As part of the Audit & Governance Committee’s role, the Committee’s terms of reference include monitoring the Council’s risk management arrangements and providing independent assurance as to their adequacy. This report contains details of all of the open Part A risks. A complementary Part B report contains details of risks with exempt information.
Minutes:
Malcom Davies, Head of Insurance, Anti-Fraud and Risk introduced the report to the Committee.
The report included publication of the full Part A Corporate Risk Register, which indicated a significant improvement in the council’s risk reporting maturity and supported the broader transparency agenda for the council. This provided a complete overview for the Committee and enabled it to ‘call in’ any risk for a deep dive regardless of its current rating by risk owners.
The risk summary report included at Appendix A was noted; as requested by the Committee, this indicated the direction of travel of risks in a condensed dashboard.
A summary of the intended developments for the risk register framework going forward, with input from the Committee and other key stakeholders, was included within the report.
The Committee thanked officers for their work alongside the Independent Chair, Vice Chair, Independent Member, Chair of Scrutiny and Overview Committee and others to develop and improve the risk management framework further and for taking onboard feedback raised by members at the previous Committee meeting.
The Committee noted there were several risks which had been at red status since October 2023 and queried whether this was because nothing could be done to improve the risk score. Officers advised there were some areas such as the accounts which were anticipated to improve and finance where there were ongoing issues, particularly where for example demand was rising and therefore issues were anticipated to continue. The risk register provided an accurate overview of where the council’s risk profile was presently.
The Committee raised risks where there was a future rating which was inexplicably low, with no details provided within the future control measures to explain how the future rating would be achieved. It was noted that members had discussed with the dashboard developer the possibility of a field to provide a justification narrative for the future rating.
The Committee discussed the importance of clearly defined definitions for future risk rating, which should articulate a future target level for the risk, the anticipated future rating based upon the implementation of current control measures, and narrative around how this would be achieved. This would ensure the Committee was able to challenge the link between the actions and the reductions in the risk.
The Committee raised that there appeared to be inconsistencies in how risk owners were adopting the risk management framework, either due to differing interpretations of what was required or that risk owners were not using the risk management framework to manage risks.
Officers advised that a recommendation from the improvement work being undertaken was to ensure consistency in the terminology and noted Members would likely prefer the council to move towards using the standardised risk management terminology of ‘inherent’, ‘residual’ and ‘target’ risk ratings. At present the council’s target risk rating was described as ‘future’ risk rating.
It was suggested that risks with anticipated scored reductions but insufficient control measures could be called in by the Committee to seek further assurance.
Officers advised that risk owners were always able to access the risk management system but were required to complete a formal quarterly review. The quarterly review was reported to Corporate Directors for oversight and risk officers supported them to challenge the risk statuses and narrative against the scoring guide. In some instances, not all risk management activity was being captured within the risk management system narrative and there was ongoing work to improve this.
The Committee noted usually future/residual scores were based on controls whereas a target score was based on ambition. For example, risk FR0065 on financial sustainability had the future control as red which illustrated the anticipated reality, whereas the target would ultimately be to balance the council’s budget and therefore be green.
Officers advised there was currently no target rating within the risk management framework, only future, which was based upon the control measures being implemented. The Committee felt that a target rating would provide greater understanding of what the council wanted to achieve and enable the Committee to challenge the control measures in place.
Members advised they felt the council’s risk appetite was a missing component within the reporting. Officers suggested there was an aspiration for the council to move towards this; however, it was important to ensure the basics of correct interpretation of the terminology and provision of narrative were being done correctly first.
The Committee requested an overview report explaining the journey of improvement for the Council’s risk management framework to be brought to a future committee meeting.
In response to questions from the committee around the need for refresher training on use of the scoring guide and whether it would be possible to standardise the narrative provided across departments.
In response to questions officers agreed to include the scoring guide reference table with future reporting to the committee and advised that the financial impact was included within this empirical scoring. It was noted that several of the risks included within the register could be deemed ‘issues’ and these were not reported separately but kept on the risk register for ease of reporting and engagement by officers.
Officers noted the committee’s interest in developing the council’s risk appetite and this would form part of the risk management improvements in the future.
The Committee had requested the Public Switched Telephone Network Risk CDS0043 for the deep dive at its September meeting and agreed to circulate suggestions for future risk deep dive areas to the Independent Chair and officers.
The Committee RESOLVED;
1. To note the contents of the corporate risk register as at July 2024 as set out in Appendix 1 Risk Summary Report and Appendix 2 Risk Detail Report.
2. To agree which risk(s) will be called in for a risk ‘deep dive’ at following meetings of the committee.