Shropshire Council website


Agenda item

Second line assurance: Risk Annual Report 2023/24

The report of the Risk and Business Continuity Manager is attached.

Contact: Jane Cooper (01743) 252851

 

Minutes:

The Committee received the report of the Risk and Continuity Manager – copy attached to the signed Minutes – which provided an overview of the activity of the Risk and Business Continuity Team during 2023/24 and a synopsis of the current risk exposure of the authority in relation to Strategic, Operational and Project risks.

 

The Risk and Continuity Manager reported that a Risk Management audit for 2023-2024 had been undertaken by the Internal Audit team, who had issued a Reasonable assurance level: there was generally a sound system of control in place, but there was evidence of non-compliance with some of the controls, predominantly around how project teams were managing project-related risks. The recommendations made within the report had all now been actioned by the team.

The Risk and Continuity Manager went on to state that the strategic risk reviews continued to take place on a bi-annual basis, a month after the bi-annual operational risk reviews, to ensure that any emerging issues were considered strategically. This escalation also related to project risks: as project risks were reviewed, any emerging risks were also considered for inclusion as a strategic risk. Reports following risk reviews were provided to Assistant Directors for operational risks, to project board leads for project risks, and to EMT, Cabinet and Audit Committee from a strategic risk perspective.

As detailed in the report, all current and additional controls were subject to review, with new controls being added as necessary. The risk score was reviewed and altered if necessary to reflect current risk exposure, and assurance levels were also updated with narrative using the three lines model of assurance, as set out in Appendix A.

The Risk and Continuity Manager informed the Committee that the strategic, operational and project risks were held digitally within the SharePoint system, which enabled access at all times by all risk owners and enabled Power BI reporting to provide real-time information on the risk exposure. Automatic email reminders to project risk owners had also been implemented, along with an escalation process should they still remain unreviewed. She went on to report that the Opportunity Risk Management strategy had recently been subject to its annual review.

She drew attention to the team’s continued involvement in ALARM, the national public sector risk management organisation, of which she was currently President Elect, and she informed the meeting that the Council’s Risk & Business Continuity Officer had been awarded the Rising Star Award for 2024/2025.

The Risk and Continuity Manager further reported that the team continued to manage the Business Continuity Management Programme and worked collaboratively with the Audit team to follow up any unsatisfactory audit reports. They also engaged with the Office of the Chief Executive and the new Assistant Director to support the transformation work being undertaken across the Council, and they had completed the development of LEAP training modules for risk management and business continuity.

A query was raised around the risk of ‘Failure to protect from and manage the impact of a targeted cyber-attack on ICT Systems used by the authority’. In response, the Risk and Continuity Manager explained that the risk post-mitigation was captured within the Risk Register and could be shared with the Committee; however, it was not released into the public domain as it was quite sensitive information. She confirmed that they could include that information at year end for the Committee. A brief discussion ensued and it was agreed to discuss it further during the Cyber Security Management Update in the exempt part of the meeting.

In response to a query, the Risk and Continuity Manager expanded on the measures being taken to address the non-compliance referred to in the audit report, which included a layer of reporting to Executive Directors on their project risk review status and holding the project leads accountable for the management of their risk environment.

In response to concerns raised, the Risk and Continuity Manager assured the Committee that the Council had a robust and efficient Opportunity Risk Management process in place and that any non-compliance was followed up to ensure that the additional management controls required had been implemented.  In response to a further query, the Risk and Continuity Manager explained how third-party related risks were managed.

 

RESOLVED:

To approve the position as set out in the report.

Councillor Evans abstained from voting.
