As part of the Audit & Governance Committee’s role, the Committee’s terms of reference include monitoring the Council’s risk management arrangements and providing independent assurance as to their adequacy.
For the reasons set out in the report and its appendices, the Audit & Governance Committee are recommended:
To note the contents of the corporate risk register as at April 2024
Minutes:
Malcolm Davies, Head of Insurance, Anti-Fraud and Risk, introduced the report to the Committee and noted that the Committee would be receiving the Corporate Risk Register reporting on a quarterly basis going forward. The Corporate Risk Register was received and scrutinised monthly via the council’s Corporate Management Team (CMT) meetings. Future control measures and the articulation of risk improvement plans were areas of weakness within the register. Key risks highlighted in the report which had escalated to Red status since last reviewed by Members were noted.
The Committee was requested to consider which area of risk to call in for the Risk ‘Deep Dive’ item at the June meeting of the Committee.
The Committee suggested that any of the risks which had recently become Red were prime examples for the risk deep dive call-ins. Concerns were noted around the potential impact of Risk CDS0043 (Public Switched Telephone Network switch off is happening in December 2025) and the need to move quickly to mitigate it. The Committee requested understanding of the immediate plans around this issue.
The ability for the Committee to call in officers with longstanding Red status risks as a separate tool from the deep dive requests was noted.
The Committee queried the improvements to leadership culture, integration and engagement with risk management within the council. Councillor Jason Cummings, Cabinet Member for Finance, advised there had been a cultural shift where officers were not fearful to raise issues at the earliest stage. Potential risks were captured on the council’s period monitoring report and were therefore more visible for monitoring and early intervention.
The council’s risk champions within directorates had boosted management risk engagement and corporate directors were now seeking assurances which illustrated a culture change. It was suggested the Committee could invite risk champions to a future committee meeting. Officers noted risks were also considered thematically via the council’s internal control boards.
Members noted the weaknesses in future control measures within the Corporate Risk Register, particularly where future control dates were in the past. It was felt there was no clear understanding of the impact of controls on the risk status, and any movement in risk status was not illustrated. Officers advised that the need to articulate, via a risk management plan, how future risk ratings would be achieved was discussed with risk owners.
The Committee queried the inconsistency in compliance cited within the report. It was advised that some officers engaged better than others and the Committee was encouraged to call in risk owners where Corporate Risk Register entries were felt to be insufficient.
In response to questions, it was advised future controls were usually considered within a 12-month timeframe and the Committee should consider whether future control target dates were realistic to achieve the improvement. It was advised that the council’s management considered whether risks should be higher or lower in status and there was no desire to see risks reducing in status if this was not correct.
The Committee suggested the addition of a rating to reflect the impact of the current actions being undertaken, which would provide an assessment of their effectiveness in achieving the target score. Officers advised this could be explored using the JCAD risk management software.
The Committee noted that the council’s strategic priorities should be reflected within the Corporate Risk Register. Officers agreed having integrated performance and risk reporting was important and was on the work plan.
The Independent Chair requested that the Head of Risk, Anti-Fraud and Insurance join their discussion with the Chair of Scrutiny and Overview Committee regarding the committee’s work programmes and risk.
The Committee queried whether the risk implementation date was when the control actions began or when they were effective, and asked that the acceptable level of risk for each entry be made clear, for example where Amber may be an acceptable risk level for some entries. Officers advised the future control date was when it became effective and inclusion of the acceptable risk score as determined by risk appetite could be explored.
The Committee RESOLVED to note the contents of the corporate risk register as at April 2024.