Minutes:
The Deputy Chief Executive / S151 Officer presented the Quarterly Risk Update Quarter 3, 2024/25.
Members’ attention was drawn to page 52 of the main agenda pack, which detailed the ninth cycle of reviewing Corporate and Departmental Risks since the original baselining of Risks in April 2022. Over this period, we had seen:-
· Departmental ownership of risks and reviews at Management Teams on a monthly basis.
· Active review, mitigation, and reduction of risks – ensuring they became managed as part of business as usual.
· Updating of the 4Risk System – as the Authority’s repository of this information.
· That the Officer Risk Group had actively reduced risk numbers through their work and that a common approach to risk was now being embedded within the organisation.
· That the Risk Level had moved to a Moderate Assurance level in May 2023.
Corporate Risks were summarised in the table on page 53 of the main agenda pack. There had been two additions in relation to the upcoming Devolution/Local Government Reorganisation and also the embedding of a new Chief Executive and Deputy Chief Executive, both of whom were due to commence on 31st March 2025. In addition to this, there had been a number of changes with Financial Pressures (COR10), Resolution of the Approved Budget Position (COR17), Financial Position Rectification (COR20), Delivery of Levelling Up and Towns Fund Initiatives (COR22) reducing in RAG rating. There were five of these Corporate Risks classed as RED.
Members’ attention was further drawn to the section on ‘Devolution and Local Government Reorganisation’, as the new risk was significant and would impact on all facets of Council operations. Within this parliament, all Councils within Worcestershire would be disbanded and replaced by Unitary Authorities. Councils within Worcestershire had been invited to give high level “agreed” solutions/options by the 21st March 2025, with detailed solutions by November 2025. The Council would need to deliver business as usual until vesting day and there were significant risks linked to operations, relationships with other Councils within the County, finances and potential loss of staff that needed to be managed.
It was also important that the current Chief Executive and Deputy Chief Executive passed on their knowledge to the new Chief Executive and Deputy Chief Executive.
The table at Appendix A to the report set out the detail of these departmental Risks and linked them where relevant to Corporate Risks. The table also set out the RAG rating for each of these risks for Quarter 4 2023/24 and Quarters 1-3 2024/25. Those risks that had been mitigated had a “black” colour in the quarter showing it was no longer a Departmental Risk. There were now no Red Risks.
It was important when fighting claims that we maintained the correct records and the new CIVICA Housing system was helping with this.
Our insurers had highlighted 2 major risks for the sector:
· The use of Artificial Intelligence – as it was not clear what decisions were being made with this data and what the risk implications were because of this.
The Deputy Chief Executive / S151 Officer referred to security in meetings / Teams meetings and the potential use of AI generated avatars.
Following on from the presentation Members discussed cyber security in some detail and the following areas of concern were included in the discussions:-
· The number of Members who had undertaken cyber security KnowBe4 training
· Whether the cyber security KnowBe4 training was mandatory for all Members
· ‘People’ in Teams meetings potentially using AI avatars
· How safe were we on Teams meetings
· How Members could protect themselves from a cyber-attack
· The use of ChatGPT: it was a good tool to use, but where was information stored
· Exempt sessions during meetings / Teams meetings, meetings being Live Streamed, how secure were exempt sessions. Where were ‘people’ located whilst participating in exempt sessions during Teams meetings, be aware of your surroundings/environment
Members further requested a simple guide on what to look for in order to protect themselves from a potential cyber-attack.
In response the Deputy Chief Executive / S151 Officer stated that everyone needed to be vigilant. Officers could not mandate Members to attend the cyber security KnowBe4 training. However, liaison with the Council’s ICT Transformation Manager with regard to producing a simple guide for Members would be carried out (as referred to in the preamble above); and a useful link on ‘AI Unpacked’ from the Local Government Association (LGA) would be forwarded to all Committee Members.
The Deputy Chief Executive / S151 Officer reassured Members that he would raise their concerns on exempt sessions with the relevant senior officers.
It was agreed by Members that cyber security KnowBe4 training should be made mandatory for all Members.
Members then focused on Devolution and the restructuring that would be required, with the following questions / concerns being raised:-
· The use of consultancy experts and cost implications
· The tight timescale in which to achieve certain milestones, other authorities that had undergone devolution were given a longer period
· Be clear on what officers were expected to do, separate the functions from the devolution restructuring
· Have a clear forward plan, which sets out our key deliverables and measure delivery against it
However, the Deputy Chief Executive / S151 Officer stated that it was certainly seen as a positive that the new Chief Executive had been through devolution and would certainly bring his knowledge and some ideas.
RESOLVED that the present list of Corporate and Departmental risks be noted.
RECOMMENDATION that cyber security KnowBe4 training be made mandatory for all Members.