Agenda item

The committee is requested to:

a)      Recommend to Cabinet and Council that the updated Risk Management Policy and Strategy be approved.

b)      Note the current strategic risk register and the internal controls in place plus any associated action plans to manage those risks and to raise any issues or concerns.

c)       Note both the high scoring programme board and organisational risks, the mitigation actions in place and to raise any issues or concerns.

The committee considered the report attached to the agenda.

Mrs Belenger presented the report drawing members’ attention to the heat map at item 6.3. During this quarter three new strategic risks had been identified including two high scoring risks – Southern Gateway and Local Plan. The high scoring Programme Board and Organisational Risks were included along with information on mitigation measures in place.

Mr Bennett advised that he was part of the Southern Gateway project group and updated the committee on the deliberations of that group when the project was discussed.

The committee made the following comments and received answers to questions as follows:

·         Internal controls for both the Southern Gateway and Local Plan had been amended from ‘improving’ to ‘poor’ by the Strategic Risk Group following assessment by the Senior Leadership Team.

·         Queried whether all Council members should have responsibility for managing risk to the council. A discussion took place on whether members needed to take individual as well as corporate responsibility for risks and to manage those risks within their role. It was agreed that a section should be added to the table on page 118 in the policy reflecting members’ roles and responsibilities.

·         Queried the table entitled ‘severity of impact matrix’ on page 121 of the policy and members’ responsibilities with regard to bringing embarrassment or reputation risk to the council. Add ‘member forced to resign’ under 3 Serious and add ‘Leader forced to resign’ under 4 Major under the heading entitled embarrassment or reputation risk.

·         Concern regarding the risk to the Southern Gateway project where internal controls are showing a current status of ‘poor’. Concern about the ability to achieve the target risk score of 3 by September 2018. Concern regarding the risk of reputational damage to the council which should be weighted on a similar level to financial risk. The project team was very strong, run by Mr P Over, and risks were being reassessed on a monthly basis. Mrs Belenger advised that the target risk score of 3 (Impact 3 (Serious); Likelihood 1 (Unlikely)) was perhaps not reconsidered by the Strategic Risk Group (SRG) however the risk register was reviewed on a quarterly basis by the Senior Leadership Team (SLT). Some members requested that this target score be increased as it was clearly unachievable by September 2018. Mrs Belenger referred members to the impact and likelihood descriptions on page 121 which was the criteria when setting target scores. Although the date was stated at September 2018 it was essentially a three to five year project. If all the internal controls in place were controlled then the impact on the council in terms of severity would be less and the likelihood would be ‘unlikely’. Mrs Belenger, referring to a recent note from Mr Over, advised that the risk score should have been reflected as Impact 4 (Major) Likelihood 1 (Unlikely) and not as stated in the report, however she would confirm this score with him. The committee wished to raise its concern at the target risk score of 3 but accepted that it was not the committee’s duty to amend the target risk score. Reputational damage would be added to the risk description ‘Failure to deliver the outcomes of the project leading to reputational damage and financial exposure to CDC as lead partner, and ….’ 

·         Queried whether the reference to OAN (4^th bullet point on page 143) should read OAN growth. Mrs Belenger undertook to investigate this wording and amend as necessary.

A recommendation was proposed and seconded to move to Part II confidential exempt business in order to consider Appendix 2(b) Cyber Risk Attack across ICT Estate. The committee approved this by a show of hands.

RESOLVED

That in accordance with section 100A of the Local Government Act 1972 (the Act) the public and the press be excluded from the meeting for the reason that it is likely in view of the nature of the business to be transacted that there would be disclosure to the public of ‘exempt information’ being information of the nature described in Paragraph 3 (information relating to the financial or business affairs of any particular person (including the authority holding that information)) of Part I of Schedule 12A to the Act and the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

Following discussion of this Part II appendix the committee agreed to go back into Part I business having had a recommendation made and seconded.

Mrs Belenger agreed to investigate the queries raised and to update the policy and Strategic Risk Register with the specific actions and concerns identified above. The target risk scores for both new risks Southern Gateway and Local Plan would be clarified at the next quarterly review by SLT along with the target date for risk number CRR 147 Southern Gateway.

RECOMMENDED TO CABINET AND COUNCIL

That subject to the amendments suggested above the updated Risk Management Policy and Strategy be approved.

RESOLVED

1) That, subject to the specific actions above being updated and investigated, the current strategic risk register and the internal controls in place, plus any associated action plans to mitigate those risks, be noted.

2) That the current high scoring programme board and organisational risks and the associated mitigation plans in place be noted.