Agenda item
To present to the Audit Committee the updated Corporate Risk Register.
Minutes:
The Committee considered the updated Corporate Risk Register which was normally updated and presented to the Committee every six months. The Register had been last presented in April 2024.
The following table summarised the position at the end of the period under review with updated information provided within the register where necessary:-
| Item | Number |
| --- | --- |
| New Risks Identified | 0 |
| Risks Removed | 1 |
| Risk Score Amended | 0 |
| Risks Under Review | 4 |
| Risks Amended | 9 |
Corporate Risk Management Framework
It was anticipated that there would be a need to change the responsibilities section of the risk management framework soon due to changes in roles. No changes had been made at this time. The assessment criteria and objectives of the framework currently remained the same. The framework had been included at Appendix A of the Internal Audit Manager’s report following a recent review and was for Members’ information only.
Corporate Risk Register
The Committee was informed that the register had been subject to the review process with all officers responsible for the risks identified within the risk register, with some highlights as follows:-
· Financial Strategy, IT Security, Data Protection and Coastal Defence remained as high risk on the Corporate Risk Register. The responsible officers had provided an update on the ‘Current Action Status’ of the risk register.
· The Human Resource risks around lack of capacity and loss of key staff had now been merged as one risk. Although both were separate issues, they had the same impact on the Council with regards to not being able to deliver key services. Additional sub-risks with mitigation had been included within the ‘Current Action Status’ of the overarching corporate risk.
· The changes to the Corporate Risk Register set out in this report reflected minor changes undertaken since the Committee had last considered the register in April 2024. It provided updates where needed and revised changing deadlines.
The Internal Audit Manager recommended that a further review be undertaken to determine where some risks could now be removed or potentially merged. Examples of this could be to remove risk 2d – Transforming Tendring Project as the Council’s transformation project had been completed several years ago or risk 2e – Essex Family Solutions as it was now a partnership between ECC and TDC and therefore no longer considered a significant corporate risk.
There might also be an opportunity to merge some risks such as IT Security and Information Management risks potentially reducing four risks to one or two. This was because all those risks were managed centrally with the same controls and procedures reducing the inherent risk for all areas identified.
The Committee noted that the Internal Audit Team had been working with the IT department to build an in-house system to manage Business Impact Assessments (BIAs) for all services across the Council. The Internal Audit Manager had now collected all BIAs required. Some final testing of the system was being undertaken before all BIAs were uploaded. This would allow all departments to log in and update their risks periodically rather than chasing spreadsheets and collating data, which could be very time consuming.
The below table sets out all amendments to the Risk Register since it had been last considered by the Committee in April 2024.
| Risk Register Item | Amendments / Comments |
| --- | --- |
| New Risks Identified | None |
| Risks Removed | 4b – Lack of Capacity to Deliver Core Services (Merged with 4a – Loss of Key Staff) |
| Risk Scores Amended | None |
| Risk number changed. | None |
| Risks Amended | Item 1b – Catastrophic IT network failure – Controls updated within the current action status; Item 1c – Ineffective communication / management of information – additional information on information breaches added to the current action status; Item 1d – Ineffective Cyber Security Physical and Application (software) Based Protection Management – additional information added regarding immutable backups and Zero Trust Network Architecture (ZTNA); Item 2f – Garden Communities – Current action status updated to reflect the latest timeline of events; Item 3a – Member Conduct – Current action status updated to reflect an increase in complaints and training provision updates; Item 4a – Loss of Key Staff – merged with 4b and now includes all sub risks and mitigation against the overarching corporate risk; Item 6a – Loss of sensitive and/or personal data through malicious actions loss theft and/or hacking – additional update on policy and procedures included within current action status; Item 6b – Disconnection from PSN Network – additional information relating to IT Security Healthchecks and Cyber Assessment Frameworks; Item 7a – Local Plan – current action updated to reflect current timelines. |
Members were informed that no changes had been required for the following risks. The responsibility for some risks had recently changed and therefore might require a further update for future reports.
| Risk number | Risk title | Responsible officer |
| --- | --- | --- |
| 1a | Failure to effectively manage assets | Andy White |
| 2a | Coastal defence | Andy White |
| 2b | Community Leadership Projects | Lee Heley |
| 2c | Building Council Homes | Damian Williams |
| 2d | Ineffective delivery of transforming Tendring project | Andy White |
| 2e | Essex Family Solutions | Lee Heley |
| 3b | Failure to comply with legislative requirements. | Lisa Hastings |
| 3c | Health and Safety | John Higgins / Clare Lewis |
| 3d | Fraud and Corruption | Richard Barrett / Craig Clawson |
| 5a | Financial Strategy | Richard Barrett |
| 8a | Failure to collect levels of income required from Council Tax to fund the Council’s financial requirements. | Richard Barrett |
| 8b | Failure to collect levels of income required from non-domestic rates to meet the shares between the Government, Essex County Council, Essex Fire Authority and TDC | Richard Barrett |
| 9a | Ineffective Emergency Planning | John Fox / Catherine Boyer-Besant |
| 9b | Ineffective Business Continuity Planning | John Higgins |
The Committee was made aware that the Fraud and Risk Team continued to oversee the Council’s Risk Management supported by the Council’s Internal Audit Team. The table below set out the work currently being undertaken.
| Agreed Action | Current Position |
| --- | --- |
| Management Team to promote the importance of operational risk management within the organisation and ensure that Senior Managers implement a process for identifying and mitigating risks in coordination with the Assurance and Resilience Manager | Management team continue to be updated with urgent matters on a quarterly basis. |
| Actions to be undertaken to identify and record key operational risks within service areas relating to risk management and business continuity. Support to be provided by Internal Audit manager if required | Due to changes in responsibilities a review is now being undertaken with all services relating to their business continuity plans. |
| Follow Up Item | |
| Arrange Risk Management training for all departments across the council | Suitable Risk Management training has been identified; this will be rolled out as part of the Members training programme. Dates to be arranged via the Committee Services Team. |
The Internal Audit Manager and the Director (Finance & IT) responded to the Committee’s questions on this report.
After discussion it was moved by Councillor Sudra, seconded by Councillor Fairley and unanimously:-
RESOLVED that –
(a) the contents of the Internal Audit Manager’s report (A.2) be noted;
(b) the Internal Audit Manager’s recommendation that a further review be undertaken to determine where some risks could now be removed or potentially merged or others added, be supported; and
(c) a training workshop/module on risk management for the Committee be explored and that it takes place before the Committee meets to make any decision on the review referred to in (b) above.
Supporting documents:
- A2 Report - Corporate Risk Update, item 58. PDF 170 KB
- A2 Appendix A - Risk Management Framework, item 58. PDF 788 KB
- A2 Appendix B - Corporate Risk Register - January 2025, item 58. PDF 598 KB