Agenda item

To present to the Audit Committee the updated Corporate Risk Register.

Minutes:

The Committee considered the updated Corporate Risk Register, which had last been submitted to it in September 2021.

Members noted that the Corporate Risk Management Framework had remained unchanged at this time, though a review of the framework had unfortunately been delayed and would now be reported to the Audit Committee in June 2022.

The table set out below detailed all amendments to the Risk Register since it had last been considered by the Committee in September 2021:

| Risk Register Item | Amendments / Comments |
| --- | --- |
| New Risks Identified | None |
| Risks Removed | None |
| Risk Scores Amended | Item 6b - Disconnection from PSN Network – inherent risk score reduced from 20 to 12, due to end of lifecycle. |
| Risk under review | None |
| Risks Amended | Item 1a - Failure to effectively manage assets – update on main text. |
| | Item 1b - Catastrophic IT network failure – change in service delivery target, increased from 85% to 90%. |
| | Item 1c - Ineffective communication / management of information – update on main wording relating to cybersecurity. |
| | Item 1d - Ineffective Cyber Security Physical and Application (software) Based Protection Management – updates to main wording relating to cyber security initiatives. |
| | Item 2d - Ineffective delivery of Transforming Tendring project – update on main wording relating to main office site work being completed. |
| | Item 5a - Financial Strategy – current action wording updated. |
| | Item 6b - Disconnection from PSN Network – change in wording to reflect the inherent risk being reduced. End of lifecycle. |
| | Item 9a - Ineffective Emergency Planning – change to main wording and change of responsible officer. |
| | Item 9b - Ineffective Business Continuity Planning – update to main text. |

At its meeting held in September 2021, two further potential emerging risks had been highlighted to the Committee, namely:

· Shortage of Global Supplies

· Failure to Deliver Key Contracts

In terms of the second point, a report had been considered earlier in the meeting in respect of the Careline Service.

In terms of the first point, it was reported that this had continued to present a significant risk, especially in respect of computer processing chips and the impact from on-going global events. However, this continued to be managed via earlier procurement planning and remaining alert to market conditions.

The Committee was advised that the Fraud and Risk Team continued to oversee the Council’s Risk Management, supported by the Council’s Internal Audit Team. The table below set out the work currently being undertaken:

| Agreed Action | Current Position |
| --- | --- |
| Management Team to promote the importance of operational risk management within the organisation and ensure that Senior Managers implement a process for identifying and mitigating risks in coordination with the Corporate Fraud and Risk Manager. | The Fraud and Risk Manager continues to work with Management Team to effectively promote the importance of operational risk management within the Council, and continues to attend management team meetings (via Teams) on a quarterly basis and provides monthly updates for any urgent matters identified. |
| One to one meetings will continue to take place between Senior Managers and the Corporate Fraud and Risk Manager to identify and record key operational risks within their service areas. Support to be provided by Internal Audit if required. | These one to one meetings have commenced, but have not been fully completed due to time constraints and officers’ prior commitments. This matter will be reported to Audit Committee at a later meeting. |

Follow Up Item

| Agreed Action | Current Position |
| --- | --- |
| Arrange Risk Management training for all departments across the council. | Risk Management training was carried out by the Fraud and Risk Manager in October 2021. This training was not suitable to be rolled out to all departments and alternative training is currently being negotiated with a Risk Management provider that will meet the council’s requirements, with a view to rolling this out in 2022. |
| Review carried out relating to the effectiveness of the current control measures in place to identify inherent risk. | This review is still ongoing and a report will be brought before the Audit Committee at a later meeting. |

During the discussion of this item, specific comments were made by Committee members as to the need for Councillors to adopt practices to support the measures to protect the Council from a catastrophic IT network failure. These included using the Council’s own email address provided to them and the IT kit for connecting to the Council’s network.

RESOLVED that the updates provided to the current Corporate Risk Register be noted.

 
