City of Palo Alto (ID # 13911)
Policy and Services Committee Staff Report
Meeting Date: 3/8/2022 Report Type: Action Items
City of Palo Alto Page 1
Title: Presentation of the FY22 Risk Assessment Report & Audit Plan
From: City Manager
Lead Department: City Auditor
Recommendation
The City Auditor recommends that the Policy and Services Committee take the following actions and forward the corresponding reports to the City Council for consent:
1) Review the Fiscal Year 2022/23 Risk Assessment Report and Recommend City Council Approval
2) Review the Fiscal Year 2022/23 Audit Plan Report and Recommend City Council Approval
3) Review the following Task Orders identified in the Audit Plan Report and Recommend City Council Approval
o Remote and Flexible Work Study
o Cybersecurity Assessment
o Wastewater Treatment Plant Agreement Audit
Executive Summary
Baker Tilly conducted a comprehensive Risk Assessment in FY21, which was used as the basis for the FY22/23 Risk Assessment. To update the assessment, Baker Tilly spoke with City Council members and executive leadership across 14 departments within the City. In addition, executive leaders were asked to complete a survey that evaluated the potential opportunities and threats to their departments and the City as a whole. Baker Tilly analyzed the results of the survey and conducted additional interviews as necessary.
The Risk Assessment identifies 15 risks rated as high to the organization among 154 total risks listed. The FY22/23 Audit Plan was prepared based on the results of the risk assessment, conversations with leadership, and other matters.
Background
In its capacity serving as the City Auditor function, and in accordance with Baker Tilly’s agreement with the City (Task #2 of the agreement), Baker Tilly performed a citywide risk assessment. The purpose of the assessment was to identify and prioritize risks in order to develop the annual audit plan (Task #1). During the risk assessment, Baker Tilly assessed a wide range of risk areas, including strategic, financial, operational, compliance, technological, and reputation risks. The comprehensive risk matrix is included as an appendix to the report. Baker Tilly will present the results of the Risk Assessment to the Committee and is asking that the Committee recommend approval of the report by City Council.
The Palo Alto Municipal Code (Section 2.08.130) requires the City Auditor to prepare and submit an annual audit plan to the City Council for review and approval. Baker Tilly performed the initial risk assessment after it began serving as the Office of the City Auditor in October 2020 and, in early 2021, submitted the FY21-FY22 annual audit plan identifying audit activities across an 18-month horizon (through FY22). The OCA updated the initial risk assessment in January 2022, one year after our initial risk assessment. This audit plan covers the remainder of FY22 as well as FY23 and was prepared based on the results of the updated risk assessment described above. Baker Tilly plans to present the audit plan and is asking that the Committee recommend approval of the audit plan report by City Council. Upon approval of the audit plan, the Task Orders will be approved by the Policy & Services Committee Chair.
Discussion
The attached reports summarize the analysis of the risk assessment and outline the potential future audit activities derived from it.
Timeline, Resource Impact, Policy Implications (If Applicable)
The timeline for the risk assessment and audit plan is FY22-23. The audit plan assumes that the Office of the City Auditor will be allocated a similar budget in FY23 as in FY22. The budget will be approved at a future point and may necessitate review of the Audit Plan. The City Auditor will bring any necessary changes to the Committee and to City Council.
Stakeholder Engagement
The Office of the City Auditor worked with Executive Leaders from 14 Departments across the City and engaged the City Council.
Environmental Review
Environmental review is not applicable to this activity.
Attachments:
• OCA - Risk Assessment Report FY22-23 (Final Draft for P&S)
• OCA - FY22-23 Audit Plan (Final Draft for P&S)
City of Palo Alto
Office of the City Auditor
FY22 Annual Risk Assessment
February 15, 2022
Table of Contents
Introduction
Risk Assessment Approach
Survey Results
  Management’s View of Strengths and Weaknesses/Threats
  Key Risk Areas Rated by Management
  Significant Changes in FY21
  Barriers to Meeting Goals and Objectives in FY22
Risk Assessment Results
Appendices
  Appendix A: Survey Questions
  Appendix B: Risk Matrix
Introduction
According to City Ordinance of the City of Palo Alto (the City), the mission of the Office of City Auditor (OCA) is to promote
honest, efficient, effective, economical, and fully accountable and transparent city government. To fulfill this mission, the
OCA conducts performance audits and performs financial/operational analyses of city departments, programs, services,
or activities as approved by the City Council (Section 2.08.130). In its capacity serving as the City Auditor function, and in
accordance with Baker Tilly’s agreement with the City (Task #1 of the agreement), Baker Tilly conducted the FY22
citywide risk assessment in order to develop the FY22/FY23 annual audit plan (Task #2).
The California Government Code Section 1236 requires all cities that conduct audit activities to conduct their work under
the general and specified standards prescribed by the Institute of Internal Auditors (IIA) or the Government Auditing
Standards (GAO) issued by the Comptroller General of the United States, as appropriate. According to the IIA Standard
2010, the head of internal audit function “must establish a risk-based plan to determine the priorities of the internal audit
activity, consistent with the organization’s goals” and consider the input of senior management and a governing board.
The purpose of the risk assessment is to develop an internal audit plan that assigns internal audit resources to the
activities that add the most value to the City. The risk assessment process involves identifying, measuring, and prioritizing
risks associated with the audit universe (list of specific departments, functions, processes, programs, etc. that can be
subject to an audit). Risk is defined as “the possibility of an event or condition occurring that will have an impact on the
ability of an organization to achieve its objectives.”1
Our risk assessment involved collaboration with City Council and executive leadership from 14 main departments across
the organization. This report summarizes our risk assessment methodology, analysis, and results. The FY22/FY23 annual
audit plan is based on the results of this risk assessment.
Through the risk assessment, we observed certain strengths of the City. Key strengths include:
- Commitment to public service
- High value on efficient and effective government
- Focus on long term strategy
- Dedicated and highly professional management and staff
- Demonstrated history of innovation and commitment to sustainability
Additionally, OCA commends the City for its continued response to COVID-19. In particular, we greatly admire all efforts
taken to support the health and wellbeing of Palo Alto citizens and Stanford students, as well as the support of essential
workers during this time of heightened risk.
1 Rick A. Wright Jr., CIA, “The Internal Auditor’s Guide to Risk Assessment” The Institute of Internal Auditors Research Foundation
(IIARF), 2018
Risk Assessment Approach
Baker Tilly’s risk assessment approach consisted of the following phases:
FY22 Risk Assessment Phases
Planning
− Discussed a survey using an online survey tool with the City and the Baker Tilly internal resources.
− Prepared risk assessment survey questions and the online survey tool.
Information Gathering
− Reviewed key documentation such as the capital plan, annual budget, organizational charts, financial statements, and internal audit reports.
− Sent a link to the online survey to ELT members, asking them to complete the survey and forward it to their staff members as appropriate. Survey responses were downloaded into an Excel spreadsheet.
− Updated the risks in the existing risk matrix based on interviews with City Council members and the ELT members, survey responses, and review of critical documents.
Analysis
− Analyzed the survey responses.
− Scored the risks in the risk matrix based on the likelihood and the impact of potential adverse events.
− Identified potential internal audit activities with high risk scores.
Reporting
− Summarized the approach and results of the risk assessment.
Baker Tilly conducted an initial comprehensive risk assessment in FY2021 by interviewing all Council members and
Executive Leadership Team (ELT) members to create a risk matrix. For the FY2022 risk assessment, we interviewed all
available Council members, surveyed all ELT members and some additional members of management, and conducted
interviews with key ELT members representing areas of perceived high risk in the current landscape (e.g., Information
Technology, Human Resources).
Our initial FY2021 risk assessment primarily measured inherent risk (the risk without mitigating controls/factors). We
continue to learn the City’s risk responses, processes, controls, and/or other factors in place to mitigate identified risks
through internal audit activities. We considered the information gathered to identify risks and determine the likelihood and
impact of risks identified.
The risk matrix in Appendix B includes our risk rating scale and lists all of the identified risks and associated likelihood
and impact of potential adverse events.
Survey Results
The Baker Tilly team conducted an online risk assessment survey to gather management’s insights for all City departments and received 24 responses. The survey questions are listed in Appendix A.
Management’s View of Strengths and Weaknesses/Threats
Each manager was asked to identify up to three strengths of his/her team/department or the City. The following summary shows that the employees are the strength of the City and that the relationships and collaboration with different departments and organizations are an integral part of the City’s operation.
Managers were also asked to identify up to three weaknesses as well as threats for their teams/departments or the City. The results show that the City currently faces various issues related to human capital management. Additionally, the economy, rising costs, an aging population, and a supply chain issue were listed as some of the threats (unfavorable external factors).
Key Risk Areas Rated by Management
We asked the managers who participated in the survey to rate 38 risk factors across five risk categories, using a scale of 1 (Very Low) to 5 (Very High), to assess their teams/departments. As shown in the table below, five of the top ten risk factors rated high by the City’s management belong to the Environmental risk category. Each risk category is summarized below, and the detailed descriptions of risk factors are included in the survey in Appendix A.
Top ten risk factors rated by management:
Rank | Risk Category: Risk Factor | Average Rating
1 | Environmental: Economy | 4.04
2 | Environmental: Citizen Demands | 3.71
3 | Organization: Succession Planning | 3.63
4 | Environmental: Regulatory | 3.46
5 | Environmental: Reputation | 3.42
6 | Strategy: Planning and Budgeting | 3.38
7 | Organization: Human Capital Management | 3.33
7 | Organization: Governance | 3.33
9 | Environmental: Legal | 3.25
10 | Strategy: Strategic Change | 3.17
Environmental (Factors external to the organization)
Five out of six risk factors in this category are included in the top ten high-risk factors. External factors, such as the economy and citizen demands, are identified as the highest areas of the Environmental risk category. Compliance with laws and standards (Regulatory) and the opinions and perceptions of the public and customers towards the City (Reputation) are also rated higher than other risk factors. Legal risk is the potential for an unforeseen event to cause litigation for the City or its elected leaders, directors, and officers.
Risk Factor | Average Rating
Economy | 4.0
Citizen Demands | 3.7
Regulatory | 3.5
Reputation | 3.4
Legal | 3.3
Technologies | 2.5
Environmental (category average) | 3.4
Strategy (Planning and decision-making)
The top two risk factors of this risk category concern the financial management necessary to achieve the City’s goals (Planning and Budgeting) and the City’s ability to modify its processes in order to either align with its current strategy or to achieve a different strategic goal (Strategic Change). The Compliance Management risk factor refers to the continuous monitoring of the organization’s ability to operate within regulatory requirements and community standards.
Risk Factor | Average Rating
Planning and Budgeting | 3.4
Strategic Change | 3.2
Resource Allocation | 3.1
Compliance Management | 3.1
Financial | 2.8
Investments | 2.8
Inter-government Relations | 2.6
Strategy (category average) | 3.0
Organization (Attributes of departments)
Three risk factors in the Organization category are included in the top ten risk factors. The Succession Planning risk factor is rated as the third highest risk factor. It is the planning and processes to ensure that there are highly qualified people in key leadership positions today and in the future. The related risk factor rated as the seventh highest is Human Capital Management, which is the set of practices an organization uses for recruiting, managing, developing, and optimizing its human capital. Governance is also rated as the seventh highest overall and relates to the activities providing direction and oversight for the organization.
Risk Factor | Average Rating
Succession Planning | 3.6
Governance | 3.3
Human Capital Management | 3.3
Communication | 2.9
Leadership and Authority | 2.9
Safety | 2.7
Organizational Structure | 2.7
Empowerment and Values | 2.6
Ethics and Code of Conduct | 2.5
Organization (category average) | 2.9
Process and Operations (Functional effectiveness and policies and procedures)
No Process and Operations risk factor was represented in the top ten risks rated by the City’s management. However, the top three risk factors of this category are the 13th through 15th risk factors among all 38 risk factors. Human Resources concerns the knowledge, skills and experiences, and resources among personnel, which allow for the execution of the organization’s business plan and achievement of its critical success factors. Procurement/Sourcing pertains to the ability to acquire the necessary goods and services for operation and the process of vetting, selecting and managing suppliers, vendors and contractors.
Risk Factor | Average Rating
Human Resources | 3.1
Procurement/Sourcing | 3.0
Change Management | 3.0
Efficiency | 2.9
Information Systems | 2.8
Vendor Management | 2.8
Fraud | 2.5
Contracts | 2.5
Accounting | 2.3
Payroll | 2.2
Process and Operations (category average) | 2.7
Information (Data governance)
The Information risk category had the lowest average rating among the five categories. The risk factor rated highest by City management in this category is Availability: the availability of relevant critical information when needed in order to maintain the organization’s critical operations and processes, including when a disaster or unplanned disruption occurs. Security (any event that could result in the compromise of organizational data) is rated as the second highest risk.
Risk Factor | Average Rating
Availability | 2.8
Security | 2.7
Retention | 2.7
Data Integrity | 2.6
Privacy | 2.5
Access | 2.3
Information (category average) | 2.6
Significant Changes in FY21
We asked the managers who participated in the survey to describe the significant changes for their teams or departments during the past 12 months. The responses seem to be consistent with the effect of a significant reduction of staff in FY21 as described in the FY22 Adopted Operating Budget as well as the national labor market facing all industries.
Significant Changes During Last 12 Months | % of Respondents
Change in Workload | 64%
Workforce Reduction | 44%
New Workflows or Business Processes | 40%
Change in Compliance Requirements (Due to Changes in Policies/Contracts/Laws/Regulations) | 32%
New/additional Staff | 32%
Change in Organizational Structure | 32%
Other (No Significant Change, Staff Turnover, Mandatory Overtime) | 24%
Changes in Processes/Controls/Information Technology Systems | 24%
New Software | 20%
Increased Undesirable Performance or Instances (such as Injuries/Complaints/Customer Dissatisfaction) | 16%
Change in Culture | 16%
Change in Goals/Objectives/Performance Measures | 12%
New Vendors and Contractors | 12%
Change in Any Risks Previously Identified for Your Team/Department | 4%
Barriers to Meeting Goals and Objectives in FY22
We asked the managers who participated in the survey to describe the possible reasons that could prevent their teams or departments from meeting their goals and objectives in FY22. These responses are consistent with the weaknesses and significant changes mentioned by them in this survey.
Barriers to Meeting Goals and Objectives in FY22 | % of Respondents
Staffing Constraints | 88%
Financial Constraints | 48%
Limited Skills/Knowledge/Experience/Training | 32%
Constraints due to COVID-19 | 24%
Community Pressure | 24%
Inefficiency in Process and/or Communication | 20%
Technology Issue | 20%
Other (Changing Priorities/Goals/Assignments, Bottlenecks) | 16%
State/Federal Regulations | 12%
Lack of or Ineffective Internal Controls | 4%
Risk Assessment Results
We developed the risk matrix in FY21 during our first risk assessment for the City. For the FY22 risk assessment, we
updated the matrix by identifying the changes that have occurred (e.g., the City’s goals, organizational structure, etc.) over the
past 12 months, obtaining input from City Council members and the City’s management, and by continuing to learn more
about the City’s programs, initiatives, and processes. We added information to the existing risks, added or
removed risks, and adjusted the ratings, as necessary. The updated risk matrix is included in Appendix B. The following
chart shows the distribution of overall risk scoring in our risk matrix. We do not necessarily seek a normal distribution but
do consider the distribution to evaluate the effectiveness of our scoring methodology, which has been right-sized to the City.
Listed below are the risks with a score over 36 (out of 50) in the risk matrix, excluding six risks that were audited in FY21
– FY22 or are currently being audited. The list includes 15 areas rated as high risks (with a score between 40 and 50) and
20 areas rated as high-moderate risks (with a score between 36 and 38). In determining the audit activities to be performed in
FY22 and in FY23, we further review these risks and functional areas and consider risk-based priorities as well as other
factors such as requirements by law or regulation, timing of activities, special projects, and requests from City Council and
management.
Functional Area | Title | Likelihood (1-5) | Impact (1-5) | Score
City Wide | COVID-19 Response | 5 | 5 | 50
Org Wide | Employee Retention & Succession Planning | 5 | 4 | 46
Planning and Development Services | Long Range Planning | 5 | 4 | 46
Information Technology | Disaster Recovery Preparedness and Testing | 3 | 5 | 44
Information Technology | Host Intrusion and Malware Defense | 3 | 5 | 44
Information Technology | Problem Management and Incident Response | 3 | 5 | 44
Transportation | Contract Management | 3 | 5 | 44
Org Wide | Workforce | 4 | 4 | 42
Org Wide | Citywide Risk Management | 4 | 4 | 42
Administrative Services | Procurement | 4 | 4 | 42
Fire | Emergency Medical Service | 4 | 4 | 42
Human Resources | High Cost Claims | 4 | 4 | 42
Human Resources | Workload | 4 | 4 | 42
Information Technology | Mobile Device Management | 5 | 3 | 40
Information Technology | Strategy and Governance | 5 | 3 | 40
Public Works | Secondary Treatment Upgrades | 2 | 5 | 38
Public Works | ADA Compliance Upgrade | 2 | 5 | 38
Administrative Services | Investments, Debt, and Cash Management | 2 | 5 | 38
Information Technology | Information Security | 2 | 5 | 38
Information Technology | Operations and Monitoring | 2 | 5 | 38
Information Technology | Physical and Environmental Controls | 2 | 5 | 38
Information Technology | Ransomware | 2 | 5 | 38
Police | Use of Force and Officer Conduct | 2 | 5 | 38
Org Wide | Governance | 3 | 4 | 36
Org Wide | Organizational Culture | 3 | 4 | 36
Administrative Services | ERP System Upgrade | 3 | 4 | 36
City Wide | Sustainability and Climate Action Plan | 3 | 4 | 36
Administrative Services | Accounts Receivable | 3 | 4 | 36
Fire | Fire Suppression | 3 | 4 | 36
Fire | Fire Prevention - Palo Alto Foothills & Wildland Fire Risk | 3 | 4 | 36
Public Works | Public Services - Fleet | 3 | 4 | 36
Public Works | Wastewater Treatment Plant Operations | 3 | 4 | 36
Public Works | Public Services - Facilities | 3 | 4 | 36
Utilities | AMI (Advanced Metering Infrastructure) Project | 3 | 4 | 36
Utilities | Rates and Rate Adjustments | 3 | 4 | 36
Appendices
Appendix A: Survey Questions
The Office of City Auditor is conducting the FY22 Risk Assessment to identify and prioritize risks in order to
update the annual audit plan. As part of our FY22 Risk Assessment, we are conducting a survey. This survey
is used primarily to collect information related to changes in operations, emerging issues and risks the City
faces, and to gather your perspective on key risks faced by your department. Your candid responses would be
greatly appreciated to assess the risks that prevent the City of Palo Alto from achieving its mission, goals, and
objectives.
Note: Although we may reach out to some of you to discuss specific topics further, your identity will not be part
of our risk assessment report.
1. Please provide your name, title, Department, and e-mail address:
• Name
• Title
• Department
o City Council
o City Attorney
o City Manager’s Office – Other than Transportation
o City Manager’s Office – Transportation
o Administrative Services
o City Clerk’s Office
o Community Services
o Emergency Services
o Fire
o Human Resources
o Information Technology
o Library
o Planning
o Police
o Public Works
o Utilities
• E-mail address
2. Are you a head of your department?
• Yes
• No – Please briefly describe the specific function or process for which you are responsible.
3. Describe any significant changes for your team or department during last 12 months.
• New software
• New workflows or business processes
• Changes in processes, controls, or information technology systems
• Change in organizational structure
• Change in culture
• Workforce reduction
• New/additional staff
• New vendors and contractors
• Change in workload
• Change in compliance requirements (due to changes in policies, contracts, laws, or regulations)
• Change in goals, objectives, or performance measures
• Increased undesirable performance or instances (such as injuries, complaints, customer
dissatisfaction, etc.)
• Change in any risks previously identified for your team/department
• N/A
• Other (please specify)
4. Are there adequate policies and procedures to perform your job responsibilities?
• Yes
• No – Please describe how the responsibilities and requirements are communicated in a clear and
consistent manner.
5. Describe what can possibly prevent your team/department from meeting its goals and
objectives in FY22.
• Financial constraints
• Staffing constraints
• Limited skills, knowledge, experience, training
• Technology issue
• Inefficiency in process and/or communication
• Ambiguity in roles and responsibilities
• Lack of or ineffective internal controls
• Community pressure
• State/Federal regulations
• Constraints due to COVID-19
• N/A
• Other (please specify)
6. Describe the complexity of the processes in your team or department:
Complexity is a measure of the difficulty in performing a process or function. As a process or function
becomes more complex, the opportunity for errors increases.
• Very high complexity
• High complexity
• Medium complexity
• Low complexity
• Very low complexity
Please provide any comment related to complexity, if necessary.
To help us identify potential risks, please list your team/department’s Strengths, Weaknesses,
Opportunities, and Threats (SWOT) for achieving its missions, goals, and objectives. Typically,
strengths and weaknesses are internal aspects of team/department/organization, while
opportunities and threats are found externally.
7. Describe up to three STRENGTHS of your team or department:
Strengths refer to the resources or capabilities that help the team/department accomplish its mission
and serve the public. These can be things like competitive advantages, available resources, engaged
community, strong balance sheet, utilized technology and so on.
8. Describe up to three WEAKNESSES of your team or department:
Weaknesses refer to the areas where the team/department needs to improve to accomplish its mission.
These can include things like deficiencies in resources and capabilities, inefficient use of available
technologies, barriers or inability to collaborate among different departments, lack of effective
communication, mission or direction, high levels of debt, financial or human resources constraints and
so on.
9. Describe up to three OPPORTUNITIES for your team or department:
Opportunities are any area where the team/department can grow. They are often related to the
organization’s strengths. Outside factors that affect the organization in a favorable way can include
things like offering more products or services to citizens, lower costs through new technology and so
on.
10. Describe up to three THREATS for your team or department:
Threats include the level of competition, the overall economy and any other external issue that can
harm the team/department. Common threats include things like rising costs for housing/living,
increasing competition, tight labor supply, billing rates and so on.
11. Environmental (factors external to the organization): For each risk category described below
please assess the potential risk level to your department based on a scale of 1 (Very Low) to 5
(Very High).
• Reputation - The opinions and perceptions of the public and customers toward the organization.
• Regulatory - Laws and standards, which the organization must comply with in its
operations.
• Citizen Demands - The effect that current citizens demands have on the decisions
made by management for aligning tactical plans with the business strategy and the
allocation of resources.
• Economy - The effect that current external conditions have on the decisions made by
management for aligning tactical plans with the business strategy and the allocation of
resources.
• Legal - The potential for an unforeseen event to cause civil or criminal litigation for the
organization or its elected leaders, directors, officers, and employees.
• Emerging Technologies - The evolution of technology both within and outside of the
organization’s industry.
12. Strategy (planning and decision-making): For each risk category described below please assess
the potential risk level to your department based on a scale of 1 (Very Low) to 5 (Very High).
• Strategic Change - The ability of the organization to modify its processes in order to either
align with its current strategy and business model or to achieve a different strategic goal.
• Investments - The portfolio of both intangible and tangible investments held by the
organization, and the implications of these assets on the resources, financial viability, and
operations of the organization. The effect on liquidity: the ability of current assets to meet
current liabilities when due.
• Planning and Budgeting - Details of the organization’s goals and the financial
management necessary to achieving those goals.
• Financial - The goals of the organization in terms of the structure of its assets and
liabilities, including the financing capability based on its credit worthiness, the ability to
receive credit and the use of credit lines to achieve its business objectives.
• Inter-government Relations - The relationship of the organization with other government
agencies that have regulatory and oversight responsibilities and shared services or citizens.
• Compliance Management - The continuous monitoring of the organization’s ability to
operate within regulatory requirements and community standards.
• Resource Allocation – The process for assigning and managing assets that support the
organization’s strategic goals.
13. Organization (attributes of departments): For each risk category described below please assess
the potential risk level to your department based on a scale of 1 (Very Low) to 5 (Very High).
• Governance - The role, composition, and major activities of the governing body of the
organization in providing direction and oversight for the organization.
• Empowerment and Values - The ability of senior members of the organization to
effectively delegate power or authority to other members of the organization.
• Communication - The methods of communication commonly used in the organization and
the effectiveness of this communication on the operations of the organization.
• Ethics and Code of Conduct - The set of rules outlining the ethical practices expected of
management and employees of the organization.
• Leadership and Authority - The members of the organization who hold power and their
ability to exercise this power effectively.
• Organizational Structure - The configuration of units and work flows to align the behavior
of the units to the higher-level goals of the organization.
• Succession Planning - The planning and processes to ensure that there are highly
qualified people in key leadership positions today and in the future.
• Human Capital Management - The set of practices an organization uses for recruiting,
managing, developing, and optimizing employees, including performance management
(The process of creating expectations for performance, monitoring progress, and measuring
the results) and training (The ability for employees to gain and develop necessary tools to
ensure effective operations).
• Safety - The organization strives to provide a safe working environment by effectively
mitigating the risks to the safety of its employees.
14. Process and Operations (functional effectiveness and policies and procedures): For each risk
category described below please assess the potential risk level to your department based on a
scale of 1 (Very Low) to 5 (Very High).
• Contracts - Contracts are adequately structured to address and mitigate risks.
• Efficiency - Processes are up-to-date and efficient, resulting in efficient operations and
output.
• Accounting - The timely and accurate tracking of the financial position of the organization.
• Payroll - The policies, processes, and systems in place to ensure that employee
compensation is reliable, timely, and accurate.
• Fraud - The organization uses internal controls to prevent and/or detect fraud.
• Procurement/Sourcing – The ability to acquire the necessary goods and services for
operation and the process of vetting, selecting and managing supplier, vendors and
contractors.
• Human Resources - The knowledge, skills and experiences, and resources among
personnel, which allow for the execution of the organization’s business plan and
achievement of its critical success factors.
• Information Systems - The facilities, systems, and connectivity in place to support data
processing.
• Vendor Management - The need for the organization to continuously monitor the quality
and reliability of vendors it uses in the course of its business.
• Change Management - Management adapts appropriately to the evolution of the
processes and operations of the organization.
15. Information (data governance): For each risk category described below please assess the
potential risk level to your department based on a scale of 1 (Very Low) to 5 (Very High).
• Data Integrity - Data used for making management decisions, recording information, and
reporting financial activity is accurate, complete, and reliable.
• Access - The right to view or manipulate data is carefully granted and monitored to prevent
the mishandling of data.
• Retention - The policies used by the organization to determine document retention in terms
of the form of documents, how these documents are stored, and for how long these should
be maintained.
• Availability - Relevant critical information is available when needed in order to maintain the
organization’s critical operations and processes, including when a disaster or unplanned
disruption occurs.
• Privacy - Organization policies are in place to ensure the correct treatment of sensitive
information held by the organization.
• Security – Any event that could result in the compromise of organizational data (i.e.,
unauthorized use, loss, damage, disclosure or modification of organizational data).
16. Do you feel that adequate internal controls are in place and performed effectively to mitigate the
risks your team or department is exposed to?
Internal controls can be segregation of duties, proper approvals, application controls that prevent
errors, proper training, timely communication, reconciliation of data/information, review and resolution
of exception reports, and so on.
• Yes – Processes and procedures are in place and performed effectively
• Yes – Processes and procedures are in place but NOT always performed effectively
• No – Processes and procedures are not in place to mitigate risks
Please provide any comment related to complexity, if necessary.
17. What would be the potential impact of significant risks not being addressed in your team or
department?
• Reputation of the team/department or the City will be damaged
• The team/department or the City will be in noncompliance with contracts, laws or regulations
• The operations or procedures will be inefficient, which may result in more costs and/or decreased
level of services
• The team/department will not meet its objectives, goals, and mission
• The consequences may result in injuries or deaths
• The City may lose assets (cash, properties, equipment, etc.)
• The information provided to the public will be incomplete, inaccurate, and/or untimely.
• No or little impact
• Other (please specify)
18. Please share your thoughts on any risks you think your team/department or City of Palo Alto
faces:
For example, risks you identified for other teams or departments; risks of fraud (corruption,
misappropriation of assets, financial statement fraud); and so on.
19. Please list any potential audit activities you recommend based on the risks you identified.
Appendix B: Risk Matrix
For purposes of scoring risks based on likelihood and impact, Baker Tilly categorized risks in the following manner:
- Environment, Strategy, and Governance – Generally speaking, these risks affect the entire organization rather than a specific department or function.
- Major Projects and Initiatives – These are risks related to on-going projects and initiatives; generally speaking, the duration of the project lasts only as long as the project itself (i.e., they are not inherent to the organization).
- Function Specific Risks – These risks are inherent to a function with no timetable for completion.
Likelihood of an Adverse Event
Likelihood Definitions

Likelihood      | Scale | General
Very Likely     | 5     | Weekly (50+ occurrences annually)
Likely          | 4     | Monthly (10-50 occurrences annually)
Somewhat Likely | 3     | Annually (>10 occurrences annually)
Unlikely        | 2     | Once every 2 years
Rare            | 1     | Less than once every 2 years
Impact of an Adverse Event
The table below shows the scoring methodology for major initiatives and projects:
Impact - Major Initiatives

Impact        | Scale | Financial
High          | 5     | $50M+
Elevated      | 4     | $25M - $49.99M
Moderate      | 3     | $10M - $24.99M
Minor         | 2     | $5M - $9.99M
Insignificant | 1     | <$5M
The table below shows the scoring methodology for function specific risks as well as general organization wide risks:
Impact Definitions - General

Impact        | Scale | Financial                                                                  | General
High          | 5     | Event causes a $100k or greater impact to revenue, expense, or net revenue | Very significant and long term impact to revenue, profit, brand/company image, and/or people
Elevated      | 4     | Event causes a $50k - $100k impact to revenue, expense, or net revenue     | Significant and sustained impact to revenue, profit, brand/company image, and/or people
Moderate      | 3     | Event causes a $25k - $50k impact to revenue, expense, or net revenue      | Moderate and short-term impact to revenue, profit, brand/company image, and/or people
Minor         | 2     | Event causes a $5k - $25k impact to revenue, expense, or net revenue       | Moderately low impact to revenue, profit, and/or brand/company image which can be overcome within 1 year
Insignificant | 1     | Event causes less than $5k impact to revenue, expense, or net revenue      | Low impact to revenue, profit, and/or brand/company image which can be overcome within one quarter of occurrence
Overall Risk Scoring
Following the scoring of likelihood and impact, each risk is assigned an overall score based
on the methodology outlined in The Internal Auditor’s Guide to Risk Assessment by Rick
Wright Jr. Red represents high risk, yellow represents moderate, and green represents low.
Overall risk score by Impact (rows) and Likelihood (columns):

Impact \ Likelihood |  1 |  2 |  3 |  4 |  5
5                   | 30 | 38 | 44 | 48 | 50
4                   | 20 | 28 | 36 | 42 | 46
3                   | 12 | 18 | 26 | 34 | 40
2                   |  6 | 10 | 16 | 24 | 32
1                   |  2 |  3 |  8 | 14 | 22
Note: Examples of Potential Risks
Included in the Risk Detail column of the Risk Matrix in the following pages are examples of
potential risks. These are examples of risks inherent in the activities before any controls are
applied to reduce risks. The inherent risks are identified to understand what could go wrong
without mitigating factors or controls.
Risk Matrix - Environment, Strategy, and Governance Risks (Risks 1-13)
The following table summarizes risks related to Environment, Strategy, and Governance.
Note: Examples of Potential Risks included in the Risk Detail column of the Risk Matrix on the following pages are examples of potential risks inherent to the function. These are examples of risks in the activities before any controls are applied to reduce risks.
The inherent risks are identified to understand what could go wrong without mitigating factors or controls. These are not intended to communicate actual issues or challenges.
Columns: Risk ID | Functional Area | Risk Title | Municipal Code Reference (From City Municipal and Process Ordinances) | Risk Detail (From documents provided, audit reports, interviews) | Likelihood (1-5) | Impact (1-5) | Score | Risk Areas
Each risk is listed below with these fields.
Risk 1 | Org Wide | Ethics
Municipal Code Reference: Title 2 - Administrative Code, Part 7 Ethics in Contracting; Title 2 - Administrative Code, Chapter 2.09 Conflict of Interest for Designated Positions
Risk Detail:
Ethics is mentioned directly in the City Code as it pertains to purchasing/contracting. The City Code intends to prevent conflicts of interest in the purchasing process and requires employees to withdraw from participation in a purchasing or contracting activity where a real or perceived conflict exists.
Additionally, the City has adopted a Conflict of Interest Code in accordance with the CA Political Reform Act.
The City of Palo Alto has a Fraud, Waste, and Abuse Hotline in place and a corresponding administrative policy. The objective of the Hotline is to encourage anonymous reporting of potential instances of fraud, waste, and abuse. The Hotline is monitored by a committee consisting of three members: the City Manager, City Auditor, and City Attorney.
Examples of Potential Risks (Note):
>Instance of fraud, waste, or abuse involving a City employee or contractor engaged by the City
>Conflict of interest in the purchasing process whereby a City employee improperly influences a City purchasing decision
Likelihood: 1 | Impact: 5 | Score: 30
Risk Areas: Financial; Legal & Compliance; Reputation
Risk 2 | Org Wide | Governance
Municipal Code Reference: Charter of the City of Palo Alto, Article III. Council; Charter of the City of Palo Alto, Article III. Council, Section 9
Risk Detail:
FY22 Risk Updates:
In the risk assessment survey, Governance was rated as the seventh highest risk by management.
Some of the risk assessment interviewees have a concern about governance, and some have a concern about risk management.
FY21 Risks:
The City of Palo Alto is governed first and foremost by its citizens. The citizens of Palo Alto elect seven members of City Council, who in turn elect the Mayor and Vice Mayor. The City Council is the governing body of the City and is responsible for all legislation. The Council also sets the strategic direction and priorities of the City. It approves the budget, adopts ordinances and resolutions, and functions as a board of appeals. The City Council also appoints the City Manager, City Attorney, City Clerk, and City Auditor.
The City Council has committees including the Policy & Services Committee and the Finance Committee. The City Council also appoints members to Boards and Commissions including the Human Relations Commission, the Utilities Advisory Commission, and the Public Art Commission.
The Executive Leadership Team is the administrative function of the City and is made up of leaders from different departments across the City. The Executive Leadership Team is led by the City Manager.
Examples of Potential Risks (Note):
>Acting outside the bounds of delegated authority
>Misuse and abuse of authority for personal gain
>Conflicts of interest in appointees by City Council
>Non-compliance with the City Charter
Likelihood: 3 | Impact: 4 | Score: 36
Risk Areas: Strategic; Operational; Legal & Compliance; Reputation; Political & Economic
Risk 3 | Org Wide | Labor Environment
Municipal Code Reference: (none listed)
Risk Detail:
City of Palo Alto employees are represented by seven unions and collective bargaining agreements. Palo Alto must maintain ongoing negotiations, handle disputes, and mitigate conflicts from becoming larger, more costly issues.
Labor contracts include:
>International Association of Fire Fighters (IAFF)
>Management and Professional Personnel and Council Appointees (MGMT)
>Fire Chief's Association (FCA)
>Palo Alto Peace Officers' Association (PAPOA)
>Palo Alto Police Management Association (PAPMA)
>Service Employees International Union (SEIU)
>Utilities Management and Professional Association of Palo Alto (UMPAPA)
The City also adheres to other compensation plans including:
>Limited Hourly Employees Compensation Plan
Examples of Potential Risks (Note):
>Non-Compliance with California Labor Code
>Long-term financial pressures, including unfunded pension liabilities
>Agreement oversight and administrative burden
>Service disruptions due to extended contract negotiations
Likelihood: 3 | Impact: 3 | Score: 26
Risk Areas: Operational; Financial; Legal & Compliance; Reputation; Political & Economic
Risk 4 | Org Wide | Financial Planning and Budgeting
Municipal Code Reference: Title 2 - Administrative Code, Chapter 2.28 Fiscal Procedures
Risk Detail:
The adopted budget is released annually in August. The preparation of the budget begins in September of the prior year. The Office of Management and Budget (OMB) in the Administrative Services Department develops the operating and capital budgets. The OMB works with senior management and the City Manager to develop budgets accordingly. Per the Capital Budget for FY21, there are six sources that inform the budget:
>The City Council’s top priorities and other City Council directives, such as the 2014 Infrastructure Plan
>Organizational financial status and budgetary guidelines
>Service level and infrastructure prioritization, as identified by the City Manager
>Community input (e.g. Infrastructure Blue Ribbon Commission)
>The City’s policies regarding land use and community design, transportation, housing, natural environment, business, and economics, as outlined in the Comprehensive Plan.
Examples of Potential Risks (Note):
>Disagreement among City leadership and/or City Council regarding budgetary priorities
>Non-compliance with City Code
>Long-term financial pressures, including unfunded pension liabilities
Likelihood: 2 | Impact: 4 | Score: 28
Risk Areas: Strategic; Operational; Financial
Risk 5 | Org Wide | Public-Private Partnerships
Municipal Code Reference: (none listed)
Risk Detail:
Palo Alto partners with private organizations and non-profits. In particular, the City has established partnerships with non-profits in the administration of senior services, the animal shelter, urban forestry, the local history museum, suicide prevention activities, the Zoo, and others.
Examples of Potential Risks (Note):
>Reputational damage done to the City based on actions of a partner
>Financial impact of any inefficiencies
>Agreement oversight and administrative burden
Likelihood: 3 | Impact: 4 | Score: 36
Risk Areas: Strategic; Operational; Financial; Reputation
Risk 6 | Org Wide | Compliance and Regulatory Environment
Municipal Code Reference: (none listed)
Risk Detail:
FY22 Risk Update:
In the risk assessment survey, Regulatory was rated as the fourth highest risk by management.
FY21 Risks:
Palo Alto has numerous laws and regulations, ordinances, and policies and procedures that the organization and its employees must abide by. These laws are promulgated at the Federal, State, and Local level.
Examples of Potential Risks (Note):
>Failure to track and update relevant regulations may lead to external audit findings, fines, and other punitive measures by federal and state agencies
>Changing regulations may add complexity to operations and strategic planning
>Non-compliance leading to enforcement action
Likelihood: 3 | Impact: 3 | Score: 26
Risk Areas: Legal & Compliance; Political & Economic
Risk 7 | Org Wide | Employee Retention & Succession Planning
Municipal Code Reference: Title 2 - Administrative Code, Chapter 2.36 Personnel Procedures
Risk Detail:
FY22 Risk Updates:
Recruitment and retention challenges and the lack of a succession plan were identified as weaknesses by many managers who took our risk assessment survey. The Palo Alto living situation (long commute, cost of living) was listed as a threat.
Some of the risk assessment interviewees are concerned about succession planning.
FY21 Risks:
Many factors impact employee recruitment and retention within the City.
The Public Employee Pension Reform Act of 2013 (PEPRA) ultimately made public employment less attractive in the State. The new benefits structure lowered retirement benefits for State employees.
Palo Alto and the surrounding area have a high cost of living. For many employees, it is difficult to afford to live in or near Palo Alto, and many employees commute great distances to work for the City. For certain positions, it is difficult to recruit candidates, as there are other employment options in more affordable communities. This is especially difficult for those employees with skills in high demand, such as linemen and other employees in the trades.
Examples of Potential Risks (Note):
>Lack of succession planning or cross training may result in knowledge loss after employee separations
>High levels of turnover may result in expensive hiring/training
>Inability to recruit for key positions
>Inability to hire qualified candidates due to greater competition from other companies/communities
Likelihood: 5 | Impact: 4 | Score: 46
Risk Areas: Strategic; Operational; Financial
Risk 8 | Org Wide | Stanford University
Municipal Code Reference: (none listed)
Risk Detail:
Palo Alto provides Stanford University with a variety of services, including, but not limited to, police, fire, ambulance, disaster preparedness, land use, and utilities.
Stanford directly and indirectly serves as a revenue source for the City. Stanford University is the largest source of property taxes within the City, with $5.5M in taxable assets for the City.
The City and Stanford also partner on various community issues, relationships and projects. Stanford Medical and Stanford University are the first and third largest employers in Palo Alto, respectively. Palo Alto is responsible for providing services to students, faculty, staff and visitors of the University every day, as well as providing increased services for special events held by or at Stanford University every year.
Examples of Potential Risks (Note):
>Reliance on revenue generation directly and indirectly tied to Stanford University
>Shared blame or reputational impact for incidents that occur on Stanford property or involve Stanford persons, where City services are involved
Likelihood: 1 | Impact: 4 | Score: 20
Risk Areas: Financial; Reputation; Political & Economic
Risk 9 | Org Wide | Organizational Culture
Municipal Code Reference: (none listed)
Risk Detail:
FY22 Risk Updates:
Burnout / Low Morale, Multiple competing priorities, Lack of Diversity, and Lack of Communication (among departments) were identified as weaknesses by many managers who took our risk assessment survey.
FY21 Risks:
General risk description: Culture is the system of values, beliefs and behaviors that shape how things get done within an organization. Culture risk results from potential misalignments between the values and beliefs of an organization and day to day operations.
Examples of Potential Risks (Note):
>Acceptance of deviations from policies and procedures
>Culture of long hours leading to employee dissatisfaction
>Lack of ethical tone at the top
Likelihood: 3 | Impact: 4 | Score: 36
Risk Areas: Operational; Reputation; Political & Economic
Risk 10 | Org Wide | Workforce
Municipal Code Reference: (none listed)
Risk Detail:
FY22 Risk Update:
- The FY22 Adopted Operating Budget reflects a net reduction of 86 full-time staff (equivalent of 78.85 FTE) and 102 part-time staff (equivalent of 24.73 FTE)
- Workload and Limited Resources were identified as weaknesses by many managers who took our risk assessment survey.
FY21 Risks:
There are vacancies throughout the organization at all levels. Vacancies have increased the workload of current employees, who must cover the same amount of work with fewer FTEs. Nationwide staffing and workforce shortages, combined with the highest resignation levels in a generation, have also contributed to the City's difficulties finding potential employees.
Examples of Potential Risks (Note):
>Inability to be proactive in handling situations and concerns for the City
>Burnout and resentment of staff
>Exhaustion and increased safety concerns for field employees
Likelihood: 4 | Impact: 4 | Score: 42
Risk Areas: Operational
Risk 11 | Org Wide | State Legislative Issues
Municipal Code Reference: (none listed)
Risk Detail:
FY22 Risk Update:
One of the risk assessment interviewees is concerned about unfunded state mandates. There is uncertainty with those mandates.
FY21 Risks:
The impact of State priorities and legislative action has increased in recent years, as State priorities and mandates, particularly those related to housing, land usage and development, have become more robust. The City has to balance local priorities with legal regulations and usage requirements from the State.
Policies around the use of land, housing developments, low-income housing and green initiatives require additional legal action and planning considerations.
Examples of Potential Risks (Note):
>Litigation from improper use of land or housing requirements
>Inability to properly grow and develop the City based on local priorities and community values
>Non-compliance with State regulations resulting in delays in development, sanctions and citations
Likelihood: 3 | Impact: 3 | Score: 26
Risk Areas: Financial; Legal & Compliance; Reputation
Risk 12 | Org Wide | Procurement and Supply Chain
Municipal Code Reference: (none listed)
Risk Detail:
Worldwide raw materials and supply shortages from COVID-19 and the lack of an available workforce will continue to produce challenges for the City. There is also an associated increase in the cost of products as a result of the lack of available materials.
Examples of Potential Risks (Note):
>Increased costs of goods not incorporated into project budgets
>Project schedule times will increase, increasing labor costs, opportunity costs and financial constraints
>Impact to community trust and understanding as community services take longer to fulfill
Likelihood: 4 | Impact: 3 | Score: 34
Risk Areas: Strategic; Operational; Financial
Risk 13 | Org Wide | Aging Population
Municipal Code Reference: (none listed)
Risk Detail:
Palo Alto’s community continues to age. Rising costs of living and the limited available housing have limited the ability of younger families and individuals to move into the area.
Examples of Potential Risks (Note):
>Loss of population that impacts revenues
>Changing demographics that result in change of City priorities and community needs
Likelihood: 1 | Impact: 1 | Score: 2
Risk Areas: Environmental; Political & Economic
Risk 14 | Org Wide | Citywide Risk Management
Municipal Code Reference: (none listed)
Risk Detail:
Some of the risk assessment interviewees have a concern about risk management and expressed a need for a citywide risk assessment.
The City currently has some risk management processes in the Human Resources department for insurance and in the Utilities department for safety.
Excerpt from the IIA position paper THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT:
"Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.
Responsibility for ERM
The board has overall responsibility for ensuring that risks are managed. In practice, the board will delegate the operation of the risk management framework to the management team, who will be responsible for completing the activities below. There may be a separate function that co-ordinates and project-manages these activities and brings to bear specialist skills and knowledge.
Benefits of ERM
ERM can make a major contribution towards helping an organization manage the risks to achieving its objectives. The benefits include:
• Greater likelihood of achieving those objectives;
• Consolidated reporting of disparate risks at board level;
• Improved understanding of the key risks and their wider implications;
• Identification and sharing of cross business risks;
• Greater management focus on the issues that really matter;
• Fewer surprises or crises;
• More focus internally on doing the right things in the right way;
• Increased likelihood of change initiatives being achieved;
• Capability to take on greater risk for greater reward and
• More informed risk-taking and decision-making."
Likelihood: 4 | Impact: 4 | Score: 42
Risk Areas: Strategic; Operational; Legal & Compliance; Reputation; Political & Economic
Risk Matrix - Major Projects & Initiatives (Risks 15-44)
The following table summarizes risks related to Major Projects and Initiatives.
Note: Examples of Potential Risks included in the Risk Detail column of the Risk Matrix on the following pages are examples of potential risks inherent to the function. These are examples of risks in the activities before any controls are applied to reduce risks.
The inherent risks are identified to understand what could go wrong without mitigating factors or controls. These are not intended to communicate actual issues or challenges.
Columns: Risk ID | Functional Area | Risk Title | Municipal Code Reference (From City Municipal and Process Ordinances) | Risk Detail (From documents provided, audit reports, interviews) | Likelihood (1-5) | Impact (1-5) | Score | Risk Areas
Each risk is listed below with these fields.
Risk 15 | City Wide | COVID-19 Response
Municipal Code Reference: (none listed)
Risk Detail:
Palo Alto has operated under emergency response orders in some capacity since March 2020. Mitigation and control of COVID-19 is imperative for citizen and employee safety and the continued operation of City services.
COVID-19 has created additional needs and hurdles for the City, including:
>Compliance with Federal vaccination requirements
>Increased demand for public services
>Transition to a hybrid virtual and in-person environment
>More centralized need for internal and external communications
>Discontinued shuttle services
Examples of Potential Risks (Note):
>Inability to meet citizens' demands given current financial and operational constraints
>Transition of communications and operations to normal operational status
>Health and safety of citizens and employees
Likelihood: 5 | Impact: 5 | Score: 50
Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputation; Political & Economic
Risk 16 | Uplift Local Program | Parking Revenue
Municipal Code Reference: (none listed)
Risk Detail:
FY22 Risk Updates:
The length of time of road closures and suspended parking payments has increased the City’s risk in removing those regulations and reintroducing parking payments for citizens. A prolonged lack of parking revenues may also impact the City’s ability to fund existing projects and budgeted items. Citizens and businesses may also push back on reopening streets and reinstating parking payments.
FY21 Risks:
The City has closed or partially closed several streets to allow restaurants and patrons more space for socially distanced outdoor dining. The City has also removed parking meters and garage parking fees during this time. The City implemented the Uplift Local Program to help support the economy and local businesses, residents and visitors.
Examples of Potential Risks (Note):
>Loss of revenues from closing or suspending parking meter and parking garage fees
>Logistics for reopening of closed streets after sustained closures
>Resistance from businesses and vendors on reopening streets and stopping outdoor dining and shopping
Likelihood: 5 | Impact: 2 | Score: 32
Risk Areas: Operational; Financial; Legal & Compliance; Reputation; Political & Economic
Risk 17 | Administrative Services | ERP System Upgrade
Municipal Code Reference: (none listed)
Risk Detail:
FY22 Risk Updates:
The ERP system upgrade is still planned.
Noted as a risk area by a risk assessment interviewee.
FY21 Risks:
The City of Palo Alto is currently undergoing an upgrade of the ERP system. This includes two phases of effort. The first phase is upgrading to a new version of SAP. The second phase focuses on process improvement through use of the upgraded system.
Examples of Potential Risks (Note):
>Unforeseen barriers in implementation requiring change orders that delay the process and increase overall expenses
>Strain on capacity associated with the level of attention required by ERP implementation
>Data loss during system upgrade or subsequent efforts
>System downtime leading to stoppage in the ability to provide services
Likelihood: 3 | Impact: 4 | Score: 36
Risk Areas: Operational; Financial; Legal & Compliance; IT; Reputational
Risk 18 | Public Safety | Public Safety Building Construction
Municipal Code Reference: (none listed)
Risk Detail:
The City approved the FY22-FY26 Capital Improvement Plan, which includes construction of the Public Safety Building. The total project budget is $118M; $9.4M is budgeted from FY22-FY26. Justification for the project was included in the 2014 Council-approved Infrastructure Plan, which was preceded by a recommendation in the Infrastructure Blue Ribbon Commission report in 2011. The construction contract was awarded in early 2021, with plans to complete construction in Summer 2023.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 3 | Impact: 5 | Score: 44
Risk Areas: Operational; Financial
Risk 19 | Public Works | Newell Road/San Francisquito Creek Bridge Replacement
Municipal Code Reference: (none listed)
Risk Detail:
The City approved the FY22-FY26 Capital Improvement Plan, which includes the continued replacement of the Newell Road/San Francisquito Creek Bridge. The total project budget is $18.2M; $15.0M is budgeted from FY22-FY26. Removal of the existing bridge is a necessary element of the San Francisquito Creek Joint Powers Authority (JPA) comprehensive flood management program.
Examples of Potential Risks (Note):
>Increased costs related to project delays and the need to coordinate with other agencies
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 2 | Impact: 3 | Score: 18
Risk Areas: Operational; Financial; Legal & Compliance; Reputation
Risk 20 | Public Works | Fire Station 4 Replacement
Municipal Code Reference: (none listed)
Risk Detail:
The City approved the FY22-FY26 Capital Improvement Plan, which includes construction of Fire Station 4. The total project budget is $10.2M, all of which is budgeted from FY22-FY26. This project provides funding to replace Fire Station #4 at the corner of Middlefield Road and East Meadow Drive. The replacement facility will be based on the prior Replacement Study and Needs Assessment prepared in 2005 and the station being operationally and technologically deficient.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 2 | Impact: 3 | Score: 18
Risk Areas: Operational; Financial; Legal & Compliance; Reputation
Risk 21 | Public Works | Street Maintenance
Municipal Code Reference: (none listed)
Risk Detail:
FY22 Risk Updates: The City approved the FY22-FY26 Capital Improvement Plan, which includes the continued upkeep and repair of various City streets. The total project budget is $26.0M, all of which is budgeted from FY22-FY26. This project provides funding for annual resurfacing, slurry sealing, crack sealing, and reconstruction of various City streets. Using Pavement Maintenance Management Systems (PMMS) and the Metropolitan Transportation Agency's Street Saver software, streets determined to be below the pavement condition index (PCI) standard minimum of 60 are to be repaired. The City Council established a goal of achieving an average City-wide PCI of 85, and intends to bring all City streets to a PCI of 85 or greater.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 2 | Impact: 4 | Score: 28
Risk Areas: Operational; Financial; Legal & Compliance; Reputation
22 Office of
Transportation
Railroad Grade
Separation and
Safety
Improvements
The City approved the FY22-FY26 Capital Improvement Plan, which includes the construction and upkeep of safety measure at railroad crossings. The
total project budget is $15.9M, $11.7M is budgeted from FY22-FY26. Connecting Palo Alto, is a community-based process to advance the railroad grade
crossing circulation study and context sensitive solutions study envisioned by the City Council.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial, Legal & Compliance, Reputation
23 Public Works Airport Apron Reconstruction
The City approved the FY22-FY26 Capital Improvement Plan, which includes the repaving of airport pathways. The total project budget is $41.9M, $.49M
is budgeted from FY22-FY26, with $17.8M being distributed in FY21. The project includes the total re-pavement of airport runways, taxiways and
pavement surfaces critical to airport safety. Average pavement condition index (PCI) for the airport was 36, below the industry standard minimum of 60,
and below the City's goal of a PCI of 85. A PCI of 36 indicated a need for full pavement reconstruction.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 1 3 Operational, Financial, Legal & Compliance, Reputation
24 Utilities Electric Customer Connections The City approved the FY22-FY26 Capital Improvement Plan, which includes the installation of services, transformers and meters for new customers. The total project budget is $13.5M, all of which is budgeted from FY22-FY26. During a typical year, over 200 electric services are installed or upgraded
in the City. This is a recurring CIP.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial, Legal & Compliance, Reputation
23
Risk
ID
Functional Area Risk Title Municipal Code Reference
(From City Municipal and
Process Ordinances)
Risk Detail
(From documents provided, audit reports, interviews)
Likelihood
(1-5)
Impact
(1-5)
Score Risk Areas
25 Utilities Electrical Systems Improvement
The City approved the FY22-FY26 Capital Improvement Plan, which includes improvements to the Electrical Distribution System. The total project budget is
$12.6M, all of which is budgeted from FY22-FY26. Typical activities include: increasing system capacity for load growth, replacing deteriorated capital
facilities, reconfiguring/adding to the system to improve service reliability, repairing and replacing storm damaged equipment, and making general
improvements to the system. This is a recurring CIP.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial, Legal & Compliance, Reputation
26 Utilities Smart Grid Technology Installation
The City approved the FY22-FY26 Capital Improvement Plan, which includes building a smart grid. The total project budget is $17.6M, of which $17M is budgeted from FY22-FY26. Smart grid technology, including the Smart Grid Road Map, leads to operational cost savings and energy conservation.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial, Legal & Compliance, Reputation
27 Utilities Fiber To The Home The City has been exploring the possibility of providing the option for residents to connect to a fiber optic network for faster internet. This would involve
expanding the current fiber optic network and formalizing a new utility function. Interest in the service has been rising and the Utilities Department has
been exploring the possibility of implementing a larger fiber optic network.
The City has engaged a consultant to perform a feasibility study.
Examples of Potential Risks (Note):
>Financial loss associated with learning curve of new service
>Resources associated with operating the new service
>Risk of misalignment with broader City strategy
2 4 28 Operational, Financial, Legal & Compliance, Reputation
28 Utilities Gas Main Replacements
FY22 Risk Updates: The City is replacing gas mains that may be leaking, inadequately sized, and/or structurally deficient based on the City's Distribution
Integrity Management Plan's mathematical model. The model is used to evaluate risks presented by PVC and steel facilities located within business
districts that have been assigned the highest probability and consequence scores. The project will target replacing PVC mains and services located in
business districts and steel mains and services with ineffective corrosion protection, also known as cathodic protection. Targeted streets will be
coordinated with the Public Works Street Maintenance Program to complete replacement before streets are paved.
Gas main replacements total $22.46M, across four projects:
> Project 23: 21,700 linear feet, at $.46M (remaining from FY21)
> Project 24: 20,209 linear feet, at $9M
> Project 25: 31,260 linear feet, at $11M
> Project 26: 13,471 linear feet, at $2M
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial, Legal & Compliance, Reputation
29 Public Works Wastewater Collection System Rehabilitation/Augmentation
FY22 Risk Updates: The City is replacing wastewater mains for outdated, rusted and under capacity wastewater systems. The 2004 Collection System
Master Plan update indicated facilities that are in need of augmentation to handle growth and peak flow increases. Priority will be given to areas identified
by Public Works as targeted work zones.
Wastewater main replacements total $11.3M, across four projects:
> Project 29: 9,965 linear feet, at $.35M
> Project 30: 8,778 linear feet, at $4.1M
> Project 31: 10,474 linear feet, at $5.2M
> Project 32: 9,756 linear feet, at $1.65M
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial, Legal & Compliance, Reputation
30 Public Works New Laboratory and Environment Services Building
The City approved the FY22-FY26 Capital Improvement Plan, which includes construction of the Wastewater Laboratory and Environmental Services
building. The total project budget is $24.1M, of which $23.8M is budgeted from FY22-FY26. The existing laboratory does not have adequate space for staff,
instruments, chemical storage, and microbiology testing; the new building will allow for consolidation of staff in a single building and a larger, updated lab.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
3 3 26 Operational, Financial
31 Public Works Advanced Water Purification Facility
The project provides funding for an Advanced Water Purification Facility, with a total project budget of $20.2M, of which $17.2M is budgeted from FY22-FY26. The
Regional Water Quality Control Plant (RWQCP) provides recycled water to the City, and currently has a total dissolved solids (TDS) level of 800-900 mg/L. In 2010 City
Council adopted a goal to reduce TDS to 600 mg/L; connections for approximately 40 potential users of recycled water remain pending until TDS levels are lowered.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial
32 Public Works Headworks Facility Replacement
The City approved the FY22-FY26 Capital Improvement Plan, which includes the replacement of the Headworks Facility. The total project budget is
$49.1M, with the entire amount budgeted from FY22-FY26. The project was identified in the Long Range Facilities Plan and adopted by City Council in
2012. The project will replace pumping, suction and discharge pipes, manifolds, valves and additional control systems and equipment of the water facility.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 4 28 Operational, Financial
33 Public Works Outfall Line Construction
The project provides funding for the construction of a new parallel outfall pipe to the San Francisco Bay. The total project budget is $10.7M, with $10.6M
budgeted for FY22-FY26. The Long Range Facilities Plan identified the need for the construction of the water line, as the system has a 54-inch outfall line
and a 36-inch legacy outfall line, which is inadequate for passing the Plant's peak wet-weather hydraulic flow capacity of 80 million gallons per day.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 2 10 Operational, Financial
34 Public Works RWQCP Plant Repair, Retrofit and Equipment Replacement
This project provides funding for the assessment, repair, and retrofit of the Regional Water Quality Control Plant's (RWQCP) concrete and metal
structures; the replacement of necessary RWQCP equipment and ancillary facilities to maintain treatment reliability and existing infrastructure; and the
replacement of large diameter flow meters built into the wastewater treatment system on sewers, pipes, wires, transformers, switches and components of
medium voltage electrical equipment.
The budget from FY22-FY26 is $23.2M.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial, Legal & Compliance, Reputation
35 Public Works Secondary Treatment Upgrades
FY22 Risk Updates: Upgrades to the Secondary Treatment process at the Regional Water Quality Control Plant (RWQCP). The existing Secondary
Treatment process has two main components: the Fixed Film Reactors (FFR) and the Activated Sludge (AS) Process. This project includes the
reconfiguration of the aeration basins, modification of the AS Process, and the elimination of the FFRs.
Justification of the project was identified in the Long-Range Facilities Plan accepted by Council in 2012. The components of the Secondary Treatment
process are between 35 and 45 years old and show signs of wear and structural weakness. In FY22 the project was expanded to address the sea level
rise policy implications.
The budget from FY22-FY26 is $126.0M, with a total project budget of $129.0M.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 5 38 Operational, Financial, Legal & Compliance, Reputation
36 Utilities Water Tank Seismic Upgrade and Rehabilitation
The City approved the FY22-FY26 Capital Improvement Plan, which includes upgrades and repairs to the water tank seismic system. The total project
budget is $26.3M, of which $15.6M is budgeted from FY22-FY26.
Work at the reservoir sites will also include the installation of: new seismic shut off valves between the reservoirs and valve vaults, new plug valves,
piping and pipe supports in the valve vaults, and recoating of the interior and exterior reservoir walls.
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 3 18 Operational, Financial, Legal & Compliance, Reputation
37 Utilities Water Main Replacement
FY22 Risk Updates: The project will fund the design and replacement of structurally deficient water mains and appurtenances in Fiscal Years 2024 and
2026. Mains are selected by researching the maintenance history of the system and identifying those that are undersized, corroded, and subject to
breaks.
Water main replacements total $29.9M, across four projects:
> Project 28: 18,985 linear feet, at $11.1M
> Project 29: 13,425 linear feet, at $9.4M
> Project 30: 13,025 linear feet, at $9.4M
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 4 28 Operational, Financial, Legal & Compliance, Reputation
38 Public Works Scheduled Vehicle and Equipment Replacement
The ongoing replacement of City fleet vehicles and equipment is prescribed by the City's policy on vehicle replacement, which includes guidelines based
on age, mileage accumulation, and obsolescence. Timely replacement of vehicles lowers maintenance costs, helps to maintain or even increase the
productivity of client departments, and allows the City to take advantage of new technology.
The largest vehicle replacement costs are scheduled for FY23-FY26. The total budget for FY22-FY26 is $15.1M:
> FY22: $1.4M
> FY23: $3.4M
> FY24: $3.5M
> FY25: $3.4M
> FY26: $3.4M
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to contract terms and conditions
>Justification for change orders or changes in delivery schedules
>On-going funding for replacement
2 3 18 Operational, Financial, Legal & Compliance, Reputation
39 Utilities Gas Main Replacements
The City is replacing gas mains that may be leaking, inadequately sized, and/or structurally deficient based on the City's Distribution Integrity
Management Plan's mathematical model. The model is used to evaluate risks presented by PVC and steel facilities located within business districts that
have been assigned the highest probability and consequence scores. The project will target replacing PVC mains and services located in business
districts and steel mains and services with ineffective corrosion protection, also known as cathodic protection. Targeted streets will be coordinated with the
Public Works Street Maintenance Program to complete replacement before streets are paved.
Gas main replacements total $29.6M, across three projects:
> Project 23: 21,700 linear feet, at $7.6M
> Project 24: 33,050 linear feet, at $11M
> Project 25: 31,260 linear feet, at $11M
Examples of Potential Risks (Note):
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
2 4 28 Operational, Financial, Legal & Compliance, Reputation
40 Public Works ADA Compliance Upgrade
According to Palo Alto's ADA Transition Plan, the ADA Transition "project identifies potential noncompliant items and other physical barriers at City
buildings, parking lots, and recreational facilities. The work to be performed under this contract includes the evaluation of site and program accessibility
compliance to provide the basis for identification, prioritization, budgeting, and implementation of plans, as well as an updated plan and database which
will be used in continuing efforts to comply with accessibility requirements as established by the ADA and State of California Building Code (CBC)
accessibility provisions." This will be a multi-decade project to upgrade City-owned properties to align with ADA requirements.
Examples of Potential Risks (Note):
>Unforeseen costs associated with a multi-decade project, consuming greater Capital Improvement funds than expected
>Changes in ADA regulations during the course of the project, requiring changes to the existing plan
2 5 38 Operational, Financial, Legal & Compliance, Reputation
41 City Wide Sustainability and Climate Action Plan
FY22 Risk Update:
- FY22 Adopted Operating Budget reports one of the four priorities City Council selected was Climate Change (Protection and Adaptation).
- Two of the risk assessment interviewees are concerned about sea level rise; one of them is concerned about climate risk in terms of adaptation of
the plan and funding, and the other is concerned about wildland fire.
FY21 Risks:
Palo Alto's goal is to reduce our greenhouse gas emissions 80 percent below 1990 levels by 2030. In early 2020, the City launched an update to the
Sustainability and Climate Action Plan (S/CAP) to help meet our sustainability goals, including our goal of reducing GHG emissions 80 percent below
1990 levels and being completely carbon neutral by 2030. The plan includes goals and key actions in seven areas: Energy, Mobility, Electric Vehicles,
Water, Climate Adaptation and Sea Level Rise, Natural Environment, and Zero Waste.
The City currently has 100% renewable energy resource through several power purchase agreements. Next steps include electrification of cars and elimination of natural gas use in home and commercial electric appliances. As of 2019,
Examples of Potential Risks (Note):
>Reputational risk of not achieving stated goals
>Costs associated with marginal improvements in greenhouse gas emission reductions
3 4 36 Operational, Financial, Reputation
42 City Wide Noise Pollution FY22 Risk Updates: Palo Alto is impacted by three arrival routes into San Francisco International Airport (SFO). These routes have had an ongoing
negative health impact on our community, which intensified due to the implementation of the Federal Aviation Administration's NextGEN Initiative.
The City is committed to working with our citizens, Congress, the Federal Aviation Administration (FAA), SFO, SFO’s Community Roundtable,
neighboring city and county agencies, regional airports, noise groups, and all stakeholders associated with air traffic in Silicon Valley to find solutions
which restore the quality of life of our community.
Examples of Potential Risks (Note):
>Health and safety risk associated with noise pollution.
>Property value reductions
>Community trust and engagement
4 3 34 Financial, Legal & Compliance, Reputation
43 City Wide College Terrace Market
The PC ordinance (5069), and the associated Restrictive Covenant, require that a grocery store must be in continuous operation. If the grocery store
ceases operations, a new grocery operator must be found. There is a six-month grace period for the property owner to find a new grocery tenant.
Starting on February 13, 2020, daily fines of $2,157/day began to be assessed against the property owner for its failure to have a grocery store in
operation. This requirement for the continuous operation of a grocery store was established by PC Ordinance 5069 and was further amended by a
restrictive covenant put in place in 2015.
Examples of Potential Risks (Note):
>Inability to identify and retain a tenant
>Reputational risk associated with requiring a grocery store
2 2 10 Legal & Compliance, Reputation
44 City Wide Race & Equity Initiative
In June 2020, the City Council adopted a resolution affirming that Black lives matter and committed to address systemic racism and bias, and honored
the lives of George Floyd, Breonna Taylor, Ahmaud Arbery, and others that have fallen victim to violence at the hands of authorities. The City Council
also approved the Race & Equity Framework and action plan and a series of actions including reviewing policing practices, making changes to use-of-
force policies to reduce the potential for violence, and engaging the community in ongoing, thoughtful dialogue and leadership.
Examples of Potential Risks (Note):
>Inaction causing reputational damage
>Improper use of force
2 4 28 Financial, Legal & Compliance, Reputation
27
Risk Matrix - Function Specific Risks (Risks 45 -154)
The following table summarizes Function Specific Risks.
Note: Examples of Potential Risks included in the Risk Detail column of the Risk Matrix on the following pages are examples of potential risks inherent to the function. These are examples of risks in the activities before any controls are applied to reduce risks.
The inherent risks are identified to understand what could go wrong without mitigating factors or controls. These are not intended to communicate actual issues or challenges.
Risk ID Functional Area Risk Title Municipal / State Code
Reference
Risk Detail
(From documents provided, audit reports, interviews)
Likelihood
(1-5)
Impact
(1-5)
Score Risk Areas
45 Administrative Services Real Estate and Property Management 2.08.150 Department of Administrative Services
FY22 Risk Updates:
The Real Estate team started using a new database called Spacebase to centrally manage all lease agreements.
The requirements of GASB 87 (Leases) are effective for the City's fiscal year ending June 30, 2022.
FY21 Risks:
The City of Palo Alto handles many different real estate and property agreements such as easements, rights of way, leases, tie back agreements, and
more. The Real Property team provides expertise on real estate matters and partners with client departments on specific real estate needs.
Examples in which the Real Property team coordinates with client department include leases at the Cubberley Community Center and hangar space at
the airport.
Examples of Potential Risks (Note):
>Inadequate technology to manage lease agreements
>Lack of capacity to manage and ensure accuracy in real estate agreements
>Revenue collection errors
>Failure to properly implement GASB 87
4 3 34 Operational, Financial, Legal & Compliance
46 Administrative Services P-Card Program 2.08.150 Department of Administrative Services; 2.30.240 Designated Employees' Use of Petty Cash, P-Card, or Other Credit Card
The City of Palo Alto uses P-Cards throughout the organization to leverage purchasing power and improve purchasing processes. The organization has
hundreds of P-Cards assigned to individuals throughout the City. P-Cards can be requested through purchasing and require supervisor approval for use.
Transactions have a threshold of $10k.
Examples of Potential Risks (Note):
>Personal expenditures on City P-Cards for items that could be interpreted as business expenses
>Circumventing policy, such as splitting transactions to fall below the $10K threshold
>Information technology purchases that do not allow for proper IT oversight or governance
4 2 24 Financial, Legal & Compliance
47 Administrative Services Vendor Master File 2.08.150 Department of Administrative Services
At the City of Palo Alto, duties relating to changes to the Vendor Master File are segregated such that one individual cannot both process
payments and modify the vendor master file.
Examples of Potential Risks (Note):
>Accounts Payable changing payment information to a personal bank account routing number
>Erroneous vendor data leading to improper payments
1 3 12 Financial, Reputation
48 Administrative Services Print and Mail Services 2.08.150 Department of Administrative Services
The City of Palo Alto operates a print and mail services department, managing the mailing of all utility bills, acting as a central receiving area in City Hall,
and also completing any printing services. The print services division handles printing of Council packets for City Council members.
Examples of Potential Risks (Note):
>Financial and operational opportunity costs of running in-house mail services department compared to outsourcing the function
2 2 10 Strategic, Operational, Financial
49 Attorney Claims & Claim Reserves 2.28.240 Settlement of Claims and Actions; 2.08.120 Office and Duties of the City Attorney; State of California Tort Claims Act
As provided in Section 935.4 of the Government Code of California, the City Attorney is designated to perform the functions of the City Council relative to
claims and actions against the City or any of its officers or employees under the provisions of Division 3.6 of the Government Code.
The City may be liable for a variety of claims including:
>Torts Claims
>Law Claims
>Labor and Employment Claims
>Contract Claims
Risk to the City is mitigated through the City's membership in the Authority for California Cities Excess Liability (ACCEL) pool, through which the City insures
itself.
Examples of Potential Risks (Note):
>Property damage resulting from City actions
>Motorist injuries due to an interaction with a Palo Alto staff member acting within scope of her/his employment
>An employee suffers an injury while performing their job duties
3 3 26 Legal & Compliance
50 Clerk Public Records Requests 2.08.110 Office and Duties of the City Clerk; 2.08.300 Books and records (Ord. 4274 § 1 (part), 1995)
The City receives upwards of 400 requests for information every year. Public records requests come in a variety of ways: written, in person, online and
over the phone. Compliance with the Freedom of Information Act (FOIA) and state and local requirements dictates the availability of records and outlines the
procedures for providing documents to the public.
Examples of Potential Risks (Note):
>Incoming requests are decentralized, leaving possibility for requests to go unfulfilled
>Fulfilling of requests is centralized, burdening the department and causing inefficiencies
>Noncompliance with applicable laws
2 3 18 Financial, Legal & Compliance, Reputation
51 Clerk Elections Chapter 2.40 Municipal Elections The City Clerk is the local Filing Officer for the State of California. All local campaign Committees are required to file Campaign Statements with the City
Clerk. The City Clerk maintains regulations and forms under the State of California Fair Political Practices Commission.
Examples of Potential Risks (Note):
>Non-compliance with regulatory requirements
1 2 6 Reputation
52 Clerk Records Management 2.08.110 Office and Duties of the City Clerk; 2.08.300 Books and records (Ord. 4274 § 1 (part), 1995)
The City Clerk is the Records Manager for the City and is responsible for maintaining the City's Records Retention Schedule and for providing
departments with guidance on policies and best practices of records management.
The City Clerk's Office records official actions and legislation of the municipal government and retains other legal and historical records. The City Clerk
manages the proper maintenance and disposition of City records and information according to statute, and helps to preserve City history. Formalized
Standard Operating Procedures (SOPs) communicate the correct way of carrying out records management activities. SOPs help the organization operate
efficiently, maintain consistency, and communicate clearly. The City Clerk does not have current SOPs detailing records management and retention
practices.
A modern/centralized records management system may increase efficiency and offer functionality such as analytics and reporting capability. Without a
centralized repository, employees use paper based files and multiple online platforms. The City of Palo Alto operates on a decentralized records
management process.
Examples of Potential Risks (Note):
>Damage to documents from improper storage
>Inability for documents and information to be accurately recorded and sourced for public information requests, and the public is given inaccurate information
about the availability of documents
>Institutional knowledge is lost when employees retire or leave the department
>Records are destroyed prematurely or stored longer than legally necessary
4 2 24 Operational, Legal & Compliance, Reputation
53 Communications Social Media Management Brown Act (California Government Code Section 54950 et seq.)
Social media accounts are handled and managed by separate, decentralized departments. Content published by these accounts is not generated from
a central office, but is monitored by the Communications Office.
Additionally, elected officials' social media posts may be considered public record and may be subject to State law. The majority of instances include the
use of personal platforms to promote City agenda, issues and positions.
Examples of Potential Risks (Note):
>False or misleading information is published by City owned accounts
>Conflicting information is provided by multiple City owned accounts
>Lack of internal controls for publishing content on City owned accounts
>Publishing of inappropriate or inaccurate content
>Inaccurately holding and/or managing public information for records management
3 3 26 Strategic, Legal & Compliance, Reputation, Political & Economic
54 Communications Digital Marketing Digital platforms, such as websites, social media, online platforms, blog posts (Palo Alto Connect) and digital newsletters are used to disperse information
and inform community members and City employees. Additionally, these platforms are used to advertise City services and events.
Examples of Potential Risks (Note):
>False and/or misleading information is published by the City
>Publishing of inappropriate or inaccurate content
1 3 12 Strategic, Legal & Compliance, Reputation, Political & Economic
55 Communications External Affairs Relations with the media and general public are primarily handled by the Communications Office. The City of Palo Alto works to inform the media in a timely and
accurate manner, including through a monthly newsletter, press releases, interviews, news releases to 400 media contacts, and statements on behalf of
departments and the City. Requests for information from the media are decentralized, with the majority of responses for comments and communication coming
from the Communications Department.
Multiple channels are used by the City to build relationships and inform the citizens of Palo Alto and surrounding communities. The City works to engage stakeholders and provide a positive public perception by:
>Communicating through its multiple platforms
>Hosting community service events
>Maintaining open and transparent government
Examples of Potential Risks (Note):
>False or misleading information is published by the City
2 2 10 Strategic
Legal & Compliance
Reputation
Political & Economic
29
Risk ID Functional Area Risk Title Municipal / State Code
Reference
Risk Detail
(From documents provided, audit reports, interviews)
Likelihood
(1-5)
Impact
(1-5)
Score Risk Areas
>Conflicting statements made by City officials
>Lack of internal controls for managing media requests
Risk ID 56: Communications / Website
Risk Detail:
FY22 Risk Updates:
1) City website updated
2) Website maintained centrally with records of who has back-end access
FY21 Risks:
The City's website and affiliated websites are maintained and updated in conjunction with the Communications Office and the Information Technology Department. Both departments work with the website host to update information and publish new webpages. Additionally, individual departments have access to back-end website publishing.
Examples of Potential Risks (Note):
>Lack of internal controls for website access
>Publishing of inappropriate or inaccurate content
Likelihood 2 / Impact 2 / Score 10
Risk Areas: Legal & Compliance; Reputation; IT
Risk ID 57: Communications / Internal Communications
Code Reference: 18.79.010 Purposes
Risk Detail:
Communications oversees formal internal communications, including creation and/or review of Citywide emails, internal newsletters and communications. It is a centralized place of issuance for organization-wide communication, including City Manager and department head presentations and reporting.
Examples of Potential Risks (Note):
>Conflicting information is provided to City employees
>Internal communications are improperly published to the community
Likelihood 2 / Impact 1 / Score 3
Risk Areas: Operational
Risk ID 58: Community Services / Contract Monitoring
Code Reference: 2.30 Contracts and Purchasing Procedures
Risk Detail:
FY22 Risk Updates:
1) Non-profit agreements internal audit
2) Updated internal controls for contract and vendor management
3) Diversification of contractors
4) Updated software
FY21 Risks:
Community Services relies on third-party contractors to manage the animal shelter, deliver recreational services (i.e. the swimming pool, athletic fields, the golf course), and provide arts and theatre programs. As a result, Community Services oversees dozens of contracts and independent contractors.
Examples of Potential Risks (Note):
>Loss of revenue due to overpayments on contracts
>Reputational risk associated with actions of a 3rd party
>Failure to adhere to contract terms including scope of work and other critical provisions
>Failure to monitor vendor performance
Likelihood 3 / Impact 4 / Score 36
Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputation
Risk ID 59: Community Services / Background Check Procedures
Code Reference: 2.08.210 Department of community services.
Risk Detail:
Community Services offers a variety of programs where workers may come into contact with children. The following is a non-exhaustive list of screening practices the City uses: local criminal record check, state criminal record check, FBI criminal record check, employment reference checks, and personal reference checks.
Examples of Potential Risks (Note):
>Hiring of unqualified individuals
>Employing an individual that should be ineligible for employment involving interactions with children
Likelihood 3 / Impact 3 / Score 26
Risk Areas: Operational; Legal & Compliance; Reputation
Risk ID 60: Community Services / Recreation Services
Risk Detail:
Recreation Services has a focus on youth wellbeing. Facilities include the historic Lucie Stern Community Center, Mitchell Park Community Center, Cubberley Community Center, and Rinconada Pool. Recreation Services also coordinates a variety of recreation programs including middle school athletics, the Teen Center, Palo Alto Youth Leadership programs, year-round Life-Long Learning classes, adult sports leagues, and summer camp and aquatics programs.
Examples of Potential Risks (Note):
>Resources are expended on services that are not of sufficient benefit to the community
>Employing an individual that should be ineligible for employment involving interactions with children
>Improper payment for services (e.g., a referee)
Likelihood 2 / Impact 3 / Score 18
Risk Areas: Strategic; Financial; Legal & Compliance; Reputation
Risk ID 61: Community Services / Human Services
Code Reference: 2.08.210 Department of community services.
Risk Detail:
The Office of Human Services provides services and works toward enhancing the quality of life in Palo Alto in a variety of ways. Services relate to the following areas:
>Children Resources
>Family Resources
>Tenant/Landlord
>Human Services Grants
>Emerging Needs Funds
Examples of Potential Risks (Note):
>Resources are expended on services that are not of sufficient benefit to the community
>Ineligible program participation
>Fraud/waste/abuse of public funds
Likelihood 1 / Impact 3 / Score 12
Risk Areas: Operational; Financial; Legal & Compliance; Reputation
Risk ID 62: Community Services / Children's Theatre
Code Reference: 2.08.210 Department of community services.
Risk Detail:
Palo Alto's Children's Theatre serves more than 57,000 community members each year with theatrical productions and programs for youth ages 3 through high school. Performing arts education opportunities include onsite classes, camps, and production experiences, as well as theatrical Outreach Productions (grades 3-5) and Dance in Schools classes (grades K-2) in all twelve PAUSD elementary schools.
Children's Theatre offers a variety of programs where workers may come into contact with children.
Examples of Potential Risks (Note):
>Resources are expended on services that are not of sufficient benefit to the community
>Employing an individual that should be ineligible for employment involving interactions with children
Likelihood 1 / Impact 3 / Score 12
Risk Areas: Strategic; Financial; Legal & Compliance; Reputation
Risk ID 63: Community Services / Open Space, Parks, & Baylands Golf Links
Risk Detail:
The City of Palo Alto has almost 4,000 acres of open space to explore, recreate and relax in. Park Services handles the maintenance of 162 developed acres of urban parklands. Individual parks range in size from under two acres to large community parks such as Rinconada Park, Mitchell Park, and Greer Park. Besides maintaining urban parks, Park Services handles landscape maintenance of libraries, community centers, business districts and utility sub-stations.
Troon, previously OB Sports, manages the newly constructed Baylands Golf Links. According to the contract, Troon is responsible for course maintenance, leases a cafe from the City, and manages a pro shop. The City receives a percentage of revenue from the pro shop. This approach to golf course management is new to the City within the past few years.
The City has a contract with Brightview for maintenance and landscaping services on other open space and parks land.
Examples of Potential Risks (Note):
>Resources are expended on services that are not of sufficient benefit to the community
>3rd party management of City resources, such as the golf course
Likelihood 1 / Impact 3 / Score 12
Risk Areas: Strategic; Legal & Compliance; Reputation
Risk ID 64: Community Services / Palo Alto Art Center
Code Reference: 2.08.210 Department of community services.; 2.18 Public Art Commission
Risk Detail:
The Palo Alto Art Center has a partnership with the Palo Alto Art Center (PAAC) Foundation Board. Successful fundraising efforts of the PAAC Foundation are necessary, in addition to City funds, to sustain the Art Center. The Art Center measures its progress based on the following priorities:
>Community Engagement
>Financial Sustainability
>Leadership capacity
Examples of Potential Risks (Note):
>Resources are expended on services that are not of sufficient benefit to the community
>Employing an individual that should be ineligible for employment involving interactions with children
Likelihood 1 / Impact 2 / Score 6
Risk Areas: Strategic; Financial; Legal & Compliance; Reputation
Risk ID 65: Community Services / Junior Museum & Zoo
Code Reference: 2.08.210 Department of community services.
Risk Detail:
The Palo Alto Junior Museum & Zoo has a partnership with the Friends of Palo Alto Junior Museum & Zoo. Successful fundraising efforts of Friends of Palo Alto Junior Museum & Zoo are necessary, in addition to City funds, to sustain the museum and zoo. The JMZ is owned and operated by the City of Palo Alto. The JMZ hosts more than 17,000 local students annually from schools, science camps, and field trips. In total, the JMZ has approximately 180,000 visitors per year.
The City is exploring potential opportunities to relinquish day-to-day operations responsibilities to Friends of Palo Alto Junior Museum & Zoo. These discussions are still at an early stage.
Examples of Potential Risks (Note):
>Resources are expended on services that are not of sufficient benefit to the community
>Transferring operating responsibilities to a non-profit may result in legal challenge from existing City employees
>Failure to properly manage the JMZ may result in negative publicity and reputational damage
Likelihood 1 / Impact 2 / Score 6
Risk Areas: Strategic; Financial; Legal & Compliance; Reputation
Risk ID 66: Community Services / Public Art Program
Code Reference: Chapter 2.26; 15.61.110 Public Art Fund; 2.26.070 Public Art for Municipal Projects; 2.26.030 Duties of the Public Art Commission
Risk Detail:
The Public Art Program operates in accordance with Chapter 2.26 of the Palo Alto Municipal Code to provide opportunities for the placement of permanent and temporary site-specific public art projects in municipal projects across Palo Alto. Additionally, the Program oversees the implementation of the Ordinance requirement to incorporate public art in private development projects. The Public Art Commission (PAC) reviews and advises the Public Art Program on selection, placement, and care of public art throughout the City of Palo Alto.
The City collection of public art comprises approximately 100 permanently sited works and approximately 200 portable works of art in a diverse range of media. All works are commissioned and acquired through a public process.
Examples of Potential Risks (Note):
>Resources are expended on services that are not of sufficient benefit to the community
Likelihood 1 / Impact 2 / Score 6
Risk Areas: Strategic; Financial
Risk ID 67: Emergency Services / Disaster Response
Code Reference: 2.08.185 Office of Emergency Services.
Risk Detail:
The mission of the Office of Emergency Services is to prevent, prepare for, mitigate, respond to, and recover from all hazards. This involves:
>Executing a training plan for designated staff
>Maintaining emergency management facilities, critical infrastructure, and essential equipment
>Coordinating with private sector and non-governmental organizations to promote continuity of operations
>Maintaining disaster plans for the City
The City has developed many resources and has placed them on the website: www.cityofpaloalto.org/thira.
Examples of Potential Risks (Note):
>Inadequate response to an emergency such as an earthquake, fire, urban flood, or active shooter situation may result in injury, loss of life, financial hardship, and reputational damage to the City and its employees
Likelihood 1 / Impact 5 / Score 30
Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputation; Political & Economic
Risk ID 68: Emergency Services / Emergency Volunteer Coverage
Code Reference: Palo Alto Municipal Code (PAMC) Sec. 2.12.070; 2.08.185 Office of Emergency Services.
Risk Detail:
FY22 Risk Updates:
1) The on-going pandemic has impacted the ability to find volunteers
• Additional COVID-19 protocols
• Apprehension about working with the community during the pandemic
• Availability of vaccinated or proven-negative volunteers
2) Aging population
FY21 Risks:
In the case of an emergency, the Office of Emergency Services may enlist the assistance of the community through a volunteer network. The mission of the Palo Alto Emergency Services Volunteers (ESV) is to: 1) provide supplemental resources to the professional first responders of the City and surrounding communities and 2) facilitate means for neighbors to help neighbors (including businesses and other entities). Emergency Service Volunteers are often geographically concentrated in some, but not all, neighborhoods.
Examples of Potential Risks (Note):
>Lack of volunteer participation across the City/concentration of volunteers leading to inconsistent emergency response depending on location
Likelihood 3 / Impact 3 / Score 26
Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputation; Political & Economic
Risk ID 69: Administrative Services / Tax Revenue
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
FY22 Risk Updates:
In the risk assessment survey, Economy was rated as the seventh highest risk by management.
One of the risk assessment interviewees wants the structure of revenue sources to be reviewed.
FY21 Risks:
The City of Palo Alto's largest sources of revenue include property taxes, sales taxes, and transient occupancy taxes; these are the three main sources of tax revenue. Palo Alto has been a hub for large technology businesses which bring in visitors to hotels, restaurants, and retail. These visitors and the daytime population help feed the sales and transient occupancy taxes. Palo Alto property values have also risen over the last few decades, driving an increase in property tax revenue.
Examples of Potential Risks (Note):
>Large businesses moving to other locations or decreasing the focus on in-person interactions at headquarters lowers the daytime population and visitors
>Decreasing real estate values due to external factors decreases City revenues from property taxes
Likelihood 3 / Impact 5 / Score 44
Risk Areas: Strategic; Financial; Political & Economic
Risk ID 70: Administrative Services / Asset Management
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
FY22 Risk Updates:
The requirements of GASB 87 (Leases) and GASB 89 (Interest Cost) are effective for the City's fiscal year ending June 30, 2022.
FY21 Risks:
The City manages assets to ensure that all assets are properly accounted for both operationally and financially. Asset management is also important to the accounting function, to ensure that depreciation on all assets is properly tracked and applied and that the various assets are correctly classified.
Examples of Potential Risks (Note):
>Misclassification of assets, hampering the ability to properly account for depreciation and other accounting requirements
>Lack of internal controls in managing and accounting for assets
Likelihood 3 / Impact 4 / Score 36
Risk Areas: Operational; Financial
Risk ID 71: Administrative Services / Investments, Debt, and Cash Management
Code Reference: 2.08.150 Department of Administrative Services; 2.28.140 Depositories and Investments
Risk Detail:
FY22 Risk Updates:
Based on the FY2022 survey and interviews, investments are an area where the City may benefit from an internal audit. There is a need to update the City's investment policy to increase flexibility based on the current environment.
FY21 Risks:
Palo Alto manages its investment, debt, and cash portfolio through a single internal investment manager. This investment manager maintains the City's investment portfolio subject to the investment policy, including limits on holdings of various financial products. Maintaining an internal investment manager allows the City of Palo Alto to avoid commissions/fees.
In addition, the investment manager also performs cash management and cash flow modeling, executes wire transactions, serves as the bank custodian, and performs a daily cash flow reconciliation.
Examples of Potential Risks (Note):
>Financial opportunity cost relative to an optimized portfolio managed by an outsourced firm
>Operational inefficiencies due to lack of economies of scale in comparison to an outsourced firm
>Fraud/misuse/abuse risk associated with lacking or failed internal controls regarding investments
>Noncompliance with the investment policy
>Over-reliance on one individual to manage City investments
Likelihood 2 / Impact 5 / Score 38
Risk Areas: Strategic; Financial; Legal & Compliance
Risk ID 72: Administrative Services / Accounts Receivable
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
FY22 Risk Updates:
>There is a lack of communication and transparency with other City departments.
>The department has goals that change frequently, which may result in the inability to focus on and follow through with any one goal.
>The department struggles to attract and retain staff.
>Public meetings increase pressure on the department to perform.
FY21 Risks:
The Revenue Collection and General Accounting teams manage the City's accounts receivable function. This function ensures that bills are timely, accurate and include adequate information for those paying the City. Additionally, this function manages what payments are expected, any overdue payments, and any necessary collections. Note that this function is not responsible for utility billing.
Examples of Potential Risks (Note):
>Outstanding balances for extended periods of time
>Redirected payments to personal accounts
Likelihood 3 / Impact 4 / Score 36
Risk Areas: Operational; Financial; Legal & Compliance
Risk ID 73: Administrative Services / Credit & Debt
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
Palo Alto's credit rating is currently AAA, the highest rating a municipality can receive. This is due in large part to high fund balances and low debt burdens. Healthy fund balances and low reliance on debt equip the City to face economic hardships or other external factors outside the City's control.
Examples of Potential Risks (Note):
>Sustained decreasing revenues may require the City to diminish fund balances and rely more heavily on debt
>Operational inefficiencies may result from sustained economic prosperity, leaving the City vulnerable to inefficient uses of debt and fund balances during times of economic hardship
Likelihood 2 / Impact 4 / Score 28
Risk Areas: Financial; Reputation; Political & Economic
Risk ID 74: Administrative Services / General Accounting
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
FY22 Risk Updates:
There is a lack of skills and/or time to implement new accounting pronouncements (GASB statements), which may result in noncompliance with applicable laws.
FY21 Risks:
Palo Alto's accountants ensure that the City has accurate financial information with which to make decisions and to report to the public. The accounting function ensures that the financial statements reflect the true operations and financial state of the City.
Examples of Potential Risks (Note):
>Misstatement on financial statements
>Lack of internal controls to catch accounting errors
Likelihood 3 / Impact 3 / Score 26
Risk Areas: Strategic; Operational; Financial; Legal & Compliance
Risk ID 75: Administrative Services / Budget Management
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
FY22 Risk Updates:
>There can be challenges with the OMB due to the need for coordination between City departments and City leadership to ensure that information/requests provided align with the needs of the department to provide services, in addition to the fact that various financial systems are used to maintain the budget.
>OMB staff have been tasked with updating policies and procedures when changes occur to keep them current; however, turnover in staff and the decentralization of where policies are stored has caused some documentation to be updated more slowly.
>There is a need for a central budgeting tool and specialized budget training.
>One of the risk assessment interviewees has a concern about the lack of a plan around funding for infrastructure.
Likelihood 3 / Impact 3 / Score 26
Risk Areas: Operational; Financial
Risk ID 76: Administrative Services / Accounts Payable
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
FY22 Risk Updates:
>There have been fraud attempts surrounding the wire payments process. Currently, the City is working to formalize this process.
>Staffing changes are impacting the department. There is a need to better define staff responsibilities.
FY21 Risks:
The Accounts Payable division handles payment of vendor invoices, p-card transactions, and other payments. The Accounts Payable department issues payments in a number of ways, including ACH and checks. Accounts Payable is managed in SAP and any paper invoices are entered into the system.
Examples of Potential Risks (Note):
>Late payment of invoices in the event invoices are not entered into SAP
>Invoices entered into the system with incorrect information, such as miskeyed dates
Likelihood 4 / Impact 2 / Score 24
Risk Areas: Financial; Legal & Compliance
Risk ID 77: Administrative Services / Procurement
Code Reference: 2.08.150 Department of Administrative Services; 2.30.040 Centralized Purchasing
Risk Detail:
FY22 Risk Updates:
>Staffing constraints may prevent the department from meeting its goals and objectives.
>Financial constraints may prevent the department from meeting its goals and objectives.
>Some of the risk assessment interviewees mentioned the inefficient procurement process.
>Procurement/Sourcing was rated the 14th highest risk factor (out of 38 risk factors) in the risk assessment.
FY21 Risks:
Palo Alto has detailed policies and procedures in place for purchasing and procurement. The process includes internal controls to ensure that the organization is protected against fraud, misuse and abuse in the purchasing process. If any areas within the purchasing process are missing controls, it opens an opportunity for unethical, fraudulent, or erroneous activities. If the purchasing process has too many controls, the City may be missing opportunities for cost savings and operational efficiencies.
Examples of Potential Risks (Note):
>Burdensome internal controls slowing the purchasing process down, discouraging good vendors from bidding on projects
>Lack of internal purchasing controls, opening opportunities for fraud, misuse and abuse
Likelihood 4 / Impact 4 / Score 42
Risk Areas: Operational; Financial; Legal & Compliance
Risk ID 78: Administrative Services / Payroll
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
Payroll ensures that all City employees are paid on time and accurately. Payroll must ensure that all benefit deductions, taxes, withholdings, and other individual differences in paychecks are proper and included in paychecks. This includes ensuring that any changes to employee status are properly reflected in paychecks.
Examples of Potential Risks (Note):
>Lack of audit prior to payroll disbursements, leading to errors in paychecks, including over- or under-payments
>Not accounting for updates to qualifying events such as marriage or new children
Likelihood 4 / Impact 2 / Score 24
Risk Areas: Operational; Financial; Legal & Compliance
Risk ID 79: Administrative Services / Grants Management
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
Grants Management includes the pursuit of grants, the tracking of outstanding grant decisions, managing any awards, and the associated reporting and spending deadlines.
The City of Palo Alto does not have a centralized grant management function. Rather, each department pursues grant opportunities applicable to a specific program or the department as a whole and manages the grant in accordance with the grant agreement and applicable law.
The Administrative Services Department prepares pertinent financial reports including the Schedule of Expenditures of Federal Awards (SEFA).
Examples of Potential Risks (Note):
>Missed grant reporting deadlines
>Use of grant funding on ineligible expenses
>Missed grant opportunities due to inaction or delays in application writing
Likelihood 3 / Impact 2 / Score 16
Risk Areas: Operational; Financial; Legal & Compliance
Risk ID 80: Administrative Services / Proposition 13
Code Reference: 2.08.150 Department of Administrative Services
Risk Detail:
Proposition 13, or "The People's Amendment to Control Taxation", caps property tax rates according to a percentage of the property value or the Consumer Product Index. This proposition limits the amount that residents can be taxed on their property in the midst of rising property values, while also limiting the City's ability to collect revenue at a rate that keeps pace with the Palo Alto real estate market.
Examples of Potential Risks (Note):
>Lost revenue for the City to fund City services with Prop 13 in place
>High taxation on residents due to increased property values, especially long-term Palo Alto residents, in the absence of Prop 13
Likelihood 1 / Impact 3 / Score 12
Risk Areas: Financial; Reputation; Political & Economic
Risk ID 81: Fire / Emergency Medical Service
Code Reference: State of California Senate Bill 201; 2.08.180 Fire department.
Risk Detail:
FY22 Risk Update:
Various changes were noted in responses to the risk assessment survey.
- There have been numerous employee reductions
- Resources were redeployed to optimize response with fewer personnel (based on predictive analysis of previous years' incident data and response times)
- There was a higher than normal number of personnel on injury, likely from fatigue related to COVID
- Mandatory overtime has increased due to personnel reductions
- The goals identified in the 5-year strategic plan and other workflows were negatively impacted due to COVID responses and the reduction in staff and line positions
FY21 Risks:
The Fire Department operates an ambulance transfer service. The EMS Director oversees equipment, staffing, training, and all other activities associated with this ambulance function.
The City is implementing an Ambulance Subscription Fee Program. The program will be voluntary and proposes to waive the insurance co-pay participants would otherwise be charged when transported to the hospital by ambulance.
Examples of Potential Risks (Note):
>Compliance with the EMS Act, including Section 201 and service level requirements
>Proper billing and collection of subscription fees
Likelihood 4 / Impact 4 / Score 42
Risk Areas: Operational; Financial; Legal & Compliance; Reputation
Risk ID 82: Fire / Fire Suppression
Code Reference: 2.08.180 Fire department.
Risk Detail:
FY22 Risk Update:
Various changes were noted in responses to the risk assessment survey.
- There have been numerous employee reductions
- Resources were redeployed to optimize response with fewer personnel (based on predictive analysis of previous years' incident data and response times)
- There was a higher than normal number of personnel on injury, likely from fatigue related to COVID
- Mandatory overtime has increased due to personnel reductions
- The goals identified in the 5-year strategic plan and other workflows were negatively impacted due to COVID responses and the reduction in staff and line positions
Other:
- A technical rescue over a hillside or a large structure fire can be very technical.
- Response time data is regularly reviewed, and an annual update is completed to the accreditation (CFAI - Commission on Fire Accreditation International) that details the performance in relation to the benchmarks established by council.
The Fire Department responds to emergency and non-emergency calls. Palo Alto's Hazardous Materials Team responds to calls involving hazardous materials.
Examples of Potential Risks (Note):
>Inadequate training and certification
>Improper staffing of fire truck and ambulance units
Likelihood 3 / Impact 4 / Score 36
Risk Areas: Operational; Legal & Compliance
Risk ID 83: Fire / Fire Prevention - Palo Alto Foothills & Wildland Fire Risk
Code Reference: 2.08.180 Fire department.
Risk Detail:
Fire Prevention Bureau: Improve the quality of life for the Palo Alto community through risk assessment, code enforcement, fire investigation, public education, and hazardous materials management.
FY22 Risk Update:
- Current workforce constraints for the City and surrounding communities, as well as larger workforce shortages, impact the response time or availability for mutual support.
- The Fire Department's initiative includes rigorous wildland fire drills and trainings in order to prepare for the increased risk of a longer and more intense California fire season (FY22 Operating Budget)
- One focus of climate adaptation is preparation for and protection from wildfires (City of Palo Alto website)
- One of the risk assessment interviewees mentioned wildland fire risk and the effect on the climate.
- One of the risk assessment survey respondents wants to see a study of staffing and compensation packages among similar departments. Another respondent suggests a review of the Self-Assessment Manual and a review of the current training facilities.
FY21 Risks:
The City includes land west of Highway 280, including Foothills Park. This area is served by Fire Station 8. When Fire Station 8 is not staffed, the City is heavily reliant on mutual aid.
Examples of Potential Risks (Note):
>Lack of staffing to respond to emergencies in the Foothills Park area
Likelihood 3 / Impact 4 / Score 36
Risk Areas: Operational; Legal & Compliance; Reputation
Risk ID 84: Fire / Fire/EMS Training
Code Reference: 2.08.180 Fire department.
Risk Detail:
Employee Fire/EMS Certification Training: Provide training to certify that staff maintain safe, efficient, and effective practices when responding to emergencies. Ensure personnel are familiar with and able to utilize the most up-to-date and proven techniques. Training specific to required EMT and/or Paramedic re-certification is also incorporated.
FY22 Risk Update:
Current workforce constraints for the City and the larger shortage of EMT/EMS workers impact the City's ability to hire and/or train employees for proper staffing of EMTs.
FY21 Risks:
The majority of City of Palo Alto firefighters are also certified as either EMTs or Paramedics. Palo Alto offers training for firefighters to be certified as EMTs. Paramedics and EMTs both respond to medical/rescue and fire calls. Paramedics are trained to perform additional medical services that EMTs are not certified to perform, including starting IVs, administering medication and beginning intubation.
According to NFPA safety standards and best practices, two paramedics and two EMT or BLS trained individuals should be on scene for every event.
Examples of Potential Risks (Note):
>Inadequate training facilities and staff training and certification
Likelihood 2 / Impact 3 / Score 18
Risk Areas: Operational; Legal & Compliance; Reputation
Risk ID 85: Human Resources / High Cost Claims
Code Reference: 2.08.160 Department of human resources.
Risk Detail:
Managing high-cost claimants, including individuals suspected of "gaming the system", is critical for controlling benefits costs. Staffing models should plan for high-cost scenarios such as employees with chronic illnesses and sick leave abuse. High cost claims include both expensive chronic medical conditions and acute conditions. Major cost drivers include:
>Cardiovascular disease
>Pulmonary conditions
>Neurological conditions
Examples of Potential Risks (Note):
>Public safety employees may place a significant financial burden on the City given the dangerous nature of the role
Likelihood 4 / Impact 4 / Score 42
Risk Areas: Financial; Legal & Compliance
Risk ID 86: Human Resources / Workload
Code Reference: 2.08.160 Department of human resources.
Risk Detail:
Due to departmental workload, there is a risk that employees may experience the following.
Examples of Potential Risks (Note):
>Lower morale
>Employee health (e.g. physical, mental and emotional)
>Poor communication
>Human error
Likelihood 4 / Impact 4 / Score 42
Risk Areas: Human Capital Management
Risk ID 87: Human Resources / Staffing Levels
Code Reference: 2.08.160 Department of human resources.
Risk Detail:
FY22 Risk Updates:
The HR department experiences some technology issues that prevent the department from meeting its goals and objectives. The City is still at risk of losing HR professionals.
FY21 Risks:
Multiple departments within the City expressed challenges with staffing levels. Hiring limitations in response to COVID-19 worsened these existing challenges.
Examples of Potential Risks (Note):
>Relying on unqualified employees to perform critical tasks due to an unfilled vacancy
>Non-compliance with state and federal laws due to capacity limitations
>Reductions in service quality due to capacity limitations
Likelihood 4 / Impact 3 / Score 34
Risk Areas: Operational; Legal & Compliance
Risk 88 | Human Resources | Employee Separation and Offboarding
The City adheres to a detailed offboarding process including a formalized employee termination checklist. Departmental management, Human Resources, and IT coordinate to gather necessary paperwork, update IT permissions and access rights, discuss knowledge transfer, schedule and conduct an exit interview, and recover city-owned assets. This process is not supported in SAP. Instead, it involves multiple workflows and manual communications.
Examples of Potential Risks (Note):
> Payroll fraud
> Non-compliance with relevant laws and regulations regarding employee separation
> Ongoing, improper physical access or access to business/information systems after separation
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputation
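Because the offboarding steps above depend on manual hand-offs between departments, HR and IT, the detective control a practitioner wants alongside the checklist is a periodic reconciliation of HR separation records against the identity system's account list. The following is an added example written for this page, not the City's or any vendor's code: it flags accounts still enabled after their owner's separation date (escalating those used after that date) and enabled accounts that map to no HR record at all. The record layouts, the field names (employee_id, separation_date, last_logon), the grace period and the sample data are all assumptions constructed for the example.

```python
"""Added example: reconcile HR separations against identity-system accounts.

Not the City's code. Record shapes and field names are assumptions; the
sample data at the bottom is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Separation:
    employee_id: str
    separation_date: date          # last day of employment per the HR record


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]     # None: no HR owner (service or shared account)
    enabled: bool
    last_logon: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str                    # "orphaned", "post_separation_logon" or "unowned"
    detail: str


def reconcile(separations: List[Separation], accounts: List[Account],
              as_of: date, grace_days: int = 1) -> List[Finding]:
    """Flag enabled accounts whose owner separated more than grace_days ago
    (escalated if the account was used after the separation date) and
    enabled accounts that map to no HR record at all.

    grace_days covers the window in which a same-day disable ticket may
    still be in flight; anything older is a control failure, not latency.
    """
    separated = {s.employee_id: s.separation_date for s in separations}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: the control worked
        if acct.employee_id is None:
            findings.append(Finding(acct.username, "unowned",
                                    "enabled account with no HR record"))
            continue
        sep = separated.get(acct.employee_id)
        if sep is None or (as_of - sep) <= timedelta(days=grace_days):
            continue  # current employee, or separation still within the grace window
        if acct.last_logon is not None and acct.last_logon > sep:
            findings.append(Finding(acct.username, "post_separation_logon",
                                    f"logon on {acct.last_logon} after separation {sep}"))
        else:
            findings.append(Finding(acct.username, "orphaned",
                                    f"still enabled {(as_of - sep).days} days after separation {sep}"))
    return findings


# Constructed sample input (not real City data).
AS_OF = date(2022, 3, 1)
SEPARATIONS = [
    Separation("E1000", date(2021, 12, 1)),
    Separation("E1001", date(2022, 1, 14)),
    Separation("E1002", date(2022, 2, 28)),
]
ACCOUNTS = [
    Account("mchan", "E1000", enabled=False, last_logon=date(2021, 11, 30)),  # disabled correctly
    Account("jdoe", "E1001", enabled=True, last_logon=date(2022, 2, 2)),       # used after separation
    Account("asmith", "E1002", enabled=True, last_logon=None),                 # separated yesterday: in grace window
    Account("rlee", "E1003", enabled=True, last_logon=date(2022, 2, 27)),      # current employee
    Account("svc_backup", None, enabled=True, last_logon=date(2022, 2, 28)),   # no HR owner
]

if __name__ == "__main__":
    for f in reconcile(SEPARATIONS, ACCOUNTS, AS_OF):
        print(f"{f.username:12} {f.reason:22} {f.detail}")
```

With the constructed data, jdoe is reported as a post-separation logon and svc_backup as an unowned account, while asmith falls inside the one-day grace window; running with grace_days=0 also reports asmith as orphaned. In practice the separation list is the HR system's export and the account list comes from the directory or HRIS, and the "unowned" bucket is where shared and generic accounts surface for review.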
36
Risk ID | Functional Area | Risk Title | Municipal / State Code Reference | Risk Detail (from documents provided, audit reports, interviews) | Likelihood (1-5) | Impact (1-5) | Score | Risk Areas
Risk 89 | Human Resources | Hiring | Reference: 2.08.160 Department of human resources.
FY22 Risk Updates:
City Council Staff Report #11973, meeting date 3/15/2021 - finding and recommendation for fire departments in Santa Clara County: increase the recruitment and hiring of more female firefighters.
A lack of diversity in the Fire and Police departments was noted in a survey response and in one of the interviews we conducted. It was noted that actions are being taken to correct the issue.
FY21 Risks:
The Human Resources Department oversees the hiring process. The hiring process starts with departments submitting a requisition to fill a vacancy. Upon receipt of approval from the Budget Office, Human Resources goes through a planning process with the department to identify urgency, develop a timeline, and agree on a process. Most positions are governed by merit rules and require public posting. At this stage, the City details position requirements, including whether exams are necessary.
Human Resources completes an initial review to eliminate candidates that fail to meet minimum requirements. Screening processes (e.g., phone, paper-based) differ depending on the position. Interview processes are structured and questions require sign-off from Human Resources. Human Resources works with departments to conduct a job analysis and author interview questions tied to job duties. To score interviews, the City uses a scoring matrix.
Human Resources has plans to promote diversity, for example, blind resume reviews. To address issues related to diversity, the City focuses on job outreach to encourage diverse candidate pools.
Examples of Potential Risks (Note):
> Hiring of unqualified individuals
> Employing an individual that should be ineligible for employment
> Litigation due to an illegal interview question
> Implicit bias in the hiring process
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Operational; Legal & Compliance; Reputation
Risk 90 | Human Resources | Records Management | Reference: 2.08.160 Department of human resources.; CA Labor Code Section 226 - Record Keeping Requirements
Human Resources lacks a centralized repository for employee records. As a result, tracking employee data is oftentimes cumbersome. Within the past three years, Human Resources started converting files in an effort to go paperless. Due to issues with the vendor partner, the department has been unable to complete this transition. Completing this transition would enhance the department's ability to store, retrieve, and archive information.
In addition, it is unclear whether the department has policy language detailing proper handling of personally identifiable information (PII). This topic is covered through annual trainings.
Examples of Potential Risks (Note):
> Failure to establish clear record keeping guidelines increases the likelihood that the City will be noncompliant with state and federal record keeping requirements, such as those of USCIS and the EEOC and of federal employment acts (ERISA, ADA, FMLA and OSHA)
> Increased difficulty responding to various legal actions and unemployment claims
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Legal & Compliance
Risk 91 | Human Resources | Succession Planning | Reference: 2.08.160 Department of human resources.
FY22 Risk Updates:
Succession planning is noted as a risk.
FY21 Risks:
The City used to conduct "people-focused" succession planning exercises and is considering a transition to a more "skill-focused" approach. This process may include:
> Determining current and short-term departmental needs
> Compiling critical skillsets
> Analyzing the current in-house talent pool
> Assessing risk of turnover for critical positions
Examples of Potential Risks (Note):
> Successors may lack readiness
> Loss of institutional knowledge
> Costs associated with recruiting a replacement
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Strategic
Risk 92 | Human Resources | Systems and Technology | Reference: 2.08.160 Department of human resources.
FY22 Risk Updates:
1) Changes in compliance related to COVID-19 workplace regulations.
2) Vacancies in HR due to turnover.
3) The City has not yet acquired a centralized Human Resources Information System (HRIS), i.e., the HRIS function is not fully utilized.
Noted as a risk area by a risk assessment interviewee.
FY21 Risks:
The City does not have a centralized HRIS. Instead, Human Resources relies on multiple systems and software, especially the finance system powered by SAP. Due to system limitations, Human Resources is required to conduct critical processes manually. These processes include adjusting hazard pay and bilingual worker pay. In addition, Human Resources experiences challenges coordinating with the pension system and making salary adjustments when certain employee types are promoted.
Examples of Potential Risks (Note):
> Human error due to manual processes
> Inaccurate calculation of employee compensation and pension balances
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Operational
Risk 93 | Human Resources | Class and Comp | Reference: 2.08.160 Department of human resources.
Due to COVID-19, cost-of-living adjustments (COLA) and merit-based increases are frozen for non-union, management-level employees. For unionized employees, the City has contractual obligations to adhere to agreed upon pay structures and step advancements.
In the case of union employees, classification and compensation are determined through market analysis based on agreed upon comparable firms. In some instances, agreeing upon these comparable firms has been an obstacle.
Examples of Potential Risks (Note):
> Choosing an inappropriate market sample may result in noncompetitive salary ranges
> Noncompetitive salary ranges on the high end may result in an increased financial burden on the City
> Noncompetitive salary ranges on the low end may result in difficulties with recruitment and retention
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Operational
Risk 94 | Human Resources | Standard Operating Procedures | Reference: 2.08.160 Department of human resources.
FY22 Risk Updates:
A flow chart of the hiring process was presented at a Council meeting.
Restrictive merit rules and policy were noted as a weakness in the risk assessment survey.
A study of remote positions is needed, as remote work affects recruitment and retention and many people prefer remote positions.
Safety is a concern for the HR department, especially during the COVID-19 pandemic, since the City does not have a Safety Officer.
FY21 Risks:
Formalized SOPs are a critical tool as they communicate the correct way of carrying out HR activities. SOPs help the organization operate efficiently, maintain consistency, and communicate clearly. Based on interviews, it is unclear whether SOPs cover all critical processes and are kept up to date.
Examples of Potential Risks (Note):
> A lack of standard operating procedures detailing appropriate HR practices
> A lack of standard operating procedures may result in loss of institutional knowledge if an employee leaves the organization
> A lack of standard operating procedures related to employee safety may result in preventable injury claims
Likelihood 2 | Impact 3 | Score 18 | Risk Areas: Strategic; Operational; Financial; Legal & Compliance
Risk 95 | Human Resources | Contract Employees | Reference: State of California Assembly Bill (AB) 5
State of California Assembly Bill (AB) 5 requires the application of the "ABC test" to determine if workers in California are employees or independent contractors. Under the ABC test, a worker is considered an employee and not an independent contractor unless the hiring entity satisfies all three of the following conditions:
1. The worker is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of the work and in fact;
2. The worker performs work that is outside the usual course of the hiring entity's business; and
3. The worker is customarily engaged in an independently established trade, occupation, or business of the same nature as that involved in the work performed.
Some City departments rely on third-party contractors to deliver services. For example, Community Services relies on third-party contractors to manage the golf course, deliver recreational services (e.g., swimming pool, athletic fields) and provide arts and theatre programs. The City uses a variety of methods to mitigate risk in this area, including management-level trainings led by the City Attorney and detailed reviews by Procurement. The City relies on a variety of "flags", such as previous employees trying to work as contractors. In these cases, the City can share the contract with CalPERS for review.
Examples of Potential Risks (Note):
> Litigation against the City for improper employment practices
Likelihood 3 | Impact 2 | Score 16 | Risk Areas: Strategic; Operational; Financial; Legal & Compliance
Risk 96 | Human Resources | Onboarding / Employee Set-up | Reference: 2.08.160 Department of human resources.
The City relies on NEOGOV HR Software to assist with the onboarding process and Check to assist with the background check process. Before the implementation of the NEOGOV onboarding module, the onboarding process was more paper-based. Once an employee is selected for hiring, their information is transferred from the applicant tracking system to the onboarding system.
The City leverages the onboarding tool to ensure candidates receive benefits, payroll, and tax documents along with critical policies and procedures. The NEOGOV system allows the City to share paperwork with new employees before their first day and eliminates the step of creating applicant packets.
Human Resources oversees a two-day onboarding training with new employees. In the past, the City conducted this training monthly, thus allowing for a natural cohort structure. Employees would receive a tour, meet key employees, meet their union representative, and attend a variety of trainings reviewing policies and other key information. Since COVID-19, the City has shifted to an on-demand hiring approach instead of the cohort model.
Examples of Potential Risks (Note):
> New hires do not understand critical policies and procedures
> New hires do not gain access to important employment documents in a timely manner
Likelihood 3 | Impact 2 | Score 16 | Risk Areas: Strategic; Operational; Legal & Compliance
Risk 97 | Human Resources | Performance Management | Reference: 2.08.160 Department of human resources.
The performance management process is predominantly manual. The City has not transitioned to an automated process that would assist with critical steps such as notifying supervisors and employees about upcoming evaluation deadlines.
Performance evaluations for non-union, management employees are less structured and involve greater discretion to determine merit-based increases. Departments conduct these reviews on the anniversary of the employee's first day to determine if an employee moves to the next step.
Examples of Potential Risks (Note):
> Failure to eliminate unconscious bias from the performance appraisal process may increase the risk of litigation against the City based on the Lilly Ledbetter Fair Pay Act (2009) and/or the State of California Fair Pay Act (2016)
> Failure to accurately track and recognize employee performance may lead to reduced engagement, especially among high performers
> Failure to recognize employee performance may result in unwanted turnover of high performers
Likelihood 3 | Impact 2 | Score 16 | Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputation; Political & Economic; IT
Risk 98 | Information Technology | Disaster Recovery Preparedness and Testing | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was High in the internal audit report, IT Risk Management Report.
Noted as a risk area by a risk assessment interviewee.
FY21 Risks:
This area focuses on the IT department's preparations and testing for disaster recovery (DR). In-scope activities include the following:
• Disaster recovery strategy and alignment with the organization's business continuity plans
• Disaster recovery plan preparation
• Disaster recovery testing
Examples of Potential Risks (Note):
> Failure to establish a formal disaster recovery team that has the authority to declare a disaster and has defined roles during an event may result in financial penalties for service level misses
> Inadequate disaster recovery preparedness may result in a disruption of essential processes and service delivery, thus preventing business continuity
> Lack of restoration testing may result in false assurance that the organization has functional backups to restore operations in the event of an emergency
Likelihood 3 | Impact 5 | Score 44 | Risk Areas: Strategic; Operational; Reputational; IT
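The third risk above is the one backup operators most often get wrong: a backup job that exits successfully is not evidence that the backup can be restored. The following added example, written for this page and not the City's tooling, shows what a minimal restoration test looks like: archive a source tree together with a SHA-256 manifest taken from the source, restore the archive into a scratch directory, and compare every restored file against the manifest. It then deliberately truncates one archive member to simulate a backup whose write was cut short but whose job still reported success, and shows that the restore test catches it. File names, the archive layout and the sample contents are all constructed.

```python
"""Added example: a restoration test for a file backup (not the City's tooling).

Builds an archive and a SHA-256 manifest from the source tree, restores the
archive into a scratch directory and compares every file against the
manifest. File names and contents are constructed for the example.
"""
import hashlib
import io
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under src; return {relative path: sha256} taken from the
    source. The manifest, not the job's exit status, is what the restore test checks."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_test(archive: Path, manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Restore into a fresh scratch directory and return (path, problem) pairs;
    an empty list means every file in the manifest came back byte-for-byte."""
    problems: List[Tuple[str, str]] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                target = (dest / member.name).resolve()
                if dest not in target.parents:        # refuse "../" or absolute member names
                    problems.append((member.name, "unsafe path"))
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as fsrc, target.open("wb") as out:
                    shutil.copyfileobj(fsrc, out)
        for rel, digest in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append((rel, "missing after restore"))
            elif sha256_file(restored) != digest:
                problems.append((rel, "checksum mismatch"))
    return sorted(problems)


def truncate_member(archive: Path, name: str) -> None:
    """Rewrite the archive with one member cut in half: simulates a backup whose
    copy of a file was incomplete even though the job reported success."""
    tmp = archive.with_suffix(".tmp")
    with tarfile.open(archive, "r:gz") as src, tarfile.open(tmp, "w:gz") as dst:
        for m in src.getmembers():
            data = src.extractfile(m).read()
            if m.name == name:
                data = data[: len(data) // 2]
                m.size = len(data)
            dst.addfile(m, io.BytesIO(data))
    tmp.replace(archive)


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run the restore test on a clean archive, then on a silently damaged one."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "source"                       # constructed sample tree
        (src / "payroll").mkdir(parents=True)
        (src / "payroll" / "2022-02.csv").write_bytes(b"emp,amount\nE1001,5000\nE1002,5200\n")
        (src / "README.txt").write_bytes(b"constructed sample data\n")
        archive = root / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        clean = restore_test(archive, manifest)
        truncate_member(archive, "payroll/2022-02.csv")
        damaged = restore_test(archive, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean archive:", clean or "all files verified")
    print("damaged archive:", damaged)
```

In a real DR exercise the restore target is the standby environment rather than a scratch directory, and the manifest is kept separately from the archive so that both cannot be lost or altered together; the point the example makes is that the test reads the restored files, not the backup log.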
Risk 99 | Information Technology | Host Intrusion and Malware Defense | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was High in the internal audit report, IT Risk Management Report.
One of the risk assessment interviewees is interested in understanding the risk the City faces in comparison with the risks others face.
FY21 Risks:
This area focuses on the IT department's practices for protecting network-connected computers, telephones, printers and infrastructure hardware devices from intrusive activity and malicious software exploitation. In-scope activities include the following:
• Intrusion detection and prevention deployment, operation, and monitoring
• Malware defense deployment, operation (e.g., signature updating), and monitoring for hosts and applications (e.g., spam email)
Examples of Potential Risks (Note):
> Loss of system/application availability and integrity
> Possible data breach and hijacking (ransomware) of organization data
> Lack of intrusion detection and prevention controls may result in the untimely identification of an attack
Likelihood 3 | Impact 5 | Score 44 | Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputational; IT
Risk 100 | Information Technology | Problem Management and Incident Response | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was High in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the IT department's practices for managing problems and incidents. In scope are the following activities:
• The method(s) by which IT problems are reported and resolved
• Problem tracking, reporting and communication
• Incident response preparation and response testing
• Incident identification, triaging, containment, eradication and recovery
Examples of Potential Risks (Note):
> Loss of IT asset confidentiality, integrity and availability
> Inability to properly identify the root cause of an incident, thus preventing the implementation of the appropriate corrective controls to reduce the risk of future incidents
Likelihood 3 | Impact 5 | Score 44 | Risk Areas: Strategic; Operational; Reputational; IT
Risk 101 | Information Technology | Mobile Device Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
Noted as a risk area by a risk assessment interviewee.
FY21 Risks:
This area focuses on the IT department's management of mobile devices. In-scope activities include the following:
• Authorization to use mobile devices
• Mobile device provisioning, monitoring, support and de-provisioning
• Mobile device incident response
Examples of Potential Risks (Note):
> Unauthorized device access due to compromised security PINs
> Unauthorized access by installed mobile applications to stored email, text messages, media and data
> Unauthorized user access to stored email, text messages, media and data, as well as to network applications via VPN
> Lack of mobile device monitoring may result in the untimely identification of an incident
Likelihood 5 | Impact 3 | Score 40 | Risk Areas: Operational; IT
Risk 102 | Information Technology | Strategy and Governance | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was High in the internal audit report, IT Risk Management Report.
Noted as a risk area by a risk assessment interviewee.
FY21 Risks:
This area focuses on IT strategy and governance practices. In-scope activities include the following:
• Development, maintenance and approval of an IT strategic plan that is aligned with the organization's business strategy
• Development and execution of tactical IT plans that are aligned to the IT strategy
• Development, maintenance and approval of an IT operating budget
• Recurring performance and risk reporting to Executive Management and the Board of Directors
• Oversight of IT operation and resource consumption by Executive Management and the Board of Directors
Examples of Potential Risks (Note):
> Executive management and the Board of Directors are unaware of IT risks and their severity
> IT service delivery is misaligned with the organization and/or over-spends and under-delivers
Likelihood 5 | Impact 3 | Score 40 | Risk Areas: Strategic; Operational; Reputational; IT
Risk 103 | Information Technology | Information Security | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
Noted as a risk area by a risk assessment interviewee.
FY21 Risks:
This area focuses on the IT department's practice of information security. Information security programs are developed to protect an organization's information systems and information from plausible threats and vulnerability exploitation that could result in one or more losses of security: confidentiality, integrity, availability, authenticity and/or non-repudiation. Programs should address the following:
• Policy development and enforcement
• Identity and access management
• Threat identification and management
• Vulnerability identification and management
• Security roles and responsibilities
• Security training and awareness for IT and non-IT personnel
Examples of Potential Risks (Note):
> Increased probability that the systems and the data within them are not adequately protected from technical and malicious threats
> Lack of security awareness training may result in internal employees exposing the organization to security threats
> Lack of vulnerability monitoring may result in untimely threat identification and a lag in response time
Likelihood 2 | Impact 5 | Score 38 | Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputational; IT
Risk 104 | Information Technology | Operations and Monitoring | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the IT department's practices for operating, monitoring and maintaining the computer systems and supporting infrastructure that are used by the work staff. In-scope activities include the following:
• Capacity management
• Hardware and software maintenance
Examples of Potential Risks (Note):
> Increased costs due to insufficient planning and forecasting
> Disruption of business processes and service delivery
> Financial penalties for service level misses
Likelihood 2 | Impact 5 | Score 38 | Risk Areas: Operational; IT
Risk 105 | Information Technology | Physical and Environmental Controls | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on IT physical and environmental safeguards that are deployed to protect the organization's application systems and information. In-scope activities include the following:
• Deployment and monitoring of physical access controls that protect IT assets
• Deployment and monitoring of environmental controls that protect IT assets
Examples of Potential Risks (Note):
> Inappropriate or unauthorized physical access to data centers, server rooms, wiring closets, or facilities containing end-user IT hardware
> Inappropriate or unauthorized physical access to IT hardware
> IT hardware and/or infrastructure loss due to poor environmental controls
Likelihood 2 | Impact 5 | Score 38 | Risk Areas: Strategic; Operational; Legal & Compliance; IT
Risk 106 | Information Technology | Asset Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the IT department's asset management practices. In-scope activities include the following:
• Tracking information technology assets from procurement through disposal
• Reusing and decommissioning information technology assets
• Ensuring information technology assets have an assigned owner, who is a stakeholder in the asset's protection
• Ensuring information technology assets are properly maintained to maximize their useful life
• Tracking software usage and ensuring that vendors' software license agreements are followed
Examples of Potential Risks (Note):
> Inadequate security management of untracked IT assets
> Lack of asset longevity and usefulness of assets
> Data loss due to unsecured assets
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Strategic; Operational; Financial; IT
Risk 107 | Information Technology | Compliance Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the IT department's practices for complying with IT-related contract requirements, governmental regulations (e.g., HIPAA Security Rule) and industry standards (e.g., PCI Data Security Standard). In scope are the following activities:
• Compliance program development and maintenance
• Compliance program monitoring and reporting
Examples of Potential Risks (Note):
> Poor compliance management practices may result in regulatory fines and oversight stemming from non-compliance
> Inability to manage compliance requirements may result in increased operating expenses (e.g., payment card transaction costs)
> Legal costs and ramifications that damage reputation and hinder business operations
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Legal & Compliance; IT
Risk 108 | Information Technology | Procurement and Service Provider Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
Noted as a risk area by a risk assessment interviewee.
FY21 Risks:
This area focuses on the IT department's practices for procuring hardware, software, facilities and services, as well as managing the contracted service providers. In scope are the following activities:
• Procurement strategy
• Vendor and service provider due diligence and performance monitoring
Examples of Potential Risks (Note):
> Insufficient oversight of procurement strategy and methods could result in the failure to optimize the cost and effectiveness of IT asset and service purchases
> Insufficient oversight of service provider contract performance could result in the untimely detection of product/service delivery problems
> Insufficient oversight of service provider activity and security controls could cause security problems, including a data breach
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Strategic; Operational; Financial; Legal & Compliance; Reputational; IT
Risk 109 | Information Technology | Risk Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the IT department's risk management practices. In-scope activities include IT risk identification, triaging, treatment, tracking and management reporting.
Examples of Potential Risks (Note):
> Reputational damage
> Monetary loss and penalties
> Inadequate risk identification may lead to unmitigated threats to the organization
Likelihood 3 | Impact 3 | Score 26 | Risk Areas: Strategic; Operational; Reputational; IT
Risk 110 | Information Technology | Application Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the management of the organization's business applications: how they are developed, procured, modified and managed, as well as how application security is performed and the role of the IT department in managing an application.
Examples of Potential Risks (Note):
> Inability to implement application changes and provide application support in a timely manner due to critical staff shortage or turnover
> Disruption of core business functions due to application downtime
> Shared or generically named accounts used by a group of users lack individual accountability, which may result in inappropriate activity
Likelihood 2 | Impact 3 | Score 18 | Risk Areas: Operational; IT
Risk 111 | Information Technology | Architecture and Deployment | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the architecture and deployment of the organization's information technology. In-scope elements include:
• The network architecture and deployed technology that is used to provide intra-site connectivity, inter-site connectivity and Internet connectivity
• The organization's server and storage infrastructure
• The computer hardware that is deployed for end-users
Examples of Potential Risks (Note):
> Poor or unreliable IT service delivery that may result in customer dissatisfaction
Likelihood 2 | Impact 3 | Score 18 | Risk Areas: Strategic; Operational; IT
Risk 112 | Information Technology | Change Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the IT department's practices for controlling changes to the IT environment. In-scope activities include the following:
• Management of infrastructure hardware, software and configuration changes
• Management of host system software and configuration changes
• Management of normal and emergency changes
• Application release management
• Delineation of the activities that are controlled by change management versus help desk request ticketing
Examples of Potential Risks (Note):
> Inappropriate, unauthorized, under-planned and/or under-tested system changes may be implemented that negatively impact agency operations and/or reputation
> Lack of management's approval prior to moving changes into production may result in disruptions in business operations
> Lack of a formal documented change management process may result in the inconsistent application of changes
> Lack of segregation of duties between the development, testing and production environments can result in inappropriate changes that may disrupt operations
Likelihood 2 | Impact 3 | Score 18 | Risk Areas: Strategic; Operational; IT
Risk 113 | Information Technology | Database and Data Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
Noted as a risk area by risk assessment interviewees.
FY21 Risks:
This area focuses on the IT department's practices for controlling changes to the IT environment. In-scope activities include the following:
• Management of infrastructure hardware, software and configuration changes
• Management of host system software and configuration changes
• Management of normal and emergency changes
• Application release management
• Delineation of the activities that are controlled by change management versus help desk request ticketing
Examples of Potential Risks (Note):
> Inappropriate, unauthorized, under-planned and/or under-tested system changes may be implemented that negatively impact agency operations and/or reputation
> Lack of management's approval prior to moving changes into production may result in disruptions in business operations
> Lack of a formal documented change management process may result in the inconsistent application of changes
> Lack of segregation of duties between the development, testing and production environments can result in inappropriate changes that may disrupt operations
Likelihood 2 | Impact 3 | Score 18 | Risk Areas: Operational; IT
Risk 114 | Information Technology | Organizational Architecture | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report.
Noted as a risk area by a risk assessment interviewee.
FY21 Risks:
This area focuses on the organization of the IT department, its placement within the organization and its approach to staffing.
Examples of Potential Risks (Note):
> A decentralized IT department may result in inefficient operations and shadow IT
> An unaligned organizational structure may result in inefficient service delivery, resulting in increased operating costs and potential service disruption
> Lack of cross-training to backfill critical job roles and tasks may result in inadequate staffing
> Lack of professional development for staff may result in the inability to recruit and retain qualified talent
Likelihood 2 | Impact 3 | Score 18 | Risk Areas: Strategic; Operational; IT
Risk 115 | Information Technology | Project Management | Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Risk rating for this risk area was Low in the internal audit report, IT Risk Management Report.
FY21 Risks:
This area focuses on the IT department's project management practices. In-scope activities include:
• Initiating, planning, executing, controlling, and closing projects
• Managing projects' scope, milestones, quality and budget
• Ensuring projects are adequately staffed
• Reporting project progress and issues on a recurring basis to management and stakeholders
Examples of Potential Risks (Note):
> Poor project deliverable quality
> Project cost overruns and late project completion
> Inadequate project management may lead to fines due to unmet project milestones or non-compliance
Likelihood 2 | Impact 2 | Score 10 | Risk Areas: Operational; IT
116 Information
Technology
End-User Support
and Perceptions
2.08.240 Department of
information technology.
FY22 Risk Updates:
Risk rating for this risk area was Medium in the internal audit report, IT Risk Management Report
FY21 Risks:
This area focuses on the IT department’s scope and approach for providing end-user support as well as the perceptions that end-users have regarding IT
service delivery. In-scope activities include the following:
• End-user request intake
• Help Desk triaging of end-user requests and problems
• Help Desk request tracking and reporting
• End-user notification of request handling progress and completion • Requesting and receiving end-user feedback on completed or abandoned service requests
Examples of Potential Risks (Note):
>Loss of end-user sponsorship and partnership in IT initiatives
>Inefficient help desk processes related to request in-take, triaging, tracking and reporting may result in end-user dissatisfaction
Likelihood: 3 | Impact: 1 | Score: 8 | Risk Areas: Operational, Reputational, IT
Risk ID: 117 | Functional Area: Information Technology | Risk Title: Ransomware | Code Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Noted as a risk area by a risk assessment interviewee
FY21 Risks:
Governments are subject to cybersecurity threats, including but not limited to hacking, malware and ransomware. These crimes are becoming more common
and costly for local governments to detect and deter.
Examples of Potential Risks (Note):
>Financial loss as a result of a cyber attacker demanding a monetary payment in exchange for the organization's data.
>Service delivery disruption as a result of organizational data being held for ransom, preventing employee access to essential data.
Likelihood: 2 | Impact: 5 | Score: 38 | Risk Areas: Reputational, IT
Risk ID: 118 | Functional Area: Information Technology | Risk Title: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) | Code Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
Reference notes under "Disaster Recovery Preparedness and Testing"
FY21 Risks:
As a best practice, the City can benefit from a BCP which includes a DRP that is communicated to all staff. There is a lack of awareness across several
functions on whether or not the City has a formal BCP and DRP. Failure to establish a plan leaves the potential for an interruption in services and for
parties not knowing their roles, responsibilities and sequence of operations in the event of an identified disaster.
Examples of Potential Risks (Note):
>Less effective and timely recovery from disaster events resulting in increased disruption of business operations or service delivery, increased expenditures for system recovery and potentially reputational damage
Likelihood: 2 | Impact: 4 | Score: 28 | Risk Areas: Strategic, Financial, IT
Risk ID: 119 | Functional Area: Information Technology | Risk Title: IT Roadmap | Code Reference: 2.08.240 Department of information technology.
FY22 Risk Updates:
• The City's three-year IT strategy is ending in 2021. Also, reference "Strategy and Governance"
FY21 Risks:
As a best practice, an IT department's 1-3 year strategic roadmap is recommended to align specifically with the City's strategic goals. Failure to
implement a documented roadmap may result in an inefficient use of limited resources and the inability of the department to support the overall business
operations of the City. This can reveal itself when operations tend to be more reactive in nature. Proactive measures such as a roadmap will support
alignment of network security, replacement of aging applications with new systems, hardware and software, and other technical items with the business
goals of the City.
Examples of Potential Risks (Note):
>Absence of a formal IT Capital Plan approach has limited the transparency into the IT Capital Plan budget and misses the opportunity to facilitate a
cohesive, City-wide IT investment strategy
Likelihood: 2 | Impact: 3 | Score: 18 | Risk Areas: Strategic, Legal & Compliance, Reputational, IT
Risk ID: 120 | Functional Area: Library | Risk Title: Events | Code Reference: 2.08.230 Department of libraries.
Throughout the year, the library hosts many events, holiday parties and seminars. These events are interactive, often involving food, music and
performances. Events are hosted by the library in conjunction with external non-profits, community agencies, faith-based organizations and individual
persons and groups. The library also works with internal departments such as Police and Fire to host events. Events are designed to be educational and
to help engage the community.
Examples of Potential Risks (Note):
>Health and safety for gatherings of large groups of individuals
>Culturally insensitive events
Likelihood: 1 | Impact: 3 | Score: 12 | Risk Areas: Strategic, Legal & Compliance, Reputation
Risk ID: 121 | Functional Area: Library | Risk Title: Inventory Management | Code Reference: 2.08.230 Department of libraries.
The largest business of the library involves the management of the book inventory (check-in and check-out). An inherent risk to lending is the ability to
recoup and collect items loaned. The City does not charge late fees for book rentals but does impose fines and fees for replacement of books that are 42
days late. Laptops and other library collection items are subject to late fees and replacement costs.
Examples of Potential Risks (Note):
>Book return process and inventory management
Likelihood: 3 | Impact: 2 | Score: 16 | Risk Areas: Financial
Risk ID: 122 | Functional Area: Library | Risk Title: Library Programs | Code Reference: 2.08.230 Department of libraries.
Palo Alto's library offers hundreds of adult, children and family programs and services. These programs and services are open to any member of the
community or library card holder. These programs include:
>Book Clubs
>ESL Classes
>Writers workshops and contests
>Arts and Crafts
>Story Times
Library programs and services are traditionally offered both in person and virtually. Some programs may require pre-registration, while others are
readily available online, to be used at any time.
Examples of Potential Risks (Note):
>Program demand
Likelihood: 1 | Impact: 3 | Score: 12 | Risk Areas: Strategic, Financial, Legal & Compliance, Reputation
Risk ID: 123 | Functional Area: Library | Risk Title: Privacy | Code Reference: 2.08.230 Department of libraries.
Privacy is a concern for both the City and its citizens. Holding and storing personal information safely, even for minimal periods of time, is essential.
The library collects personal information from residents when evaluating citizens' requests for a library card; no information is retained by any of the City's
libraries.
Examples of Potential Risks (Note):
>Users do not log off when using the library computers/hardware
>Private information regarding use of the libraries and their services is stored improperly
Likelihood: 3 | Impact: 1 | Score: 8 | Risk Areas: Legal & Compliance, Reputation, IT
Risk ID: 124 | Functional Area: Library | Risk Title: Locations Management | Code Reference: 2.08.230 Department of libraries.
FY22 Risk Updates:
The Libraries' organizational structure was reorganized and reduced during previous rounds of budgeting. Limited staff has increased the workload on
existing staff without changes in technology for inventory management.
FY21 Risks:
Palo Alto has 5 library branches spaced throughout the City. Each library has unique services and functions and is situated near other City services. The
placement and special function of each library is to best serve the local community surrounding the library.
Individuals are able to use any library and may request books from another library be transferred to their chosen community library for reservation and
check-out. Additionally, books may be returned to any library or book-drop, regardless of where the book was originally checked-out.
Examples of Potential Risks (Note):
>Internal management of book returns and logistics is inefficient, and books are temporarily or permanently lost
>Balance of staff and service offerings
Likelihood: 3 | Impact: 1 | Score: 8 | Risk Areas: Strategic, Operational, Financial, Reputational
Risk ID: 125 | Functional Area: Planning and Development Services | Risk Title: Long Range Planning | Code Reference: 2.08.220 Department of planning and development services; Chapter 16.65 CITYWIDE AFFORDABLE HOUSING REQUIREMENTS; Chapter 19.04 PLANNING COMMISSION
FY22 Risk Updates:
• Uncertainty of aging population
• Workforce constraints
• Economic uncertainty
• Inflation
• State mandated initiatives and/or funding requirements
FY21 Risks:
The Long Range Planning division within the Department of Planning & Development Services guides and develops visioning and implementation
programs for the City's community development policies and programs.
Division areas of focus include:
>Affordable housing
>Housing planning and policies
>Land Use and zoning
>Weatherization
>Comprehensive Planning
>Community Block Grants
Examples of Potential Risks (Note):
>Unforeseen changes in economic or political conditions leading to required changes and inability to forecast future circumstances
Likelihood: 5 | Impact: 4 | Score: 46 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic
Risk ID: 126 | Functional Area: Planning and Development Services | Risk Title: Current Planning | Code Reference: 2.08.220 Department of planning and development services
FY22 Risk Updates:
• Internal audit review of permitting processes, specific to solar panels
• Updated ERP system for tracking permitting and payments
FY21 Risks:
Anyone desiring to build in Palo Alto will first need to receive a building permit. The planning function provides building permits based on the
function's broader Comprehensive Plan 2030, compliance with the California Environmental Quality Act (CEQA), Plan Review (a fully outsourced service)
and other codes and regulations. There is also an Architecture Review Board that consults on decisions for new proposals. All of these factors are
considered when making decisions regarding proposals and requests.
Examples of Potential Risks (Note):
>Disagreement among interpretations of current codes and regulations, increasing the amount of discretion necessary in decision making
>High quantities of new building proposals required for review, putting pressure on existing staff and lowering overall quality
Likelihood: 4 | Impact: 3 | Score: 34 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation
Risk ID: 127 | Functional Area: Planning and Development Services | Risk Title: Development Services | Code Reference: 2.08.220 Department of planning and development services
FY22 Risk Updates:
• Internal audit review of permitting processes, specific to solar panels
• Updated ERP system for tracking permitting and payments
FY21 Risks:
Development Services includes the Development Center, Plan Review Services, and the Inspection program. Permits are filed in person at City Hall or
through the new Online Permit Services System. Permits and inspections are mandated before construction and/or remodeling for a variety of projects.
Examples of Potential Risks (Note):
>Individuals and businesses do not request permits or inspections before initiating projects
>Delays or backlogs in providing permitting and inspection services
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Operational, Financial, Legal & Compliance, Reputation
Risk ID: 128 | Functional Area: Planning and Development Services | Risk Title: Code Enforcement | Code Reference: 2.08.220 Department of planning and development services
The Code Enforcement Division of the Department of Planning & Development Services is responsible for enforcement of property maintenance, zoning,
and building codes throughout Palo Alto.
Examples of Potential Risks (Note):
>High volume of development and/or renovations without adequate capacity to enforce all codes
>Inability to respond to all complaints made by community members
Likelihood: 3 | Impact: 2 | Score: 16 | Risk Areas: Operational, Legal & Compliance, Reputation
Risk ID: 129 | Functional Area: Planning and Development Services | Risk Title: Building Division | Code Reference: 2.08.220 Department of planning and development services
The City of Palo Alto Building Division serves as a resource for homeowners, businesses, designers and contractors. The goal is to help customers build
safe, healthy and sustainable buildings that comply with applicable codes and regulations.
Examples of Potential Risks (Note):
>Volume of requests due to high demand for new builds and renovation, leading to lower quality of advice or inability to answer all incoming questions
Likelihood: 3 | Impact: 2 | Score: 16 | Risk Areas: Operational, Legal & Compliance, Reputation
Risk ID: 130 | Functional Area: Planning and Development Services | Risk Title: Historic Preservation | Code Reference: 2.08.220 Department of planning and development services; 18.12.140 Historical Review and Incentives; 18.10.130 Historical Review and Incentives
The City of Palo Alto looks to preserve and protect its culturally, historically and architecturally significant places in order to create a vibrant and
sustainable community that fully reflects Palo Alto’s diverse past. The City of Palo Alto’s Historic Preservation Program began in 1979 and currently
boasts four National Register Districts and hundreds of individually significant resources.
Examples of Potential Risks (Note):
>Cultural significance of historic homes and architecturally significant places increases reputational risk related to preservation
>Process efficiency and customer service
Likelihood: 1 | Impact: 2 | Score: 6 | Risk Areas: Financial, Legal & Compliance, Reputation, Political & Economic
Risk ID: 131 | Functional Area: Police | Risk Title: Use of Force and Officer Conduct | Code Reference: 2.08.170 Police department.
The Independent Police Auditor has the authority to review and assess, for objectivity, thoroughness, and appropriateness of disposition, citizen complaint
investigations of misconduct and internal affairs investigations associated with the Police Department, and makes recommendations to the Police Chief.
Loss of trust in law enforcement is a common externality. Research shows that perceived legitimacy of law enforcement is critical to effective law enforcement.
High profile officer-involved interactions carry with them a variety of risks.
Examples of Potential Risks (Note):
>Litigation due to perceived or actual misconduct may result in legal action and expensive settlements
>Reputational harm from improper use of force
Likelihood: 2 | Impact: 5 | Score: 38 | Risk Areas: Operational, Financial, Reputation
Risk ID: 132 | Functional Area: Police | Risk Title: Staffing Levels | Code Reference: 2.08.170 Police department.
FY22 Risk Updates:
In the survey, an audit of hiring, recruiting, and retention was recommended.
Some interviewees noted lack of diversity, which they are currently trying to address.
FY21 Risks:
As of November 2020, nine employees are eligible for retirement and the City recently offered a retirement incentive. In addition, PD is also experiencing
attrition among line-level officers, some of whom make lateral moves to work in other communities. Due to hiring constraints, turnover typically results in
prolonged position vacancies.
Examples of Potential Risks (Note):
>Costs associated with position vacancy including lost productivity, overtime paid to officers, and training costs
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic, IT
Risk ID: 133 | Functional Area: Police | Risk Title: Overtime | Code Reference: 2.08.170 Police department.
FY22 Risk Updates:
Staffing shortages for police officers and first responders are common across the State and within the City. Additional pressures include public pressure
not to grow police forces and the retirement of City officers.
FY21 Risks:
Unpaid overtime claims are the largest category of complaints filed under California's wage and hour laws. Palo Alto police officers frequently work
overtime. A common issue is having step-based officers working dispatch during times of need.
Examples of Potential Risks (Note):
>Increased stress and fatigue among officers
>Increased financial burden on the City as officers are paid at a higher rate
Likelihood: 4 | Impact: 2 | Score: 24 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic, IT
Risk ID: 134 | Functional Area: Police | Risk Title: Records Management | Code Reference: 2.08.170 Police department.
Law enforcement records management systems are a valuable source of information essential to the investigative, arrest, and judicial processes. Failure
to manage records can affect the successful prosecution of criminal violators, resulting in liability or loss of public confidence.
The City of Palo Alto Police Department relies on Sun Ridge Systems, Inc. to manage its police records.
Examples of Potential Risks (Note):
>Mismanagement of records, resulting in non-compliance from federal and/or State standards
>Insufficient record retention for important, highly visible cases
Likelihood: 2 | Impact: 3 | Score: 18 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic, IT
Risk ID: 135 | Functional Area: Police | Risk Title: Dispatch | Code Reference: 2.08.170 Police department.
The City of Palo Alto uses the dispatch function within the Police Department in order to dispatch for multiple functions, including police calls, Stanford
matters, utilities, fire, and others. This dispatching service provides a conduit from citizens to City public safety and emergency services.
Examples of Potential Risks (Note):
>Mishandling of emergency calls from the public could lead to unfavorable views of City Police and other services
>Multiple services addressed by dispatch may raise the risk for errors or bottlenecks in dispatching processes
>Inaccurate allocation of dispatch related costs to other departments or organizations
Likelihood: 3 | Impact: 2 | Score: 16 | Risk Areas: Operational, Reputation
Risk ID: 136 | Functional Area: Police | Risk Title: Onboarding/Training | Code Reference: 2.08.170 Police department.
FY22 Risk Updates:
Staffing shortages for police officers and first responders are common across the State and within the City. Additionally, given actual or perceived public
pressure on law enforcement, training is increasingly important for public trust.
FY21 Risks:
Officers are required to complete a minimum of 32 hours of ongoing professional training every 24 months. Officer training is integrated into officers'
schedules throughout the year. Training is delivered both in person and virtually, in group or individual settings. Additionally, training and
onboarding of a new officer recruit can take upwards of 18 months.
Examples of Potential Risks (Note):
>Noncompliance with training requirements
>Inadequately trained personnel resulting in improper handling of public safety matters
Likelihood: 2 | Impact: 3 | Score: 18 | Risk Areas: Operational, Legal & Compliance, Reputation
Risk ID: 137 | Functional Area: Public Works | Risk Title: Engineering Services | Code Reference: 12.04.030 Public Works; 2.30.100 Public Works Contracts; 2.30.300 Public Works Contracts; 2.08.190 Department of Public Works
FY22 Risk Updates:
• Collective cost of repairs, upgrades and new building projects has increased
• Pipeline monies from State and Federal dollars
• Supply chain constraints for raw materials and supplies
• Cost of materials and labor, particularly for contracted work
The internal audit report, Construction Project Controls Assessment, provided recommendations in the following areas:
• Project Reporting
• Document Control
• Prevailing Wage Monitoring
• Schedule Management
• Allowance Usage
FY21 Risks:
The Engineering Services Division designs and constructs City-owned facilities, streets, sidewalks, storm drains and parks infrastructure; provides
engineering support to City Departments and the private development community for construction in the public right of way.
The City oversees approximately 400,000 square feet of City-owned facilities including multiple community centers and libraries. Usage and maintenance
patterns differ for each of these facilities. For example, the City leases space within the Cubberley Community Center under a variety of long-term leases.
Examples of Potential Risks (Note):
>Lack of funding may cause some capital projects to be significantly delayed and risk cost over-run from lack of continuous activities (i.e. start-up/shut-down operations)
>Unfavorable contract terms resulting in unexpected expenses
Likelihood: 2 | Impact: 5 | Score: 38 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic, IT
Risk ID: 138 | Functional Area: Public Works | Risk Title: Public Services - Fleet | Code Reference: 2.30.100 Public works contract.
FY22 Risk Updates:
• Supply chain constraints for raw materials and supplies
• Cost of materials and labor, particularly for contracted work
FY21 Risks:
The Public Services Division maintains the City's fleet. Due to spending restrictions because of the COVID-19 pandemic, the City has limited fleet
maintenance efforts as a cost savings measure.
The City maintains a pool of vehicles that may be used for City business.
Examples of Potential Risks (Note):
>An aging fleet may result in increased maintenance costs
>Lack of funding stability may harm the City's ability to maintain and replace vehicles
>Charges to user departments may not sufficiently cover the City's full fleet costs
>Policies and procedures that fail to clearly define replacement criteria may result in inefficient replacement methods
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation
Risk ID: 139 | Functional Area: Public Works | Risk Title: Wastewater Treatment Plant Operations
The City operates the Regional Water Quality Control Plant (RWQCP), which cleans and treats wastewater before it is discharged to San Francisco Bay.
The plant is owned and operated by the City of Palo Alto, and it treats wastewater for the communities of Los Altos, Los Altos Hills, Mountain View, Palo
Alto, Stanford University and the East Palo Alto Sanitary District. There is an agreement in place to allocate costs to each community.
Examples of Potential Risks (Note):
>Accuracy of cost allocation to each community
>Compliance with applicable environmental laws
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Operational, Financial, Legal & Compliance
Risk ID: 140 | Functional Area: Public Works | Risk Title: Airport | Code Reference: 2.30.100 Public works contract.
FY22 Risk Updates:
In the survey, the following opportunity was identified: New Airport technologies for streamlining administrative processes
FY21 Risks:
The Airport Division operates and maintains the Palo Alto Airport, the 3rd busiest airport in the Bay Area. The Air Traffic Control Tower is operated by the
Federal Aviation Administration.
The Airport generates revenues through tie-down fees and hangar rentals. The fee schedule is updated periodically.
The Airport Division is overseeing a multi-phase apron reconstruction project. Construction began in 2018 and is expected to be complete in 2021.
Construction of Phase I was completed in June 2018. Construction of Phase II began in December 2018 and was completed in January 2020.
Examples of Potential Risks (Note):
>Unfavorable contract terms may result in unexpected expenses
>Failure to reconcile contractor invoices may result in overpayments
>Poor project planning may result in expensive change orders
>Improper billing or management of fees for service
>Impact of repayment plan established by Airport to the General Fund causing impacts on airport operations
Likelihood: 2 | Impact: 4 | Score: 28 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance
Risk ID: 141 | Functional Area: Public Works | Risk Title: Public Services - Facilities
FY22 Risk Updates:
State requirements to maintain facilities that are related to environmental impacts and controls have increased and oversight has changed. There are also
larger workforce issues for the City and for outside vendors.
FY21 Risks:
The City must prioritize capital projects based on a variety of factors. The 2011 Blue Ribbon Commission (IBRC) report highlighted conclusions the City
uses to assist with project prioritization and funding models. Key conclusions include:
>The City underfunded its infrastructure maintenance in the amount of over $2 million per year.
>The City permitted the infrastructure underfunding to accumulate, building a backlog of "catch-up" needs totaling over $40 million.
>Five major City-owned facilities fell below current standards of safety, capacity, and functionality.
Examples of Potential Risks (Note):
>Inadequate preventative maintenance resulting in long-term financial burden of managing emergency maintenance needs
>Failure to adhere to an infrastructure management system may hinder the City's ability to track the condition and use of all City infrastructure
>Failure to effectively maintain City-owned facilities may result in more costly long-term repairs and replacement in the future
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Operational, Financial
Risk ID: 142 | Functional Area: Public Works | Risk Title: Environmental Services | Code Reference: 2.30.100 Public works contract.
FY22 Risk Updates:
The City has incorporated the building of a new Environmental Laboratory and Environmental Services Building. The building will allow for new technology
and testing for water, wastewater and stormwater systems.
FY21 Risks:
The Environmental Services division operates and maintains the Regional Water Quality Control Plant; maintains a Pretreatment Program for control of
industrial and commercial dischargers; provides pollution prevention information and programs to residents and businesses; manages the City’s solid
waste programs.
Environmental Services helps implement Zero Waste Palo Alto's mission, to help the community virtually eliminate waste being buried or burned. This
effort involves garbage collection and sorting, recycling, and composting. Environmental Services contracts out these waste collection and sorting
services.
Examples of Potential Risks (Note):
>Failure to detect non-compliant industrial dischargers may result in preventable pollution
>Failure to achieve Zero Waste goals may harm the City's reputation
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation
Risk ID: 143 | Functional Area: Public Works | Risk Title: Urban Forestry
The Public Works Urban Forestry Section maintains nearly 66,000 trees of Palo Alto’s urban forest. The urban forest provides a variety of benefits
including:
>Reduce the effects of urban density
>Increase property values
>Assist with storm water mitigation
>Remove air pollutants
>Assist with greenhouse gas sequestration
The City has established an Urban Forest Master Plan, which was adopted in February 2019. The “Implementation Plan” includes planning for:
>Budget need
>Inter-departmental collaboration
>Municipal Code updates
>Monitoring
Examples of Potential Risks (Note):
>Risks associated with contract management
Likelihood: 1 | Impact: 3 | Score: 12 | Risk Areas: Operational, Legal & Compliance, Reputation
Risk ID: 144 | Functional Area: Public Works | Risk Title: Building Deconstruction | Code Reference: 2.30.100 Public works contract.
As part of an ongoing effort to reduce waste in Palo Alto, City Council approved a Deconstruction Ordinance. The goal is for building materials to be
reused or recycled, so workers will have to disassemble structures instead of wrecking buildings. Two of the largest components of landfill waste are food
waste and construction and demolition (C&D) related materials. C&D materials represent more than 40% of Palo Alto debris that gets disposed in
landfills.
Examples of Potential Risks (Note):
>This ordinance may place a financial burden on residential, commercial, and industrial property owners interested in demolishing a building
>The City may weaken its reputation as "business-friendly"
>Property owners may avoid needed upgrades to circumvent additional costs
Likelihood: 2 | Impact: 2 | Score: 10 | Risk Areas: Financial, Reputation, Political & Economic
Risk ID: 145 | Functional Area: Transportation | Risk Title: Safety Improvement Projects and Traffic Operations | Code Reference: 2.08.260 Office of transportation.
FY22 Risk Updates:
The California Department of Transportation's mission was changed in FY22 to make transportation more equitable and defend the climate. State
missions and funding streams will be used to advance this mission.
FY21 Risks:
The Office of Transportation works to enhance quality of life and improve the safety of the users of all modes of transportation. To achieve these goals,
the Office manages safety improvement projects, collects transportation data, sets speed limits, follows signage and striping best practices, and
implements traffic control measures.
Examples of Potential Risks (Note):
>Improper roadway safety and operations decisions may result in preventable roadway incidents with legal ramifications for the City
>Failure to obtain community support for a project may result in expensive change orders and reputational harm
Likelihood: 2 | Impact: 4 | Score: 28 | Risk Areas: Strategic, Financial, Legal & Compliance, Reputation
Risk ID: 146 | Functional Area: Transportation | Risk Title: Contract Management | Code Reference: 2.08.260 Office of transportation.
FY22 Risk Updates:
The amendment of the Duncan Solutions contract to implement ALPR technology and the Surveillance Use Policy were approved by City Council on
2/22/2021. There is public concern about privacy, and the contract is to comply with SB 210. The policy states, "ALPR system audits will be conducted
on a regular, annual basis." Staff anticipates being able to procure the essential hardware by April 2021 or shortly thereafter, with full implementation
expected to launch by late Summer 2021.
FY21 Risks:
The Office of Transportation relies on contracted services for a variety of areas including construction, parking enforcement, and permitting. Noteworthy
contractors include Serco and Duncan Solutions.
The Serco contract is three years, in an amount not-to-exceed $2,322,285, for residential preferential parking enforcement services. The Duncan Solutions
contract is $627,000 over a five-year term to develop, implement, support and maintain a parking permit and citation management system.
Examples of Potential Risks (Note):
>Unfavorable contract terms resulting in unexpected expenses
>Contract compliance and cost control issues
>Failure to reconcile contractor invoices may result in overpayments
Likelihood: 3 | Impact: 5 | Score: 44 | Risk Areas: Operational, Financial, Legal & Compliance
Risk ID: 147 | Functional Area: Utilities | Risk Title: Workforce & Succession Planning | Code Reference: 2.08.200 Department of Utilities
FY22 Risk Updates:
- The department may be impacted by a loss of institutional knowledge due to long-term staff retirements creating position vacancies which results in the
hiring of new staff that is unaware of the City's processes. There are also challenges with attracting and retaining staff due to non-competitive salaries.
- One of the risk assessment interviewees mentioned that a salary is being increased as a currently vacant position cannot be filled.
FY21 Risks:
With Palo Alto's high cost of living, the City has had trouble recruiting and retaining positions such as linemen and operations crew, as there are other
organizations (such as investor-owned utilities) in more affordable areas that also need these positions. These employees can often make
the same or higher salaries at other organizations with lower costs of living. This creates an issue for the City with regard to recruiting and retaining
positions in high demand such as linemen.
Examples of Potential Risks (Note):
>Sustained high vacancy of positions decreases the ability for Palo Alto to maintain the pace of capital improvements and maintenance
>High turnover of employees increases personnel expenses associated with onboarding and training
>Difficulty hiring high-quality employees in these types of positions
Likelihood: 2 | Impact: 3 | Score: 18 | Risk Areas: Operational, Financial, Reputation, Political & Economic
Risk ID: 148 | Functional Area: Utilities | Risk Title: AMI Project | Code Reference: 2.08.200 Department of Utilities
FY22 Risk Updates:
The City has the opportunity to improve its metering process.
FY21 Risks:
Palo Alto is moving towards an implementation of AMI (Advanced Metering Infrastructure) technology for meter reading. AMI will allow the City to conduct
meter readings with more efficiency and accuracy. The costs associated with such an implementation are significant. Any implementation of such an effort
may run into unexpected challenges and barriers. Additionally, redeploying current meter readers is also a challenge.
Examples of Potential Risks (Note):
>Customers desiring to opt out of AMI technology may introduce additional challenges in creating efficient meter reading processes
>Implementation of AMI can introduce financial risks for unexpected challenges
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Operational, Financial, IT
Risk ID: 149 | Functional Area: Utilities | Risk Title: Work Order & Asset Management | Code Reference: 2.08.200 Department of Utilities
For any operations and maintenance, a proper work order system is vital to the operations of the utility. Modern-day technology and automation can
improve the work order process and reduce the number of steps required from employees.
Examples of Potential Risks (Note):
>Implementation of an automated work order system can be costly and disruptive
>Lack of an automated work order system can create efficiency issues and opportunities for human error
>Improper use of the work order system resulting in improper classification of assets
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Operational, IT
Risk ID: 150 | Functional Area: Utilities | Risk Title: Rebates and Programs | Code Reference: 2.08.200 Department of Utilities
FY22 Risk Updates:
- FY22 Adopted Operating Budget document states that it assumes various rate changes.
- One of the risk assessment interviewees is concerned about capacity and costs to increase renewable energy.
FY21 Risks:
The City offers both residential and commercial utility customers rebates and programs to assist with efficiency and cost savings. In particular, both
residential and commercial customers can take advantage of city resources to learn more about solar energy. The City also offers tips and tricks
regarding energy efficiency. Residential customers can receive landscape rebates, rebates for outdoor surveys, home water surveys, EV rebates,
heat pump water heater rebates and permeable pavement rebates, to name a few. Commercial customers can also receive water rebates and other
business-specific rebates, and can take advantage of the fiber program, renewable energy program and others.
Examples of Potential Risks (Note):
>Decreased consumption impacting rates
>Rebates and programs become cost inefficient, producing less benefits than inputs required to run the program
Likelihood 3, Impact 3, Score 26. Risk Areas: Operational, Financial, Reputation
151 Utilities Purchase Power Contract Management
2.08.200 Department of Utilities FY22 Risk Updates (Based on PPA Audit):
> There is no formal process to monitor and document vendor compliance with Power Purchase Agreements.
> Changes made to the front office model do not require approvals, which may increase the likelihood of inaccurate reporting.
> The OCA identified during process interviews that CPAU does not have a process in place to validate NCPA settlement processes that include the
verification of invoice calculations, contract rates, and matching ARB amounts on behalf of the City.
FY21 Risks:
The City purchases all of its power from external sources, without any generation operations of its own. This requires a greater effort in monitoring
these Purchase Power Agreements. Monitoring these agreements is important both from a compliance standpoint, ensuring that state and local
requirements are being met, and from a financial standpoint, ensuring that costs are reasonable.
Examples of Potential Risks (Note):
>The cost of purchased power exceeding the cost of generating power
>Noncompliance with purchase power agreements
Likelihood 4, Impact 4, Score 42. Risk Areas: Strategic, Financial, Legal & Compliance
152 Utilities Rates and Rate Adjustments
2.08.200 Department of Utilities FY22 Risk Updates:
The City's processing of large rate adjustments needs improvement.
FY21 Risks:
Palo Alto owns and operates its own utilities. However, the City purchases all of its electric, water, and gas from other sources. The City must set its rates
according to the cost to purchase power, water, and gas, as well as all O&M and capital costs associated with administering the utilities. For example, the
City purchases water from a different source than its neighbors and subsequently has higher water rates.
Examples of Potential Risks (Note):
>Competitive rates in neighboring communities may provide incentive for any prospective residents to choose neighboring communities
>Rising rates may indicate operational inefficiencies that contribute to a greater cost of service
>Compliance with regulatory requirements in the rate setting process
>Reputational risk associated with rate setting
>Delay in cost recovery after provider's cost increase
>Allocation of costs across utilities
Likelihood 3, Impact 4, Score 36. Risk Areas: Strategic, Operational, Financial, Reputation
153 Utilities Utility Bill Collections
2.08.200 Department of Utilities As a practice, the City of Palo Alto does not currently shut off utilities for those who regularly miss payments. This includes both commercial and
residential customers. The City maintains financial reserves that fluctuate over time but aims to keep them above 70 days. Customers who continue
not to pay their bills will reduce these financial reserves.
Examples of Potential Risks (Note):
>Continued practices of no water shut offs may encourage late payments or missed payments
>The City may not have the option to complete water shut offs during times like COVID-19, or may not want to complete shut offs due to reputational risk
Likelihood 3, Impact 2, Score 16. Risk Areas: Financial, Legal & Compliance, Reputation, Political & Economic
154 Utilities Customer Service 2.08.200 Department of Utilities The City of Palo Alto Utilities Customer Service supports the Utilities mission to provide safe, reliable, environmentally sustainable and cost effective
services. Customer Services supports residential and commercial customers with questions about the Utilities services: electric, fiber optics, natural gas,
water, and wastewater. Customer Services helps customers pay their bill, start new services, and access rebates.
Examples of Potential Risks (Note):
>Negative customer interactions reflect poorly upon the City
>COVID-19 and other emergency utility disconnection moratoriums cause a financial burden for the City
>Improper handling of customer accounts
Likelihood 3, Impact 2, Score 16. Risk Areas: Operational, Reputation
City of Palo Alto
Office of the City Auditor
FY22/FY23 Annual Audit Plan
February 15, 2022
FY2022/2023 Audit Plan
Overview
Introduction
The purpose of the audit activities performed by the Office of the City Auditor (OCA) for the City of Palo Alto (the City) is “to
ensure that city management is using its financial, physical, and informational resources effectively, efficiently, economically,
ethically, and equitably, and in compliance with laws, regulations, contract and grant requirements, and city policies and
procedures”, according to the Palo Alto Municipal Code (Section 2.08.130). The Code requires the City Auditor to prepare an annual
audit plan for the City Council’s approval at the beginning of each fiscal year.
In accordance with Task #2 of the Baker Tilly agreement (City of Palo Alto Contract No. C21179340), Baker Tilly US, LLP
(Baker Tilly) performed the initial risk assessment after having started to serve as OCA in October 2020 and submitted in
early 2021 the FY21-FY22 annual audit plan identifying audit activities across an 18-month horizon (through FY22).
The OCA updated the initial risk assessment in January 2022, one year after our initial risk assessment. This audit plan for
the remaining FY22 and FY23 was prepared based on the results of the updated risk assessment. The OCA will seek
approval of contract task orders iteratively during that timeframe in order to remain agile and accommodate changes to the
plan as time passes.
Other activities are addressed in separate task orders corresponding to the tasks in the Baker Tilly agreement. For example,
the City Auditor performs follow up on audit findings and recommendations, as outlined in Task #5.
Conformance with Local Ordinances and Standards
Section 2.08.130 of the Palo Alto Municipal Code states that the mission of the OCA is to promote honest, efficient, effective,
economical, and fully accountable and transparent city government. Audits are to be conducted and nonaudit services
provided in accordance with Government Auditing Standards, as established by the Comptroller General of the United
States, Government Accountability Office.
The following duties of the City Auditor exist regarding the plan and scope of internal audits.
Palo Alto City Charter
Article IV Sec. 12 requires the City Auditor to perform the following:
– Conduct audits in accordance with a schedule approved by the City Council, and conduct unscheduled audits
from time to time as appropriate.
– Conduct internal audits of all the fiscal transactions of the City.
Title 2 Administrative Code
Section 2.08.130 requires the City Auditor to perform the following:
– Prepare an annual audit plan for city council approval.
– Identify the preliminary objectives of each audit to be performed, reflecting the purpose of the engagement and a
preliminary description of the areas that may be addressed.
– Conduct performance audits and perform nonaudit services of any city department, program, service, or activity as
approved by the city council.
California Government Code
Section 1236 requires all cities that conduct audit activities to conduct their work under the general and specified
standards prescribed by the Institute of Internal Auditors (IIA) or the Government Auditing Standards (GAO) issued by the
Comptroller General of the United States, as appropriate.
Audit Activity Types
OCA will conduct performance audits and perform financial/operational analyses of any City department, program, service, or
activity as approved by the City Council in accordance with the Baker Tilly agreement.
Performance Audits
According to the Government Auditing Standards (GAO-18-568G, Sections 1.21 and 1.22, pages 10-12), performance audits
provide objective analysis, findings, and conclusions to assist management and those charged with governance and
oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision
making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability.
Performance audits may include the following four (4) audit objectives:
– Program effectiveness and results
– Internal control design and effectiveness
– Compliance with laws, regulations, and policies
– Prospective analysis
Audit Planning Considerations
While maintaining its independence and objectivity in accordance with standards, the City Auditor considers a variety of
matters when developing the Annual Audit Plan, including but not limited to:
– Risk assessment – OCA performed a risk assessment and summarized the results in a separate report (Task #2).
Generally speaking, audit activities target high(er) risk areas. The results are shown on the following page.
– Ability to add value – audit seeks to add value through independent and objective analysis.
– City Council – the City Auditor reports to the City Council and seeks input on audit priorities.
– Coverage and Prior Audits – the City Auditor considers prior audits conducted by OCA, the financial audit, and other
audit and consulting reports recently issued.
– “Ripeness” and On-Going Initiatives – certain risk areas may be addressed through operational activities, which
could mean they are not ripe for audit to add value.
– Scheduling – the City Auditor takes into consideration the timing of an audit and other on-going initiatives that
directly relate. Putting an undue burden on City staff may exacerbate the risk at hand or other interrelated risks.
Risk Assessment Results
The OCA performed a citywide risk assessment to plan for FY22 and FY23 audit activities and documented the methodology
and the detailed results in a separate Risk Assessment Report. In summary, we identified the following areas rated as High
or High-Moderate risks. In determining the audit activities to be performed in FY22 and in FY23, we further reviewed these
risks and functional areas and considered the matters listed on the previous page.
Columns: Functional Area, Title, Likelihood (1-5), Impact (1-5), Score
City Wide COVID-19 Response 5 5 50
Org Wide Employee Retention & Succession Planning 5 4 46
Planning and Development Services Long Range Planning 5 4 46
Information Technology Disaster Recovery Preparedness and Testing 3 5 44
Information Technology Host Intrusion and Malware Defense 3 5 44
Information Technology Problem Management and Incident Response 3 5 44
Transportation Contract Management 3 5 44
Org Wide Workforce 4 4 42
Org Wide Citywide Risk Management 4 4 42
Administrative Services Procurement 4 4 42
Fire Emergency Medical Service 4 4 42
Human Resources High Cost Claims 4 4 42
Human Resources Workload 4 4 42
Information Technology Mobile Device Management 5 3 40
Information Technology Strategy and Governance 5 3 40
Public Works Secondary Treatment Upgrades 2 5 38
Public Works ADA Compliance Upgrade 2 5 38
Administrative Services Investments, Debt, and Cash Management 2 5 38
Information Technology Information Security 2 5 38
Information Technology Operations and Monitoring 2 5 38
Information Technology Physical and Environmental Controls 2 5 38
Information Technology Ransomware 2 5 38
Police Use of Force and Officer Conduct 2 5 38
Org Wide Governance 3 4 36
Org Wide Organizational Culture 3 4 36
Administrative Services ERP System Upgrade 3 4 36
City Wide Sustainability and Climate Action Plan 3 4 36
Administrative Services Accounts Receivable 3 4 36
Fire Fire Suppression 3 4 36
Fire Fire Prevention - Palo Alto Foothills & Wildland Fire Risk 3 4 36
Public Works Public Services - Fleet 3 4 36
Public Works Wastewater Treatment Plant Operations 3 4 36
Public Works Public Services - Facilities 3 4 36
Utilities AMI (Advanced Metering Infrastructure) Project 3 4 36
Utilities Rates and Rate Adjustments 3 4 36
Proposed Audit Activities for FY2022-2023
Included in the tables below are the proposed audit activities for the remainder of FY2022 and FY2023. Each audit activity
corresponds to a risk rated as High or Moderate in the Risk Assessment Report and was selected based on the other factors outlined
on page 3.
The preliminary audit objectives are described for each audit listed. The objectives and scope of each audit activity will be
further defined based on the results of a project-planning risk assessment process performed at the beginning of each
activity.
Audits are planned in three overall phases – note that the timing may differ slightly for each audit activity:
– Phase I – Activities projected to start before March 2022 and end by June 2022
– Phase II – Activities projected to start in March 2022 and end by December 2022
– Phase III – Activities projected to start in June 2022 or January 2023 and end by June 2023
Amendments to the proposed audit plan will be proposed as needed, or after conducting an annual risk assessment
and updating the audit plan during FY23. Amendments may be proposed in response to changes in the City’s
environment such as organizational structure, operations, risks, systems, and controls. Please note that the City Auditor will
actively manage projects and overall budgets and workload in its execution of the workplan.
For each audit activity, a task order is submitted to the City Council for approval before the work is commenced. We have
prepared and attached to this report multiple task orders that correspond to audit activities we have prioritized (e.g., those in
Phase I). Those audit activities are marked with an “X” in the ‘Seeking Approval’ column of the table below, and the Task
Orders are included in the Appendix.
Phase I Activities
Columns: Seeking Approval, Function, Project Title, Audit Objectives, Timeline, Estimated Hours, FY22 Cost, FY23 Cost (*), Total Cost (FY21+22+23)
Administrative Services: Economic Recovery Advisory (Task Order 4.7)
● Review the City’s long-term financial planning model and offer recommendations for improvement.
● Identify and evaluate key revenue source categories that present long-term risk to the City's financial sustainability.
● Perform scenario analysis and advise in the development of long-term financial projections.
Timeline: March - December 2021. Estimated Hours: 400. FY22 Cost: $64,663. Total Cost: $64,663.
Public Works: Public Safety Building - Construction Audit (Task Order 4.8)
● Monthly invoice review
● Change order testing
● Contingency and allowance testing
● Lien waiver control
● Compliance with insurance requirements
● Closeout testing
● Verify the City’s implementation and adherence to documented project controls
Timeline: March 2021 - June 2023. Estimated Hours: 420. FY22 Cost: $26,633. FY23 Cost: $26,633. Total Cost: $51,266.
Planning and Development Services: Building Permit & Inspection Process Review (Task Order 4.9)
● Identify the highest impact area to focus the assessment (e.g., specific permit type(s), specific sub-processes, etc.).
● Document corresponding process(es) and evaluate for efficiency and effectiveness.
● Benchmark operational performance against industry practices and established standards.
Timeline: April – September 2021. Estimated Hours: 360. FY22 Cost: $48,300. Total Cost: $48,300.
Citywide: Nonprofit Agreements Risk Management Review (Task Order 4.10)
● Evaluate controls in place to ensure that nonprofit organizations are properly vetted prior to selection and monitored through the life of an agreement.
● Assess the performance monitoring process against best practice.
● Follow up on relevant audit findings from past audit work.
Timeline: May – September 2021. Estimated Hours: 400. FY22 Cost: $55,246. Total Cost: $55,246.
Utilities: Utility Work Order & Process Review (Task Order 4.11)
● Determine whether adequate controls are in place and working effectively around the work order process
● Assess the work order process against best practices
Timeline: January - December 2022. Estimated Hours: 400. FY22 Cost: $81,400. Total Cost: $81,400.
Administrative Services / Information Technology: Wire Payment Process and Controls (Task Order 4.12)
● Determine whether adequate controls are in place and working effectively to ensure that all disbursements are valid and properly processed in compliance with the City’s policies and procedures
● Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing
Timeline: February - June 2022. Estimated Hours: 270. FY22 Cost: $54,550. Total Cost: $54,550.
Phase I Sub Total: Estimated Hours 2,250. FY22 Cost $329,792. FY23 Cost $26,633. Total Cost $355,425.
* For the purpose of audit plan preparation, OCA used the FY22 budget amount for FY23
Phase II Activities
Columns: Seeking Approval, Function, Project Title, Audit Objectives (preliminary objectives for audits not currently subject to approval), Timeline, Estimated Hours, FY22 Cost, FY23 Cost (*), Total Cost
Seeking Approval: X. Human Resources: Remote and Flexible Work Study
● Assess employee and management perspectives for long-term remote and flexible work viability and associated challenges
● Evaluate positive outcomes and challenges for managing a mixed location workforce
● Identify policies, processes, management practices and work culture improvements that may improve the City’s ability to manage a remote workforce
Timeline: March - December 2022. Estimated Hours: 285. FY22 Cost: $50,000. FY23 Cost: $10,000. Total Cost: $60,000.
Seeking Approval: X. Information Technology: Cybersecurity Assessment
● Map current state security capabilities to the NIST Cybersecurity Framework and evaluate the maturity of current security processes
● Identify current risks related to weaknesses in the City’s cybersecurity program
● Identify target state objectives utilizing the Capability Maturity Model (CMMI) and develop recommendations to meet the objectives
Timeline: March - December 2022. Estimated Hours: 525. FY22 Cost: $90,000. FY23 Cost: $20,000. Total Cost: $110,000.
Seeking Approval: X. Public Works: Wastewater Treatment Plant Agreement Audit
● Evaluate whether direct and indirect costs incurred by the City are properly allocated to the operation of the Wastewater Treatment Plant.
● Review whether costs are properly allocated to the various parties to the Wastewater Treatment Plant Agreement.
Timeline: March 2022 - December 2022. Estimated Hours: 400. FY22 Cost: $60,000. FY23 Cost: $2,250. Total Cost: $62,250.
Phase II Sub Total: Estimated Hours 1,210. FY22 Cost $194,000. FY23 Cost $38,250. Total Cost $232,250.
* For the purpose of audit plan preparation, OCA used the FY22 budget amount for FY23
Phase III Activities
Columns: Seeking Approval, Function, Project Title, Preliminary Audit Objectives, Timeline, Estimated Hours, FY22 Cost, FY23 Cost (*), Total Cost
Transportation: Contract Management - ALPR Technology
● Determine whether policies and procedures are implemented effectively to protect the privacy of personal information gathered using ALPR technology for the City's parking management.
● Determine whether the City monitors the vendor's performance to ensure compliance with contract terms and applicable laws and regulations related to data privacy.
Timeline: June 2022 - January 2023. Estimated Hours: 400. FY23 Cost: $82,500. Total Cost: $82,500.
Administrative Services: Investment Management
● Determine whether adequate controls are in place and operating effectively to ensure that investments are managed in accordance with the investment management and other relevant policies.
● Assess the organizational structure and operations of the investment portfolio management function against best practice.
Timeline: June 2022 - January 2023. Estimated Hours: 350. FY23 Cost: $61,550. Total Cost: $61,550.
Information Technology: Disaster Recovery Preparedness
● Determine whether a formal disaster recovery plan exists and aligns with the City's needs for business continuity
● Determine whether the disaster recovery plan is periodically tested and updated to ensure a successful recovery
Timeline: January - June 2023. Estimated Hours: 400. FY23 Cost: $87,500. Total Cost: $87,500.
Administrative Services: Procurement Process
● Determine whether adequate controls are in place and working effectively to ensure that the appropriate vendors are selected properly to achieve desired objectives
● Identify opportunities to improve the efficiency and effectiveness of the procurement process
Timeline: January - June 2023. Estimated Hours: 350. FY23 Cost: $61,550. Total Cost: $61,550.
Planning and Development Services: Long Range Planning
● Review progress against intended goals and identify any gaps
● Determine whether an effective control environment exists for the Long Range Planning group to maintain the City's Comprehensive Plan
● Determine whether adequate controls are in place and working effectively for data analyses
Timeline: January - June 2023. Estimated Hours: 400. FY23 Cost: $82,500. Total Cost: $82,500.
Public Works: ADA Compliance
● Determine whether improvements have been made to make facilities, programs, and services accessible in accordance with the Transition Plan and Self-Evaluation Final Study to ensure compliance with the Americans with Disabilities Act (ADA) of 1990
Timeline: January - June 2023. Estimated Hours: 350. FY23 Cost: $61,550. Total Cost: $61,550.
TBD: TBD / Ad Hoc Requests. Objectives: TBD. Timeline: TBD. Estimated Hours: TBD.
Phase III Sub Total: Estimated Hours 2,300. FY22 Cost $0. FY23 Cost $458,100. Total Cost $458,100.
Phase I + II + III TOTAL: Estimated Hours 5,760. FY22 Cost $523,792. FY23 Cost $521,983. Total Cost $1,045,775.
FY22 - FY23 Budget: FY22 $600,000. FY23 $560,000. Total $1,160,000.
FY23 Ad Hoc / Contingency: FY22 $76,208. FY23 $38,017. Total $114,225.
* For the purpose of audit plan preparation, OCA used the FY22 budget amount for FY23
Appendix: Task Orders
Audit Activity 4.13 – Remote and Flexible Work Study
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.13
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the
Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this
Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical
and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.13
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022 COMPLETION: December 31, 2022
4. TOTAL TASK ORDER PRICE: $60,000
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD
5. BUDGET CODE_______________
COST CENTER________________
COST ELEMENT______________
WBS/CIP__________
PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Greer Stone, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
▪ SERVICES AND DELIVERABLES TO BE PROVIDED
▪ SCHEDULE OF PERFORMANCE
▪ MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
▪ REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the
work described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
I hereby acknowledge receipt and acceptance of
this Task Order and warrant that I have
authority to sign on behalf of Consultant.
APPROVED:
COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
DESCRIPTION OF SCOPE OF SERVICES
Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Baker Tilly’s approach to conducting this study involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control review and analysis
• Step 3: Reporting
Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address
the overall audit objective and to solidify mutual understanding of the audit scope,
objectives, audit process, and timing between stakeholders and auditors. Tasks include:
• Gather information to understand the environment under review
o Understand the organization structure and objectives
o Review the codes, regulations, policies, and other standards and expectations
o Review the prior audit results, if any
o Review previously conducted employee engagement and satisfaction surveys
o Issue an employee survey centered on remote work capabilities
o Issue a management survey centered on remote work capabilities
o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit plan and audit program
o Define audit objectives and scope
o Identify the audit procedures to be performed and the evidence to be obtained
• Announce the initiation of the audit and conduct a kick-off meeting with key
stakeholders
o Discuss audit objectives, scope, audit process, timing, resources, and
expectations
o Discuss documentation and interview requests for the audit
Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information,
interview individuals, and analyze the data and information to obtain sufficient evidence to
address the audit objectives. The preliminary audit objective is to: (1) Assess employee and
management perspectives for long-term remote and flexible work viability and associated
challenges; (2) Evaluate positive outcomes and challenges for managing a mixed location
workforce; (3) Identify policies, processes, management practices and work culture
improvements that may improve the City’s ability to manage a remote workforce. Tasks
include but are not limited to:
• Analyze employee and management surveys to identify management and policy
change opportunities and barriers for managing a mixed location workforce
• Interview (focus group and/or individual) the Human Resources, employee
representatives and management representatives to understand the current state,
benefits and barriers to
• Review relevant policies and procedures as well as the position eligibility standards
for remote work to identify the criteria to be used for evaluation of control design and
effectiveness
• Research best practices and practices of surrounding communities
• Analyze available data to assess the impact of current practices on recruitment and retention
• Validate analysis with Human Resources
Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers and
submit a final audit report. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting
evidence gathered
• Validate findings with the appropriate individuals
• Complete the supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
• Obtain written management responses and finalize a report
Deliverables:
The following deliverable will be prepared as part of this engagement:
• Audit Report with remote and flexible work data analysis and best practice
recommendation
Schedule of Performance
Anticipated Start Date: March 1, 2022
Anticipated End Date: December 31, 2022
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this
Task is $60,000. The not-to-exceed budget is based on an estimate of 285 total project hours, of
which 16 are estimated to be completed by the City Auditor.
Reimbursable Expenses
If circumstances allow, Baker Tilly anticipates planning one on-site fieldwork visit. Given this
possibility, Baker Tilly could incur reimbursable expenses for this Task.
The not-to-exceed maximum for reimbursable expenses for this Task is $5,000.
The following summarizes anticipated reimbursable expenses:
• Round-trip Airfare – $1,200
• Rental Car – $600
• Hotel accommodation – $2,500 (8 nights)
• Food and incidentals – $700
Note that, if current restrictions associated with COVID-19 continue, an on-site visit may not be
possible. The project team will work with the City to consider circumstances at the time.
Audit Activity 4.14 – Cybersecurity Assessment
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.14
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the
Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this
Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical
and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.14
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022 COMPLETION: December 31, 2022
4. TOTAL TASK ORDER PRICE: $110,000
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD
5. BUDGET CODE_______________
COST CENTER________________
COST ELEMENT______________
WBS/CIP__________
PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Greer Stone, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
▪ SERVICES AND DELIVERABLES TO BE PROVIDED
▪ SCHEDULE OF PERFORMANCE
▪ MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
▪ REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the
work described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
I hereby acknowledge receipt and acceptance of
this Task Order and warrant that I have
authority to sign on behalf of Consultant.
APPROVED:
COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
DESCRIPTION OF SCOPE OF SERVICES
Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Cybersecurity Maturity Assessment
Baker Tilly’s approach to conducting a cybersecurity assessment and developing a cybersecurity
program strategy involves four (4) primary steps:
• Step 1: Assessment Planning and Kick-off
• Step 2: Information Gathering
• Step 3: Cybersecurity Capability Analysis and Recommendations
• Step 4: Reporting
Step 1 – Assessment Planning and Kick-off
This step consists of the tasks performed to adequately plan the work necessary to address
the overall assessment objective and to solidify mutual understanding of the assessment
scope, objectives, assessment process, and timing between stakeholders and assessors. Tasks
include:
• Baker Tilly will work with the City to finalize the assessment scope and project
timeline. Baker Tilly will also provide the City with an initial interview and
documentation request list.
• Finally, Baker Tilly will perform a project kick-off discussion with the City to ensure
alignment with the project timeline, interview schedule, and deliverables.
Step 2 – Information Gathering
This step involves conducting interviews with identified IT security personnel and key
stakeholders to identify security capabilities, processes, and currently implemented
technologies.
Baker Tilly will also review current IT security policy and procedure documentation, as well
as network and infrastructure architecture documents.
Step 3 – Cybersecurity Capability Analysis and Recommendations
This step involves mapping current state security capabilities to the NIST Cybersecurity
Framework and evaluating the maturity of current security processes. Baker Tilly will also
identify current risks related to weaknesses in the City’s cybersecurity program.
Baker Tilly will then review current state capabilities and risks with the City to ensure
alignment on Baker Tilly’s initial analysis and identify target state objectives utilizing the
Capability Maturity Model (CMMI).
Finally, Baker Tilly will take the identified improvement areas and target state maturity
objectives to develop our recommendations for the City’s cybersecurity program to meet its
target state objectives.
Step 4 – Reporting
The project team will perform tasks necessary to finalize the initial draft cybersecurity
assessment report and review a draft report with the stakeholders. Additionally, the team will
submit a final assessment report to the City. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting
evidence gathered
• Validate findings with the appropriate individuals
• Distribute a draft assessment report and conduct a closing meeting with key
stakeholders
o Discuss the assessment results, findings, conclusions, and recommendations
• Obtain written management responses and finalize a report
Deliverables:
The following deliverable will be prepared as part of this engagement:
• Cybersecurity Assessment Report and Program Strategy
External Penetration Testing
Baker Tilly will perform external penetration testing on behalf of the City. Baker Tilly’s
approach to conducting these security testing activities involves four (4) primary steps:
• Step 1: Assessment Planning and Kick-off
• Step 2: Open-Source Information Gathering and Reconnaissance
• Step 3: External Penetration Testing
• Step 4: Reporting
Step 1 – Assessment Planning and Kick-off
This step consists of the tasks performed to adequately plan the work necessary to address
the overall testing objective and to solidify mutual understanding of the testing scope,
objectives, testing process, and timing between stakeholders and assessors. Tasks include:
• Baker Tilly will work with the City to finalize the testing scope and project timeline.
• Baker Tilly will perform a project kick-off discussion with the City to ensure
alignment with the project timeline, testing approach, and deliverables.
• Baker Tilly will provide the City with an ISP authorization form and Rules of
Engagement documents for signature to confirm testing scope and activities.
Step 2 – Open-Source Information Gathering and Reconnaissance
This step involves conducting interviews with identified IT security personnel and key
stakeholders to identify security capabilities, processes, and currently implemented
technologies.
Baker Tilly will also review current IT security policy and procedure documentation, as well
as network and infrastructure architecture documents.
Step 3 – External Penetration Testing
Baker Tilly will conduct external penetration testing on up to 300 active and 208 dormant
external IP addresses provided by the City. External penetration testing services include:
• Confirmation of active versus dormant IP addresses;
• Identification of services and service versions running on each active system;
• Automated vulnerability discovery scanning for each active system;
• Penetration attempts on systems identified that have known exploitable
vulnerabilities; and
• Deep dive exploitation of any identified exploitable vulnerabilities to gain
unauthorized access to internal systems and/or data.
Step 4 – Reporting
The project team will perform tasks necessary to finalize our security testing report and
review a draft report with City stakeholders. Additionally, the team will submit a final testing
report to the City. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting
evidence gathered
• Validate findings with the appropriate individuals
• Distribute a draft testing report and conduct a closing meeting with key stakeholders
o Discuss the testing results, findings, conclusions, and recommendations
• Obtain written management responses and finalize a report
Deliverables:
The following deliverable will be prepared as part of this engagement:
• External Penetration Testing Report
Schedule of Performance
Anticipated Start Date: March 1, 2022
Anticipated End Date: December 31, 2022
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this
Task is $110,000. The not-to-exceed budget is based on an estimate of 525 total project hours,
of which 30 are estimated to be completed by the City Auditor.
Reimbursable Expenses
We plan to complete the audit work remotely, including all interviews and documentation
review. However, if the City requests the assessment team to travel on-site for meetings,
interviews, or assessment report readouts, these travel related expenses will be billed in addition
to the fees above.
Audit Activity 4.15 – Wastewater Treatment Plant Agreement
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.15
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the
Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this
Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical
and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.14
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022 COMPLETION: December 31, 2022
4. TOTAL TASK ORDER PRICE: $110,000
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD
5. BUDGET CODE_______________
COST CENTER________________
COST ELEMENT______________
WBS/CIP__________
PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Greer Stone, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
▪ SERVICES AND DELIVERABLES TO BE PROVIDED
▪ SCHEDULE OF PERFORMANCE
▪ MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
▪ REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the
work described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
I hereby acknowledge receipt and acceptance of
this Task Order and warrant that I have
authority to sign on behalf of Consultant.
APPROVED:
COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
DESCRIPTION OF SCOPE OF SERVICES
Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Baker Tilly’s approach to conducting a Wastewater Treatment Plant Agreement Review
involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Process and Control Review
• Step 3: Reporting
Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address
the overall audit objective and to solidify mutual understanding of the audit scope,
objectives, audit process, and timing between stakeholders and auditors. Tasks include:
• Gather information to understand the environment under review
o Understand the organizational structure and objectives
o Review the City code, regulations, and other standards and expectations
o Review prior audit results, as applicable
o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
o Refine audit objectives and scope
o Identify the audit procedures to be performed and the evidence to be obtained
and examined
• Announce the initiation of the audit and conduct kick-off meeting with key
stakeholders
o Discuss audit objectives, scope, audit process, timing, resources, and
expectations
o Discuss documentation and interview requests for the audit
Step 2 – Process and Control Review
This step involves executing the procedures in the audit program to gather information,
interview individuals, and analyze the data and information to obtain sufficient evidence to
address the audit objectives. The preliminary audit objectives are to: (1) determine whether
adequate controls are in place and working effectively to ensure that costs for treatment plant
operations are properly accounted for and allocated; and (2) assess compliance with contracts
and regulations. Procedures include:
• Interview the appropriate individuals to understand the process, the information
system used, and internal controls related to accounting and allocation of costs for
treatment plant operations.
• Review the contracts, policies and procedures as well as the regulations and standards
to identify the criteria to be used for evaluation of compliance and control design and
effectiveness
• Review the documents (such as contracts and supporting documents for allocation)
for the selected allocation transactions
• Compare the cost accounting and allocation methodology against the requirements
Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers,
prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks
include:
• Develop findings, conclusions, and recommendations based on the supporting
evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the
identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council
Committee
• Present the final report to the City Council and/or appropriate Council Committee
Deliverables:
The following deliverable will be prepared as part of this engagement:
• Audit Report
Schedule of Performance
Anticipated Start Date: March 1, 2022
Anticipated End Date: December 31, 2022
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this
Task is $82,500. The not-to-exceed budget is based on an estimate of 400 total project hours, of
which 20 are estimated to be completed by the City Auditor.
Reimbursable Expenses
If circumstances allow, Baker Tilly anticipates planning one on-site fieldwork week. Given this
possibility, Baker Tilly could incur reimbursable expenses for this Task.
The not-to-exceed maximum for reimbursable expenses for this Task is $4,750.
The following summarizes anticipated reimbursable expenses (for three team members):
• Round-trip Airfare – $1,500
• Rental Car – $400
• Hotel accommodation – $2,500 (4 nights)
• Food and incidentals – $750
Note that, if current restrictions associated with COVID-19 continue, an on-site visit may not be
possible. The project team will work with the City to consider circumstances at the time.