at reducing contribution rates because investments were doing well and liabilities had changed. However, after consulting the Actuary and the Funding Strategy Statement it was decided that there was no scope to change rates in between valuations.
Cyber Security
The Fund was responsible for the
personal data of over 80,000 scheme members, ongoing payments to almost 27,000
pensioners and maintaining secure financial records in relation to around £5
billion of assets. All the Fund’s
transactions were carried out electronically and all of
its records were held electronically.
This meant cyber security – the security of those records, transactions
and the systems that facilitated them – was of prime importance.
In maintaining secure systems and
data, the Fund relied on the systems and processes the Council (as
Administering Authority for the Fund) had in place, the security around some
third-party systems (such as NatWest’s Bankline) and also
on the systems and processes maintained by its key partners such as XPS Pensions
Administration (‘XPS’), the outsourced pensions administrator.
The Council’s Information and
Communication Technology (ICT) team had robust systems and procedures in place
to ensure the Council’s network was secure and that access to it was strictly controlled. Across the Council, staff were categorised
according to the degree of contact they had with systems and data in the course
of their daily work, and appropriate training was provided accordingly. For example, staff who had regular contact
with personal data and/or management of staff and/or had access to a broad
range of network ICT applications were required to carry out advanced level
data protection and cyber security training, and to have regular refresher
training.
The Council had a robust business
continuity plan, and each functional area was required to consider how it could
continue to operate in the event of widespread network issue or unavailability.
The Fund maintained a business
continuity plan setting out how it would continue to function in the event
some, or all of its systems became unavailable. The functionality relating to pension
administration – the collection of contributions and the calculation and
payment of benefits – was covered by XPS’s business continuity plan. The remaining
functionality, such as the requirement to continue maintaining the Fund’s
investments, making payments and receiving income
appropriately was covered in the Fund’s business continuity plan, which was
reviewed and (if necessary) updated twice a year.
The Fund relied on a number of external third-party software systems to carry
out essential functions. One of the most
significant of these was the Bankline system provided by NatWest, which was
used to facilitate payments to and from the Fund’s account. These payments were both ongoing
transactional payments, such as receipt of contributions and payment of
benefits, as well as payments made and received in respect of the Fund’s
investments.
Bankline was a secure system
which could only be accessed using the smartcards and card readers allocated to
each user. The system was set up to
allow further security to be applied by the organisation using it. This security had been utilised to ensure
every payment from the Fund required a different inputter and authoriser and
every payment above £10 million required an additional authoriser. Defined procedures had been set up and were
followed in relation to payments, with a requirement for the inputter and
authoriser to always check back to source documentation to verify amounts and
account details. In addition, there was
an audit trail built into the Bankline software which recorded the details of
who made any changes to the details set up on the system and when those changes
were made.
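The Bankline controls described above (a different inputter and authoriser for every payment, an additional authoriser above £10 million, and an audit trail of who changed payment details and when) are a standard separation-of-duties pattern. The following is an added illustration of how such a rule set can be enforced in code; it is not the Fund’s or NatWest’s software, and the class and function names, the sample users and the payment values are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal

# Threshold stated in the minutes: payments above £10 million need an extra authoriser.
ADDITIONAL_AUTHORISER_THRESHOLD = Decimal("10000000")


@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str
    detail: str


@dataclass
class Payment:
    payment_id: str
    amount: Decimal
    payee_account: str
    inputter: str
    authorisers: list = field(default_factory=list)
    released: bool = False


def required_authorisers(amount: Decimal) -> int:
    """One authoriser normally; two distinct authorisers above the threshold."""
    return 2 if amount > ADDITIONAL_AUTHORISER_THRESHOLD else 1


class PaymentWorkflow:
    """Hypothetical dual-control payment release with an append-only audit trail."""

    def __init__(self) -> None:
        self.payments: dict[str, Payment] = {}
        self.audit_trail: list[AuditEvent] = []

    def _log(self, user: str, action: str, detail: str) -> None:
        self.audit_trail.append(
            AuditEvent(datetime.now(timezone.utc), user, action, detail))

    def input_payment(self, user: str, payment_id: str,
                      amount: Decimal, payee_account: str) -> Payment:
        if payment_id in self.payments:
            raise ValueError(f"payment {payment_id} already exists")
        p = Payment(payment_id, amount, payee_account, inputter=user)
        self.payments[payment_id] = p
        self._log(user, "input", f"{payment_id} amount={amount} payee={payee_account}")
        return p

    def change_payee_account(self, user: str, payment_id: str, new_account: str) -> None:
        """Any change to payment details is recorded and invalidates prior approvals."""
        p = self.payments[payment_id]
        if p.released:
            raise PermissionError("released payments cannot be altered")
        old = p.payee_account
        p.payee_account = new_account
        p.authorisers.clear()  # approvals were given for the old details
        self._log(user, "change_payee", f"{payment_id} {old} -> {new_account}")

    def authorise(self, user: str, payment_id: str) -> bool:
        """Return True once enough distinct, non-inputter authorisers have approved."""
        p = self.payments[payment_id]
        if p.released:
            raise PermissionError("payment already released")
        if user == p.inputter:
            raise PermissionError("inputter may not authorise their own payment")
        if user in p.authorisers:
            raise PermissionError("the same authoriser may not approve twice")
        p.authorisers.append(user)
        self._log(user, "authorise", f"{payment_id} ({len(p.authorisers)}"
                  f"/{required_authorisers(p.amount)})")
        if len(p.authorisers) >= required_authorisers(p.amount):
            p.released = True
            self._log(user, "release", payment_id)
        return p.released


if __name__ == "__main__":
    wf = PaymentWorkflow()
    wf.input_payment("alice", "P1", Decimal("5000000"), "12-34-56 00012345")
    print(wf.authorise("bob", "P1"))  # True: one distinct authoriser suffices
    wf.input_payment("alice", "P2", Decimal("15000000"), "12-34-56 00099999")
    print(wf.authorise("bob", "P2"))  # False: a second authoriser is still needed
    print(wf.authorise("carol", "P2"))  # True
    for ev in wf.audit_trail:
        print(ev.when.isoformat(), ev.user, ev.action, ev.detail)
```

The point of clearing approvals in `change_payee_account` is that the minutes require the inputter and authoriser to verify amounts and account details against source documentation; an approval given for the old account details should not carry over to new ones.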
XPS had a comprehensive approach
to cyber security and had achieved certification under information security
management standard ISO27001. Their approach was summarised in the Information
Security Summary document included in Appendix D, which covered:
• Information Governance and Risk Management
• Infrastructure and Application Security
• User Awareness and Phishing
• Malware Prevention
• Data Loss Prevention Controls
• Secure Configuration
• Access Control
• Home and Mobile Working
• Threat Intel and Monitoring
• Incident Management
XPS also had comprehensive
business continuity plans in place, which were summarised in Appendix D to the
submitted report. XPS carefully
controlled access to data, ensuring users only had access to the minimum level
of data they required to carry out their role.
Appendix D also included a copy of an Administration Update and Security
presentation setting out some further aspects of XPS’s approach to cyber
security.
Further updates on internal
controls and managing risk and on cyber security would be provided to the Board
as required or as scheduled in the Work Plan.
AGREED that the information provided was received and noted.
Supporting documents: