Item #:
23.13-06
Item:
Enterprise Risk update: Counter-disinformation risk
To:
Electoral Commission
For:
Board meeting 13 September 2023
Prepared by:
Leigh Deuchars, DCE SGD
Recommendations
It is recommended that the Board:
1.
note the attached update on managing disinformation
2.
note the cyber security update is included in the cyber security item from Enterprise Services
3.
discuss overall Commission preparations in each of the areas
4.
note the managing disinformation does not include an assurance comment due to the absence of the Manager
Strategy, Risk and Assurance
5.
note that updates from previous deep dives have been incorporated into the regular reporting channels, and
have been included in the monthly update.
Purpose
1. This paper updates the Board on cross-Commission activities to anticipate, prepare for, manage and mitigate the
impacts of mis- and disinformation.
Background
2. On 17 May 2023 the Board commissioned a series of enterprise risk deep dives on potential issues where the
Board would like to seek further assurance. The purpose of these pieces of work is for identified areas:
a. to provide the Board with a holistic, summarised view of the risk and how it may impact outcomes the
Commission seeks to enable; which Commission activities or programmes of work may be impacted; and
how the Commission has prepared to reduce, mitigate, avoid or respond. (This view should improve
board visibility or confidence that the risk is broadly understood and being actioned in a coordinated
manner at the appropriate levels within the Commission.)
b. to enable the Board to have a conversation about whether activities being undertaken result in an
overall risk profile which aligns to the risk appetite and risk tolerance of the Commission.
Discussion
3. The potential issues were acknowledged not solely to be areas where risks may materialise, but also where they
may be perceived to have materialised. Therefore, the Commission needs to be well prepared to make
statements to redress incorrect or incomplete public understanding of the risk.
4. The first round of updates on recruitment; disruptive events at voting places; and privacy and information
management were delivered in July, and two further updates on cyclone / flood-affected areas and Māori
engagement, were considered on 16 August.
1
5. The Cyber security and managing disinformation are the final two deep dives of the items requested by the
Board.
Next steps
4. Further updates in any areas covered by the deep dives will be covered through the regular reporting channels.
Appendix
Appendix: A3 Update on managing disinformation