Agenda item

Strategic Risk Register Update

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk setting out the amendments to the Strategic Risk Register since it was last presented to the Committee in February 2023 was presented for the Committee’s consideration.

 

The Risk and Insurance Manager reported that, with the new Council Plan 2023-28 in place, the Leadership Team undertook a review of the strategic risk register as a whole in July 2023 to ensure that the register provided an accurate reflection of the risk to the Council’s strategic objectives. In the same period, the system holding the risk registers (4risk) was upgraded, and the method by which risks are scored was changed to reflect a numeric value only, with the highest risk now being 25 rather than A1. There have been some initial challenges with the upgrade process, with the result that the register as presented does not have the same level of assurance detail as previously, although work to resolve the issues with the software provider is ongoing. The Risk and Insurance Manager referred to the changes to the strategic risks as follows –

 

·      The redefinition of risks YM1, YM5, YM7, YM8, YM3 and YM14 as per the table at paragraph 8 of the report and the reasons for the change.

·      The closure of risk YM4 in relation to the impact of a cyber-attack on the provision of frontline and support services and its incorporation within risk YM3 in relation to IT failure and the disruption that would cause to service delivery.

·      The addition of two new risks to the register namely YM15 in relation to core collaborative working and partnership arrangements and YM16 in relation to a lack of resources to update business processes affecting the Council’s ability to modernise.

·      The uprating at both an inherent and residual level of risk YM1 – the risk that a real term reduction in Council funding will lead to a reduction in statutory services - from 4 (Likely) to 5 (Almost Certain) because of the economic situation and the financial challenges facing the public sector.

 

The Committee considered the report and the following matters were discussed –

 

·      Encouraging services to move systems to the Cloud to strengthen resiliency and eliminate the need for a second data centre as a mitigating action in respect of risk YM3 (The risk that IT failure significantly disrupts service delivery). The Committee questioned whether there might be risks in being over reliant on the Cloud and whether there were disadvantages associated with Cloud provision in terms of cost, security, and access to data. The Committee suggested that a review of Cloud services might be beneficial in providing assurance about Cloud operations.

 

The Committee was advised that the Council’s IT auditors could be asked to undertake a review of Cloud services.

 

·      The separation of the roles of the Governance and Audit Committee and Scrutiny in relation to risk management and the detailed evaluation of risks.

 

The Committee was advised that this Committee’s responsibility is to be assured that management has arrangements in place to manage risk and that those risk management arrangements are effective. Should the Committee in monitoring the strategic risk register be concerned about any emerging risk or detect a pattern of risk deterioration over a period of time then it can refer those concerns to the relevant Risk Owner for action or to provide assurance. The Committee was also reminded that Zurich Risk Engineering will be undertaking an assessment of the Council’s Risk Management Framework and will be reporting to this Committee on the outcome of the assessment early next year.

 

·      The number of risks where the residual risk level after mitigation is still Red or Critical and the Council’s approach to dealing with this level of risk.

 

The Committee was advised that, although all the risks will be reviewed in detail in the coming months, there are certain risks, with YM1 being an example, where the scope for introducing additional controls and the impact they are likely to have in reducing the residual risk are limited because of external factors, such as the wider economic situation and outlook, which are beyond the Council’s control.

 

·      In noting that one of the main controls with regard to YM1 (the risk that a real term reduction in Council funding will lead to a reduction in statutory services) is to ensure that the Council retains balances of over 5% of the annual budget in reserve, the Committee asked what is the burn rate on the reserves and at what point will the Council reach a position which several councils are already finding themselves in of having run out of money.

 

The Committee was advised that currently the Council has approximately £11m in General reserves and £18m in Earmarked reserves, these having been allocated for specific purposes (as well as there being school balances which are under the management of schools). To balance the 2023/24 budget, the Council used £3.78m of its reserves and, based on the anticipated settlement, it is expected that a similar sum will be required to make up the budget shortfall in 2024/25, although the precise amount will depend on the level of Council Tax increase and/or budget cuts which Full Council determines to implement. That would indicate a burn rate of £3m to £4m per year, which would deplete the General Balances within 3 years; if the Council were to deallocate the earmarked reserves for general use, that would sustain the Council for a while longer. It is also anticipated that the 2025/26 financial year will be equally challenging, and as the scope for savings reduces, so the burn rate is likely to increase. The outlook beyond that point is uncertain, as political changes could also lead to changes in the financial landscape. In the short to medium term, the Council is not in danger of finding itself in such severe financial difficulties as to have to issue a Section 114 notice. However, as the Council’s reserves reduce, so does the impact of mitigation, leading to increased risk.

 

It was resolved to note the amendments made to the Strategic Risk Register and to confirm that the Governance and Audit Committee takes assurance that the Leadership Team has recognised and is managing the risks to the achievement of the Council’s priorities.

 

Additional Action – Head of Audit and Risk to request the Council’s IT auditors to undertake a review of Cloud services.

 
