Agenda item

To consider the risks contained within the corporate risk register and assurance that the risks are being effectively managed. 

28.1          The report of the Head of Corporate Services, circulated at Pages No. 70-90, asked Members to consider the risks contained within the corporate risk register and assurance that the risks were being effectively managed.

28.2          Members were advised that the corporate risk register was a high-level tool which helped management to consider what the corporate risks were and how they were being managed.  The scoring was based on three stages: gross risk score – the inherent risk without any mitigating controls in place; current risk score – the assessed risk after the application of controls; and target risk score – the proposed risk score by applying future controls if the current risk score was deemed to be too high.  The register was used to inform the Internal Audit Plan as risks were followed-up to give the Committee assurance that controls were in place and working effectively.  It was presented to the Corporate Management Team on a monthly basis and further reviewed by the Corporate Governance Group.  The register was attached at Appendix 1 to the report; it was noted that each risk had a designated owner who was accountable for the risk and a comments box to update Members.  The key actions arising since the register was last presented to the Committee in July were set out at Page No. 72, Paragraph 3.1 of the report.  With regard to Ref. 3 – Cyber Security, Members were advised that awareness training had been arranged for Members in October, the Executive Committee had recently approved a new two year post within the IT team and a new firewall was being procured.  In terms of Ref. 7 – Waste Partnership, it was noted that a Depot Services Working Group had been established by the Overview and Scrutiny Committee with the intention of dealing with all Ubico issues in one place and these meetings would be attended by the Lead Member and the Chair of Audit and Governance Committee.  With respect to Ref. 8 – Asset Management, Members were informed that the refurbishment of the vacant ground floor space at the rear of the west wing was now complete and being occupied by the County Council which had signed a new long term lease for all areas of occupation within the Public Services Centre.  It was noted that Ref. 6 – Emergency Planning and Ref. 13 – Fraud and Corruption had both been added to the corporate risk register as part of the work undertaken during the last quarter.  The findings of the emergency planning audit were contained within the Internal Audit Monitoring Report which was the next item on the Agenda.  In terms of emergency planning, whilst there was confidence that the Council was fulfilling its duties, it was recommended that a training programme be formalised and properly documented and a schedule of test exercises carried out.   In addition, it was considered that all members of the response team should be provided with a mobile telephone and the Resilience Direct network should be reviewed to ensure that all documentation was up-to-date.  The risk assessment update was presented to the Emergency Planning Team Leader meeting every quarter and it was recommended that each Team Leader should provide feedback to their teams, for example, the Head of Corporate Services advised that he headed up the co-ordination team which set-up the IT room in the event of an emergency and he should be accountable for that as opposed to the District Emergency Planning Liaison Officer (DEPLO).  There were also recommendations around updating job descriptions to reflect emergency planning requirements in order to address inconsistencies which had been identified.  Overall, it was considered there was a satisfactory level of control within the systems audited. 

28.3          In response to a query regarding the type of emergencies which may require these arrangements to be put into effect, the Head of Community Services indicated that flooding was an obvious one for the borough and Officers were well versed in how to respond to that particular emergency; however, there were other “rising-tide” events, such as Brexit which the county had been preparing for via the Local Resilience Forum over the past year.  The other significant emergency event which had occurred since he had worked at the authority was the water supply outage in December 2017 when 10,000 properties within the borough had been left without water for up to 72 hours; in addition, there had been an incident with a fire in Brockworth which, although not a major emergency, had required a similar reaction from Officers.  A Member recognised that Tewkesbury Borough Council had its own plans in place but he questioned what happened if the Council Office building was compromised, how the Council interacted with other partners, such as the Police and Fire Service, and whether someone stepped in to perform a liaison role to ensure there was a co-ordinated response.  The Head of Community Services confirmed that Tewkesbury Borough Council had a business continuity plan in the event that the building was inaccessible etc. The Local Resilience Forum met twice a month and there were currently strategic and tactical groups looking at Brexit – in the run up to 31 October, when the United Kingdom was due to leave the European Union, meetings would take place daily.  A lot of information was fed up to COBRA, the government’s emergency committee, and in the event of a major incident being declared by a single agency, all other Local Resilience Forum agencies would be notified in accordance with Operation Link and, within hours, the DEPLO would be engaged in a teleconference or face to face meeting to discuss that emergency.  In response to a query regarding Brexit, Members were informed that the biggest risk for the Council was a concurrent event, for example, if there was a flood event and the Police had been deployed to another part of the country as they were obliged to provide mutual aid to other authorities.  A Member queried where the rest centres were located within the borough as this had been unclear when trying to provide a safe place for the families affected by the recent fire in Brockworth who had ultimately been taken to the community centre.  The Head of Community Services explained that there were a variety of rest centres across the borough and he undertook to let Members know their locations following the meeting.  In terms of the fire in Brockworth, he provided assurance that everyone had been accommodated very quickly - before anyone from the Council had arrived on the scene - but it was likely that the community centre was the rest centre location in that area which was why the families had been taken there.  He also pointed out that a rolling programme was in place to work with Parishes to ensure they had emergency plans so this would include Brockworth at some point.  The Head of Corporate Services confirmed that there was a debrief following every emergency event and there were always lessons to be learnt from each incident.  The Chair felt that the audit demonstrated how much emergency planning had progressed since the flooding in 2007 and he was amazed at the work that had been done.

28.4           The Head of Corporate Services went on to draw attention to Page No. 87 of the report which related to the risk around the Council’s fraud and corruption framework and he advised that an audit had been undertaken to assess whether this was robust.  Audit testing had concluded that there were appropriate mitigating controls on the policy framework and there was an action to regularly review key policies such as the Counter Fraud and Anti-Corruption Policy which had been considered earlier in the meeting.  He indicated that Tewkesbury Borough Council was a fairly low risk authority due to the nature of its services, for instance, it did not have its own housing stock, Ubico was responsible for depot services and the leisure centre had transferred to Places for People; nevertheless, it was always important to be alert in terms of potential areas of risk.  It was noted that there was an additional risk around the Ashchurch bridge project which was likely to be included in the corporate risk register in the next quarter.  Members were advised that all risks would be picked up by the Internal Audit team and audits would be undertaken at appropriate points in order to add value; all key risks were monitored and managed to ensure key milestones were reached and the relevant governance was in place to deliver at the correct time.

28.5           Having considered the information provided, it was

RESOLVED          That the risks and mitigating controls within the Corporate Risk Register be NOTED.