The Committee gave consideration to a report from the Corporate Policy Manager which covered both the Risk Strategy 2019-2023 and the six monthly review of strategic risks. He explained that, based on the new Corporate Plan, there had been slight amendments to the risk strategy. He reminded Members that the risk strategy was ultimately how much risk the Council was prepared to take in any given scenario. He highlighted that the risk appetite for the Council had been assessed as ‘creative and aware’, willing to consider all potential delivery options, and that ethos underpinned the whole strategy.
The Committee heard of one amendment regarding the consideration of both inherent risk (an estimation of the worst case scenario if the risk were to occur) and target risk (the reality if the risk were to occur once all mitigations were in place). The re-confirmed scoring matrix, a 4x4 matrix of likelihood and impact, was also highlighted within the report. The Corporate Policy Manager explained that work had been undertaken in recent years to ensure that risk awareness was inherent in day to day activity and the Council had been praised for this approach by Internal Audit. It was important for this to be maintained.
There was discussion regarding the accessibility of the risk strategy and the clear thread through the organisation that ensured everyone was aware of their risk responsibility. It was agreed that the document explained the information in a clear and concise format and was easy to navigate around.
Following a question from a Member of Committee regarding cases of data loss across the Council, the Corporate Policy Manager introduced the second part of the report regarding the six monthly review of strategic risks. He explained that the assessment template detailed what the triggers might be, the potential impact, the current controls in place and any other areas of consideration. Using the example of information security, the likelihood of it happening was high, despite the measures in place, and the structures needed to be as robust as possible. The fact that there had not been significant losses was likely to be due to the strength of the systems, but there always needed to be structured discussion around the likelihood, the impact and how to reduce both.
There was discussion regarding the risks included in the report and whether there were any marginal risks not covered. Members heard that all risk areas were based around the delivery of the Corporate Plan and that if any service risks impacted on strategic delivery, they would be referenced in the report. Members engaged in discussion around the risks that sat outside of the control of the District Council and it was confirmed that there was a role for the Council to play, for example in education. The Corporate Policy Manager explained several initiatives that were running across the Council with the aim of making small improvements where possible. He gave the example of work experience placements for students and a mentoring scheme that had been running successfully for over 12 months.
With regards to the impact Brexit may have on the Council’s commercial ventures, it was confirmed that nothing could be done currently about the unpredictable impact there may be, but the Council was aware of the need to keep monitoring such risks. The planning and preparation for Brexit had been about the continuation of providing critical services, for example in case of blockades, and ensuring plans were in place to offset any difficulties as they arose.
(1) Members approve the Council’s Risk Management Strategy 2019 – 2023;
(2) Members be assured that strategic risks were being captured, considered and managed effectively.