The report of the Head of Audit and Risk Management is attached.

The Committee considered a report of The Head of Audit and Risk Management which provided an update on organisational risk management arrangements; and a copy of the latest refresh of the Corporate Risk Register (CRR).

In introducing the report, the Head of Audit and Risk Management outlined the Strategy and CRR’s important role in the Council’s governance framework which was routinely discussed at Senior Management and  Directorate Leadership level.  He highlighted that the Register was scheduled for review later this year and referred to the broad scope and fluidity of risk in terms of how it continues to manifest and impact across the delivery of Council services.

The key points of discussion in the meeting were:

• The extent to which cumulative and / or compounding risk is effectively demonstrated in the Register’s three tiered rating system
• The approach taken for the development of risk management targets within the CRR
• The capability / capacity of the workforce with specific reference to the shortage of skills across the workforce, outside of managerial / technical  disciplines
• The introduction of cyber-risk as a stand alone item on the CRR
• The prominence of the risks around key suppliers of goods and services

In response to a question about how cumulative risk is communicated in the three tiered system, the Head of Audit and Risk Management referred to some authorities  recently introducing the use of purple to capture cumulative / compounding risk which may be considered in the upcoming review of the Register.

There was a discussion about the approach taken for the development of targets for October 2022 – a member noted that in some instances, the targets resulted in those risks being maintained at the current level as opposed to being reduced.   The Head of Audit and Risk Management explained that the rationale had been to develop realistic as opposed to aspirational targets, in light of the current uncertainty around financial / fiscal matters, such that it was anticipated that despite appropriate measures being in place, the level of risk remained high.  An achievable target of that risk being maintained in short term was therefore in place.  Discussions then moved to the target associated with costs of capital and revenue contracts and the implications on pre-existing budget pressures.  The  Deputy Chief Executive and City Treasurer explained that at the point that CRR was being finalised, the Council was in the process of finalising its energy contracts and as such inflation contingencies were in place. This however did not apply to wider risks associated with medium term financial resources where it would remain unclear until December of this year what the next financial settlement would be and what impact that would ultimately have on the Council’s budget position.

A member suggested that  greater weighting and explicit reference ought to be given to the lack of skilled tradespeople within the workforce in the CRR’s analysis of key risks, given the anticipated impacts such a shortfall could have on the performance and delivery of particular services (e.g. maintenance services) as well as a knock on  effect on the associated costs of service provision. 

In response to a comment about the introduction of cyber-risk as a stand alone item in the CRR, the Head of Audit and Risk Management  explained that whilst cyber-risk should not be considered as a new or emerging risk for the Authority, it had previously been embedded within other risks associated with ICT, data governance and information security.  A decision had therefore been made to explicitly reference cyber-risk as a standalone category on the CRR.

In response to a comment about the risks related to key supplies, the Head of Audit and Risk Management confirmed that this risk was anticipated to remain on the CRR as aspects of numerous supply chains continued to be impacted upon.  This therefore warranted  active monitoring and tracking through the CRR as well as other governance instruments such as the Commercial Board.

Decision

To note the assurance provided by the risk management report and approve the Council’s Risk Management Strategy.