Agenda item

Quarter 4 Risk Report 2024/25

To provide an update on risk as at the end of March 2025 (report of the Assistant Director – Governance enclosed).

Minutes:

Consideration was given to the report of the Assistant Director – Governance which provided an update on risk as at the end of March 2025.

 

The Business Intelligence and Change Manager introduced the report to the committee. The Q4 2024/25 SHDC Risk Registers were at Appendix A.

The Q4 2024/25 SHDC Housing Revenue Account Risk Register was at Appendix B.

 

Overview of changes included:

  • A proposal to remove the ‘Retention of Staff’ risk from the SHDC Risk Register as this was covered within the Partnership Risk Register;
  • A reduction in the ‘Net Zero Target’ risk, from high to medium, following the Cabinet-approved plan;
  • A new Fraud Risk Register had been included following advice from auditors;
    • The ‘Procurement’ risk had been reduced following completion of the Procurement Card audit actions;
    • Fraud risk relating to ‘Council Tax - Credit Refund and Income’ had reduced due to improved controls.
  • The risk relating to ‘listening to tenants’ on the HRA Risk Register had reduced following the appointment of the lead officer and adoption of the Engagement Strategy; and
  • The register had been reformatted to improve readability.

 

Members considered the report and made the following comments:

 

  • Members requested more information regarding the ‘Trust’ risk SELCP02.
    • The Business Intelligence and Change Manager responded that an increased risk score was to be considered by the Senior Leadership Team (SLT) as a result of differences in political opinion across the partnership. More details would come forward when they were known.
    • The Assistant Director – Governance added that the score had not changed and that SLT kept the Trust risk under review via established partnership mechanisms.

 

  • Members stated that an informal session to understand the Risk Register more fully would be useful.

 

  • Members welcomed the F-06 ‘Council Tax – Credit Refund and Income Fraud’ risk and queried when this was applied and whether potential related controls had impacted the ‘lower’ risk score.
    • The Business Intelligence and Change Manager would investigate and report back to the committee after the meeting.

 

  • Members referred to risk SHDC-OP-33 ‘Parkwood Leisure Provision’ which stated ‘need action date to review’ and queried if a date had been confirmed.
    • The Business Intelligence and Change Manager would liaise with the risk owner so that an action date could be included.

 

  • Members referred to risk SHDC-OP-35 ‘Planning Software retiring 2027’ and queried if progress was on track for completion by the 31 March 2026 target date and whether Local Government Reorganisation (LGR) placed an increased risk on the project.
    • The Business Intelligence and Change Manager confirmed that the project was on track and that the size of the project would warrant a distinct area within the risk register in due course. The current Planning system was to become unsupported and therefore the project needed to be undertaken/completed regardless of LGR. Due diligence would take place regarding future contracts in this respect.

 

  • Members confirmed that residents had welcomed the work being undertaken following implementation of the Tenant Engagement and Influence Strategy.

 

  • Members stated that recent cyber-attacks upon national/international companies had impacted orders made to local businesses and in turn the workforce required during this period had reduced. Were the impacts of cyber-attacks upon the local economy considered within the register?
    • The Business Intelligence and Change Manager responded that although the Council could not control the wider economy, it was able to place a focus upon mitigations in relation to the matter. The target for this area was within the implementation and embedding of the ‘Growth and Prosperity Plan’ which aimed to boost economic growth and regeneration;
    • The Deputy Head of ICT and Digital (PSPS) had provided the following information to be given to members at the meeting:

‘PSPS IT on behalf of SELCP operate and maintain a number of industry leading cyber security measures. In addition we undertake an annual health check, known as penetration tests, against all our operational environments, mitigating any identified risks. We also actively engage with both the National Cyber Security Council, East Midlands WARP and Cert UK to ensure that we are aware of both emerging threats within the cyber space as well as findings associated with successful cyber-attacks. In both instances we review the information provided and take any actions deemed appropriate.

The recent cyber security incident which impacted M&S was a result of social engineering – the attackers impersonated a member of staff in an elevated position of trust, tricking a managed service provider employee into giving out a password. PSPS ICT have a robust password protection procedure, adding qualifying questions before resetting a password to mitigate the issues experienced by M&S; additionally, our service desk team are unable to reset passwords of elevated accounts such as the one used in the cyber-attack.’

 

AGREED:

 

That the quarterly risk monitoring information for Q4 2024/25 be noted.

 
