Minutes:
Officers introduced the Annual Risk Management Report 2022-23.
This was a statutory responsibility and the report outlined the key actions taken to promote and embed risk management during the financial year 2022-23. The role of risk management remained unchanged. There were lots of ongoing programmes of work such as the training and risk management e-learning module and risk champions in terms of governance structure. On corporate governance, it was noted that there was a new Leader of the Council in 2021 and a new Cabinet and so risk management included awareness of roles and responsibilities. The Council’s constitution had also been remodelled and modernized to meet emerging risks and changing needs locally, and to encompass new national legislation. Internal Audit had adopted a new three-year Internal Audit strategy which was reflective of this new environment. Internal Audit continued to communicate findings of the risk-based approach of limited and nil assurance reviews to the Corporate Risk Management Group.
The Corporate Risk Register was also part of the Forward Plan. It was noted that the Corporate Risk Register had been amalgamated with the Directorate Risk Registers with a new Excel template to improve collaboration between directorates. This allowed improved tracking of risks.
Recently, an independent review of risk management had been conducted and officers were working through the findings.
Members asked why School Places was still listed as a C1 type risk. Officers clarified that this was the monitoring review of the corporate risks over the 2022/23 financial year and that the main detail would be within the corporate risk register. Officers further clarified that in terms of school places, Hillingdon had a strong track record of ensuring that every child had a school place and this continued to be the ambition. There was a rising level of demand for places particularly among the special educational needs and disabilities (SEND) group and this was where the risk came from. There was a smaller level of risk around secondary school places, and in primary schools there was a small drop in rolls. Members suggested more specifics on this risk to better tie in with the Council Strategy.
The Chairman noted that the key findings on nil and limited assurance reviews were reported to the Corporate Risk Management Group, and asked whether risks identified by the Audit team and not being currently well managed were moved onto departmental risk registers. Officers clarified that it was usually a summary of the findings of the nil and limited assurance reviews that were presented to the Corporate Risk Management Group and these were up for discussion as to other risks, themes, isolated incidents, or underlying issues. Sometimes these could feed into an existing risk or could present a new risk.
The Chairman also asked about the aspiration to develop risk maturity, and asked if there was an action plan in place for this. Officers noted that one of the main priorities was looking at risk management, and refreshing the way in which it was done. This included ensuring that down to an operational level with services, responsibility was taken within service areas, and that there was a clear process of escalating risk up to the Corporate Risk Register if they were significant risks, and how things from a corporate level go down to an operational level. This also included ensuring that actions were smart actions with timescales and responsible officers so that these could be tracked. Officers were also looking at risk management software which would allow more access and different ways of extracting data. This would enable information to be extracted on officers using the system and updating risks, and not just report on what the risks were. There was a project card in relation to risk management and this included updating the policy and training; raising awareness; and engaging with staff. In summary, officers confirmed that there was a very detailed action plan.
Further to this, the Chairman asked if officers had explored how SharePoint could be used as a front end to the Excel spreadsheets that were being developed. Officers noted that one of the reasons for the move to Excel was to improve access, so that there was more data centralised on one Excel document which was located on SharePoint. This meant it was possible to track who was logging into the spreadsheet and who had made changes, which was easier to do than on Microsoft Word. Officers were also looking at how to ensure easier access from the front end of SharePoint as well as links into the risk software or the risk registers.
The Chairman noted the Finance Directorate Risk Register and that due to the cost-of-living crisis and other pressures, ‘increased levels of fraud’ was listed as a ‘B1’ or ‘high likelihood’ risk. The Chairman asked whether this was an issue rather than a risk due to an increased reality of fraud, not just risk. Officers noted that some of this was a function of current economic circumstances. Some responses had been made on an operational level so there was some flexibility within the structure of the fraud team. In other aspects, there had been closer linking of the audit approach and the fraud approach, so a joint approach was being developed to risk management across the two teams. It was noted that new types of fraud were being discovered. There was some London-wide collaborative work. Officers noted that they would continue to look at the scoring of risk when the programme was next refreshed.
RESOLVED: That the Audit Committee noted the Risk Management Annual Report for 2022/23.