NRS Audit and Risk Committee (ARC) Meeting
Thursday 27 November 2025
Hybrid / Teams 10:00 – 13:00
(Private discussion 13:00-13:15)
ARC Members
Maggie Waterston (Chair) NRS Non-Executive Director
Anne Moises NRS Non-Executive Director
Tim Wright NRS Non-Executive Director
Bryan Robertson NRS Non-Executive Director
John McDonough NRS Non-Executive Director
ARC Attendees
Alison Byrne NRS, CEO
NRS, Director for Corporate Services & Accountable Officer
NRS, Director for Customer Services, Operations and Archives
NRS, Director for Census Statistics
NRS, Interim Director for Digital & IT Services
NRS, Interim Director for Statistics
FCDO, (Foreign, Commonwealth and Development Office)
SG, Senior Internal Audit Manager
SG, Internal Audit Manager
SG, Internal Auditor Manager
Grant Thornton, External Audit Engagement Manager
NRS, Head of NRS Business Management
NRS, Corporate Business Assurance Manager
NRS, Business Support Officer (Secretariat)
NRS, Finance Manager
NRS, Corporate Business Continuity Lead
NRS, Archive Services Programme Manage
Apologies
NRS, Director for Delivery
Grant Thornton, External Audit Engagement Director
1. Welcome, Introductions and Apologies. Declaration of Interests & Matters Arising
1.1 Maggie Waterston welcomed everyone to the meeting. Apologies were noted as listed above.
1.2 There were no declarations of interests or matters arising.
2. Meeting held on 28 August 2025 and 11 September 2025
2.1 The minutes were approved and would be published on the NRS website.
2.2 A review of actions was undertaken. The action tracker would be updated accordingly.
3.1.1 NRS Risk Dashboard
3.1.2 The Corporate Business Assurance Manager and Director of Corporate Services & Accountable officer introduced the NRS Risk Dashboard and Issues Log to the meeting and covered the following key points below.
- Census Funding - This risk previous focused on the development of Census but updated to move the focus onto the funding aspect. This risk score was set to the highest level but pending Ministerial and other discussions would expect this to reduce considerably over the coming month(s)
- Risk appetite markings would be reviewed as part of an EMT Risk workshop arranged for December 2025
- A risk workshop had been undertaken with the new CSOA Directorate with a follow up session in early 2026 to review risk appetite markings and scores in more detail
- EMT would re-consider a Corporate Risk Appetite Statement in light of NRS Post Strategy being launched
- Deep Dive/Review of current Corporate Risk Register and consideration of reducing the number of risks/refocus to better utilise EMT time. This was likely to happen post current corporate risk planned for closure being removed and added at business/operational level (where applicable)
- Intellectual property work due to be concluded by December 2025 along with legal advice from SGLD. It was likely once these matters had been addressed, that this issue would be moved to closure
- Ongoing work around Cyber Essentials Plus accreditation and framework being developed for of out of hours IT support
- Accredited archive status renewed and storage risk closed
3.1.3 In discussion the following points were raised:
- A frequent number of risks were related to funding but would be closed off or become issues following the publication of the SG budget in January 2026.
- NRS were scenario planning for various budget allocations
3.2 Corporate Issues Log
3.3 The committee noted the update.
4.1. Cyber Security Assurance and Risk Response (aligned to Internal Audit Review)
4.2 The Interim Director for Digital & IT Services provided an update on NRS Cyber Security Assurance and Risk Response with the following key points below:
- The update provided a strategic overview of NRS cyber security assurance and risk response activities, highlighting key developments, emerging threats, and the effectiveness of current controls
- The paper outlined progress against planned cyber improvements, summarised recent risk assessments, incident trends, and mitigation efforts
- The report aimed to inform the board of NRS current posture, areas of concern, and priorities requiring attention or support to maintain a robust and responsive security environment
4.3 In discussion the following points were raised:
- SG were in the process of updating their Cyber Strategy including Cyber Essentials Plus
- To engage with NRS NXD Albert King regarding Scottish Wide Area Network (S.W.A.N) requirements around Cyber Essentials plus or equivalent accreditation
- NRS were exploring BC
- Noted trend for Cyber-attacks via Service Desk to gain access to Networks.
- Interim Director for Digital & IT Services to ask SG if they have plans in placed for PSR SG insurance policy for cyber events
The actions noted were as follows:
Action A45/25: Interim Director for Digital & IT Services to arrange a meeting with NRS NXD Albert King to discuss Scottish Wide Area Network (S.W.A.N) requirements around Cyber Essentials plus or equivalent accreditation. Action Owner: Interim Director for Digital & IT Services
Action A46/25: Interim Director for Digital & IT Services to ask SG if they have plans in placed for PSR SG insurance policy for cyber events. Action Owner: Interim Director for Digital & IT Services
Action A47/25: Interim Director for Digital & IT Services to reach out to SG regarding security cover/joint cover to step in operationally/share resource. Action Owner: Interim Director for Digital & IT Services
Action A48/25: Tim Wright to update register of interests declaration. Action Owner: Tim Wright/BMU
Action A49/25: Change Governance to be added to agenda for February 2026 ARC meeting. Action Owner: BMU
Action A50/25: Enterprise Project Management (EPM) to be added to ARC forward look for 2026. Action Owner: BMU
5. Internal Audit update: Internal Audit interim progress report on Cyber Review Report and active/follow-up audits
5.1. SG Internal Audit introduced the paper with the following key points:
- Cyber Report recommended NRS continue to progress work to strengthen approach
- Progress was being made against the NRS Annual Plan
- Further details of Assurance work were provided
- Progress on the implementation of recommendations was provided
- The latest Internal Audit Strategic Matters, Integrated Assurance and Strategic Best Practice / insight sharing were provided
- Drafting up a Terms of Reference for Final Review around Workforce Planning
- IA were developing Cyber Insights
- Wider Integrated Assurance work
- Annual Planning work had begun
5.1.1 The committee noted the update.
5.1.2 Members noted NRS staff regularly carried out Cyber Security training.
5.1.3 Members noted strategic improvements needed to be considered around internal audit processes and once for Scotland approach.
5.1.4 The committee thanked The SG Senior Internal Audit Manager for their support to ARC and wished them well in their retirement.
6. Business Continuity Review Update
6.1 The Corporate Business Continuity (BC) Lead and Director for Corporate Services & Accountable Officer introduced the Business Continuity Review Update with the following key points:
- The BC Policy and Framework outlined NRS commitment to Business Continuity and how NRS would support and embed BC across the organisation
- This was presented to EMB members in May 2025, along with recommendations for next steps which were unanimously approved. Progress was being made against those recommendations
- The Framework document included the creation of a BC Working Group with cross-organisational representation and the establishment of milestones/feedback loops to EMB and ARC. It also incorporated feedback from colleagues from across the organisation
- Carried out testing of NRS BC incident response, including management of Gold and Silver incidents
6.2 The committee noted the update. In discussion the following points were raised:
- BC grab bags were located in Business Management Unit (BMU) office
- NRS Conservation also had their own BC grab bags
- Members requested further detail on how NRS BC plan interacted with SG BC plans in the event of a loss of Scots network. Testing carried out on this recently by SG on loss of Scots network. NRS would receive lessons learned from testing
- NRS IMT also recently tested use of the app used for emergency incidents
- NRS also carried out scenario planning for other BC responses to emergencies such as a water ingress event
- NRS attended Police Scotland Event around Terrorism BC
- Guidance on where the lead decision maker(s) were devolved to in the event of decision maker(s) not being available be included in BC framework document
- Existing and prospective customer’s BC priority planning be noted earlier in the BC framework document
7. First-tier Tribunal Update
7.1 The Committee noted a paper providing an update on the legal action taken through the First-tier tribunal under the Re-use of Public Sector Information with the following key points below:
The First-tier Tribunal issued a decision which did not immediately impact NRS operations or current model for public reuse.
Appeals were underway against aspects of the decision. ARC would be updated in due course.
7.2 Members noted the update.
8.1. Census 2031 Update
8.1.1 The Director for Census Statistics provided an update on Census 2031 with the following key points below:
- The paper outlined plan to 2027 Test and associated Memorandum of Understanding (MoU for 2027 Census Test) timelines
- The 2027 Census Test was designed to experiment with operational elements and address response challenges
- Key objectives are to gather evidence including testing paper questionnaire distribution, improved field force training and follow-up SMS to improve response rates
- Side benefits included gaining live operational experience and building census team capability
- Next steps focused on refining scope, costing the test with ONS, and confirming March 2027 as the test date
- A single sign-off for the 2027 Test MoU was planned for March 2026 instead of staged signing
- Gateway Zero Reviews carried out in August 2025 and November 2025
- Gateway Health Check November 2025 review assessed progress as Amber/Red with confidence dependent on securing 2026/27 budget
- Review team warned that failure to secure budget could lead to project being deemed unachievable. Recommendations were made for NRS leadership to ensure stakeholders understood consequences of budget uncertainty
- Governance arrangements for MOU approval were recommended to avoid delays in sign-off
- Key milestones included market engagement, procurement launch, and budget settlement for 2026/27
8.1.2 In discussion the following points were raised:
- The central recommendation around process and governance were progressing well
- NRS continued collaborative engagement with ONS and NISRA on Census 2031 planning
8.2. Archive Services Programme update
8.3 The Archive Services Programme Manager introduced the Archive Services Programme update with the following key points below:
- Workshops for physical storage project were completed and a short-term options paper was presented to Programme Board
- Estate wide space planning survey requirements were agreed
- DAO assessment for digital archiving was completed and recommendations were closed
- Invitation to tender for new digital preservation management system was issued
- Procurement route and requirements for fit out of updated physical environment were agreed
- Procurement route and requirements for fit out of new treatment space were agreed
- CALM pre discovery reset workshop was held and statement of work for discovery exercise was drafted
- Additional budget was secured to support service design for digital archiving end to end service
- Engagement with SG and culture cluster members continued to secure funding for future expansion
- Site capacity massing exercise was undertaken with National Galleries Scotland and visits to National Library of Scotland, Historic Environment Scotland and National Records of Scotland were conducted
8.4 Members noted the update.
9.1 NRS MYR Financial Report
9.1.1 The NRS Finance Manager presented the NRS MYR Financial Report with the following key points below:
- The paper provided updated budget post Autumn Budget Revision (ABR) and realignment of budgets and forecast across resource, Capital, projects and income noting risks
- Census programme has identified some core costs for staffing and non-staffing that should be recharged to the programme, this has been estimated for MYR, costs would be finalised before year end, core would ensure that should census overspend that there would be an underspend to ensure that a balanced budget was achieved
- A commission has been issued to Directors asking for any priority 1 & 2 work that could be brought forward if needed to accommodate any emerging underspends
- Figures provided were based on Period 6, In process of closing off Period 8
9.1.2 The committee noted the update.
9.2 NRS Fees, Charges & Income (FCI) Project: NRS Current Income Streams
9.3 The Director for Corporate Services & Accountable Officer and Interim Director for Statistics presented the Fees & Income Project: NRS Current Income Streams with the following key points below:
- The paper provided a high-level strategic overview of NRS income performance, risks and opportunities
- Outlined the scope and progress of the Fees, Charges & Income (FCI) Programme
- Highlighted financial benefits realised and presented future planning recommendations
- Identified key risks to income sustainability alongside mitigation strategies and opportunities for growth
- Invited the Audit & Risk Committee (ARC) to note the update on current income received by NRS to help fund the organisation
- Requested ARC to review and comment on the strategic direction of the FCI Programme, note risks and next step priorities
- Programme Board set up December 2025 to support FCI projects
9.4 In discussion the following points were raised:
- Members noted any income raised by NRS could potentially impact future SG budget allocations
- Members noted this was a common risk across SG public bodies and agencies
- Members noted opportunity for targeted marketing to promote NRS Services
- NRS Scotland's People Christmas social media campaign went live this week
- Members suggested a FCI workshop on be arranged for future Strategic Board
Action A51/25. Fees, Charges and Income (FCI) workshop be arranged for future Strategic Board. Action Owner: BMU
10. External Audit update (oral)
10.1 Grant Thornton provided an oral update for the External Audit item with the following key points below:
- Grant Thornton were progressing timescales for the next interim audit
10.2 The Committee noted the report.
11. NRS Audit Recommendations Status Report
11.1 The Committee noted the report.
12. Committee Reports - To Note and Questions
NRS Governance Report
12.1 The Committee noted the report. In discussion the following points were raised:
- Members discussed Climate Change initiatives, Heat Network and opportunities for funding
NRS Portfolio & IT Services report
12.2 The Committee noted the report.
NRS Assurance update
12.3 The Committee noted the report.
13. To Note: ARC Forward Look for year ahead
13.1 The Forward Look was noted by all Committee members.
13.2 Members requested a Health & Safety update for the February meeting.
Action A52/25: Health & Safety update to be provided at the February ARC meeting. Action Owner: BMU / Director for Corporate Services & Accountable Officer
14. AOB & Date of Next Meeting
The date of the next meeting was noted as 26 February 2026
End
