The report of the Risk, Insurance and Resilience Manager is attached.

Contact:  Angela Beechey (01743) 258915

The Committee received the report of the Risk, Insurance and Resilience Manager (copy attached to the signed minutes) which set out the current strategic risk exposure following the March 2022 quarterly review and the outcome of the annual strategic risk workshop.

The Risk, Insurance and Resilience Manager introduced and amplified her report.  She explained that numerous changes had been made to the register following the workshop; ten risk scores had remained the same, two scores were increased and one reduced, with three risks being archived and one new risk added, which gave 14 current strategic risks. 

She explained that one of those scores that had been increased was regards to the ‘inability to deliver a balanced budget’, which particular strategic risk had an individual scoring mechanism which best suited the risk, and on this occasion the likelihood was reduced to a 4 from a 5 because the Council had achieved a balanced budget for year one but had not achieved one for year two.   The impact was increased from a 3 to a 4 to reflect the current status of social care costs, increased costs of living and the financial pressures from Covid.

The other risk where the score was increased was a ‘failure to manage and mitigate the mental health and wellbeing of staff’, this was due to pressures on HR and the whole Council, the ongoing impact of Covid and general wellbeing which was raised in the pulse survey, and the fact that stress absences were still high, it was agreed that the impact score should be increased to 4, making this a high risk.

She reported that the other score that was changed was the ‘ICT infrastructure reliance’ and due to the actions that had been taken it was actually considered that the likelihood of failure could be reduced on this occasion from a 3 to a 2 making it a medium risk.  This reflected the work that had been undertaken regarding ICT infrastructure.

It had been agreed that several risks could be archived during the workshop, and these were set out in paragraph 7.7.4 of the report.  The Risk, Insurance and Resilience Manager drew attention to the one new risk that had been identified, ‘Impact of pressures in the wider Health & Care System’ and this was marked as a high risk.

During the workshop with Executive Directors, the target scores, slippage and emerging risks were all discussed and there was agreement that slippage of implementation dates for additional controls needed to be monitored more closely by the risk owners and a recognition of the risk of future concurrent events.  A workshop was subsequently held because it was recognised that there would be quite a lot of incidents happening at once and how could that be managed in the future.

She explained with the strategic risks being available in real time in SharePoint and the fact the Executive Directors review strategic risks on a cyclical basis at their weekly meetings, it was considered that risks were now fully embedded within the authority and being looked at in real time.

In response to a query in relation to ICT infrastructure being a moment in time and whether that related to a specific action that had been taken, the Risk, Insurance and Resilience Manager explained that originally ICT reliance and cyber were all in one risk but it was decided that they were two different things.  It was known that the Council has a very big exposure with cyber and a lot of work was required around that, but there was a lot of work being done around ICT reliance and additional controls had been completed, so it was felt from the reliance point of view, the Council was in a much better place but recognised from the cyber point of view, more work was required.

In response to a comment about the description of the Cyber Attack risk and that the likelihood remained at 5; it was confirmed that was just a title and there was a more detailed description that sat underneath which detailed this risk and could be sent to Members.  It was agreed for the risk definition to be expanded. The Section 151 Officer explained the reason why the likelihood remained at 5. It meant that cyber-attacks were happening and the Council had been the victim of several (benign) attacks in the last few months that had come through and got into the Council’s systems.  It was known there were vulnerabilities in the system which needed to be managed.  Work was ongoing to tighten those up and reduce the likelihood down from 5 to 4.

Concern was raised around the score for the ‘Failure to safeguard vulnerable children’ risk, as it was felt that the processes in place were robust enough to reduce the likelihood of a failure to safeguard vulnerable children.  However, the impact in terms of the Council’s reputation should be at the maximum of 5 not the current score of 4.  In response the Risk, Insurance and Resilience Manager explained that currently Children’s safeguarding was, nationally, one of the main concerns that councils have with regard to lack of social workers, the cost of living, the effects of Covid, etc. The likelihood was reflecting all these concerns.

Concern was raised that the Direction of Travel for the Council’s ‘response to and recovery from Covid’ risk, has not been reducing as it was felt that this risk would have been absorbed by now.  In response, the Risk, Insurance and Resilience Manager explained that it had been agreed to do a complete overhaul of the Covid risk to recognise that although we are now living with Covid, there were concerns around the winter period coming up, and that review was currently being undertaken and would be reported to the Committee at its next meeting. 

RESOLVED:

To accept the position as set out in the report.