Issue - meetings

Corporate Risk Register and Risk Management Strategy

Meeting: 29/11/2023 - Corporate Governance and Standards Committee (Item 49)

49 Corporate Risk Register

Minutes:

The Committee considered a report on the changes that had been made to the corporate risk register since it was last presented to the Committee in June 2023, including the addition of new risks, changes to scoring, mitigations etc. which were detailed in Appendix 1 to the report, together with the scoring matrix and risk criteria for impact and likelihood.

The report had also detailed how the new process continued to achieve the desired outcomes set out in the Risk Management Strategy and Policy as well as setting out the changes made to the Strategy and Policy by the Risk Management Group.

The Corporate Risk Register set out in the report had included 31 risks in total, with 9 marked as red, 14 amber, and 8 green. 

The following comments were made during the debate:

·      Concern was expressed that there were too many risks contained in the high-level corporate risk register and that some of the risks ought to be moved to directorate/service risk registers. Further concern was raised that there should be a more consistent approach between all the risk registers at the various levels.  It was suggested that there should be a review of the whole risk management framework across both Guildford and Waverley. 

·      Noting the risk change heat map in Appendix 2 to the report, concern was expressed that the likelihood and impact of CR15 – Risk of Financial Fraud had shifted from low to high.  The anti-fraud and corruption policy was stated as one of the mitigating factors.  It was suggested that this policy should be reviewed by this Committee or the Overview & Scrutiny Committee.  The Chairman indicated that he would follow up the suggestion to ascertain whether the anti-fraud and corruption policy was due for review and, if so, the governance route for such a review.

·      It was noted that when the Committee had considered the external auditor’s report, a concern was raised as to whether a specific risk had been included in the Corporate Risk Register in respect of the receipt of timely independent external assurance in accordance with statutory deadlines.  It did not appear that such a risk had been included. The Chairman indicated that he would ensure that this point was followed up.

·      In relation to CR14 (risk that the Council experiences increased costs), clarification was sought as to whether this was an “in year” risk, or a risk associated with the medium-term financial plan period. In response, officers confirmed that the mitigation had referred to financial monitoring with the assumption that the risk was associated with the “in year” position.

Having considered the report, the Committee

RESOLVED:  That the progress made to implement the risk management process be noted and that officers be requested to respond to the Committee’s observations and comments referred to above.

Reason:

The Risk Management Strategy and Policy states that this Committee will review the corporate risk register on a six-monthly basis. It is the responsibility of the Committee to ensure it is satisfied that ...


Meeting: 15/06/2023 - Corporate Governance and Standards Committee (Item 5)

5 Risk Management and Corporate Risk Register

Minutes:

The Committee considered a report on the changes that had been made to the corporate risk register since it was last presented to the Committee in November 2022.  The report had also detailed how the new process continued to achieve the desired outcomes set out in the Risk Management Strategy and Policy as well as setting out the changes made to the Strategy and Policy by the Risk Management Group.

 

The Committee’s attention was drawn to the update on the Supplementary Information Sheet in respect of Risk Reference CR32 (risk of designation by Secretary of State for failing to achieve national target for determining non major planning applications).

 

Since the November 2022 report, the Risk Management Group had met twice, most recently on 18 May 2023, when they reviewed the Corporate Risk Register.

 

The Corporate Risk Register set out in the report had included 31 risks in total, with 7 marked as red, 13 amber, and 8 green.   Two of the risks had unscored residual risks that were waiting to be scored by the Risk Management Group and one new risk which needed to be completed by the Risk Management Group.

 

The Committee noted that, in the next quarter, officers would be working with the Council’s insurers to hold risk challenge lessons and provide assurance for risks that were red RAG rated, the aim of which was to assess whether the mitigation measures identified in the Corporate Risk Register would address the risk identified and also factors affecting the likelihood.

 

The following comments were made during the debate:

 

·      In response to concerns expressed about the 7 red rated residual risks and how work would be prioritised to mitigate those risks, the Joint Strategic Director: Transformation and Governance informed the Committee that the risk register was a live document, with risks changing constantly, and the Corporate Management Board, the Executive, and the Lead Councillor monitoring the risks closely on a very regular basis.

·      In response to a question regarding having sufficient staff capacity to deliver on the management of these risks, the Strategic Director confirmed that for some risks, for example Risk CR32, maintaining sufficient capacity had been very difficult.  However, managing the risks was a day-to-day active management process.  A more detailed explanation of how the Council will ensure that it has sufficient staff resources to achieve the various mitigations proposed would be provided.

·      In response to a concern that there appeared to be no strategic solution to mitigating Risk CR6 (risk that the Council is unable to recruit and retain staff, including as a result of the collaboration), the Committee noted that part of the collaborative work with Waverley included a strategy on workforce development the aim of which was to identify how the Council could recruit, retain and develop staff, with a view to effective succession planning, particularly in those areas where this has been, and continues to be, difficult. 

·      Welcomed progress on implementing the risk management process, noting that in respect of the movement of risks, ...


Meeting: 17/11/2022 - Corporate Governance and Standards Committee (Item 44)

44 Risk Management and Corporate Risk Register

Minutes:

The Committee considered a report on the changes to the corporate risk register since it was last presented to the Committee in April 2022, including the change in residual RAG ratings in respect of three corporate risks, as shown by table 1 referred to in the report.

 

This report also detailed how the new process continued to achieve the desired outcomes set out in the Risk Management Strategy and Policy as well as setting out any changes made to the Strategy and Policy by the Risk Management Group.

 

Whilst the Committee acknowledged and appreciated the work carried out to date, there were a number of comments and suggestions for improvement as follows:

 

·       where items were being re-scored, particularly if they were moving into a red rating, more information was requested in that regard in respect of the reasons for the change and any concomitant mitigations. There was particular concern, which was shared by the Deputy Leader, about CR9 (risk that capital programmes and projects experience issues that affect time, quality or budget) and further information as to reasons and mitigation measures was requested.  The Deputy Leader confirmed that the main reason for the red rating on CR9 was inflationary pressures in major projects such that the viability of some of those projects was under review. It would be a matter for the Major Projects Board and the various governance boards to propose possible solutions and mitigations, which would then need to be put to Executive and, if additional monies or changes to the objectives or delivery plan for such projects were required, to full Council for approval.  

 

·       It was suggested that the Risk Management Group consider for future reports:

 

(a)   whether the risk change heatmap should also plot the gross scores as well as residual scores, so that it is easy to see risk changes before any mitigation is applied; 

(b)   the axes on the heatmap charts are labelled in order to identify the ‘likelihood’ axis and the ‘impact’ axis;

(c)   all the boxes are the same size so that some sense of perspective is achieved;

(d)   the risk register is re-arranged in descending order according to gross scores;

(e)   the possible duplication of reference to CR23 (risk that Council staff or contractual staff take industrial action) on the revised heatmap and whether it should be rated green, rather than red;

(f)    in view of the outcome of the internal audit report on risk management considered at this meeting, whether CR25 (risk that management and governance processes in place are not fully utilised for all programmes and projects) had been rated too strongly as a red risk;

(g)   whether CR21 (risk that the Council fails to meet its target of becoming net carbon zero by 2030) should appear on the heatmap.

 

The Committee, having considered the corporate risk register

 

RESOLVED:

 

(1)    That the Committee’s comments and suggestions, as outlined above, be considered by the Risk Management Group.

 

(2)    That the Committee notes the progress made to ...


Meeting: 28/04/2022 - Executive (Item 93)

93 Risk Management Strategy and Policy

Decision:

The Executive approved the Risk Management Strategy and Policy including amendments proposed by the Corporate Governance and Standards Committee.

Reason(s):

To adopt a corporate Risk Management Strategy and Policy which will allow risk to be articulated, managed and mitigated consistently across the Council.

Other options considered and rejected by the Executive:

None.

Details of any conflict of interest declared by the Leader or lead councillors and any dispensation granted:

None.

 

Minutes:

The Executive considered a report that presented the draft Risk Management Strategy and Policy with a recommendation for adoption and the corporate risk register was presented for comment. In the absence of the Leader of the Council, the Lead Councillor for Resources introduced the report.

The draft policy had been considered by the Corporate Governance and Standards Committee on 21 April and the comments and suggested amendments arising were set out in the Supplementary Information Sheet.

The Executive commented that the draft policy would deliver a great improvement in practice. It was noted that the draft policy was rigorous and the report was well received.

RESOLVED, to approve the Risk Management Strategy and Policy including amendments proposed by the Corporate Governance and Standards Committee.

Reason(s):

To adopt a corporate Risk Management Strategy and Policy which will allow risk to be articulated, managed and mitigated consistently across the Council.


Meeting: 21/04/2022 - Corporate Governance and Standards Committee (Item 70)

70 Risk Management Framework - Corporate Risk Register

Minutes:

The Committee considered a report on the Council’s new risk management framework including the Risk Management Strategy and Policy, the corporate risk register and risk scoring guidance and matrix. The Strategy and Policy would be presented to the Executive at its meeting on 28 April 2022 for formal approval.  As the Committee had corporate risk within its remit, it was being asked to consider and comment upon the corporate risk register.

 

It was intended to submit an updated corporate risk register to the Committee on a six-monthly basis, together with a report outlining any changes to the Strategy and Policy and any lessons learned in respect of the corporate risk register.

 

During the debate the following comments were made:

 

·       The report was too general in outlook, and it would be better to have a more specific assessment of risk within other reports, particularly in respect of corporate performance management.  In response, officers clarified that there were different levels of risk registers from the highest-level strategic risks down to service level and to individual programmes and projects.  The corporate risk register represented the high-level strategic risk register.

·       A suggestion that the Executive Summary should include particular points worth highlighting, for example the Council's attitude to risk.

·       When reviewing the Strategy and Policy it would be useful to highlight examples of any risks that had not previously been identified.

·       Request for clarity on who managed and owned risks and also to seek feedback from our Auditors on our assessment of risk and associated mitigation measures.

·       To note that at a high level, it was necessary to identify the key risks, action to be taken to address them, and the impacts of mitigation measures.  It was also necessary to understand how risks change over time and this should be highlighted.

·       Although the Committee would be monitoring the corporate risk register over time, it was worth noting that risks were being monitored at different levels of management. It was also noted that the new risk management process and how it was reported would take time to evolve in terms of what would need to be reported to the Committee.

 

Having considered the report, the Committee

 

RESOLVED: That the corporate risk register, the Risk Management Strategy and Policy be noted and that the comments referred to in the debate be agreed.

 

Reason:

Following the recommendations relating to risk management in the KPMG report produced in February 2021, the Council had developed a new corporate risk register. Risk was in the remit of the Corporate Governance and Standards Committee.

 

Action:

Officer to action:

·       To include in the Executive Summary of future reports particular points worth highlighting to the Committee

 

·       To highlight examples of any risks that had not previously been identified, and how risks change over time, when reviewing the Strategy and Policy.

·       To seek feedback from our Auditors on our assessment of risk and associated mitigation measures

 

Policy Officer, Strategy & Communications

 


Meeting: 20/01/2022 - Corporate Governance and Standards Committee (Item 51)

51 Risk Management Update

Minutes:

The Committee considered a report which provided an update on the work undertaken so far to improve the Council’s risk management processes in light of the KPMG audit recommendations in March 2021. It had set out the internal consultation carried out to develop a new Risk Management Framework as well as outlining the current status of the Corporate Risk Register and the Committee’s proposed role moving forward.

 

The report summarised the next steps, including bringing the revised Corporate Risk Register and a further report on progress to the Committee’s meeting in April 2022.

 

The Committee

 

RESOLVED: That the report detailing the work undertaken to improve the Council’s risk management processes and controls, be noted.

 

Reason:

To advise the Committee on the work undertaken to progress the recommendations within the KPMG report and to achieve risk management best practice.