To present the updated Strategic Risk Register
Sally Hendrick, Head of Audit and Risk Management, attended the Committee and presented the Strategic Risk update.
The Strategic Risk Register was last reviewed by the Governance and Audit Committee on 30 January 2019, by SRMG on 8 May 2019 and by CMT on 5 June 2019.
Key proposed changes reviewed and agreed at SRMG and CMT were:
Internal Audit Annual Opinion, which was currently being investigated and actioned by the Corporate Management Team;
government funding and delays in delivering transformation savings. This mirrored the increase in risk in the Central directorates' risk register;
Comment was made that Risk 12 of the Register (Business Continuity Plans and procedures inadequate or not clearly communicated and understood) should have a current rating of red, and not amber, if the unmitigated and current residual risk ratings were both 4 x 4, and in light of the fact that the risk had increased over the last three years. Sally Hendrick agreed with this assessment and said the scoring would be revisited.
Sally advised the Committee that Risks do drop out of the Register and that, when that occurs, they remain in view and continue to be monitored.
It was noted there was a new Risk on the Register: Continuing Health Care (CHC). A question arose from the Committee as to why the rating was amber when the rationale for the score described the potential for considerable financial impact to the Council. Sally Hendrick agreed this was confusing and said the Risk was very new and still being looked at, and that an External Consultant was due to undertake a review of CHC. Stuart McKellar, Director of Finance, said the Risk had been discussed earlier in the day at CMT and that, following that discussion, the rating should be changed to red.
With regard to Risk 10 (IT controls or staff vulnerabilities fail to prevent a cyber attack and/or unable to respond effectively to an attack to enable IT services to be sustained), Sally Hendrick said that ICT had provided the description and risk scores. David St John Jones said the Risk Register must reflect the current situation, and he sought assurance that ICT were responding to the Risk as a priority.
It was discussed that the Officers who did the scoring must understand that scrutiny would be applied to their ratings, and that they were expected to explain how they arrived at their conclusions.
It was agreed that the Risk Owner for Risks 10 and 12, the Executive Director: Delivery, would attend the September meeting to explain their findings.