Risk Management Report:

To receive a report from the Group Manager - Insights & Transformation.


Suzanne Rolfe, Group Manager (Insights and Transformation) presented Members with the Risk Management Report, pages 55 to 59 of the Agenda refer.  A copy of the Quarter 4 Strategic Risks Register (SRR) was attached at Appendix A, pages 61 to 71 of the Agenda refer.


Members were advised that the SRR had been reviewed by the quarterly risk clinic and by Senior Leadership Team to provide the Q4 position statement.  Further details were contained in Paragraphs 2 and 3 of the report, pages 57 to 58 refer.


The Group Manager (Insights and Transformation) reported that positive feedback had been received from the auditors on the risk policy.  The feedback was useful with assurance around the items that were already in the policy as well as good practice suggestions for improvement.  The draft Policy would be brought to the next meeting in September.


Another element that was brought to Members’ attention was the Strategic Risk Register summary of changes, section 2.2 on pages 56 to 57 of the report refer.  The Group Manager (Insights and Transformation) pointed out that the Q1 review of risks was underway and any emerging risks in the risk register review would be identified and included in the covering report.


Members were invited to make comments and ask questions.


A Member referred to CORP001(a), page 61 of the Agenda refers, and suggested that there needed to be more information as it was unclear with regards to what the risk was about.


A Member further queried how the Council would balance the budget if there was a reduction in future funding and whether there was a plan in place going forward.  The Group Manager (Insights and Transformation) advised that the comments would be picked up.


A Member referred to CORP002, page 62 of the Agenda refers, and queried the matrix score on page 70 of the Agenda, pointing out that with a score of 10, the scoring should be Amber.  The Group Manager (Insights and Transformation) advised that this may be incorrect and would look into it.


A Member commented that when looking at the risk register they expected to see target risks and future actions, along with risk appetite per category.  The Member also suggested that with regards to Risk No. 1 and 2, it would be better to merge these into one. 


There were further queries that related to CORP012 ‘Technology Infrastructure failure’, page 67 of the Agenda refers, as follows:


A query was raised with regard to Risk No. 14 ‘Cyber Incident’ and whether penetration testing took place, and to Risk No. 15 ‘Capital Programme’ as to whether there was a project management methodology.  It was confirmed that penetration testing was in place; however, it would need to be checked when it was last undertaken.  It was confirmed that a Council project management methodology was in place.


With regards to Risk No. 17 ‘General Fund Assets’, page 69 of the Agenda refers, a query was raised whether this should be on the register when the risk was low. Members were advised that low risk items were often kept on the register so they could be reviewed, and would subsequently be taken off the register if there were too many.


A Member further queried whether the rating was appropriate on Risk No. 18 ‘Economic Hardship’. The Group Manager (Insights and Transformation) advised that the target risk score, along with the inherent risk score and current risk score, would be included in the new policy; furthermore, some risk appetite work would also take place.


The Group Manager (Insights and Transformation) advised that she would review all of the risks and would take into account Members’ comments made around Risk Nos. 1, 2, 14, 15, 17 and 18.


A Member referred to CORP003 ‘Business continuity and recovery in the event of a major incident or event’, page 63 of the Agenda refers, and queried whether any testing would be carried out to check that the business continuity plans actually worked.


A Member further referred to CORP012 ‘Technical Infrastructure Failure’, page 67 of the Agenda refers and commented that a score of 2 was too low and having seen the outages that had taken place over recent months, considered that the score should be higher.


With regards to Risk 14 ‘Cyber Incident’, page 67 of the Agenda refers, questions were raised with regards to how many cyber attacks had taken place over the last two years, the frequency of the attacks and how many were successful.  The Group Manager (Insights and Transformation) advised that testing was carried out as part of the business continuity plans but would respond to Members with details of the next testing date, along with details on cyber attacks.


A Member referred to CORP001(b) ‘Economic Growth’, page 62 of the Agenda refers and queried whether the score should be at a higher level so that it tied in with the matrix score on page 69 of the Agenda.


A Member commented that risks could also present opportunities and the Group Manager (Insights and Transformation) advised that the auditors had picked this up in the policy and were looking into it.


Following which, it was




That the Risk Management Report be noted.

