Minutes:
The Interim Director of Finance and Section 151 Officer presented the Quarterly Risk Update and in doing so highlighted that this was now the fourth cycle of reviewing Corporate and Departmental Risks since the original baselining of risks in April 2022. It was also the fourth management report on risk presented to the Committee since the original baselining of risks.
It was reported that there were 13 Corporate Risks, including a risk related to the Cost of Living Crisis. Since last reporting, a new Corporate Risk had been included which related to the replacement of the Council’s existing Customer interface, which was also linked to significant budgetary savings in the 2025/26 financial year.
There were now 51 Departmental Risks of which 1 was a red risk related to Revenues - Performance Indicator data which was not deemed robust as it could not be system generated. It was reported that it was unlikely the number of risks could be further reduced as these were now mostly linked to compliance. In addition, the Worcestershire Regulatory Service (WRS) Risks, reported to its board on a quarterly basis, were included at Appendix B. The significant risk for WRS centred around finance and contracts with other local authorities.
It was reported that cyber security presented probably the greatest risk for the Council and the local authority sector at large. The sector was particularly affected by cyber-attacks and Officers commented that there were now fewer insurers willing to offer cyber insurance services. It was reported that this was considered by the Audit, Governance and Standards Committee at Redditch Borough Council (Minute No. 25 – Quarterly Risk Update) with a motion agreed by that Committee recommending that the Local Government Association (LGA) facilitate a process to assist the local government sector with the deficiency in the cyber security insurance market.
It was reported that Councils needed to have two-factor authentication for accessing Council systems as a requirement to obtain cyber insurance. This was in place for Bromsgrove District Council. Additionally, other measures were taken to improve cyber security at the Council, including mandatory cyber security training for all staff and periodic phishing tests undertaken across the organisation.
Following the presentation, a number of questions were asked to which the following answers were provided:
· It was stated that Artificial Intelligence (AI) solutions were being considered by the Council in areas such as customer interface and preparation of job descriptions, as part of work on replacing the current customer access portal. Parts of customer interfaces were already automated. It was noted that the Council needed to be fully assured of the safety of any technologies such as AI before any implementation could be undertaken.
· It was reported that the Council’s financial ledger system was hosted in the cloud by the supplier, TechnologyOne, which meant it was possible for the company to access the Council’s data, for example when performing IT maintenance work on the system. This access was, however, bound by contractual agreements and protected against access for unauthorised purposes.
· There was a remote back-up process for data hosted on the financial system and Officers undertook to report back to Members on the frequency with which back-ups were taken.
RESOLVED that the present list of Corporate and Departmental Risks be noted.