Agenda item

To consider a progress report on individual risks identified in the Council’s Strategic Risk Register.

The Committee considered a progress report in relation to the individual risks identified on the Strategic Risk Register, specifically in relation to risks regarding ‘Service Failure’. The Committee discussed plans to control and mitigate the risks with the strategic risk owner, Mr Thompson, Director of Resources.

Mr Thompson began by explaining that the risk of service failure was split between external and internal provision of services. In the case of the former, the sub-risk was identified as ‘Failure of a service provider in high risk contracted areas such as Social Care and Waste Management’. He pointed out that in the current climate, it was not unusual for providers to go into administration. In such cases, where a service was terminated, the Council had a statutory duty to provide continuity. An example quoted was the provision of services to residents in care homes. To mitigate against risks, the Committee was informed that contractors were required to provide adequate business continuity arrangements, although difficulties arose where services were sub-contracted.

In relation to internal services and the sub-risk ‘Loss of key infrastructure which results in Council services not being delivered, such as ICT and property’, Mr Thompson advised that ICT (as an example) was a common thread that most services relied upon and that the property portfolio, together with the services within, needed to be prioritised. The Corporate Risk Management Group was involved in testing priorities and an example quoted was the arrangements that were in place to ensure continuity of services in the case of a flu epidemic. On the requirement to ensure that all services had up to date business continuity plans in place, it was pointed out that the current proportional figure within the Council was 95% against a target of 90%. Mr Thompson mentioned however that the current aim was to achieve 100% in the near future.

Mr Thompson also advised that it was important not to lose sight of the full spectrum of risks that may impact on service failure in the future. A feature of the current financial climate was that some local authorities were forecasting considerable risks in relation to forthcoming budget issues going forward.

Mr Thompson was questioned about risks that were considered to be uncontrollable and the types that were considered to be so. He explained that a flu epidemic would be a good example and a flu pandemic would be considered critical. External inspections that affected the operation of care comes was also quoted. He explained that whilst processes were in place to mitigate against such failures, it was not possible to provide continuous monitoring. It was further explained that risks around infrastructure were easier to manage.

The Committee raised questions around corporate ICT business continuity and resilience against a possible cyber attack. Specifically, the question around the adequacy of the Council’s server back up arrangements at Municipal Buildings and Bickerstaffe House. Mr Thompson acknowledged that the risk of cyber attack was a prevalent threat and would feature within the Quarter 3 Internal Audit report. In relation to adequacy, he advised that external provision could be bought, although at a premium cost and the risk needed to be balanced against that cost. Continuing on the subject of ICT back up arrangements, the Committee asked whether additional steps were not being taken due to costs. Mr Thompson explained that even if additional arrangements were located elsewhere, there would still be an element of risk. Under the current arrangements, the Council had direct control and influence over the risk. In terms of the actual risk rating for ICT back up arrangements which was currently at amber, Mr Thompson was asked about the possibility of achieving a green rating. He explained that it would never be possible to totally eliminate risk in the area and was therefore comfortable with an amber rating.

Mr Thompson was questioned about the level of staff turnover in ICT and whether the right people were in place. He acknowledged that experienced ICT personnel were a marketable resource and that ultimately the answer to the question was based upon judgement. The Council continued to strive to be an attractive proposition to ICT employees.

The Committee asked questions relating to the net score of 16 on the register against the sub risk of external service failure in a high risk area. In particular, Members asked whether benchmarking had been undertaken with other unitary authorities that faced the same issues. Mr Thompson responded by explaining that benchmarking was not possible because the circumstances were so different between authorities. In terms of the score itself, Mr Thompson suggested that the difference between a score of 16 and 20 was not material and the focus ought to be more on whether the rating was at red or amber. He added that further mitigation methods were unlikely to reduce the figure any further.

The Committee thanked Mr Thompson for his attendance and agreed:

1.         To note the report.

2.         To receive the Quarter 3 Internal Audit report at a future meeting of the Committee.

3.         To request the attendance of the Head of ICT at the same meeting that the Quarter 3 Internal Audit report is considered.

Background papers: None.