AGENDA

 

Audit & Risk Committee meeting

Monday, 17 November 2025

I hereby give notice that an Audit & Risk Committee meeting will be held on:

Date: Monday, 17 November 2025

Time: 9.30am

Location: Tauranga City Council Chambers, L1 – 90 Devonport Road, Tauranga

Please note that this meeting will be livestreamed and the recording will be publicly available on Tauranga City Council's website: www.tauranga.govt.nz.

Marty Grenfell

Chief Executive

 


Terms of reference – Audit & Risk Committee

 

 

 

 

Common responsibility and delegations

 

The following common responsibilities and delegations apply to all standing committees.

 

 

Responsibilities of standing committees

·       Establish priorities and guidance on programmes relevant to the Role and Scope of the committee.

·       Provide guidance to staff on the development of investment options to inform the Long Term Plan and Annual Plans.

·       Report to Council on matters of strategic importance.

·       Recommend to Council investment priorities and lead Council considerations of relevant strategic and high significance decisions.

·       Provide guidance to staff on levels of service relevant to the role and scope of the committee.

·       Establish and participate in relevant task forces and working groups.

·       Engage in dialogue with strategic partners, such as Smart Growth partners, to ensure alignment of objectives and implementation of agreed actions.

·       Confirmation of committee minutes.

 

 

Delegations to standing committees

·       To make recommendations to Council outside of the delegated responsibility as agreed by Council relevant to the role and scope of the Committee.

·       To make all decisions necessary to fulfil the role and scope of the Committee subject to the delegations/limitations imposed.

·       To develop and consider, receive submissions on and adopt strategies, policies and plans relevant to the role and scope of the committee, except where these may only be legally adopted by Council.

·       To consider, consult on, hear and make determinations on relevant strategies, policies and bylaws (including adoption of drafts), making recommendations to Council on adoption, rescinding and modification, where these must be legally adopted by Council.

·       To approve relevant submissions to central government, its agencies and other bodies beyond any specific delegation to any particular committee.

·       Engage external parties as required.

 


 

 


 

 

Membership

Chair: Independent (to be appointed)

Deputy chair: Cr Steve Morris

Members: Deputy Mayor Jen Scoular; Mayor Mahé Drysdale (ex officio); Rohario Murray - Tangata Whenua Representative

Non-voting members: (if any)

Quorum: Half of the members present, where the number of members (including vacancies) is even; and a majority of the members present, where the number of members (including vacancies) is odd.

Meeting frequency: Quarterly

 

Role

The role of the Audit and Risk Committee is:

·       To assist and advise the Council in discharging its responsibility and ownership of health and safety, risk management, internal control, and financial management practices, frameworks and processes to ensure that these are robust and appropriate to safeguard the Council’s staff and its financial and non-financial assets.

Scope

·       Oversee Council’s relationship with the external auditor.

·       Review with the external auditor, before the audit commences, the areas of audit focus and the audit plan.

·       Review with the external auditor, representations required by elected representatives and senior management for the purposes of the audit.

·       Receive and review the external auditor’s report on the audit and management’s responses to any issues raised.

·       Make any recommendations necessary to the Office of the Auditor-General regarding the appointment or re-appointment of an external auditor. 

·       Review and approve an annual internal audit plan, including the integration of that plan with Council’s risk profile, and monitor the implementation of that plan.

·       Review the reports of the internal audit function, in particular considering findings, conclusions, and recommendations and management’s response to such.  Make any recommendations to Council on such as the Committee considers appropriate. 

·       Review, approve and monitor the implementation of Council’s Risk Management Policy, including regular review of the corporate risk register.

·       Review reporting of new or emerging risks as needed.

·       Review the effectiveness of risk management and internal control systems including all material financial, operational, compliance, and other managerial controls.

·       Review the effectiveness of health and safety policies and processes to ensure a healthy and safe workplace for representatives, staff, contractors, visitors and the public.

·       Assist elected representatives and the Chief Executive to discharge their statutory roles as ‘officers’ in terms of the Health and Safety at Work Act 2015.

·       Monitor compliance with laws and regulations as appropriate. 

·       Review and provide advice on policies relevant to the Committee’s role including, but not limited to, policies addressing fraud, protected disclosures, and conflicts of interest.

·       Review and monitor policy and processes to manage responsibilities under the Local Government Official Information and Meetings Act 1987 and the Privacy Act 2020 and any actions from any Office of the Ombudsman's report.

·       Review and monitor current and potential litigation and other legal risks.

Power to Act

·       To make all decisions necessary to fulfil the role, scope and responsibilities of the Committee subject to the limitations imposed.

·       To establish sub-committees, working parties and forums as required.

Power to Recommend

·       To Council and/or any standing committee as it deems appropriate.

 

 


Audit & Risk Committee meeting Agenda

17 November 2025

 

Order of Business

1         Opening karakia

2         Apologies

3         Public forum

4         Acceptance of late items

5         Confidential business to be transferred into the open

6         Change to order of business

7         Confirmation of minutes

7.1           Minutes of the Audit & Risk Committee meeting held on 21 July 2025

8         Declaration of conflicts of interest

9         Business

9.1           Status Update on actions from prior Audit & Risk Committee meetings

9.2           Risk Appetite Report - November 2025

9.3           Policy Review - Conflicts of Interest Policy

9.4           Policy Review - Risk Management Policy

9.5           Policy Review - Privacy Policy

9.6           LGOIMA and Privacy Q1 Report for 2025/26

10       Discussion of late items

11       Public excluded session

11.1         Public Excluded Minutes of the Audit & Risk Committee meeting held on 21 July 2025

11.2         Digital/Cyber Risk Quarterly Report

11.3         Risk Register - Quarterly Update

11.4         Internal Audit & Assurance - Quarterly Update

11.5         Health, Safety and Wellbeing Quarterly Report: Q1 July to September 2025

Confidential Attachment 2     9.1 - Status Update on actions from prior Audit & Risk Committee meetings

Confidential Attachment 2     9.2 - Risk Appetite Report - November 2025

Confidential Attachment 3     9.2 - Risk Appetite Report - November 2025

12       Closing karakia

 

 


1          Opening karakia

2          Apologies

3          Public forum 

4          Acceptance of late items

5          Confidential business to be transferred into the open

6          Change to order of business

 



 

7          Confirmation of minutes

7.1         Minutes of the Audit & Risk Committee meeting held on 21 July 2025

File Number:           A18637253

Author:                    Caroline Irvin, Governance Advisor

Authoriser:              Sarah Holmes, Team Leader: Governance & CCO Support Services

 

 

Recommendations

That the Minutes of the Audit & Risk Committee meeting held on 21 July 2025 be confirmed as a true and correct record.

 

 

 

Attachments

1.       Minutes of the Audit & Risk Committee meeting held on 21 July 2025 

 

 

 


Unconfirmed Audit & Risk Committee meeting minutes

21 July 2025

 

 

 


MINUTES

Audit & Risk Committee meeting

Monday, 21 July 2025

 


 

Order of Business

1         Opening karakia

2         Apologies

3         Public forum

4         Acceptance of late items

5         Confidential business to be transferred into the open

6         Change to order of business

7         Confirmation of minutes

7.1           Minutes of the Audit & Risk Committee meeting held on 19 May 2025

8         Declaration of conflicts of interest

9         Business

9.1           Health, Safety and Wellbeing Quarterly Report: Q4 April to June 2025

9.2           Status Update on actions from prior Audit & Risk Committee meetings

9.3           2025 Interim Audit Results

9.4           LGOIMA and Privacy Requests - 2024/25 Quarter 4 and Annual Report

10       Discussion of late items

11       Public excluded session

11.1         Public Excluded Minutes of the Audit & Risk Committee meeting held on 19 May 2025

11.2         Annual Report 2024/25 - Complex Transactions and Proposed Treatment

11.3         Risk Register - Quarterly Update

11.4         Digital/Cyber Risk Quarterly Report

11.5         Internal Audit & Assurance - Quarterly Update

11.6         Litigation Report Update

Confidential Attachment 2     9.2 - Status Update on actions from prior Audit & Risk Committee meetings

12       Closing karakia

Resolutions transferred into the open section of the meeting after discussion

11.3         Risk Register - Quarterly Update

11.5         Internal Audit & Assurance - Quarterly Update

 

 


 

MINUTES OF Tauranga City Council

Audit & Risk Committee meeting

HELD AT THE Tauranga City Council Chambers, L1, 90 Devonport Road, Tauranga

ON Monday, 21 July 2025 AT 9:30 AM

 

 

MEMBERS PRESENT:

Cr Steve Morris (Chair), Mayor Mahé Drysdale, Deputy Mayor Jen Scoular, Tangata Whenua Representative Ms Rohario Murray

ALSO PRESENT:

Cr Rod Taylor, Cr Glen Crowther, Cr Rick Curach, Cr Martin Rozeboom (online)

IN ATTENDANCE:

Marty Grenfell (Chief Executive), Paul Davidson (Chief Financial Officer), Alastair McNeil (General Manager: Corporate Services), Jan Pedersen (Head of People, Performance and Culture), Brad Harris (Health, Safety & Wellbeing Business Partner), Ken Renz (Chief Digital Officer), Kath Norris (Team Leader: Democracy Services), Clare Sullivan (Team Leader: Governance Services), Caroline Irvin (Governance Advisor)

 

Timestamps are included at the start of each item and signal where the agenda item can be found in the recording of the meeting held on 21 July 2025 on the Council YouTube site.

 

1          Opening karakia

Cr Steve Morris opened the meeting with a karakia.

 

2          Apologies

Nil

 

3          Public forum

Nil

 

4          Acceptance of late items

Nil

 

5          Confidential business to be transferred into the open

Nil

 

6          Change to order of business

Nil

7          Confirmation of minutes

7.1         Minutes of the Audit & Risk Committee meeting held on 19 May 2025

Committee Resolution  AR/25/0/1

Moved:       Ms Rohario Murray

Seconded:  Cr Steve Morris

That the Minutes of the Audit & Risk Committee meeting held on 19 May 2025 be confirmed as a true and correct record.

Carried

 

8          Declaration of conflicts of interest

Nil

9          Business

TIMESTAMP: 5.40 minutes

9.1         Health, Safety and Wellbeing Quarterly Report: Q4 April to June 2025

 

Staff          Brad Harris, Health, Safety & Wellbeing Business Partner

                  Jan Pedersen, Head of People, Performance and Culture

 

ACTIONS

·            That more information is included in the executive summary of the report, such as specific/noted topics and management/staff views on these items.

·            That the monitoring of the proposed changes to the Health and Safety at Work Act 2015 is placed further up in the report, along with a timeline and how it could be happening.

Committee Resolution  AR/25/0/2

Moved:       Cr Steve Morris

Seconded:  Deputy Mayor Jen Scoular

That the Audit & Risk Committee:

(a)     Receives the report "Health, Safety and Wellbeing Quarterly Report: Q4 April to June 2025".

Carried

 

TIMESTAMP: 21:45 minutes

9.2  Status Update on actions from prior Audit & Risk Committee meetings

Staff          Alastair McNeil, General Manager Corporate Services

Committee Resolution  AR/25/0/3

Moved:       Mayor Mahé Drysdale

Seconded:  Deputy Mayor Jen Scoular

That the Audit & Risk Committee:

(a)     Receives the report "Status Update on actions from prior Audit & Risk Committee meetings".

(b)     Attachment 2 can be transferred into the open once the report that generated this action is released from public excluded.

Carried

 

 

 

TIMESTAMP: 24.12 minutes

9.3         2025 Interim Audit Results

Staff          Sheree Covell, Treasury & Financial Compliance Manager

Paul Davidson, Chief Financial Officer

 

ACTION

·            That staff provide Councillors with a copy of the elected members expenses and travel policy regarding paying for any events and travel undertaken, as well as a view as to how this applies to staff and where to look to ensure policy is being followed.

Committee Resolution  AR/25/0/4

Moved:       Ms Rohario Murray

Seconded:  Mayor Mahé Drysdale

That the Audit & Risk Committee:

(a)     Receives the report "2025 Interim Audit Results".

(b)     Notes the recommendations contained within the report to Council by Audit NZ including recommendations from the previous audit.

(c)     Notes the management responses and supports ongoing implementation of improvements as required.

Carried

 

 

 

At 10.05am, Cr Rick Curach and Cr Glen Crowther entered the meeting.

 

 

 

TIMESTAMP: 35:26 minutes

9.4         LGOIMA and Privacy Requests - 2024/25 Quarter 4 and Annual Report

Staff             Kath Norris, Team Leader: Democracy Services

Committee Resolution  AR/25/0/5

Moved:       Mayor Mahé Drysdale

Seconded:  Ms Rohario Murray

That the Audit & Risk Committee:

(a)     Receives the report "LGOIMA and Privacy Requests - 2024/25 Quarter 4 and Annual Report".

Carried

 

10        Discussion of late items

Nil

11        Public excluded session

Resolution to exclude the public

Committee Resolution  AR/25/0/6

Moved:       Mayor Mahé Drysdale

Seconded:  Deputy Mayor Jen Scoular

That the public be excluded from the following parts of the proceedings of this meeting.

The general subject matter of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter, and the specific grounds under section 48 of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows:

General subject of each matter to be considered

Reason for passing this resolution in relation to each matter

Ground(s) under section 48 for the passing of this resolution

11.1 - Public Excluded Minutes of the Audit & Risk Committee meeting held on 19 May 2025

s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

s7(2)(b)(i) - The withholding of the information is necessary to protect information where the making available of the information would disclose a trade secret

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.2 - Annual Report 2024/25 - Complex Transactions and Proposed Treatment

s7(2)(h) - The withholding of the information is necessary to enable Council to carry out, without prejudice or disadvantage, commercial activities

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.3 - Risk Register - Quarterly Update

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.4 - Digital/Cyber Risk Quarterly Report

s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

s7(2)(b)(i) - The withholding of the information is necessary to protect information where the making available of the information would disclose a trade secret

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.5 - Internal Audit & Assurance - Quarterly Update

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.6 - Litigation Report Update

s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

s7(2)(g) - The withholding of the information is necessary to maintain legal professional privilege

s7(2)(i) - The withholding of the information is necessary to enable Council to carry on, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations)

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

Confidential Attachment 2 - 9.2 - Status Update on actions from prior Audit & Risk Committee meetings

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

 

Carried

 

At 10.32am the meeting adjourned.

At 10.51am the meeting resumed in public excluded.

At 12.15pm the meeting resumed in open.

 

 

12        Closing karakia

Ms Rohario Murray closed the meeting with a karakia.

 

 

 

Resolutions transferred into the open section of the meeting after discussion

11.3       Risk Register - Quarterly Update

 

Staff          Chris Quest, Manager: Risk & Assurance

                  Chris Smith, Risk & Business Continuity Advisor

                  Alastair McNeil, General Manager: Corporate Services

 

Actions   

·            That staff provide information to the Audit and Risk Committee and the other elected members on the process prior to, and during, an emergency management event, to know when they may be needed to make a declaration, how frequently they would be updated and when they could be stood down.

Committee Resolution  AR/25/0/7

Moved:       Cr Steve Morris

Seconded:  Mayor Mahé Drysdale

That the Audit & Risk Committee:

(a)     Receives the report "Risk Register - Quarterly Update".

(b)     Notes that the report can be transferred into the open section of the meeting at the conclusion of this meeting.

(c)     Notes that the attachment is to remain in the public excluded to prevent the disclosure or use of official information for improper gain or improper advantage.

Carried

Attachments

1       Risk Register - Quarterly Update

 

 

 

 

 

11.5       Internal Audit & Assurance - Quarterly Update

Staff          Jon Hobbs, Audit & Assurance Lead

Alastair McNeil,  General Manager: Corporate Services

Committee Resolution  AR/25/0/8

Moved:       Cr Steve Morris

Seconded:  Deputy Mayor Jen Scoular

That the Audit & Risk Committee:

(a)     Receives the report "Internal Audit & Assurance - Quarterly Update".

(b)     Notes that the report can be transferred into the open section of the meeting at the conclusion of this meeting.

(c)     Notes that the attachments are to remain in the public excluded to prevent the disclosure or use of official information for improper gain or improper advantage.

Carried

Attachments

1       Internal Audit & Assurance - Quarterly Update

 

 

 

 

The meeting closed at 12.17pm.

 

The minutes of this meeting were confirmed as a true and correct record at the Audit & Risk Committee meeting held on 17 November 2025.

 

 

 

 

 

 

 



 

8          Declaration of conflicts of interest

 



 

9          Business

9.1         Status Update on actions from prior Audit & Risk Committee meetings

File Number:           A19217925

Author:                    Anahera Dinsdale, Governance Advisor

Authoriser:              Alastair McNeil, Acting COFO - Commercial & General Counsel

 

 

Please note that this report contains confidential attachments.

 

Public Excluded Attachment

Reason why Public Excluded

Item 9.1 - Status Update on actions from prior Audit & Risk Committee meetings - Attachment 2 - Actions from Audit & Risk Committee - Public Excluded as at 10 November 2025

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.

 

Purpose of the Report

1.       This report provides a status update on actions requested during previous Audit & Risk Committee meetings.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "Status Update on actions from prior Audit & Risk Committee meetings".

(b)     Attachment 2 can be released when the full report is reviewed.

 

 

Background

2.       This is a recurring report provided to each Audit & Risk Committee meeting. The next report will be to the meeting in 2026.

3.       The attached update includes all open actions and actions completed since the last report on 21 July 2025. Once reported, completed actions are archived and made available in the Stellar library[1].

 

 

 

 

 

Discussion

4.       A summary of outstanding and recently-closed actions is provided in the table below:

Status of actions: No. actions

Closed (completed since the last report): 11

In progress: 2

Pending (waiting on something): 6

To be actioned: 1

Total actions included in this report: 20

 

5.       The full status update information is provided as Attachment 1 (12 actions from public agenda items) and Attachment 2 (8 actions from public excluded agenda items).

 

Attachments

1.       Actions from Audit & Risk Committee - Open as at 10 November 2025 - A19323495

2.       Actions from Audit & Risk Committee - Public Excluded as at 10 November 2025 - A19323045 - Public Excluded   

 

 



 

 



 

9.2         Risk Appetite Report - November 2025

File Number:           A19327673

Author:                    Chris Smith, Risk and Business Continuity Advisor

Authoriser:              Alastair McNeil, Acting COFO - Commercial & General Counsel

 

 

Please note that this report contains confidential attachments.

 

Public Excluded Attachment

Reason why Public Excluded

Item 9.2 - Risk Appetite Report - November 2025 - Attachment 2 - Impact on Corporate Risk Register

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.

Item 9.2 - Risk Appetite Report - November 2025 - Attachment 3 - Analysis TCC vs Other NZ Councils

s7(2)(c)(i) - The withholding of the information is necessary to protect information which is subject to an obligation of confidence or which any person has been or could be compelled to provide under the authority of any enactment, where the making available of the information would be likely to prejudice the supply of similar information, or information from the same source, and it is in the public interest that such information should continue to be supplied.

 

Purpose of the Report

1.      The purpose of this report is to present the preliminary outcomes from the Risk Appetite Workshop, including risk appetite statements for each of the council’s key risk categories. Additionally, the report benchmarks Tauranga City Council’s preliminary risk appetite against that of other major New Zealand councils.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "Risk Appetite Report - November 2025".

(b)     Endorses the risk appetite statements as outlined in Attachment 2 of this report.

(c)     Commences a 12-month reporting cycle of Tauranga City Council’s risk against the preliminary risk appetite statements to further define tolerance levels and consequences.

(d)     Attachment 2 to remain in public excluded permanently.

(e)     Attachment 3 to remain in public excluded permanently.

 

 


 

Executive Summary

2.       This report presents the outcomes of the August 2025 Risk Appetite Workshop and provides preliminary risk appetite statements for consideration by the Audit & Risk Committee.

3.       Key points for the Audit & Risk Committee’s attention:

(a)     Risk appetite profile: The Council’s preliminary risk appetite is cautious in critical areas such as health and safety, legal compliance, and technology (cybersecurity), and moderate in areas supporting strategic objectives, including finance, service delivery, and reputation. There is no appetite to take on high levels of risk.

(b)     Out-of-appetite risks: based on a desktop exercise of applying preliminary appetite positions to the corporate risk register, finance, technology, and health & safety risks would be assessed as exceeding Council’s preliminary appetite. Should the current position be accepted as final, these areas would require focused oversight, targeted mitigation, and regular reporting until residual risk is brought within appetite.

(c)     Governance alignment: the preliminary framework was developed with Council and Audit & Risk Committee member participation, achieving consensus and alignment with sector best practice.

(d)     Next steps: the Audit & Risk Committee is invited to endorse the preliminary risk appetite position and corresponding risk appetite statements, support further refinement following executive feedback, and recommend formal adoption and integration into the council’s Risk Management Framework.

This will provide the opportunity for reporting enhancements and the introduction of explicit ‘out-of-appetite’ markers and development of a risk appetite dashboard in quarterly reports – strengthening oversight and ensuring timely escalation of key risks.

4.       The Audit & Risk Committee’s attention is particularly drawn to the need for robust oversight of out-of-appetite risks and the importance of embedding the new risk appetite framework into operational practice to support effective governance and decision-making.

Background

5.       Workshop overview

(a)     On 4 August 2025, Tauranga City Council held a closed workshop with elected members, senior leaders and the Risk & Assurance team. The session, aligned with Council policy and ISO 31000:2018, focused on defining risk appetite across thirteen risk consequence categories. The Office of the Auditor-General’s guidance on risk appetite also informed the process.

(b)     Key outcomes:

(i)      All risk categories were rated as low or moderate appetite; none were assigned “high”.

(ii)      Minimal risk tolerance was agreed for health and safety, legal compliance, and reputation, reflecting sector standards.

(iii)     Moderate appetite was accepted for financial, strategic, and operational risks, supporting innovation and prudent progress.

(iv)     Technology (cybersecurity) risks were set at low appetite, prioritising robust safeguards.

(c)     Consensus was reached through structured discussion, resulting in a preliminary risk appetite profile that will guide future decision-making and formal adoption.

6.       The workshop established a preliminary risk appetite framework that mirrors the Council’s strategic vision – encouraging positive risk-taking for community benefit, while protecting what matters most: people, finances, legal compliance, and reputation.

7.       Comparative review of risk appetite – Tauranga City Council preliminary position vs. Other NZ Councils:

(a)     To provide meaningful context for the preliminary risk appetite, we undertook a benchmarking exercise with peer councils – refer to confidential attachment 3. Risk appetite levels were compared across thirteen common risk categories using a simplified scale (none/low/moderate/high).

(b)     This approach draws on published risk management policies and reports; and aligns with international frameworks (ISO 31000) and Office of the Auditor-General guidance, supporting shared learning and sector best practice.

8.       Risk Appetite differences - examples

(a)     Financial: all five Councils are conservative on financial risk. Tauranga City Council’s preliminary position is moderate, focusing on prudence and sustainability. Our interpretation is that major metropolitan Councils maintain a low-risk appetite for matters affecting sustainability, while others are slightly more open to moderate risk in controlled scenarios.

(b)     Regulation – external: Tauranga City Council’s preliminary position accepts minor, promptly resolved breaches of external regulations, while comparison Councils enforce strict legal compliance with little or no tolerance for breaches.

(c)     Service delivery: the initial stance for service delivery is moderate, allowing limited risk in service disruptions to support innovation, provided essential services are protected and prolonged outages are avoided. Most peer councils maintain a low-risk appetite.

(d)     Environmental: the preliminary risk appetite is moderate with caveats, allowing minor reversible impacts if necessary for a project, but with no tolerance for irreversible harm. Major metropolitan Councils publicly state low appetite, but in practice all councils prioritise environmental stewardship and caution.

9.       Overall, the preliminary risk appetite profile is broadly consistent with national standards and the approaches adopted by peer councils. The Council’s preliminary position reflects sector norms, with low appetite in critical areas such as health and safety, legal compliance, and technology (cybersecurity), and moderate appetite in areas supporting strategic and community objectives. This alignment provides a foundation to consider formal endorsement of risk appetite statements that are both externally credible and suitable for operational implementation across the organisation.

10.     Establishing risk appetite statements creates a unique opportunity for Council to also define opportunity statements. By adopting a moderate preliminary position on strategic and opportunity-driven risks, Tauranga City Council can pursue innovation and organisational change through calculated risk-taking. Over time, this approach enables the development of clear opportunity guardrails, ensuring progress is balanced with prudent oversight.

Statutory Context

11.     This report is prepared in accordance with Tauranga City Council’s risk management policy, which requires the Council to define and periodically review its risk appetite. This approach aligns with ISO 31000:2018 (Risk Management Guidelines) and incorporates guidance from the Office of the Auditor-General, which emphasises the importance of clearly articulated risk appetite to support effective governance and decision-making by local authorities.

STRATEGIC ALIGNMENT

12.     This contributes to the promotion or achievement of the following strategic community outcome(s):

| Strategic community outcome | Contributes |
|---|---|
| We are an inclusive city | ✓ |
| We value, protect and enhance the environment | ✓ |
| We are a well-planned city | ✓ |
| We can move around our city easily | ✓ |
| We are a city that supports business and education | ✓ |

 

13.     The recommended risk appetite statements directly support Tauranga City Council’s community outcomes. By developing a balanced and prudent approach to risk, the appetite framework:

(a)     Contributes to an inclusive city by ensuring decisions consider the wellbeing and safety of all residents.

(b)     Supports the protection and enhancement of the environment through careful management of environmental risks.

(c)     Promotes well-planned city development by enabling innovation while maintaining robust safeguards.

(d)     Facilitates ease of movement around the city by supporting reliable service delivery and infrastructure planning.

(e)     Encourages a city that supports business and education by allowing for calculated risks that foster economic growth and learning opportunities.

Options Analysis

14.     An options analysis is not required for this report, as the recommended risk appetite framework is based on sector benchmarking, statutory guidance, and consensus from the Council’s recent workshop, with no alternative approaches identified for consideration at this stage.

Financial Considerations

15.     Not applicable.

Legal Implications / Risks

16.     The report provides a preliminary risk appetite profile, which, once adopted, may have broad legal, governance, and operational implications for the council’s risk management practices.

Consultation / Engagement

17.     Consultation or wider engagement is not required for this report, as it presents preliminary risk appetite statements for internal governance consideration only and does not propose changes to policy or service delivery at this stage.

Significance

18.     The Local Government Act 2002 requires an assessment of the significance of matters, issues, proposals and decisions in this report against Council’s Significance and Engagement Policy.  Council acknowledges that in some instances a matter, issue, proposal or decision may have a high degree of importance to individuals, groups, or agencies affected by the report.

19.     In making this assessment, consideration has been given to the likely impact, and likely consequences for:

(a)    the current and future social, economic, environmental, or cultural well-being of the district or region

(b)    any persons who are likely to be particularly affected by, or interested in, the matter.

(c)    the capacity of the local authority to perform its role, and the financial and other costs of doing so.

20.     In accordance with the considerations above, criteria and thresholds in the policy, while the issue itself is of high significance, the decision proposed in this report is assessed as having low significance under Council’s policy.

ENGAGEMENT

21.     Taking into consideration the above assessment, that the matter is of low significance, officers are of the opinion that no further engagement is required prior to Council making a decision.

Next Steps

22.     Staff to review and, if necessary, amend the preliminary risk appetite statements, and include them in the risk management framework.

23.     Staff to develop a 12-month Tauranga City Council risk reporting cycle based on preliminary risk appetite statements to clarify tolerance levels and consequences.

 

 

Attachments

1.       Risk Appetite Statements - A19149483

2.       Impact on Corporate Risk Register - A19149481 - Public Excluded  

3.       Analysis TCC vs Other NZ Councils - A19149482 - Public Excluded   

 

 



 

9.3         Policy Review - Conflicts of Interest Policy

File Number:           A18072115

Author:                    Chris Quest, Manager: Risk & Assurance

Sharon Herbst, Policy Analyst

Authoriser:              Alastair McNeil, Acting COFO - Commercial & General Counsel

 

 

Purpose of the Report

1.      To endorse a revised Conflicts of Interest Policy.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "Policy Review - Conflicts of Interest Policy".

(b)     Endorses the updated policy (Attachment One).

 

 

Executive Summary

2.       The Audit & Risk Committee (the Committee) is asked to endorse a revised Conflicts of Interest Policy (the policy) for the Executive to consider and adopt.

3.       Tauranga City Council (the council) has obligations and responsibilities under the Local Government Act 2002, the Local Government Official Information and Meetings Act 1987, the Privacy Act 2020, and guidance from the Office of the Auditor-General to ensure that actual, potential, and perceived conflicts of interest are identified, disclosed, and managed in a transparent and consistent manner.

4.       The policy and two accompanying procedures (the Conflict of Interests Procedure and the Senior Leader Interests Register Procedure) were last reviewed in 2023. Since then, the introduction of a new online portal and centralised interests register has prompted a full review of the policy and supporting procedures. The review has incorporated process improvements implemented since the last revision; these improvements include those arising from recommendations from external bodies such as Audit NZ.

5.       The revised policy continues to align with the Office of the Auditor-General’s guidance by promoting early disclosure, transparent decision-making, and structured management of conflicts of interest. It reflects best practice through clear definitions, digital tools, and a consistent, accountable approach across the organisation.

6.       The policy and the accompanying procedures are internal administrative documents that outline the approach to managing workers’ conflicts of interest and are approved by the Executive[2]. We are seeking endorsement of the draft policy[3]. The procedures are operational documents and as such are not being brought to the Committee for advice. Once the policy is endorsed it will be presented to the Executive for final revisions and adoption alongside their review of the updated procedure documents.

7.       Failure of the Executive to review the policy may increase our risk of non-compliance, reputational damage, and operational inefficiency.

8.       There are no direct financial implications in adopting or endorsing these documents. 

Background

9.       The policy has been reviewed by the Risk and Assurance team and changes are recommended. Feedback has been gathered from our People Performance and Culture, Building Services, Takawaenga and Governance teams. The Executive have endorsed the draft policy.

10.     The updated policy (Attachment One) introduces clearer definitions, digital tools, and a more structured, collaborative approach to managing conflicts of interest. The updates also enhance cultural safety, align with Te Ao Māori principles, and ensure consistency across teams and procedures.

11.     The procedures have also been reassessed alongside the policy to ensure they continue to reflect best practices. This includes clearer definitions, replacing manual declaration forms with a self-service online portal, a centralised interests register, and a strengthened review process requiring multi-step approvals including people leaders, Tier 3 managers, the Risk and Assurance team, and general managers. The proposed changes to the procedures have been endorsed by the Executive.

Statutory Context

12.     The Office of the Auditor-General recommends that councils have clear and robust policies for identifying, disclosing, and managing conflicts of interest to uphold integrity and public trust. A well-defined conflicts of interest policy ensures that decisions are made impartially and transparently, and that personal interests do not improperly influence council activities. This is essential for maintaining confidence in local government and reflects best practice in governance and accountability.

13.     The Local Government Act 2002 (LGA) requires councils to act in a manner that is open, democratically accountable, and promotes the current and future interests of communities. Managing conflicts of interest is a key part of this obligation, as it supports fair decision-making and protects the integrity of council processes. The Local Government Official Information and Meetings Act 1987 (LGOIMA) also enables councils to manage sensitive disclosures appropriately, including through provisions that allow withholding information or excluding the public from meetings where conflicts are discussed. Together, these frameworks reinforce the need for structured conflict management policies.

STRATEGIC ALIGNMENT

This contributes to the promotion or achievement of the following strategic community outcome(s):

| Strategic community outcome | Contributes |
|---|---|
| We are an inclusive city | ✓ |
| We value, protect and enhance the environment | ✓ |
| We are a well-planned city | ✓ |
| We can move around our city easily | ✓ |
| We are a city that supports business and education | ✓ |

 

14.     Effective identification and management of conflicts of interest supports all strategic community outcomes by promoting transparency, fairness, and trust in council decision-making. It ensures that council activities are conducted impartially and in the public interest, which is essential for inclusive governance, sustainable planning, and responsible service delivery. Regular review and improvement of conflict management processes helps safeguard the integrity of council operations and supports the council’s legislative obligations under the LGA and the LGOIMA.

Options Analysis

15.     Several amendments are recommended to improve the policy (Attachment One). These include clarifying the scope and definitions, operational improvements, strengthening cultural safety and alignment with the council’s Code of Conduct/ Ngā Kawa Arataki, merging the Building Consent team’s separate policy, and transitioning from manual declarations to an online system. A summary of the proposed changes and the rationale is presented in the table below:

16.     Table 1: Summary of proposed changes to the policy

| Clause | Proposed Change | Rationale |
|---|---|---|
| 2.1 | Update the scope to define “worker” instead of “employee”. | Ensures inclusivity across contractors, secondees, and volunteers. |
| 2.2 | Clarify elected members are not covered. | Aligns with the elected members code of conduct and prevents misinterpretation of policy coverage. |
| Deleted 2.3, 2.4 & appendix, and added 5.2.10 | Merge Building Consent Team policy into the main policy and incorporate specific elements where required. | Reduces duplication and supports consistent monitoring. |
| 3. | Include definitions for friend, family member, material interest, minor or routine transaction, and pecuniary advantage. | Improves clarity and shared understanding of key terms. |
| 4.1 | Include Te Ao Māori principles aligned with council values. | Demonstrates cultural commitment and alignment with the council’s Code of Conduct/ Ngā Kawa Arataki. |
| 5.1.3 | Acknowledge personal/community ties as both assets and potential conflicts. | Supports culturally aware conflict of interest management. |
| 5.2.1 | Change “may” to “will” for applicant disclosures. | Strengthens expectations and accountability for transparency. |
| 5.2.5 | Replace references in the policy to manual declaration forms with references to an Online Portal and Interests Register. | Acknowledges the transition to a modern, centralised system that enhances transparency, accountability, and auditability. |
| 5.2.9 | Update procurement-related disclosure requirements. | Aligns with current procurement policy and reinforces transparency. |
| 5.2.11-5.2.12 | Add a section about when the council is the applicant. | Ensures impartiality and public trust in council-led applications and aligns with regulatory expectations. |
| 5.2.16 | Add a note on senior workers/policy roles maintaining neutrality. | Reinforces trust in policy advice and decision-making and aligns with public service principles and council values. |
| 5.2.17-5.2.18 | Add a section on expressing personal views. | Clarifies boundaries between personal expression and council representation. |
| 5.2.19-5.2.23 | Add a section about worker conduct during council meetings and public forums. | Reinforces impartiality and professionalism in public settings and provides clear expectations for staff behaviour. |
| 5.3.1 | Clarify that internal relationships include personal and business relationships. | Improves clarity and shared understanding. |
| 5.5 | Add a section on managing conflicts of interest. | Provides clear direction within the overarching policy. |
| 5.6 | Update specific prohibitions to provide more clarity. | Clarifies boundaries and supports consistent application. |
| 5.7 | Add a section on personal use of council resources. | Sets expectations for responsible use of council resources. |

 

Issue 1: Advice on the policy

17.     The Committee is asked to endorse a revised policy for the Executive to consider and adopt.

18.     Table 2: Options to provide advice on the policy

Option 1a (Recommended): Endorse the updated policy (Attachment One)

Advantages:

·    Signals confidence in the policy’s alignment with best practice and organisational values.

·    Enables timely progression to Executive review and adoption.

Disadvantages:

·    May miss opportunity to refine or clarify aspects of the policy.

Option 1b: Provide advice for consideration by the Executive on the updated policy (Attachment One)

Advantages:

·    Allows the Committee to shape improvements and ensure clarity or consistency.

Disadvantages:

·    May delay Executive adoption depending on scope of advice.

 

Financial Considerations

19.     There are no financial implications in endorsing these changes. The development of an online system has already been budgeted for.

Legal Implications / Risks

20.     There are no significant risks with the recommendations to endorse these changes. The review process aligns with recent improvements identified by Audit NZ and reflects best practice guidance from the Office of the Auditor-General.

TE AO MĀORI APPROACH

21.     Application of Te Ao Māori principles in our management of conflicts of interest has been considered in consultation with the Takawaenga Unit. The principles section of the proposed draft policy has been updated to align with the council’s Code of Conduct/ Ngā Kawa Arataki. This includes specific examples of how the values guide the approach to conflicts of interest through Whanaungatanga and Collaboration; Manaakitanga and Respect; Whāia te tika and Service; and Pono and Integrity.

22.     These values are reflected in updated guidance on conduct during council meetings and public forums, which emphasises impartiality, professionalism, and respectful management of personal views and relationships. The policy also acknowledges that personal relationships, community ties, and lived experience can be valuable assets, while reinforcing the importance of managing potential conflicts openly and transparently. This approach supports culturally safe practice and aligns with Te Ao Māori principles and council values.

Consultation / Engagement

23.     There is low to moderate public interest and therefore no public consultation or engagement has been undertaken. To ensure our policy remains aligned with best practice, the Risk and Assurance team continues to engage with sector peers, participate in local government forums and working groups, benchmark against other councils, review guidance from oversight bodies, incorporate feedback from internal audits, and monitor legislative and regulatory developments.

Significance

24.     The Local Government Act 2002 requires an assessment of the significance of matters, issues, proposals and decisions in this report against Council’s Significance and Engagement Policy.  Council acknowledges that in some instances a matter, issue, proposal or decision may have a high degree of importance to individuals, groups, or agencies affected by the report.

25.     In making this assessment, consideration has been given to the likely impact, and likely consequences for:

(a)    the current and future social, economic, environmental, or cultural well-being of the district or region

(b)    any persons who are likely to be particularly affected by, or interested in, the issue.

(c)    the capacity of the local authority to perform its role, and the financial and other costs of doing so.

26.     In accordance with the considerations above, criteria and thresholds in the policy, it is considered that the issue is of low significance.

ENGAGEMENT

27.     Taking into consideration the above assessment, that the issue is of low significance, officers are of the opinion that no further engagement is required prior to Council making a decision.

Next Steps

28.     If the Committee endorses the changes to the policy, it will be forwarded to the Executive to review and adopt. If the Committee provides further advice, this will be taken to the Executive to consider before adopting the policy. The policy is an internal policy and will be made available to council staff on the staff intranet. 

 

Attachments

1.       Draft Conflicts of Interest Policy 2025 - A19132308  

 

 



 

9.4         Policy Review - Risk Management Policy

File Number:           A18356221

Author:                    Sharon Herbst, Policy Analyst

Chris Quest, Manager: Risk & Assurance

Authoriser:              Alastair McNeil, Acting COFO - Commercial & General Counsel

 

 

Purpose of the Report

1.      To approve and adopt a revised Risk Management Policy.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "Policy Review - Risk Management Policy".

(b)     Approves and adopts the revised Risk Management Policy incorporating changes provided in the report for the policy to take effect immediately, including:

(i)      updating the definitions of the terms Business Continuity, Council, Tauranga City Council, the Committee, council staff, risk, Enterprise Risk Management System (ERMS), group and division

(ii)      including Te Ao Māori principles in the principles section of the policy in alignment with Tauranga City Council’s Code of Conduct/ Ngā Kawa Arataki

(iii)     updating the responsibilities in the policy for Council, the Committee and the Chief Executive

(iv)     changing the frequency of the review of risk registers from quarterly by department to regularly by each division

(v)     including a description of strategic risks and how they are recorded.

(c)     Delegates to the Acting Chief Operating and Financial Officer - Commercial and General Counsel to make any necessary minor drafting or presentation changes to the Risk Management Policy prior to it being published.

 

 

 

Executive Summary

2.       The Audit & Risk Committee (the Committee) is asked to approve and adopt Tauranga City Council’s Risk Management Policy (the policy). The current policy was last reviewed in 2022 and is due for review.

3.       The policy outlines our commitment to ensure Tauranga City Council (the council) undertakes effective risk and opportunity management in alignment with the relevant standards[4].  The policy aims to support council staff to identify, analyse and manage risks which are crucial for maintaining public trust and ensuring the smooth operation of council services.  Managing risk helps the council achieve its objectives by reducing threats and maximising opportunities, making good decisions and improving our performance.

4.       This policy review was considered by the Committee in May; however, the Committee requested that the adoption of the revised policy be deferred to the next Committee meeting to allow members additional time to deepen their understanding of risk management before making decisions related to the policy. Since the May Committee meeting, a small number of additional minor amendments to the policy were endorsed by the Executive. The proposed changes include clarifying definitions, including Te Ao Māori principles, updating responsibilities in the policy and the process for reviewing and recording risks.

5.       There is low to moderate public interest and therefore no public consultation is planned.

6.       There are no direct financial implications in adopting this policy. 

Background

7.       On 20 March 2025, the Executive considered changes to the policy and made a recommendation for the Committee to approve the minor amendments proposed and adopt the revised policy[5].

8.       On 19 May 2025, the Committee considered proposed policy changes and suggested additional changes to clarify definitions and responsibilities, and to align with Te Ao Māori principles. However, the adoption of the revised policy was deferred to the next Committee meeting to allow members additional time to deepen their understanding of risk management before making decisions related to the policy. In the interim, the Risk and Assurance team have met on an informal basis with most of the councillors to introduce the council’s risk management practices and framework. On 9 July 2025 the Executive endorsed further minor amendments to the policy.

9.       A workshop was also held with the full Council decision-making body (Council) to discuss risk appetite. Risk appetite underpins the policy and the effective management of risk. Risk appetite defines the level of risk an organisation is willing to accept, while risk thresholds set the specific limits to ensure risks remain within that appetite. The Executive provide directives that are endorsed by Council to indicate their comfort levels for risk, thereby indicating our organisation’s overall risk appetite. The session provided context and confidence for progressing the policy review.

10.     In parallel with this review, a standalone Business Continuity Policy is being developed to further strengthen council’s organisational resilience and ensure alignment with the standard. This new policy will complement the Risk Management Policy by providing a structured approach to preparing for, responding to, and recovering from disruptive events. It is intended that the Business Continuity Policy will be presented to the Committee for consideration in early 2026.

Statutory Context

11.     The Office of the Auditor-General recommends that councils have a clearly defined risk policy and framework for managing risk to ensure consistent and effective risk management practices. Having a risk management policy helps to identify, analyse and manage risks, which is crucial for maintaining public trust and ensuring the smooth operation of council services. Effective risk management contributes to improved management systems, informed decision-making, and meeting Local Government Act 2002 (LGA) requirements. The LGA requires councils to manage their activities prudently and in a way that promotes the current and future interests of communities. This includes identifying and managing risks to service delivery and financial sustainability.


 

STRATEGIC ALIGNMENT

12.     This contributes to the promotion or achievement of the following strategic community outcome(s):

| Strategic community outcome | Contributes |
|---|---|
| We are an inclusive city | ✓ |
| We value, protect and enhance the environment | ✓ |
| We are a well-planned city | ✓ |
| We can move around our city easily | ✓ |
| We are a city that supports business and education | ✓ |

 

13.     Identified council risks affect each of the community outcomes at differing levels, and therefore affect organisational activity. Regular review and assessment of our risk management processes helps us better understand and manage key organisational and city risks.

Options Analysis

Risk Management Policy

14.     The Risk Management Policy has been reviewed by the Risk and Assurance team to ensure continued alignment with the AS/NZS ISO 31000 risk standard and AS/NZS ISO 22301 business continuity standard.

15.     Council staff have identified four areas where the policy could be improved as set out in Issues 1 to 4 in this paper. The proposed changes to the policy are minor. They are also highlighted as tracked changes in the revised Risk Management Policy (Attachment One). These changes incorporate the feedback received from the Committee on 19 May 2025.

Issue 1: Clarifying definitions

16.     The definitions table has been updated to clarify the terms used in the policy and to distinguish between the Council decision-making body, the Committee, and the council organisation and workers. The definition of risk has been updated to indicate that risk is calculated using likelihood and consequence. A new Enterprise Risk Management System (ERMS), also known as the Camms/Riskonnect software solution, is now being used to record risk. The policy has been updated to include a definition and several references to the ERMS.

17.     Table 1: Options to clarify definitions

Option 1a (Recommended): Update the definitions section (and in-text mentions) to provide more clarity on the use of the terms Business Continuity, Council, the council, the Committee, council staff, group and division.

Advantages:

·    Ensures clear definitions of terms used in the policy and assigns responsibility for each aspect.

Disadvantages:

·    May require updates to related documents.

Option 1b (Recommended): Update the definitions section to include that risk is calculated using likelihood and consequence.

Advantages:

·    Ensures a clearer definition of how risk is calculated.

Disadvantages:

·    May require updates to related documents.

Option 1c (Recommended): Add a definition (and in-text mentions) for the Enterprise Risk Management System (ERMS).

Advantages:

·    Ensures the policy reflects the change in how risks are now being recorded in an Enterprise Risk Management System (ERMS).

Disadvantages:

·    May require updates to related documents.

Option 1d: Status quo. Retain the current policy and do not adopt the revised draft policy.

Advantages:

·    None.

Disadvantages:

·    Confusion around what specific terms mean and who is responsible for specific actions.

 

Issue 2: Including Te Ao Māori principles

18.     Application of Te Ao Māori principles in our risk management approach has been considered in consultation with the Takawaenga Unit. The principles section of the policy has been updated to align with the council’s Code of Conduct/ Ngā Kawa Arataki. This includes specific examples of how the values guide the approach to risk management through Whanaungatanga and Collaboration; Manaakitanga and Respect; Whāia te tika and Service; and Pono and Integrity.

19.     Table 2: Options to include Te Ao Māori principles

Option 2a (Recommended): Update the policy to include how Te Ao Māori principles are integrated into the approach in alignment with the council’s Code of Conduct/ Ngā Kawa Arataki.

Advantages:

·    Strengthens cultural safety and responsiveness.

·    Ensures council’s approach to risk management recognises and applies a Te Ao Māori approach.

·    Provides clear links to the council’s Code of Conduct/ Ngā Kawa Arataki.

Disadvantages:

·    None.

Option 2b: Status quo. Retain the current policy and do not adopt the revised draft policy.

Advantages:

·    None.

Disadvantages:

·    Lack of cultural safety and responsiveness.

·    Does not support commitment to apply a Te Ao Māori approach.

 

Issue 3: Responsibilities in the Policy

20.     The review identified the following updates to clarify roles and responsibilities in alignment with the Committee’s Terms of Reference: 

(a)     Council’s responsibility to own and govern risk management; and evaluate risks as escalated to it by the Committee (rather than being limited to confirm and evaluate risks to the delivery of the Long-term Plan)

(b)     the Committee’s responsibility to assist and advise Council in discharging its responsibility and ownership of risk management; review the effectiveness of risk management and internal control systems; and review strategic risks to ensure effective mitigation and alignment with organisational objectives, and

(c)     the Chief Executive’s responsibility to endorse and recommend the policy (rather than approve, as it is the Committee that approves the policy).

21.     Table 3: Options for Responsibilities in the Policy

Option 3a (Recommended): Update the responsibilities in the policy.

Advantages:

·    Provides more clarity on the role of the Committee, Council and the Chief Executive in managing risks.

Disadvantages:

·    None.

Option 3b: Status quo. Retain the current policy and do not adopt the revised draft policy.

Advantages:

·    None.

Disadvantages:

·    Confusion around Council, Committee and Chief Executive responsibilities with regards to risk.

 

Issue 4: Reviewing and recording risks

22.     Updates to the policy are recommended to reflect improvements in current practice for reviewing and recording risk. This includes updating the policy to reflect the reviewing of risk registers regularly by division (rather than quarterly by department); and detailing strategic risks and how they are recorded.

23.     Table 4: Options for Recording Risks 

Option 4a (Recommended): Change the review of risk registers to regularly by division.

Advantages:

·    Ensures the risk registers are reviewed appropriately.

Disadvantages:

·    Reduced regularity of review.

Option 4b (Recommended): Include a description of strategic risks and how they are recorded.

Advantages:

·    Ensures strategic risks are managed appropriately.

Disadvantages:

·    Adds complexity to risk register structure.

Option 4c: Status quo. Retain the current policy and do not adopt the revised draft policy.

Advantages:

·    None.

Disadvantages:

·    Does not reflect improvements in current practice in how risks are being recorded and how often they should be reviewed.

 

Financial Considerations

24.     Adopting the revised policy does not have any financial implications.

Legal Implications / Risks

25.     There are no significant risks associated with the recommendations to adopt the revised policy. The review process reflects best practice guidance consistent with AS/NZS ISO 31000 and AS/NZS ISO 22301, supporting a systematic and integrated approach to managing risk and organisational resilience.

 

TE AO MĀORI APPROACH

26.     Application of Te Ao Māori principles in our risk management approach has been considered in consultation with the Takawaenga Unit. The principles section of the proposed draft policy aligns with the council’s Code of Conduct/ Ngā Kawa Arataki. This includes specific examples of how the values guide the approach to risk management through Whanaungatanga and Collaboration; Manaakitanga and Respect; Whāia te tika and Service; and Pono and Integrity.

27.     In the policy, these principles guide how we identify, assess, and respond to risks in ways that uphold mana, foster collaboration, and support ethical, inclusive decision-making.

CLIMATE IMPACT

28.     There are no direct or specific climate change impacts resulting from the proposed changes to the policy.

Consultation / Engagement

29.     There is low to moderate public interest and therefore no public consultation or engagement has been undertaken. To ensure our policy remains aligned with best practice, the Risk and Assurance team continues to engage with sector peers, participate in local government forums and working groups, benchmark against other councils, review guidance from oversight bodies, incorporate feedback from internal audits, and monitor legislative and regulatory developments.

Significance

30.     The Local Government Act 2002 requires an assessment of the significance of matters, issues, proposals and decisions in this report against Council’s Significance and Engagement Policy.  Council acknowledges that in some instances a matter, issue, proposal or decision may have a high degree of importance to individuals, groups, or agencies affected by the report.

31.     In making this assessment, consideration has been given to the likely impact, and likely consequences for:

(a)    the current and future social, economic, environmental, or cultural well-being of the district or region

(b)    any persons who are likely to be particularly affected by, or interested in, the decision.

(c)    the capacity of the local authority to perform its role, and the financial and other costs of doing so.

32.     In accordance with the considerations above, criteria and thresholds in the policy, it is considered that the decision is of low significance.

ENGAGEMENT

33.     Taking into consideration the above assessment, that the decision is of low significance, officers are of the opinion that no further engagement is required prior to the Committee making a decision.

Next Steps

34.     If the Committee decides to adopt the revised policy it will take effect immediately. The policy will be made available on the council’s website.

 

Attachments

1.       Revised Risk Management Policy - A19071834  

 



 

9.5         Policy Review - Privacy Policy

File Number:           A18717530

Author:                    Sharon Powell, Privacy Officer

Sharon Herbst, Policy Analyst

Authoriser:              Alastair McNeil, Acting COFO - Commercial & General Counsel

 

 

Purpose of the Report

1.      To endorse a new Privacy Policy.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "Policy Review - Privacy Policy".

(b)     Endorses the creation of a new Privacy Policy (Attachment One) for the Executive to consider and adopt, which includes:

(i)      a scope that includes all council workers, including the mayor, councillors and persons appointed to council committees

(ii)      applying the Information Privacy Principles (IPPs) and ensuring appropriate systems are in place to manage personal information

(iii)     a commitment to enhancing culturally aligned practices

(iv)     an annually reviewed privacy statement on the council website

(v)     clear roles and responsibilities for privacy officers

(vi)     annual privacy training for workers

(vii)    effective management of privacy breaches.

 

 

Executive Summary

2.       The Audit & Risk Committee (the Committee) is asked to endorse a new Privacy Policy (the policy) for the Executive to then consider and adopt[6].

3.       Tauranga City Council (the council) has obligations and responsibilities under the Privacy Act 2020 (the Act) for how personal information is collected, stored, used, and disclosed. 

4.       Currently, the council has a Privacy Breach Management Procedure (the procedure) that demonstrates our preparedness to respond swiftly and effectively to any privacy breaches. The procedure was last reviewed in 2022 and is due for review.

5.       The new policy will ensure that the procedure does not stand alone: it sets clear expectations for staff handling personal information and includes a commitment to annual training to support staff understanding, help build community trust and reduce organisational non-compliance.

6.       Together this will provide a comprehensive organisational approach to privacy, both preventative (the policy) and reactive (the procedure).

7.       There are no direct financial implications in endorsing this document.  However, not endorsing the policy may increase our risk of non-compliance, reputational damage, and operational inefficiency.

Background

8.       Guidance from the Office of the Privacy Commissioner has informed the review and has been incorporated into a revised draft procedure. The procedure, compulsory induction training for all workers, and information on the council intranet about privacy responsibilities all currently inform the council’s practices to meet its obligations under the Privacy Act. There is, however, no policy that outlines the council’s over-arching approach to meeting its obligations.

9.       As part of this review, a new Privacy Policy has been drafted to complement the existing procedure.  The policy will ensure a proactive approach, enhancing transparency, compliance, and accountability regarding our privacy obligations.

10.     The new policy will be an internal document, with the accompanying procedure also an internal document; both will be approved by the Executive. We are asking the Committee to endorse the draft policy. The procedure is a more operational document and as such is not being brought to the Committee for advice. Once the policy is endorsed it will be presented to the Executive for final revisions and adoption alongside their review of the updated procedure document.

11.  The new policy (Attachment One) has been written to outline the council’s over-arching approach. The new policy has been drafted to align with the principles outlined in the Act, incorporating guidance from the Office of the Privacy Commissioner. Our privacy officers and legal team have collaboratively developed this document.

12.  The original procedure has been reassessed alongside the new policy to ensure it continues to reflect best practice. The proposed changes to the procedure will be taken to the Executive to consider. 

Statutory Context

13.     The Privacy Act 2020 aims to promote and protect an individual’s privacy by applying the information privacy principles (IPPs) that govern how personal information is collected, used, stored and disclosed. The Act requires organisations to appoint a privacy officer. While the Act does not explicitly mandate that councils must have a standalone privacy policy, having one is considered best practice.

14.     The Privacy Amendment Bill, currently before Parliament, will introduce IPP 3A into the Act. IPP 3A will enhance transparency by requiring agencies to inform individuals when collecting personal information from other sources (indirect collection), ensuring they are aware of the collection and its purpose. The commencement date will be delayed until at least May 2026. Council staff are already preparing for these new requirements. Once the Act is passed and guidance is clear, we will update the policy to ensure compliance with the new legislation. 

STRATEGIC ALIGNMENT

15.     This contributes to the promotion or achievement of the following strategic community outcome(s):

Strategic community outcome: Contributes

We are an inclusive city: ✓

We value, protect and enhance the environment: ✓

We are a well-planned city: ✓

We can move around our city easily: ✓

We are a city that supports business and education: ✓

 

16.     The policy supports our strategic direction by promoting responsible information practices that build trust and support inclusive engagement. Identified privacy practices have varying impacts across community outcomes and influence organisational activity. Regular review and assessment of these processes helps us better understand and manage both organisational performance and broader city outcomes.

Options Analysis

Issue 1: Do we need a privacy policy?

17.     Whilst there is some information available on the council intranet and induction training, there is currently no formal document outlining the council’s overall approach to managing privacy responsibilities. The development of a policy (Attachment One) would elevate awareness, provide clear guidance, and support compliance with the Act.

18.     Table 1: Options for Developing a Privacy Policy

Option 1a (Recommended): Endorse the creation of a new draft privacy policy
Advantages:
·    Establishes a formal, consistent approach to managing privacy.
·    Increases awareness of responsibilities under the Privacy Act.
·    Aligns with related internal policies (e.g. Digital Acceptable Use Policy).
·    Includes specific commitments to annual training.
Disadvantages:
·    Adds another document to the review and approval pipeline.

Option 1b: Retain the status quo and do not develop a privacy policy
Advantages:
·    Avoids immediate administrative work.
Disadvantages:
·    Lack of formal commitment to privacy.
·    Increased risk of inconsistent practices, privacy breaches, and reputational harm.

 

 

Issue 2: What should the scope of the policy be?

19.     The scope of the new policy should apply to all individuals who handle personal information on behalf of council. This includes council workers, but also the mayor, councillors, and persons appointed to council committees, all of whom are subject to the Act.

20.     There is precedent for including the mayor and councillors in internal policies (e.g. digital policies, LGOIMA policy, Fleet User Policy, and the Social Media Policy). The Elected Members’ Code of Conduct references privacy obligations including:

(a)     Clause 7.1 – confidential information must not be used or disclosed for any purpose other than that for which it was provided.

(b)     Clause 7.2 – covers the handling of information received, noting it should only be shared if it does not breach individual privacy.

(c)     Appendix A – Highlights that council policies and legislation, including the Act and LGOIMA, apply in public communications, including social media use.

21.     The proposed policy goes beyond handling received information and includes responsibilities for collection, storage, access, use, disclosure, and privacy breach reporting.

22.     If the mayor, councillors and persons appointed to council committees are not included within the scope of the policy, then at a minimum, compulsory privacy training should be provided as part of their induction.

23.     Table 2: Options for Defining the Scope of the Privacy Policy

 

Option 2a (Recommended): Include all council workers, the mayor, councillors, and committee appointees
Advantages:
·    Ensures consistent privacy expectations across all individuals acting on behalf of the council.
·    Aligns with legal obligations under the Act.
·    Builds on precedent from other internal policies.
·    Reinforces accountability and transparency.
Disadvantages:
·    May require tailored onboarding or training for the mayor, councillors and committee appointees (though this would support consistent application).

Option 2b: Include only council workers
Advantages:
·    Limits scope to those under direct operational management.
·    Reduces need for additional training or engagement with elected members.
Disadvantages:
·    Creates inconsistency in expectations.
·    Misses opportunity to reinforce the mayor and councillors’ legal obligations.
·    May increase risk of privacy breaches due to gaps in awareness.

 

 

Issue 3: Who should adopt the policy?

24.     The appropriate adoption pathway depends on the scope of the policy:

·     If the policy applies only to council workers, Executive approval is appropriate.

·     If the policy includes the mayor, councillors and committee appointees, the Committee may wish to adopt the policy directly, given their oversight role in privacy matters.

Table 3: Options for Endorsing and Adopting the Privacy Policy

Option 3a (Recommended): The Committee endorses the policy for Executive approval
Advantages:
·    Follows established governance processes for internal policies
·    Enables timely implementation
Disadvantages:
·    May be seen as insufficient if elected members are within scope

Option 3b: The Committee adopts the policy directly
Advantages:
·    Reinforces the Committee’s leadership role in privacy governance
·    Ensures that elected members are formally bound by the policy
Disadvantages:
·    May blur governance boundaries
·    Could delay implementation if Committee processes are slower

 

25.     Issue 4: What should be included in the privacy policy?

26.     The newly drafted policy clearly outlines how the council will meet its obligations under the Act. This includes applying the IPPs, cultural considerations, an annually reviewed privacy statement on the council website, the role of privacy officers, annual worker training, and effective management of privacy breaches.

27.     The draft policy reflects current best practice and internal needs. However, any additional inclusions identified by the Committee during review can be incorporated prior to Executive adoption.

28.     The following table outlines the proposed inclusions and their rationale. These elements are recommended to ensure the policy is comprehensive, practical, and aligned with both legal obligations and organisational values.

29.     Table 4: Options to outline how council meets its obligations under the Act

Option 4a (Recommended): Include a commitment to apply the IPPs and ensure appropriate systems are in place to manage personal information.
Advantages:
·    Ensures the council has a transparent and consistent approach to applying the IPPs and complying with the Act.
Disadvantages:
·    None.

Option 4b (Recommended): Include a section that outlines our commitment to enhancing culturally aligned practices
Advantages:
·    Strengthens trust through culturally respectful privacy practices.
·    Aligns with council values, a Te Ao Māori approach and Te Tiriti o Waitangi obligations.
Disadvantages:
·    None.

Option 4c (Recommended): Include commitment to have an annually reviewed privacy statement on the council website
Advantages:
·    Ensures the public is informed about how the council manages personal information.
·    Supports transparency and trust.
Disadvantages:
·    None.

Option 4d (Recommended): Include the role of privacy officers
Advantages:
·    Demonstrates accountability and governance.
·    Clarifies responsibilities for managing privacy obligations.
Disadvantages:
·    None.

Option 4e (Recommended): Include annual worker training
Advantages:
·    Ensures workers are regularly reminded of their privacy responsibilities.
·    Reduces risk of unintentional breaches.
Disadvantages:
·    None.

Option 4f (Recommended): Include effective management of privacy breaches
Advantages:
·    Ensures the council has a clear procedure for responding to privacy breaches.
·    Supports timely and appropriate incident management.
Disadvantages:
·    None.

 

Financial Considerations

30.     Endorsing the policy does not have any financial implications.

Legal Implications / Risks

31.     There are no significant risks associated with the recommendations to endorse the Policy.

32.     If we do not develop a Privacy Policy, there is a risk that more privacy breaches may occur due to a lack of awareness of our responsibilities under the Act.

TE AO MĀORI APPROACH

33.     The policy reflects the council’s values as outlined in the Code of Conduct / Ngā Kawa Arataki. It supports manaakitanga and respect by promoting culturally aligned and inclusive privacy practices that honour diverse communities. It upholds pono and integrity through clear responsibilities, transparency, and accountability in how personal information is handled. The policy advances whāia te tika and service by guiding staff to act ethically and prioritise public interest when managing privacy risks. Finally, it fosters whanaungatanga and collaboration by encouraging partnership with communities and shared responsibility across teams to uphold privacy rights and build trust.

34.     As part of the review process, staff sought advice from the Takawaenga Unit to incorporate a cultural perspective on privacy. This advice acknowledged that cultural perspectives on privacy are still emerging, particularly in relation to Māori data sovereignty. There is growing awareness of the need to appropriately manage information received from hapū and iwi, including whether such information should be retained for specific purposes or shared more broadly. This aligns with sector thinking, including guidance informed by the Office of the Privacy Commissioner, which recognises the importance of collective privacy rights and culturally grounded approaches to data governance.

CLIMATE IMPACT

35.     While the policy does not directly influence climate outcomes, it supports sustainable digital practices by encouraging responsible data handling, minimising unnecessary data collection and storage, and promoting secure, efficient systems. These practices can contribute to reduced energy use and digital waste over time.

Consultation / Engagement

36.     There is low to moderate public interest and therefore no public consultation or engagement has been undertaken. To ensure our policy remains aligned with best practice, our privacy officers continue to engage with sector peers, participate in local government forums and working groups, benchmark against other councils, review guidance from oversight bodies, incorporate feedback from internal audits, and monitor legislative and regulatory developments.

Significance

37.     The Local Government Act 2002 requires an assessment of the significance of matters, issues, proposals and decisions in this report against Council’s Significance and Engagement Policy.  Council acknowledges that in some instances a matter, issue, proposal or decision may have a high degree of importance to individuals, groups, or agencies affected by the report.

38.     In making this assessment, consideration has been given to the likely impact, and likely consequences for:

(a)    the current and future social, economic, environmental, or cultural well-being of the district or region

(b)    any persons who are likely to be particularly affected by, or interested in, the decision.

(c)    the capacity of the local authority to perform its role, and the financial and other costs of doing so.

39.     In accordance with the considerations above, criteria and thresholds in the policy, it is considered that the decision is of low significance as the policy provides an overview of actions already required under the Act.

ENGAGEMENT

40.     Taking into consideration the above assessment, that the decision is of low significance, officers are of the opinion that no further engagement is required prior to Council making a decision.

Next Steps

41.     If the Committee endorses the creation of a Privacy Policy and its proposed contents, the policy will be forwarded to the Executive for final consideration and adoption. The Executive will also review the updated Privacy Breach Management Procedure alongside the policy to ensure both documents are aligned and reflect current best practice.

42.     If the Committee instead chooses to adopt the policy directly, the policy will be finalised and published on the staff intranet following any final revisions. In this case, the Executive will still review the updated procedure to ensure operational alignment.

Attachments

1.       Draft Privacy Policy 2025 - A19132335  

 

 



 

 



 

9.6         LGOIMA and Privacy Q1 Report for 2025/26

File Number:           A19124724

Author:                    Sarah Pharo, Administrator: Information Requests

Authoriser:              Alastair McNeil, Acting COFO - Commercial & General Counsel

 

 

Purpose of the Report

The purpose of this report is to update the Committee on Local Government Official Information and Meetings Act 1987 (LGOIMA) and Privacy requests for Q1 of the 2025/26 financial year.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "LGOIMA and Privacy Q1 Report for 2025/26".

 

 

 

Attachments

1.       Q1 Report LGOIMA and Privacy Requests - July-Sept 2025 - A19124708  

 

 



 

   

 



 

10        Discussion of late items

 



 

11        Public excluded session

Resolution to exclude the public

Recommendations

That the public be excluded from the following parts of the proceedings of this meeting.

The general subject matter of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter, and the specific grounds under section 48 of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows:

11.1 - Public Excluded Minutes of the Audit & Risk Committee meeting held on 21 July 2025
Reason for passing this resolution:
·    s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons
·    s7(2)(b)(i) - The withholding of the information is necessary to protect information where the making available of the information would disclose a trade secret
·    s7(2)(g) - The withholding of the information is necessary to maintain legal professional privilege
·    s7(2)(h) - The withholding of the information is necessary to enable Council to carry out, without prejudice or disadvantage, commercial activities
·    s7(2)(i) - The withholding of the information is necessary to enable Council to carry on, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations)
·    s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage
Ground(s) under section 48:
·    s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.2 - Digital/Cyber Risk Quarterly Report
Reason for passing this resolution:
·    s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons
·    s7(2)(b)(i) - The withholding of the information is necessary to protect information where the making available of the information would disclose a trade secret
Ground(s) under section 48:
·    s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.3 - Risk Register - Quarterly Update
Reason for passing this resolution:
·    s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage
Ground(s) under section 48:
·    s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.4 - Internal Audit & Assurance - Quarterly Update
Reason for passing this resolution:
·    s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage
Ground(s) under section 48:
·    s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.5 - Health, Safety and Wellbeing Quarterly Report: Q1 July to September 2025
Reason for passing this resolution:
·    s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons
Ground(s) under section 48:
·    s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

Confidential Attachment 2 - 9.1 - Status Update on actions from prior Audit & Risk Committee meetings
Reason for passing this resolution:
·    s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage
Ground(s) under section 48:
·    s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

Confidential Attachment 2 - 9.2 - Risk Appetite Report - November 2025
Reason for passing this resolution:
·    s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage
Ground(s) under section 48:
·    s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

Confidential Attachment 3 - 9.2 - Risk Appetite Report - November 2025
Reason for passing this resolution:
·    s7(2)(c)(i) - The withholding of the information is necessary to protect information which is subject to an obligation of confidence or which any person has been or could be compelled to provide under the authority of any enactment, where the making available of the information would be likely to prejudice the supply of similar information, or information from the same source, and it is in the public interest that such information should continue to be supplied
Ground(s) under section 48:
·    s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

 

 

 

 

 

 



 

12        Closing karakia



[1] Stellar pathway: Council & Committees → Audit & Risk Committee → Requests from Audit & Risk Committee meetings.

[2] The management of the mayor and councillors’ conflicts of interest is covered by their Code of Conduct, the Local Government Act 2002 (specifically Part 4, Subpart 3: Register of members’ pecuniary interests), and the Local Authorities (Members’ Interests) Act 1968.

[3] The committee’s Terms of Reference state ‘Review and provide advice on policies relevant to the Committee’s role including, but not limited to, policies addressing fraud, protected disclosures, and conflicts of interest.’

 

[4] Standards jointly developed by Standards Australia and Standards New Zealand: Risk Standard AS/NZS ISO 31000 and Business Continuity Standard AS/NZS ISO 22301.

[5] The Committee’s Terms of Reference state ‘Review, approve and monitor the implementation of Council’s Risk Management Policy, including regular review of the corporate risk register.’

[6] The committee’s Terms of Reference state ‘Review and monitor policy and processes to manage responsibilities under the Local Government Official Information and Meetings Act (LGOIMA) 1987 and the Privacy Act 2020 and any actions from any Office of the Ombudsman's report.’