Agenda item
To present to the Audit Committee the updated Corporate Risk Register and updated Risk Management Framework.
Minutes:
The Committee considered the updated Corporate Risk Register, which had last been submitted to it in March 2022.
Although no changes had been identified as being required at this time, following a recent review, the Corporate Risk Management Framework had been included at Appendix A to the Deputy Chief Executive’s report for Members’ information.
A full review of the corporate risks within this document had been conducted by the Assurance and Resilience Manager with a view to ensuring that the Council was considering the correct items.
It was reported that a review of the Council’s Business Impact Assessments was currently being undertaken by the Assurance and Resilience Manager in order to ensure that the Council identified the operational and financial impacts resulting from any potential disruption of business functions and processes. It would also consider how the Council could recover and continue to provide a service to residents in such circumstances.
Members were aware that the Council was dealing with some ongoing issues relating to Corporate IT that still needed to be resolved but those were moving forward at a reasonable pace, to ensure that the Council was not put at risk of cyber attack and was geared towards identifying the weaknesses throughout the authority which could make the Council vulnerable. This included stopping staff accessing TDC emails on their personal devices.
The Committee was reminded that the Council was experiencing difficulty in recruiting in some areas of the Council. The risk score had been increased to reflect this. It was hoped that this would be resolved in the next 6 months.
Given the various issues that continued to emerge from major changes / events within the national and global ‘landscape’, it was timely to undertake a wider review of the Corporate Risk Register heading into 2023/24. This would be undertaken by senior Officers, in consultation with Members, during the coming months. The changes to the Corporate Risk Register set out in this report therefore reflected a limited number of changes.
The table set out below detailed all amendments to the Risk Register since it had last been considered by the Committee in March 2022:-
|
Risk Register Item |
Amendments / Comments |
|
New Risks Identified |
None
|
|
Risks Removed |
None |
|
Risk Scores Amended |
Item 4a – Loss of Key Staff – residual and inherent risk changed from 12 to 16. Due to the difficulties in council recruiting.
Item 4b – Lack of Capacity to deliver core services - residual and inherent risk changed from 12 to 16. Due to the difficulties in council recruiting.
|
|
Risk number changed
|
None |
|
Risks Amended |
Item 1b - Catastrophic IT network failure – change in main wording relating to infrastructure response and controls.
Item 1c - Ineffective communication / management of information – update on main wording relating to cybersecurity.
Item 1d - Ineffective Cyber Security Physical and Application (software) Based Protection Management – updates to main wording relating to cyber security initiatives.
Item 2b – Community Leadership Projects – changes to main wording relating to working within the health structure.
Item 2e – Essex Family/Family Solutions - main wording changed to reflect that additional funding has been obtained for additional family solutions post in Harwich.
Item 2f – Garden Communities – current action updated relating to the development plan and providing a more detailed framework.
Item 3a – Member Conduct – main text updated relating to the training provided for members and the code of conduct requirements.
Item 3b – Failure to comply with legislative requirements – update to current actions. Addition of court claims for damages to service delivery.
Item 3c – Health and Safety – main wording changed to reflect risk assessment review being completed and review of lone worker devices.
Item 3d – Fraud and Corruption – current action amended to relating to fraud awareness training.
Item 4a – Loss of Key Staff – current action updated to explain the difficulties in recruiting.
Item 4b – Lack of capacity to deliver core services - current action updated to explain the difficulties in recruiting.
Item 6a – Loss of sensitive and/or personal data – update to main wording relating data breaches reporting arrangements.
Item 6b - Disconnection from PSN Network - change in wording to reflect the improvements being undertaken in cybersecurity.
Item 7a – Local Plan – main text updated relating to review of plan.
Item 9a - Ineffective Emergency Planning – change to main text tom reflect the increase in emergency planning incidents.
Item 9b – Ineffective Business Continuity Planning – update to main text relating to changes in the responsibilities of business continuity and the actions taken.
|
The Committee was advised that the Fraud and Risk Team continued to oversee the Council’s Risk Management supported by the Council’s Internal Audit Team. The table below set out the work currently being undertaken:-
|
Agreed Action
|
Current Position |
|
Management Team to promote the importance of operational risk management within the organisation and ensure that Senior Managers implement a process for identifying and mitigating risks in coordination with the Assurance and Resilience Manager (formally Corporate Fraud and Risk Manager)
|
“The Assurance and Resilience manager (formerly the Fraud and Risk Manager) continues to work with Management Team to effectively promote the importance of operational risk management within the Council and continues to attend management team meetings (via Teams) on a quarterly basis and provides monthly updates for any urgent matters identified.” |
|
One to one meeting will continue to take place between Senior Managers and the Assurance and Resilience manager (formally Corporate Fraud and Risk Manager) to identify and record key operational risks within their service areas. Support to be provided by Internal Audit if required |
“This task is now completed, and the review of the corporate risk register is now complete. Due to changes in responsibilities a review is now being undertaken with all services relating to their business continuity plans.” |
Follow Up Item
|
Arrange Risk Management training for all departments across the Council. |
“No suitable Risk Management training has been identified at this time, but this will be given priority and implemented by March 2023.” |
|
Review carried out relating to the effectiveness of the current control measures in place to identify inherent risk.
|
Review complete. |
The Chairman asked for an update on the risks relating to Cyber Attacks. The Assurance and Resilience Manager (Clare Lewis) replied that restrictions had been placed on the use by staff of their personal devices to access Council emails and documents et cetera. The Assistant Director (Finance & IT) also replied that the National Cyber Assessment Framework was being looked at and also that that a Member Task and Finish Working Group was also scrutinising the issue of cyber security.
RESOLVED that the updates provided to the current Corporate Risk Register be noted.
Supporting documents:
-
A3 Covering Report for Audit Committee - September 2022, item 13.
PDF 118 KB -
A3 Appendix A TDCRiskManagementFramework September 2022 -2, item 13.
PDF 275 KB
-
A3 Appendix B Corporate Risk Register - September 2022, item 13.
PDF 527 KB