Minutes:
Officers presented the Risk Management report.
As at 28 January 2026 there were 225 risks recorded on the risk register. 22 red risks were live at the time of reporting. Four red risks were closed in-period. Seven risks were downgraded (from red to amber/green). Three risks were added to the Corporate Risk Register (one new risk; two escalated from amber). There was only one unscored risk, which had been added on the same day the report was run. This was scored shortly afterwards. Five risks were overdue for review, a substantial improvement from 41 in November. 32 risks had overdue actions, significantly reduced from 107 in November.
Officers emphasised that this represented significant and sustained improvement in risk management. Notably, improvements had arisen from stronger governance, not from chasing outstanding updates. Directorates were proactively engaging, supported by new business managers.
Officers presented the Strategic Risk Register, which covered cross-cutting, corporate risks. This register was owned by CMT and linked into the wider performance dashboard. It will undergo a full review at the start of next year.
In terms of further improvement, Members asked what may still be missing or inconsistent within the risk framework. Officers highlighted:
Consistency Across Services: some services were highly proactive in reporting emerging risks; others showed signs that they may not always escalate issues promptly. Directorate-level governance meetings now challenged services on any.
Timely Risk Closure & Action Completion: while risks were now logged promptly, the next step was ensuring faster action planning, faster action completion, and faster downgrading or closure when mitigations take effect. A new focus for next year will be KPI development to monitor the duration that risks remained high; speed of action implementation; and evidence of risk score movement (up or down).
Members asked about cyber risk following incidents in other London authorities. Officers noted that Hillingdon had provided mutual aid support to the impacted boroughs due to the severity of the incident. The Tri-Borough cyber incident had originated from an unauthorised individual joining a Teams call, gaining unintended system access. Hillingdon has since strengthened internal controls, including requiring officers to check attendee lists on virtual meetings, encouraging cameras on where possible, and briefing senior managers to treat unfamiliar participants as potential access risks. Hillingdon maintains close coordination with the National Cyber Security Centre, other London boroughs, and central government. External reviews had given significant assurance over cyber controls. The Council monitored cyber threats daily, with increased vigilance applied where national threat levels rise. Cyber awareness training and phishing simulations were mandatory and reinforced through regular communications and directorate briefings.
Members asked what “PEEPs” stands for. Officers confirmed it referred to Personal Emergency Evacuation Plans.
Members proposed that risk summaries relevant to each service area could be shared quarterly with the Select Committees to improve risk-based scrutiny and assist Members in identifying priority areas. Officers confirmed this was already planned via the developing corporate performance dashboard. The intention was for Select Committees to receive risk subsets relevant to their remit, enabling deeper, more targeted scrutiny.
The Committee welcomed the significant improvement in both the quality and timeliness of risk reporting; the clear evidence of increasing maturity across service areas; and the progress toward embedding risk awareness across the organisation rather than within a single team. Members noted the value of the improved governance culture and thanked officers for their work.
RESOLVED: That the Audit Committee noted the reports and level of assurance received.