To present to the Audit Committee the updated Corporate Risk Register.
Minutes:
The Committee was presented with the updated Corporate Risk Register, which had been last presented to the Committee in September 2022. The Terms of Reference for the Audit Committee included a responsibility to provide independent assurance of the adequacy of the risk management framework and the associated control environment. The Corporate Risk Register was, where possible, brought to the Committee at six monthly intervals to enable the Committee to fulfil its role.
Corporate Risk Register
Members heard that the register had been subject to the review process with some highlights as follows.
A Covid 19 element continued to form part of all ongoing audits. Any significant findings identified would be provided at a later meeting by the Internal Audit Manager.
The Assurance and Resilience Manager continued to review the Council’s Business Impact Assessments (BIA) to ensure the Council was able to identify the operational and financial impacts resulting from any potential disruption of business functions and processes. The purpose of the review was to consider how the Council could recover and continue to provide a service to our residents should a significant disruption occur. A more in-depth update would be provided to the Audit Committee once the review had something to report.
Members also heard that the Council continued to deal with issues relating to Corporate IT and was committed to ensuring users were not put at risk of cyber-attack. Online training was provided, which was tailored towards identifying the weaknesses throughout the authority that could make the Council vulnerable to cyber-attacks and reduced the risk of the council being held to ransom by any attacker.
The Committee was informed that recruitment continued to be a challenge, but the Council had recently worked with the East of England Local Government Association to carry out an independent review of some areas of its pay structure and employment offer. This had led to some options to support the best use of the National Joint Council pay spine in alignment with the employment market. Those had included salary and benefits benchmarking, improved marketing of vacancies and employment offers, and expanding the well-established "grow your own" ethos. Those options were currently being considered as part of the Assistant Director change program.
The national and global "landscape" continued to impact the Council, and a full review of the Corporate Risk Register would be carried out during 2023/24. This would be done in consultation with Senior Officers and Members/Audit Committee. The changes to the Corporate Risk Register set out in this report reflected small changes undertaken since the Committee had last considered the register in September 2022 and provided updates on changing deadlines.
The Committee was also informed that a review of the Council's Risk Management concept would be carried out and brought back to the Audit Committee in the next six months. This work would include a review of the current risks included, along with the consideration of any changes or additions to reflect the most up-to-date position/changes faced by the council. This review would also consider the condition of the Council's assets and the risk of ineffective maintenance of all Council-owned properties that could have an adverse impact on the organizational focus delivery.
The table below set out all amendments to the Risk Register since it had last been considered by the Committee in September 2022.
Risk Register Item | Amendments / Comments |
New Risks Identified | None |
Risks Removed | None |
Risk Scores Amended |
Item 2a - Coastal Defence – residual risk increased from 5 – 15.
Item 2d - Ineffective delivery of Transformation project – inherent risk reduced from 15 – 2. Residual risk reduced from 3 – 2. (consider removal of this item)
Item 4a - Loss of Key staff – inherent risk reduced from 16 – 12.
Item 4b - Lack of capacity to deliver core services – residual risk reduced from 16 – 12.
Item 7a - Local Plan - residual risk reduced from 12 – 5.
Risk number changed | None |
Risks Amended |
Item 1a - Failure to effectively manage assets – comment regarding a review of the asset management plan provided. Consideration to review Action Plan.
Item 1c - Ineffective communication / management of information – update on main wording relating to cybersecurity and members IT.
Item 1d - Ineffective Cyber Security Physical and Application (software) Based Protection Management – updates to main wording relating to cyber security being strengthened.
Item 2a - Coastal Defence – Officer responsibility updated from Corporate Director Operations and Delivery to Assistant Director Building and Public Realm. Description updated relating to risk and the stability of the cliffs. Current action updated. Update provided for cabinet member.
Item 2b - Community Leadership Projects – current action updated to include a comment relating to reputational and financial risk in engaging in partnership relationships, ensuring robust agreements are in place.
Item 2d - Ineffective delivery of Transforming Tendring project – current action wording updated to reflect that this project is now finalised. Inherent risk score and residual risk score amended to reflect this update. Cabinet member updated.
Item 2f – Garden Communities - current action updated to reflect Housing Infrastructure Funding in place. Planning Performance Agreement in discussion with lead developers and Planning Manager. Updated portfolio holder details.
Item 3c – Health and Safety – Main wording updated regarding succession planning. Responsible officer updated.
Item 3d – Fraud and Corruption – wording updated to reflect changes in fraud awareness training and induction process. Officer responsibility updated.
Item 4a – Loss of Key staff - update provided relating to changes to recruitment by utilizing ECC recruitment. Inherent risk and residual risk rating reduced to reflect this change.
Item 4b - Lack of capacity to deliver core services - comprehensive update provided relating to considerations of recruitment and the use of East of England Local Government Association. Officer responsibility updated.
Item 5a – Financial Strategy – update provided relating to developing a framework to capture key financial information/savings. A review of financial planning cycle to be reviewed during 2023.
Item 6a - Loss of sensitive and/or personal data through malicious actions loss theft and/or hacking. Current action updated relating to procedures being in place to manage agreements with partner organizations.
Item 6b - Disconnection from PSN Network – updated current action wording relating to the national cyber security and cyber security framework. Comment provided relating to PSN health check.
Item 7a – Local Plan - current action update provided relating to local plan being adopted in Jan 22 and review due in 2025. Residual risk reduced to reflect this.
Item 9a - Ineffective Emergency Planning – update provided on emergency planning actions.
Item 9b – Ineffective Business Continuity Planning – update to main text relating to planned business continuity actions. Additional responsible officer added.
The Fraud and Risk Team continued to oversee the Council’s Risk Management supported by the Council’s Internal Audit Team. The table below set out the work currently being undertaken:-
Agreed Action | Current Position |
Management Team to promote the importance of operational risk management within the organisation and ensure that Senior Managers implement a process for identifying and mitigating risks in coordination with the Assurance and Resilience Manager (formerly Corporate Fraud and Risk Manager) | The Assurance and Resilience Manager continued to work with Management Team to effectively promote the importance of operational risk management within the Council and continued to attend management team meetings on a quarterly basis and provided monthly updates for any urgent matters identified. |
Actions to be undertaken to identify and record key operational risks within service areas relating to risk management and business continuity. Support to be provided by Internal Audit manager if required | Due to changes in responsibilities a review was now being undertaken with all services relating to their business continuity plans. |
Follow up item
Arrange Risk Management training for all departments across the Council | Suitable Risk Management training had been identified; this would be rolled out as part of the Members’ training programme. Dates would be arranged via the Committee Services Team in liaison with the Assurance and Resilience Manager. |
The Risk Management Framework had been distributed to the Committee prior to the meeting as a late appendix.
After a detailed debate the Committee NOTED the contents of the report.