Minutes:
Officers introduced the Risk Management & Strategic Risk reports for Q2.
The number of new risks added to the system had slowed, which was expected after the initial push in Q1. Despite the slowdown, progress had been made and the number of unscored risks had reduced from 116 to 90. Unscored risks were initially added without scores to compel relevant service areas to assess and score them. Having 90 unscored risks at the end of Q2 was not ideal.
Since the end of Q2, there had been a change in the structure of different teams in various directorates, which had been updated in the new risk management system. This would lead to change at Q3 as services with more risks had moved to different directorates. There were 11 new risks on the register related to statutory service provision, primarily due to one service reviewing its risk register and adding new risks. One new red risk related to lone working devices had been identified, with an action plan in place to address it. There were 46 risks overdue for review, and 138 risks without actions, meaning that 61% of all risks on the register did not have an action.
In relation to the Corporate Risk Register (red-rated risks), there were two new risks added and four removed. Additional information was included under Section 3 of the report.
The Strategic Risk Register was also attached to the report, and there were no significant changes.
Also attached to the report was the draft Risk Management Policy, which was due to go to Cabinet in January for approval.
Members asked if Directors could update the Committee as to why there was a high level of unscored risks/risks without actions. Officers noted that they could ask directors to explain in writing, which may help in prompting the update of risk registers. Officers highlighted the ongoing changes and transformation within the organisation and asked if this had had an impact on the updating of risk registers, such as with staff changes and other priorities taking precedence. Officers acknowledged that changes and transformations had taken priority but emphasised the importance of updating risk registers. Officers further highlighted the importance of embedding risk management into the organisation, and that the organisation was currently on a journey towards this. Officers further noted that the risk appetite should be set by Cabinet, not the management team. Members asked about a proposed timeframe for asking Directors to update the Committee. Officers noted that they usually took an extract of data at the end of Q3, which was the end of December, though it was already part way through the current quarter. It was suggested that officers pull an extract at the end of December, which would leave time to receive an update before the next Audit Committee meeting in February. The Chair further emphasised the need for effective risk management, especially during times of transformation. It was agreed that February would be a reasonable deadline, but flexibility was suggested to accommodate the organisation's ongoing development and governance improvements.
Members asked for clarity on the 90 unscored risks, and officers advised that these risks needed to be assessed for their likelihood and impact. For example, a risk that had a very large impact (over £5 million) and was very likely to happen would be scored as A1. If there were strong controls and the risk was very unlikely to happen, it may be scored F4. Because these risks were unscored, the likelihood and potential impact were unknown. Any ‘red’ risks went monthly to CMT, and ‘green’ risks were more service level.
The Chair noted that the system was looking much better than what was in place before and the presentation of information was much clearer and more useful for Members. The Chair also acknowledged that the authority was on a journey of change.
The Chair acknowledged that there was a difference between housekeeping and managing risk and while housekeeping could be delayed in the interest of managing risk, this could not go on forever. There was a need to build this into the routine of the way in which things were done. The Chair emphasised a strong message from the Committee that transformation and difficult change demonstrated the need for effective risk management. The Chair reiterated that whilst they tolerated some things not being as up to date as they should be at times, this could not last.
The Chair noted some concern about the risks not reviewed and actions not taken and stressed the importance of making risk management a routine part of governance. There was work to be done here; good risk management was needed when times were difficult.
It was proposed to invite the Chief Operating Officer and Director of Transformation to the next meeting to provide an update on risks around transformation, and around digital transformation, and how these risks were being managed. Members agreed to request updates at the next meeting in February, emphasising the importance of risk management.
The Chair noted that he was happy with the draft Risk Management Policy.
The Chair referred to the use of external contractors and suggested a preference for more emphasis on the use of internal resources rather than external.
RESOLVED: That the Audit Committee noted the reports and provided feedback on the content and level of assurance received.