Agenda item
Second line assurance: Strategic Risks Update
The report of the Risk and Business Continuity Manager is attached.
Contact: Jane Cooper (01743) 252851
Minutes:
The Committee received the report of the Risk and Business Continuity Manager – copy attached to the signed Minutes – which set out the current strategic risk exposure following the December 2023 bi-annual review and subsequent discussions.
The Risk and Business Continuity Manager explained that the strategic risks were reviewed and reported on bi-annually and that the Executive Management Team reviewed individual strategic risks on a rolling programme. She went on to explain that the operational risk review took place first, which enabled any emerging themes to be fed up to Executive Directors as part of the strategic risk review for consideration as a strategic risk. Some risks on the strategic risk register were the result of operational risk reviews and issues being escalated, for example:
• Health & Wellbeing of Staff
• Recruitment, retention and succession planning
• Impact of extreme pressures upon partners
The Risk and Business Continuity Manager informed the Committee that, as at the December review, there were 11 strategic risks and that some modifications had been made to the Council’s strategic risk exposure, with two risks being redefined to more clearly articulate what was being mitigated, and two new risks being added, one being ‘Impact of extreme pressures upon partners (social care, health, and criminal justice)’ and the other being ‘Impact of increased waiting lists in relation to Deprivation of Liberty, Occupational Therapy and Sensory Impairment.’ Also, as part of the last review the safeguarding children’s risk, which had previously been archived, had been reinstated to address issues raised by Ofsted.
The Risk and Business Continuity Manager reminded Members that they could request a more detailed examination of any of the strategic risks and could invite the relevant risk owner to a committee meeting to discuss any of their risks. Finally, she went on to report that the June 2024 strategic risk review was coming to an end, the results of which would be reported to the Audit Committee at its September meeting.
In response to a query, the Risk and Business Continuity Manager explained that an overview of project and operational risks would be included in the Annual report that would be going to the July meeting of the Audit Committee. In response to further queries, the Risk and Business Continuity Manager explained the process undertaken to reduce any risks that were above the risk acceptance level, and she expanded on the reasons for the two risks being redefined.
The Executive Director of Resources (Section 151 Officer) explained that strategic risks were constantly kept under review. He confirmed that during the December 2023 review it had been decided that it would be better to redefine the risks so that they were much clearer about the ability to stay within the budget in a particular year, which became more of a clear and present risk to be managed, with a separate risk around becoming a more sustainable organisation and being able to manage financially over the term of the Medium Term Financial Plan. In terms of the management of those risks, in the previous year they were producing monthly reviews of the monitoring reports in relation to savings delivery, with quarterly reports to Cabinet and Scrutiny around the overall financial position. That risk had now been reviewed and reports were now going to Cabinet every month. Executive Directors were therefore aware of the risk and, to help manage it, were producing more information which was being put in the public domain more often.
In response to a query, the Executive Director of Resources (Section 151 Officer) explained the measures that were being taken to protect the Council’s IT system from cyber security attacks, such as having a separate organisation that monitors the system 24/7, removing access for staff and members whose cyber security training was not up to date and the development of a cyber response plan. He went on to say that the impact score was kept high as a precaution, but he was confident that the Council had a robust cyber security strategy. A brief discussion ensued, and it was agreed that the Head of IT be invited to the next meeting to discuss what would happen in the event of a successful cyber-attack. An update was also requested on the 10 outstanding recommendations in relation to the cyber security action plan.
A query was raised in relation to the critical skills shortage and why, for example, social workers were paid less in Shropshire. The meeting was informed that a report on the recruitment of Social Workers was going to the next meeting of the People Overview and Scrutiny Committee, which Members of the Audit Committee were welcome to attend. The Executive Director of Resources (Section 151 Officer) briefly explained the initiatives that were being taken to address these workforce issues, such as the apprenticeship scheme, bringing agency staff in-house and workforce/succession planning.
RESOLVED: To note the position as set out in the report.
Councillor Roger Evans voted against this item as he did not feel it satisfied the criteria and the responsibilities of the Audit Committee in ensuring there was a robust and efficient opportunity risk management.