CORPORATE RISK REGISTER REVIEW - FEBRUARY 2023
To consider a report (copy attached) by the Strategic Planning and Performance Officer which asks the Committee to consider and comment on the amendments to the Corporate Risk Register resulting from the recent review of the Register.
10.10am – 10.40am
The Lead Member for Corporate Strategy, Policy and Equalities introduced the report and appendices (previously circulated) which presented the Committee with the revised Council Corporate Risk Register following the six-monthly review undertaken in February 2023.
During her introduction the Lead Member informed the Committee that whilst a number of amendments had been made to the register in relation to risk owners, titles, description and actions, there had been no changes to risk scores as a result of the latest review. By the next scheduled review of the Risk Register, in September 2023, the recruitment exercises for the vacant Heads of Service posts should have been concluded. This would most likely result in changes to ‘risk owner’ names again, once the new Heads of Service assumed their roles.
The Interim Head of Corporate Support Service: Performance, Digital and Assets along with the Strategic Planning and Performance Officer guided members through the report, highlighting the changes made to the report’s format as a result of feedback made by the Committee and by the Governance and Audit Committee. They advised that, during the last 12 months, whilst the severity of a number of the risks had escalated, the amendments made during the current review related to named ‘risk owners’; this was to reflect the Council’s new managerial structure. It was emphasised that whilst the risk scores had not changed following this review and the risk register seemed a little more settled, that did not mean that the risks themselves were not as severe or serious. The objective of the colour chart at the beginning of the Register itself (Appendix 1) was to clearly illustrate to the reader the severity of each risk before and after the implementation of mitigation measures. It also illustrated each risk’s ‘trend’ since the previous review, and indicated whether, as a result of the application of mitigation measures, the risk was now within the Council’s ‘risk appetite’ threshold. Despite the fact that a number of mitigation measures had been implemented with a view to managing the risks, the ‘trend’ for a number of them remained the same as under the previous review. In the case of over half the corporate risks the ‘risk appetite’ was greater than the Council’s tolerance level; this was due to the complexities involved with individual risks. However, the Council’s aim was to continually drive down the risks.
The Strategic Planning and Performance Officer provided the Committee with an overview of the most significant changes detailed in the report. These included:
Risk 01 – Safeguarding: the governance relating to this risk was now extremely tight with regular reports being provided to the Corporate Executive Team (CET) and to Cabinet Briefing. As well as Scrutiny the Governance and Audit Committee had also highlighted its concerns regarding this risk, particularly with regards to staff recruitment and retention pressures in social care. As a result, the Council’s Internal Audit department were undertaking a review of recruitment and retention matters.
Risk 21 – the development of effective partnerships and interfaces between Betsi Cadwaladr University Health Board (BCUHB) and the Council: the current review of the Risk Register had been undertaken prior to the Health Board being placed back in special measures. Nevertheless, following the Welsh Government’s (WG) decision to place BCUHB back in special measures officers discussed the situation with the ‘risk owner’. As a result of those discussions it was decided not to revise the risk score at present, but that CET would closely monitor developments at the Health Board having particular regard to their potential impact on this risk.
Risk 36 – the risk associated with the economic and financial environment worsening beyond current expectations and having a detrimental impact on local businesses: this risk has been slightly modified to focus more specifically on businesses rather than on communities, with Risk 37 focussing on economic hardship for local communities, including inequalities and deprivation.
Risk 50 – the terminology in the title of this risk had changed from ‘Looked After Children’ to ‘Children Looked After’.
Concluding her presentation, the Strategic Planning and Performance Officer advised that the Council was currently carrying 20 corporate risks in the Risk Register of which 11 or 55% were outside of the Authority’s ‘risk appetite’. However, the owners of these 11 risks were comfortable that every possible mitigation measure was being taken with a view to managing these risks. It was emphasised that as the Corporate Risk Register was the place where all the greatest risks to the Council and its communities were recorded and managed, there would always be a number of risks outside of the Council’s risk appetite. By having them included on the Register the Council was acknowledging their existence, the potential severity of their impact and was attempting to do everything within its powers to manage and mitigate their impact.
Members were advised by the Interim Head of Service that the Council’s management team viewed the Corporate Risk Register very seriously and consequently a session would be held imminently during which the Authority’s Senior Leadership Team (SLT) would be discussing the risks collectively with a view to ensuring that everyone and every Service was doing all within their means to manage and mitigate the impact of the risks, particularly those which were outside of the Council’s risk appetite.
Responding to members’ questions the Lead Member and officers:
· explained the differences and the relationships between the Corporate Risk Register, Service Risk Registers and Project Risk Registers. The Risk Registers Guidance identified trigger points when risks may require to be escalated from one register to another and vice-versa. Officers could at any time contact the Corporate Support Service: Performance, Digital and Assets to seek advice on whether it would be beneficial to escalate a risk to the Corporate Risk Register. Whilst at first it may seem unusual that large high financial risk projects, such as the Queen’s Market and the new Waste Depot, did not appear on the Corporate Risk Register but appeared on Service or Project Risk Registers, they did actually feature on the Corporate Risk Register collectively under ‘risk 18 relating to programme and project benefits not being fully realised.’
· advised that Service Risk Registers were reviewed on a quarterly basis. During that review process consideration would be given to whether any Service level risks should be escalated to the Corporate Risk Register.
· Escalation and de-escalation of risks between the Corporate and Service Registers occurred on a regular basis. Services were encouraged to ensure that any activities required by their particular service to help mitigate the impact of corporate risks featured within their Service Business Plan.
· advised that the current socio-economic environment was contributing towards the ‘trend’ in relation to a number of risks remaining static. Although the situation was continually changing and the Council needed to respond to the changes, it would take some time for this to reflect in the ‘trend’ status for the risks.
· advised that the Corporate Risk Register should give elected members some assurance that the Council was continually identifying and monitoring risks and responding to those risks by putting mitigating measures in place. Ideally the Council’s goal would be to carry a level of risk that was consistent with its ‘risk appetite’. If then after achieving that goal the trend remained static that would be an acceptable position to be in.
· advised that the actions in place to respond to Risk 01 relating to Safeguarding reflected the seriousness with which the Council viewed the potential implications of this risk. However, the Council was of the view that having a standalone process, outside of the Risk Register process, to address this risk would not be beneficial.
· confirmed that Risk 50 relating to the WG’s commitment to eliminate profit from the care of Children Looked After resulting in an unstable or unsuitable supply of placements did not relate to the Council providing the service in-house. It was essentially about eliminating profit from service provision and related to the business model for these types of services. Councillor Alan Hughes registered his concerns that if WG did proceed with this approach it would pose a huge risk for the Council going forward and therefore required close monitoring. It was confirmed that the Bwthyn y Ddôl Integrated Children’s Assessment Centre project in Colwyn Bay was progressing despite some initial setbacks. Officers agreed to make enquiries on the current status of the project with Councillor Bobby Feeley, who represented Denbighshire’s Scrutiny Committees on the Project Board, and the Corporate Director: Social Services and Education.
· drew members’ attention to the section titled ‘anticipated direction of travel’ which could be found in the narrative for each risk in the Register. The information contained in this paragraph could help provide reassurance to members about what officers anticipated to happen going forward. This section may also raise further concerns which members may wish to examine in detail at Scrutiny.
· confirmed that the ICT Service did take the threat of a cyber-attack extremely seriously. Some work was currently being undertaken on a UK-wide basis under the auspices of Operation Palisade, part of the counter terrorism work, in relation to cyber security. The Council also undertook its own cyber security work as well as participating in national cyber security events and work. It employed a dedicated Cyber Security Officer, all services had business continuity plans to ensure services continued to be delivered in the event of a cyber-attack, and a simulation exercise had been conducted to test the Authority’s response in the event of a cyber-attack. Mitigation against cyber-attacks and proposed actions in response to such attacks were regularly reviewed and updated. The Governance and Audit Committee had recently considered an Audit Wales (AW) report on cyber security. This report was discussed under Part II business, but was available for all councillors to read. The Committee, if it wished, could request to examine the Council’s cyber security arrangements.
· offered to provide assistance to individual members who wished to access and navigate the corporate reporting system for data gathering purposes.
· advised that as a result of the complexities involved with the risks listed in the Corporate Risk Register, particularly those that were above the Council’s ‘risk appetite’ level, it would be extremely difficult to identify specific ‘target dates’ for reducing the residual risk score. Target dates may also prove unhelpful as they could take the focus away from the important elements related to the risks. The narrative under the ‘anticipated direction of travel’ was a far better guide to follow in relation to reducing residual risk scores. As the Risk Register document was required by law to be accessible to all users and able to be read by a ‘screen reader’, officers agreed to make enquiries on whether an appropriate indicator could be included under the ‘anticipated direction of travel’ illustrating the current direction of travel.
· illustrated the complexities entailed with Risk 33: the cost of care outstripping demand, which comprised of a number of elements including increase in the cost of living, introduction of the real living wage, demand and supply and demographic changes. This risk had featured on the Risk Register for a long time and was expected to remain on the Register for the foreseeable future. The issue of monitoring that the Real Living Wage when implemented reached the pockets of care workers was a concern. Officers agreed to make enquiries on the matter and feed back to the Committee on how this could be monitored.
· advised that looking ahead the majority of the main risks facing the Council were currently listed on the Corporate Risk Register. When reviewing risk registers with Directors and Lead Members the guide question which was usually asked was “is there anything that keeps you awake at night?” Anticipating the future was generally built into the risk register review process. One potential new risk which was currently coming to the fore, and may well feature on the Corporate Risk Register in future, was a risk relating to the conduct and management of elections. This potential risk stemmed from the introduction of new rules and regulations relating to the holding of elections. The increasing divergence in election conduct and management practices between elections governed under UK election regulations and those governed in Wales under Senedd regulations had been identified as a potential risk going forward. Officers would be shadowing English authorities during the forthcoming local elections in May with a view to gaining a better understanding of the new requirements in order to build in risk mitigation measures for the holding of elections in Denbighshire in due course.
· confirmed it was key that officers were aware of the challenges facing their services and that they ensured that they were listed on their Service’s Risk Register. If then, in their opinion, those risks were becoming too great for them to manage them at a service level they could request that they be escalated to the Corporate Risk Register. If services were effectively managed nothing on the Corporate Risk Register should therefore come as a surprise.
· emphasised that having risks, such as health and safety for instance, listed on the Corporate Risk Register was not a bad thing. It was actually good practice and reflected well on the Authority, as it was acknowledging publicly that these risks existed and demonstrating to residents that it was proactively taking steps to mitigate against the potential adverse impact of the risks occurring. Having both the Governance and Audit Committee and Performance Scrutiny Committee regularly reviewing the Risk Register also provided added assurances that all risks were being given detailed consideration.
· Members were invited to bring any issues of concern to them to the attention of officers ahead of the next review of the Register in September 2023.
Members requested that their concerns on the adverse effect that Risk 48: recruitment and retention of staff also had on the health and well-being of staff members expected to cover additional work due to the Council carrying a high number of vacant posts, be noted. Concerns were also raised in relation to the lack of information and consultation to date with local businesses on the proposed new Economic Strategy for the county, which Scrutiny was due to examine in November 2023. Officers agreed to raise these concerns with the relevant services.
At the conclusion of the discussion members thanked the Lead Member and officers for attending and for being open and willing to answer all questions raised and for encouraging all elected members to participate in the review and provide feedback.
Resolved: subject to the above observations made in relation to the Corporate Risk Register Review of February 2023 to –
(i) accept the amendments made to the Register as outlined in the report and detailed in Appendix 2;
(ii) acknowledge the rationale used to determine the status of each risk against the Council’s Risk Appetite Statement (Appendix 3); and
(iii) endorse the colour and trend status summary document for members and officers use at Appendix 1.
- Corporate Risk Register Report 270423, item 5. PDF 130 KB
- Corporate Risk Register Report 270423 - App 1, item 5. PDF 398 KB
- Corporate Risk Register Report 270423 - App 2, item 5. PDF 856 KB
- Corporate Risk Register Report 270423 - App 3, item 5. PDF 228 KB