To present the report of the Head of Audit and Risk.
Minutes:
The report of the Head of Function (Resources)/Section 151 Officer incorporating the Corporate Risk Register was presented for the Committee’s consideration.
The Risk and Insurance Manager reported that a new software system – 4risk has been introduced to record and monitor risks, the measures in place to control these risks and any actions that are to be introduced to mitigate those risks further. Although not currently populated within the 4risk system, work is being currently undertaken to record assurance against existing controls. Three lines of assurance will be recorded on 4risk namely– first line of assurance – front line action by the control owner; second line of assurance – overall management control, financial control; third line of assurance provided by internal, external audit and other regulatory bodies. This will allow the effectiveness of existing controls to be assessed and assurance provided that the residual risk has not been over or underestimated.
The Officer said that the version of the Corporate Risk Register presented reflects the comments of the Senior Leadership Team following a review of the register. The format of the register includes the Lines of Assurance that will be populated as risks are reviewed and audited.
The top Red risks to the Council are highlighted in section 7 of the report. Apart from the addition of risk YM40, there have been no other changes to the Corporate Risk Register. The Officer clarified that risk YM35 is no longer classified as a risk and is instead an issue which is being addressed and as such will be removed from the register.
The Committee considered the report and made the following points –
• The Committee noted that discounting YM35, the register contains 39 risks which it considered excessive at a corporate level making focusing on the really high level risks difficult. The Committee suggested that some risks would be more appropriately managed at departmental level.
The Risk and Insurance Manager said that priority is given to risks where the residual risk is Red and Amber. The Officer said that there are two approaches that could be taken in formulating the risk register – the one where the register contains generic risks only which are less accurately described but means there are fewer risks on the register, or the other where the risks are more detailed and as such are more numerous but are also more easily audited against. The Authority has opted for the detailed version but it is subject to review.
The Head of Audit and Risk said the 4risk system provides a better reporting tool which can focus the Senior Leadership Team’s scrutiny on the most important risks and which also allows them to be grouped into themes so that risks in relation to a specific area can be found quickly. A detailed version of the risk register is more helpful from an Internal Audit perspective.
• The Committee noted that there are areas where the inherent risk and residual risk levels are the same even after mitigation/reduction actions have been taken. The Committee further noted that the register could be improved as a source of risk management information were the risks to be dated to show when they were raised, when reviewed and when they are likely to be closed.
The Risk and Insurance Manager said that work in relation to assurance levels and assurance from controls is to be undertaken which will assess the effectiveness of controls in reducing risk. Additionally, each risk register will be reviewed with the Senior Leadership Team or relevant service over the coming months to ensure they are robust. The Officer said that the report presented is an abbreviated version for committee purposes which highlights the main points for the Committee. The 4risk system contains a much greater level of detail about each risk and how it is managed including dates and timelines.
• The Committee referred to the treatment of Brexit and queried whether risks associated with Brexit should be a matter for examination either by the Audit Committee or by Scrutiny.
The Committee was informed that there is a risk register for Brexit which is led by the Regulation and Economic Service. The Council is also endeavouring to ensure that the appropriate structures are in place internally based on both worst- case and best-case scenarios. The challenge in relation to Brexit are the “unknowables” which makes scrutiny premature at this point in time.
It was resolved to note the content of the report and to note also that the Committee takes assurance that the risks to the Council’s aims and objectives are being recognised and managed by the Senior Leadership Team.
NO ADDITIONAL ACTION WAS PROPOSED