Scope of responsibility

As Information Commissioner and Accounting Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of the policies, aims and objectives I set for my Office, whilst safeguarding the public funds and assets for which I am personally responsible, in accordance with the responsibilities assigned to me in Government Accounting.
The purpose of the system of internal control

The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve the policies, aims and objectives I set for my Office; it can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of the policies, aims and objectives I have set, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically. Unless noted otherwise, the system of internal control has been in place for the year ended 31 March 2004 and up to the date of approval of the annual report and accounts, and accords with Treasury guidance.
Capacity to handle risk

Each year a risk workshop is conducted involving managers from across all areas of activity within my Office. The workshop is facilitated by an external consultant and is used as an opportunity to provide guidance and training to staff on the management of risks, as well as identifying the key risks facing my Office.

The key risks arising from the Risk Workshop are identified for active management, and members of my Management Board assume personal responsibility for the management of these key risks that could affect the achievement of the objectives I have set for my Office. Key risks which emerge at other times, for example as a result of internal audit, are subject to the same management regime.

Risks that could affect the achievement of my objectives have been reviewed by my Management Board on a regular basis throughout 2003-2004. The main risks currently being actively managed result from the significant change and growth that my Office has experienced and will continue to experience. The risks are:

Information Technology: The organisation is currently 'rolling out' a significant programme of IT developments, including a new casework and enquiry handling system, electronic service delivery channels, an electronic records management system and a fully networked IT service to the devolved offices in Northern Ireland, Scotland and Wales. The risk is that a failure of, or delay in, the planned enhancements will impede the efficiency of my Office and service delivery.

Freedom of information: As January 2005, the date for full implementation of the Act, draws nearer, there is a risk that the challenge of implementing FOI legislation effectively will not have been met. To succeed, my Office has to give adequate explanation to the public to allow them to exercise their rights to information, and to public authorities to allow them to meet their obligations to provide that information. I need to have approved, where appropriate, the publication schemes which have been submitted to me. I also have to have in place a management system and staffing to meet the as yet unknown demands of FOI casework. In addition I need to work closely with the Scottish Information Commissioner to ensure that our respective responsibilities are appropriately understood and discharged.

Staffing and personnel: Staff numbers are continuing to grow in preparation for FOI casework. It is important that staff pay and conditions remain competitive in order to attract and retain the skills required for our work. The risk is that otherwise I shall be unable to meet the staffing demands of the FOI team and maintain my data protection work.

Reputation: It is important for my Office to maintain public confidence. The risk to the reputation of my Office is such that, as a regulator, I could find myself unable to carry out my data protection and freedom of information duties effectively.

Effective Management: This is a time of significant change for my Office, including freedom of information, significant IT enhancements, the development of devolved offices, and internal reorganisation. The risk is that ineffective management will result in the failure of one or all of these processes. As with all change, it is therefore essential to manage the process well to ensure success.

Business Continuity: My Office needs an integrated and up-to-date business continuity plan for the IT and business functions of the Office. My staff and I need to understand the potential impact on our business, put in place measures commensurate with the risk, and test those plans regularly. The risk is that without such preparation I shall be unable to respond effectively in times of unexpected challenge or disaster.
The risk and control framework

The main processes in place embedding risk management within the activity of the organisation are:

a Management Board which now meets six times a year to consider the strategic direction of my Office, comprising both my Deputy Commissioners, my Legal Adviser, my Director of Personnel and Finance, and my Director of Marketing and Communications. In addition I have been able to enhance the composition of the Management Board with the appointment of four Non-Executive Board Members. The Board first met in its re-constituted form on 2 February 2004;

an Executive Team of senior managers which (since February 2004) meets usually on a weekly basis to consider operational issues. Prior to this change my Management Board met formally once a month and informally most other weeks;

the production of a Corporate Plan covering a three-year period, updated annually, which sets out the strategic objectives of my Office and is translated into an annual Business Plan to articulate the detailed tasks and activities to be undertaken by each of the teams within my Office for the coming year;

regular reports by internal audit to standards defined in the Government Internal Audit Manual, which include their independent opinion on the adequacy and effectiveness of the Office's internal controls, together with recommendations for improvements where necessary;

an Audit Committee which meets four times a year to monitor the operation of internal controls. For most of 2003-2004 the Audit Committee was chaired by myself and comprised my previous Management Board and one independent external member. It was attended by other members of my staff and representatives from the external and internal auditors. In March 2004 the new Management Board accepted my proposal to re-constitute the Audit Committee in line with the latest guidance from HM Treasury. The new Audit Committee has clear terms of reference and is now chaired by one of my Non-Executive Board Members. The two other members are a second Non-Executive Board Member and one of my Deputy Commissioners. I and other members of my senior staff, and representatives from the external and internal auditors, will attend meetings.
Review of effectiveness

As Accounting Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within my Office who have responsibility for the development and maintenance of the internal control framework, and by comments made by the external auditors in their management letter and other reports. I have been advised of the result of my review of the effectiveness of the system of internal control by my Management Board and the Audit Committee, and a plan to address weaknesses and ensure continuous improvement of the system is in place. All recommendations made by my internal auditors have been considered by the Audit Committee, and the Committee is informed of progress toward implementing the outstanding recommendations at each meeting. I am able to report that there were no material weaknesses in the Office's system of internal controls which affected the achievement of my aims and objectives.

As mentioned in last year's statement, in view of the recent growth and increased responsibilities facing my Office, I have strengthened corporate governance in the year by adding four Non-Executive Board Members to my Management Board and re-constituting my Audit Committee with two Non-Executive Board Members, one of whom has succeeded me as chair of the Committee. I am also bringing forward plans to replace the current system of monitoring risks with a formal risk register.

Following the expiry of the current contract for provision of Internal Audit services on 31 March 2004, I have carried out a tendering process and am contracting with PricewaterhouseCoopers for the coming five-year period.

I have also introduced improvements to the corporate planning process to ensure the three-year Corporate Plan is a more relevant document for identifying my strategic objectives, and introduced a system of quarterly meetings with each team within my Office to monitor progress against my annual Business Plan.
Richard Thomas
Information Commissioner
7th June 2004