Agenda item

Report by the Director of Finance, Performance and Procurement.

The Committee is asked to review the information detailed in the report and the current Corporate Risk Register, and provide comment as necessary.

27.1   The Committee considered a report by the Director of Finance, Performance and Procurement (copy appended to the signed minutes).

27.2   Mr Pake, Corporate Risk and Business Planning Manager, introduced the report and highlighted section 2.2 which outlined changes to the risk register for the quarter.  Risk Management Lunch n Learn sessions were going well, and the eLearning module was due to be launched at the beginning of February; with reviews to be undertaken every six months

27.3   The Committee made comments including those that follow.

•    Asked for details on the professional body Alarm.  – Mr Pake confirmed that Alarm is a risk management organisation which had a firm focus on local authorities.

•    Queried the low risk value for CR24 and how this related to risk CR22.  – Ms Eberhart confirmed that a review of the Corporate Risk Register would look to combine relevant risk and improve the language used in the register.

•    Asked if the whole council design transformation programme had a risk.  – Ms Eberhart explained that the programme had its own risk register.  There was not a high enough perceived risk for this to be on the Corporate Risk Register.

•    Asked if the capital programme should be on the Corporate Risk Register.  – Ms Eberhart explained that this work also had its own programme and did not need to be added to the Corporate Risk Register.  The Corporate Risk Register represented the main risks for discussion that were considered corporate risks.  Individual works would have their own processes.

•    Noted the individual processes for risks and discussed where items should appear.  – Ms Eberhart agreed to draft a strategy document to look into how information was presented.

•    Sought clarity on the change in risks, particularly the IT risk that was now over the threshold.  – Ms Eberhart explained that corporate responses to risk would be how a risk is determined; therefore an IT risk would remain in IT.  The Corporate Risk Register was designed for action.  A supplement to the Corporate Risk Register could be considered to highlight the discussed issues.

•    Queried the action taken for CR58.  – Mr Pake reported that there had been a change in director and that the Corporate Risk Register would be updated once the risk owner had been appointed.

•    Queried the action taken for CR57.  – Mr Pake reported that this has been recently reviewed and that the rating would come down following the work that had taken place.  A new risk owner would be confirmed soon.

•    Highlighted that the report referred to a January review.  – Ms Eberhart agreed to send an update to the committee on risks CR56, CR57 & CR58.

•    Noted that CR50 was rated 20 in March 2017 and was now at 16; was work still happening on this.  – Mr Pake explained that there was a significant amount of work, with actions in place to mitigate concerns.  Conversations would be had with the team to understand milestones and key performance indicators with a view to consider the review date.

•    Queried the lack of dates in CR39b.  – Mr Pake explained that the works were ongoing and so there was not a specific end date.  Mr Pake was due to review this risk with the Director of Law and Assurance.

•    Sought clarity on the risk levels for 39a.  – Mr Pake explained that this risk would never be completely mitigated and that work was on-going to continue raising awareness.  Tests had been run on the recovery of data, and results from this will be analysed.  Ms Eberhart explained that there were learning points from the exercise and that business continuity plans required updating.

•    Queried the details for an offline backup of data.  – Ms Eberhart reported that a backup was held in Horsham.  Ms Eberhart resolved to ask the Chief Information Officer for details on the arrangements for the Committee members.

•    Asked if the risk management lunch ‘n’ learn sessions were compulsory.  – Mr Pake explained that the sessions were not compulsory, but had been created to fill the training void while the eLearning modules were being developed.  The course evaluations received indicated that the sessions are of benefit.

•    Asked if the table in 2.3 could be compared with the previous quarter for future reports.  – Mr Pake agreed to include an additional column in the table indicating the risk score from the previous quarter.

•    Sought clarity on how the effectiveness of the eLearning modules would be monitored.  – Mr Pake explained that the Learning and Development would monitor the feedback of the sessions.  Mr Pake would also conduct a review of the contents every six months.  The modules would be part of the corporate induction and on the annual refresher programme.

•    Queried how far in the future risks were considered.  – Ms Eberhart explained that this depended on each risk scenario.

•    Highlighted that the current borrowing strategy would carry future risks that needed to be considered.  – Ms Eberhart gave assurance that long term strategy was considered as part of the decision process.

•    Commented on diversification of risk areas and the need to take a holistic view of the Capital Programme.  – Ms Eberhart confirmed that this had been discussed at the Performance and Finance Select Committee and was part of the budget papers.

•    Queried the work of the LGA peer review and how the dialogue related to the actions.  – Mr Pake confirmed that work was ongoing to see how the mitigations could be mapped.  Collectively the works looked to address the risk.

•    Noted the feedback given during the minutes item on the contract task and finish group and raised concerns that the task and finish group would only be focussing on governance, and not contract negotiation.

27.4   The Committee discussed the recommendation in the report and unanimously agreed the recommendations in minute 27.5.

27.5   Resolved – That the Committee.

1.   Requests that future reports are used to draw attention to risks that are not on the Corporate Risk Register, whose severity is severe.

2.   Requests that future reports show a previous quarter comparison for the table at section 2.3 in the report.

3.   Requests an update on the review of the Corporate Risk Register.

4.   Asks officers to look at the whole council review as part of risk reporting.