Agenda item

Strategic Risk Update

To present the updated Strategic Risk Register


Sally Hendrick, Head of Audit and Risk Management, attended the Committee and presented the Strategic Risk update.


The Strategic Risk Register was last reviewed by the Governance and Audit Committee on 30 January 2019, by SRMG on 8 May and by CMT on 5 June 2019.

Key proposed changes reviewed and agreed at SRMG and CMT were:

  • To add a risk on internal control weaknesses as identified in the Head of Internal Audit Annual Opinion which was currently being investigated and actioned by the Corporate Management Team;
  • To add a risk on continuing health care;
  • To increase the Finance risk due to uncertainty around level of future central government funding and delays in delivering transformation savings. This mirrored the increase in risk in the Central directorates risk register;

  • To increase the transformation risk due to pressure on transformation savings;
  • To increase the business continuity risk firstly due to recent incidents that have highlighted weaknesses and gaps in out of hours IT support and the need for service areas to have a clearer understanding of systems and functionality and how to instigate business continuity processes in the event of an incident and secondly as a result of the findings of the review of business continuity across the authorities in the emergency planning shared service.


Comment was made that risk 12 of the Register - Business Continuity Plans and procedures inadequate or not clearly communicated and understood – should have a current rating of red, and not amber, if the unmitigated and current residual risk rating were both 4 x 4, and in light of the fact that the risk had increased over the last 3 years.  Sally Hendrick agreed with this assessment and said the scoring would be revisited.


Sally advised the Committee that Risks do drop out of the Register and when that occurs they remain in view and continue to be monitored.


It was noted there was a new Risk to the Register – Continuing Health Care.  A question arose from the Committee as to why the rating was amber when the rationale for the score described the potential for considerable financial impact to the Council.  Sally Hendrick agreed this was confusing and said the Risk was very new and still being looked at and that an External Consultant was due to undertake a review of CHC.  Stuart McKellar, Director of Finance, said the Risk had been discussed earlier in the day at CMT and from this discussion at CMT the rating should be changed to red.


With regard to Risk 10 - IT controls or staff vulnerabilities fail to prevent a cyber attack and/or unable to respond effectively to an attack to enable IT services to be sustained – Sally Hendrick said that ICT had provided the description and risk scores.  David St John Jones said the Risk Register must reflect what the current situation was and he sought assurance that ICT were responding to the Risk as a priority.


It was discussed that the Officers who did the scoring must understand there would be scrutiny applied to their rating and there was an expectation for them to explain how they arrived at their conclusions.


It was agreed that the Risk Owner for Risks 10 and 12, the Executive Director: Delivery, would attend the September meeting to explain their findings.
