The Interim Section 151 Officer presented the Quarterly Risk Update for Cabinet’s consideration.
Members were advised that in 2018/19 there had been an audit of risk management arrangements in place at the Council. As a result of this audit, Zurich Municipal was commissioned to consider the Council’s risk management arrangements and the suggestions made in this review led to the Council adopting a Risk Management Strategy. The Internal Audit team subsequently reviewed risk management arrangements in place at the Council and unfortunately this had concluded that there was a lack of evidence that the requirements detailed in the Risk Management Strategy were being fully complied with. The Corporate Management Team (CMT) had subsequently reviewed arrangements and, whilst finding some compliance, had concluded that this was not consistent across the authority. A Risk Management Board had subsequently been introduced and all departments were required to nominate a risk champion who attended meetings of the board.
The Audit, Standards and Governance Committee was the responsible body for considering the Council’s management of corporate risks. However, as no report had been presented for Members’ consideration on the subject of risk management for three years, a decision had been taken to also report to Cabinet on the arrangements.
The Council used the 4Risk system to manage both corporate and departmental risks. This system had been reviewed and had been found to be fit for purpose as long as correct information was logged on the system. However, the Council was not prescriptive about how the system should be used.
Members discussed the content of the report and in doing so made reference to the two departmental risks categorised as “red risks”, both in relation to the ICT department. These related to failure to identify, maintain and test disaster recovery arrangements, and to system functionality to manage records. Officers explained that the ICT department had been very strict in reviewing their departmental risks and that considerable action was being taken to address these risks, including in relation to cyber security, which was considered to be a corporate risk.
Reference was made to the Risk Management Handbook which referred to the Leader as the lead Councillor for risk management. Officers confirmed that this would be updated in the handbook and Members were advised that in fact the Audit, Standards and Governance Committee was the lead for risk management.
Cabinet discussed the definition that had been provided in the report for a corporate risk, which needed to have a significant impact on the Council’s finances, be cross-departmental and/or result in serious reputational damage. Questions were raised about what was considered likely to fall within this definition and about the potential for departmental risks to also be considered corporate risks. Officers clarified that corporate risks tended to be cross-cutting across various departments. The only corporate risk that was specific to one department related to the Planning process.
1) the definition of a Corporate Risk be approved;
2) the present list of Corporate Risks be approved;
3) the use of the Risk Management Framework devised by Zurich be approved; and
4) the progress made on the Action Plan approved by CMT on the 16th March 2022 be approved.