The Audit Committee is responsible for providing assurance about the adequacy of the Council’s Risk Management Framework and Policy and monitoring the effectiveness of systems for the management of risk across the Council and compliance with them as part of its Terms of Reference.
Under its terms of reference, the Committee is also required to note the Council’s Corporate Risk Register and be satisfied appropriate mitigating actions are being completed in a timely manner.
Minutes:
Mr Minesh Jani, Head of Audit and Risk Management, introduced the report.
The Committee considered the corporate risk register and asked specific questions over the arrangements put in place to manage the risks noted on the register.
The Committee heard:
· There was a Digital services emergency response plan. This should respond to any eventuality including power outage so that if the Council was unable to access all the data that the Council had in its building, it would be possible to access it through some other means. Prevention was always better than having to deal with issues having taken place, so the Council had maintained a record of its data in more than one data centre. If the Council could not access its data where it was, it had alternative sources to be able to get to that data.
· As with the savings risk, to make sure that the Committee was apprised of where the Council was in managing the area of staff turnover, a paper would be brought to the Committee with an update.
· The Council was trying everything it could to mitigate its financial risk. Some of the key areas for doing that involved savings, transformation, efficiency, cost control and revenue generation. These were actively being worked on and had been included in the year's audit plan. The risk was a very challenging picture for the Council. It was difficult for many councils in this position to be able to meet demand with the resources in hand.
· In relation to Procurement, savings and the budget envelope, the Council should try to do everything as perfectly as it could to maximise every penny that the Council spent. From an audit perspective, audits would be carried out around the Procurement areas and reports would be brought to the Committee on the progress in terms of the specific recommendations, but more generally around some of the procurement activities as well.
· In relation to the cyber risk, the Council scored risks on the basis of the worst-case scenario. The impact would always be high on a risk register, but this did not mean that the Council should not be looking to mitigate some of the impact.
· Officers were looking at cyber risk primarily in terms of preventative controls; other areas, such as plans for how to respond to issues arising, also needed to be considered.
· In relation to safeguarding children and vulnerable adults, if a risk in this area was to materialise then it could be quite detrimental for the Council. It was important for the Council to put in place appropriate controls to try to stop such a risk from happening or to at least minimise its effect as much as possible. This was what the Council had identified in its risk register as one of its future actions and current procedures.
RESOLVED:
To note the Corporate Risk Register as at 31 May 2025, attached at Appendix A of the report.