Agenda item

To consider a progress report on individual risks identified in the Council’s Strategic Risk Register.

The Committee considered a progress report in relation to the individual risks identified on the Strategic Risk Register, specifically in relation to the risk regarding ‘Ineffective Governance’. The report was presented by Mr Towers, Director of Governance and Partnerships, who outlined the controls and mitigation in place around the sub-risk ‘Non-compliance with statutory requirements and internal procedures. In connection with the new and developing controls, Mr Towers gave details of the efforts being made to raise awareness of the standards that were required and awareness of the consequences of failure. He spoke about the need to ensure all relevant policies and procedures were updated and the need to ensure staff awareness was up to date. He explained that audits had recently taken place in both the Place and Resources directorates to provide the necessary assurances that staff knowledge and awareness of the Council’s decision making process was adequate and up to date.

Mr Thompson, Director of Resources explained that the topic of governance covered a whole range of issues and spoke specifically about the cyber threat sub-risks. He explained that the risk of cyber-attack had grown exponentially and that basically, the risks had doubled during the past year. The risk of staff errors had grown due to people having to work harder with less time, thereby increasing the risk of making mistakes. Mr Thompson explained that it was hugely important for the Council to try to minimise those risks and at the same time, to learn from any mistakes that were made.

In connection with the sub-risk of increased risk of fraud, Mr Thompson reported that risk management was getting stronger in this area. He explained that all services within the Council were now maintaining risk registers at 100% compliance. He added that the i-Pool Fraud Awareness course was now marketed across the Council and whilst it was not possible to fully eliminate the risk of fraud, it was pleasing to record amber net risk scores in this area.

Mr Jack, Chief Executive spoke of the importance of recording compliance requirements whilst at the same time managing the risks. He added that it was important for the Council and its partners to do the right thing for the people of the town in any given circumstance, rather than what might be right for the organisation from an individual risk perspective.

Mr Jack responded to questions from the Committee about the high level of IT activity that now took place between the public and the Council and the ability to cross-check between departments if, for example, a payment was made in error. He explained that mechanisms were in place to cross-check across departments and that online methods were more robust with less scope for error compared with more traditional payment methods. He assured the Committee that a misplaced payment could be traced and checked, provided it had been made in the first place.

The Committee questioned whether the resource capability of the Council’s Internal Audit department was sufficient and whether the frequency of audits undertaken were satisfactory. Mrs Greenhalgh, Chief Internal Auditor provided assurances that staffing within the department was adequate and that audit coverage across the Council was appropriate, with no access problems to report.

The Committee asked questions about whether progress had been made in relation to the overall net scores on the Strategic Risk Register, pointing out that the current ratings appeared the same as those of the previous year. Mr Thompson pointed out that whilst progress had been made, it was probably not reflected in the scores, adding that all of the risks were still prevalent, although there was now a greater level of awareness. With specific reference to cyber threats, which as previously explained the risk had markedly grown, it was considered positive that the score had remained the same. He further explained that as things evolved, the Strategic Risk Register would become more sophisticated and would include a greater number of sub-risks.

The Committee discussed the capacity of Elected Members to deal with fast changing risks, particularly the risk of responding to emails that might not be considered genuine. The Chairman pointed out the Member Training Panel had agreed that cyber awareness training would become mandatory for all Councillors and Mr Thompson requested that any suspicious emails should be forwarded to the ICT help desk for follow up action.

The Committee agreed to note the report.

Background papers: None.