Report of the Executive Director (Finance and Transformation) on the current strategic risks facing the Council as determined by the Corporate Management Team. These risks have been reviewed in place for Quarter Four.
Minutes:
Report of the Executive Director (Finance and Transformation) on the current strategic risks facing the Council as determined by the Corporate Management Team. These risks have been reviewed in place for Quarter Four.
It was noted there was an error in the report which was that the report that was published pulled through the level of risk rather than the impact or the level of risk which is usually held in the background which determines the traffic light colour of the risk. This stemmed from the preparatory work being done on reporting under the new risk framework which will be presented from the next meeting.
At the end of quarter 4, there were four strategic risks with a high score. The first of those is finance. While the Council has a balanced budget for 2023/24, there are ongoing risks within the budget and sizeable budget gaps in future years. Government funding for future years also remains uncertain. An updated Medium Term financial forecast will be presented in the coming months to Cabinet to take into account the financial outturn position from 2022/23 and any impacts of current and emerging pressures. The next high-risk is health and safety, at the end of the quarter, the Health and Safety Manager position was being covered on an interim basis while permanent recruitment took place, the position has been recruited to the manager has since started with the Council. The terms of reference and the membership of the occupational health and safety board had been refreshed and the group has regular reports to the Corporate Governance Group.
A review has commenced on the health and safety management system, along with a refresh of the council’s health and safety policies and any gaps identified as part of that review. Control measures will be put in place.
The next high-risk is ICT failure. This score was raised during the pandemic and maintained at a high level since the start of the war in Ukraine. This was based on government guidance that there was a heightened risk of targeted attacks against public bodies. A phishing exercise was completed during quarter 4 and additional training was rolled out following that exercise. The IT control environment is also subject to third party testing and accreditation and officers are currently preparing the Council's submission to the Cabinet Office seeking ongoing accreditation for the public services network.
The last strategic risk was the income from recyclables. This market is a volatile one, influenced by both national and international markets. The outturn for the for the year 2022/23 has just been finalised and would be reported at the next Cabinet meeting, overall, taking the recycling credits into account from the County Council. The recycling income was higher than budgeted. So whilst the out turn was a positive outturn position, the markets do remain volatile and this will still be an ongoing risk.
There were two high operational risks, the first was the lack of the five-year land supply, this risk is dependent on the delivery of the local plan and, as Members will be aware, the council has been out to consult on the main modifications to the local plan and the Planning Inspector is currently consulting on further main modifications. After this, the plan and consultation responses will be considered by the Inspector and the report will be presented to the relevant committees once received. The final high operational risk relates to housing complaints, there has been a backlog of complaints within the team during the last quarter and recruitment has been underway to fill a number of vacant posts within the team, the council has been successful in filling a number of those roles and there is agency cover in place whilst recruitment takes place for remaining vacant roles. Additional money and management oversight meetings have been put into place and to go through the outstanding complaints on a weekly basis with a view to improve the complaints performance within the team.
The following points were raised and discussed:
· Members stated they thought it was right to keep the strategic risk in red especially if the council is under threat. Members thanked the team for their fantastic work.
· Members asked about strategic risks under finance and queried is it red because the council is stating there are ongoing cuts for the coming years and then a payment is made that is more than the anticipated cuts. Members asked if that is still the case for the coming financial year, Officers stated they said the council have not got any confirmation over the 2024/25 settlement. The council is making use of general fund reserves in 2023/24 to balance the budget. It has not been confirmed but they have started looking at the fair funding review which has been coming for a few years. There is no certainty around what will happen in next year.
· Members asked about the local plan and the five year land supply and wanted officers to elaborate more on that, who is that risk to by not having a five year land supply, is it for the developer or is it for the council? Officers stated the risk, as reflected on the register, is the risk against the council. So there are risks of challenges to, planning decisions based on the fact the council does not have a five year land supply and obviously those challenges can then lead to costly court battles, so it is a risk to the Council.
· Members queried the relationship between the probability figure and the score and stated surely the probability is higher because it’s actually happening. Officers stated the report is under the old risk management framework, so the new risk management framework, which training will be provided for, will be slightly different, but for this particular one the score is calculated as probability multiplied by impact multiplied by impact.
· Members asked about property services in appendix B and stated handling remains a challenge. Members wanted to know if the new structure will address it and wanted a timeline of this being addressed? Officers stated the new structure was approved and has been put into place. The recruitment has been ongoing since the last quarter and that a number of those roles have been filled, there are still some vacancies in the team, but there is agency cover. The team is better resourced now and there are weekly meetings between senior managers and the customer services team who oversee the complaints. The council are pretty confident that they can make some good improvements.
· The Independent Person asked if an overview can be given of which risks are increasing in their significance. Officers stated there isn't currently, so under the new framework, the council will be monitoring trends and looking at which ones are increasing, which ones are decreasing. Officers will follow up in an email after the meeting.
· The Independent Person asked will the new risk-management framework also include risk indicators so that the council can get an assessment of how that's moving. Officers stated that it will.
· The Independent Person asked specifically on the risk ICT failure, it seems to be quite specific to Microsoft Windows, how are other areas assessed. Officers stated the risk description needs updating. It does look at ICT failure across the board and it is not just Microsoft Windows and under the new risk register, there will be a better description and better controls in place for reporting.
· The Independent Person asked about the Quarter 4 phishing attack exercise and stated given there are other threats, is there a simulation plan as part of disaster recovery? Officers stated the council does run disaster recovery tests. The exercises usually run once a year and the council have external accreditations. The council have also done penetration testing. The overview and scrutiny committee have recently raised this area to look at. Officers are looking at presenting a report to the committee. It was noted the report would also be sent to the Independent person too.
RESOLVED:
(unanimous)
Members noted the attached current Risk Management Update and noted comments and actions in respect of the strategic and top operational risks.
Supporting documents: