Agenda item

Further to Minute no. 317, the Committee received an update to the draft Disaster Recovery Internal Audit Report with particular reference to the Frameworki (FWi) system.

The report set out details of the formal review of the FWi system in 2012, the fundamental issues resulting from that review, the short term actions and the work started following the review and the options going forward for further business resilience.

The Head of Systems and Customer Access reported that the current operational environment for the FWi system would be managed at minimal cost, and the new service provider for ICT infrastructure would be commissioned to cost a scheme to re-host FWi and provide a disaster recovery service, in line with the suggested service improvement plan, at the earliest opportunity.

The Commissioning work, engaging with Hewlett Packard (HP) to deliver operational support for the Council systems, and the Digital by Default strategy, would see substantial change in the way systems were designed and delivered to the Council. The limitations of the two existing computer rooms in County Hall and Wildwood, specifically, the lack of fire suppressant, were well understood and could be built into the arrangements for recovery of systems, such that the risk of loss of service through fire could be tolerated.

The Digital by Design was making greater use of services provided externally in the Cloud, reducing the risk of loss from disruption to central resources.  Similarly, opportunity existed to seek hosting services external to the Council via the contract for support with HP. Deployment of services away from the Council through current and developing technologies would reduce the risk of loss on the Council to a point where the Council could accept the risk.

In the ensuing debate, the following principal points were raised:

·         The Head of Systems and Customer Access stated that the negotiations with HP, the chosen provider were in their final stages and he anticipated that the contract would be signed next week

·         Had the Council received any advice from the fire service in relation to provision of fire suppression equipment in the mainframe computer room?  The Head of Systems and Customer Access commented that he had not received any advice of this nature from the fire service. However officers from property services had advised him that due to changes to the guidance, fire suppressant equipment was no longer a requirement

·         In response to a query, the Head of Systems and Customer Access explained that testing of the system did take place at present but other priorities tended to take precedence. The new contract would include provision for testing which would include better standby and call out arrangements

·         What steps had been taken to mitigate the risks associated with disaster recovery in the interim period before the contract was signed and implemented? The Head of Systems and Customer Access advised that the Council did not have a contingency measure for systems recovery using an external provider in the short term as it would be too expensive. However the Council did have access to expert external sources of advice should systems fail and this mitigated the risk. In the future, the Council would benefit from the development of a relationship with the contractor as well as through contractual elements of the agreement. The challenge to the Council was to mitigate the risks in the interim period at no further cost to the Council

·         In response to a query, the Head of Systems and Customer Access anticipated that HP would take a measured approach to reconfiguring the system rather than a more risky approach to implement the changes in one go

·         Was HP intending to increase staffing resources? The Head of Systems and Customer Access stated that HP intended to put in additional resources and expertise to transform the current infrastructure. HP also intended to introduce new monitoring tools and new processes to manage the Council's infrastructure more appropriately

·         The RAG rating for the risk for business continuity had been reduced in the Corporate Risk Register. In the light of the recent system failure, should the Director of Children's Services be instructed to amend this rating? The Risk and Business Continuity Manager advised that there was a time-lag in the reporting of this information and the RAG rating would be amended in the next report to reflect the issues that arose during the system failure. However, he anticipated that the proposed changes to the system would mitigate the risk

·         It was agreed that the Committee would wish to inform Council that it was reasonably re-assured by the mitigation measures set out in the disaster recovery plans for the next 12 months.                                                                                       

RESOLVED that:

a)    The update to the draft Disaster Recovery Internal Audit Report be noted;

b)    The update to the position with Frameworki be noted;

c)    The proposals to manage the current operational environment for FWi at minimal cost, and to commission the new service provider for ICT infrastructure to cost a scheme to re-host FWi and provide a disaster recovery service, in line with the suggested service improvement plan, at the earliest opportunity be noted; and

d)    Council be informed that the Committee were reasonably re-assured by the mitigation measures set out in the disaster recovery plans for the next 12 months.