Agenda item

Third line assurance: Report of the Audit Review of Risk Management

The report of the Internal Audit Manager is attached.

Contact: Katie Williams 07584 217067



The Committee received the report of the Internal Audit Manager – copy attached to the signed Minutes – which detailed the results of the recent Internal Audit review of the Risk Management system which had been assessed as Reasonable, with minor control weaknesses identified. The focus of the review had been on user compliance with processes around operational and project risks.


It was explained that the Audit Committee was required to review annually the adequacy of the Council’s risk management arrangements. The review had last been undertaken in January 2022, when the arrangements were assessed as ‘Good’; however, following the most recent review, this had reduced to ‘Reasonable’.


The Internal Audit Manager drew attention to paragraph 6.8 of the report which set out the control objectives that were reviewed and whether they had been achieved.  She reported that the main reason for the reduction to ‘Reasonable’ was the quality of the operational risk registers, some of which had not been updated within the 2023 year.


In response to a query about how the objectives would be achieved, it was explained that the risk manager had put in place a new process whereby separate reports were produced for those areas where they hadn’t been updating the register, in order to raise the profile.  Members expressed their concern about this reduction along with the increased number of unsatisfactory assurances and wondered whether Managers were aware that it was their responsibility to keep these registers up to date and the consequence of not doing so.


In response, the Internal Audit Manager confirmed that the process was well communicated and that, in addition, the risk management team had this year undertaken in-person training sessions, to which every manager responsible for a risk register had been invited and given support to ensure that the risk registers were reviewed and updated. However, as it was managed through the Executive Directors and Assistant Directors, any area where the registers were not being updated would be passed to their service manager or assistant director to manage. Members requested the Risk Manager provide a brief update on risk management at the next meeting.


A query was raised as to the Audit Committee’s role within risk management. In response, the Internal Audit Manager explained that the strategic risk review was in the Terms of Reference to go to Audit Committee twice a year. However, as part of the Risk Management Policy, a strategic risk review was held with Executive Directors to review all of the strategic risks, whereby some may be amended or the scoring adjusted. The role of the Audit Committee was not to set the risks, although it could comment and give feedback on them, but it was for the Committee’s wider awareness around the risks facing the Council and to ensure that it was receiving the right information to give a complete picture of the control environment.


The Executive Director of Resources (Section 151 Officer) added that the process was considered by the Internal Audit team and that the Audit Committee could take a view in terms of the risk process, but consideration of the risks themselves was also within the remit of the Committee, who should be asking whether the strategic risks were known and accepted by the authority and whether officers were accountable for them.


In response to a query around project risks, the Executive Director of Resources (Section 151 Officer) explained that the Audit Committee was charged with reviewing the strategic risks of the organisation. The operational and project risks were all part of the risk management process, but they numbered in the thousands so, for this reason, operational risks would never come to the Audit Committee as it would be unmanageable and unhelpful. However, as part of that process, the operational risks were reviewed every year by the Internal Audit team to see that appropriate systems were working, but the process by which those operational risks were managed was independently audited. In addition, there was a process within that which looked at any themes identified within the operational or project risks which needed to be considered as a strategic risk and, if so, would be reported to Audit Committee.




To endorse the findings from the review of Risk Management by Internal Audit.



