Agenda item

To consider the risks contained within the Corporate Risk Register and assurance that the risks are being effectively managed.   

26.1          The report of the Head of Service: Audit and Governance, circulated at Pages No. 171-189, asked Members to consider the risks contained within the corporate risk register and assurance that the risks were being effectively managed.

26.2          The Director: Corporate Resources advised that the corporate risk register was brought to every Audit and Governance Committee meeting and was a tool to demonstrate the corporate risks being considered and managed.  It did not contain every risk faced by the authority but the key ones which the Committee needed to be assured were being managed and the main updates since the last meeting were set out at Page No. 173, Paragraph 3.0 of the report.  It was noted that Ref. 2 Protection of the ICT Network was the biggest risk the Council faced and work would be ongoing in relation to that; since the last meeting, a new vulnerability management system was now fully operational and phishing exercises had taken place which had highlighted further training needs.  In terms of Ref. 4 GDPR (General Data Protection Regulation) Compliance, this was also a significant risk to the Council and it was positive that a new Information Governance Officer had recently commenced employment with the authority and would be proactively taking forward the GDPR action plan.  Ref. 7 Garden Town needed to be reviewed following the Council decision the previous night and with regard to Ref. 9 Climate Change it was noted that work had commenced on the replacement of the heating system at the Public Services Centre and the Executive Committee had recently approved a new Climate Change Officer role to provide additional resource to take forward the Council’s ambition.  Ref. 13 Development Management Review was now being overseen by the Associate Director: Planning who had recently taken up his post and a bid had been submitted for government funding to assist with the backlog of planning applications in the department.  As referenced at Page No. 173, Paragraph 3.1 of the report, the Corporate Governance Group had recently discussed whether any emerging risks should be included in the register and it was felt that planning appeals should be added – the Overview and Scrutiny Committee had raised concern with the amount of money that had been spent on planning appeals over and above what had been budgeted and the increasing number of appeals being lost, as such, it would be included as a risk when the corporate risk register was next considered by the Committee.

26.3          With regard to Ref. 5 Use of Swindon Road Depot, a Member noted that a report was due to be considered by the Executive Committee in November around a project plan for a new joint depot and she asked which body would be responsible for overseeing delivery of that plan.  In response, the Executive Director: Resources advised that was still to be determined – either, or both, the Depot Services Working Group and Transform Working Group may be most appropriate but he would also expect formal reporting to Executive Committee as a long term project.  This would be set out in the report to the Executive Committee in November.  The Member asked how long the new lease was for and the Executive Director: Resources indicated it had recently been renewed so he would need to check and update Members outside of the meeting.  With regard to the risks around the ICT network, a Member sought clarification as to who the Associate Director: ICT and Cyber was and was informed the post was currently vacant and options were being considered to ensure an appointment was made as soon as possible.

26.4          In terms of Ref. 6 Assets, a Member sought clarification as to how much was within the asset budget for commercial properties and how much had been used for the office refurbishment project.  In response, the Executive Director: Resources advised there was a separate reserve for commercial properties of £225,000 per year and there was currently over £1m in that reserve.  The asset management reserve was around £400,000 and was contributing to general office refurbishment work.  He was confident that any issues with the commercial property portfolio could be dealt with within the available reserves.

26.5          In response to a query as to how Members could contribute to the corporate risk register, the Director: Corporate Resources advised that the corporate risk register would be brought to every Audit and Governance Committee meeting to give assurance it was accurate and reflective of what was known about the environment.  He undertook to circulate the Risk Management Strategy following the meeting which would demonstrate how risks were scored; the Corporate Governance Group, which included the Executive Director: Resources, Director: Corporate Governance and the Associate Director: Finance, quality assured the scoring and the corporate risk register was taken to the Chief Officers Group on a regular basis.  In addition, there were a number of days allocated in the Internal Audit Plan to give assurance that controls were in place and working effectively and that action points were delivered.  A Member asked what data was looked at when considering the action points - she noted that Ref. 1 had a current risk score of 25 and a target of 9 and questioned the period over which that was intended to be achieved.  The Director: Corporate Resources felt this was a very good point which had not been raised before and he indicated that delivery dates needed to be added to the register in order to hold the risk owner to account.  In terms of Ref. 1 which related to volatility of funding streams, the Executive Director: Resources pointed out that those risks were out of the Council’s control – it had first been included in the corporate risk register three or four years ago and it had been hoped it would be resolved in a shorter timeframe.  All risks were different and would have different timescales associated with them.  He provided assurance that Officers would do everything in their control to balance the budget but, given what the deficit could be, it could not be resolved by the Council alone without change of government policy.  Members expressed the view it would be beneficial to know the previous risk score, or the direction of travel, and it was agreed this could be incorporated.  In response to a query, the Director: Corporate Resources clarified that the risks were currently in no particular order.  A Member asked if some were more important than others and was advised that some had a more strategic element, for example, risks around Section 114 Notices or cyber, and that was something which could potentially be drawn out in consideration of the format of the corporate risk register.

26.6.         It was

RESOLVED           That the risks and mitigating controls within the corporate risk register be NOTED.