To inform the Committee on the current status of the Council's strategic risks (report of the Executive Director Strategy and Governance enclosed).
Consideration was given to the report of the Executive Director Strategy and Governance, which updated the Committee on the current status of the Authority’s strategic risks.
The last risk report to the Governance and Audit Committee was in December 2015. Since then, work had continued on configuring the new corporate performance and risk monitoring system, Covalent. The report had been generated using the new system and included updates on strategic risks for quarter 3, 2015/16. Changes had been made to the layout of the report including the addition of the original risk score and details of the controls/mitigation in place.
Strategic risks were captured on the Corporate Dashboard, reviewed by Executive Management Team quarterly. In addition, risks were reviewed monthly at the officer-led Performance, Risk and Audit Board, chaired by the Executive Director of Strategy and Governance.
Strategic risks had been reviewed and updated with responsible members of the Executive Management Team (EMT). The strategic risk register included twelve strategic risks (detailed at Appendix A to the report). These covered the over-arching risks that might affect the strategic direction of the Council, rather than risks linked to business continuity or those that affected discrete service areas.
Following recent high-profile media coverage of the ICT breach at Lincolnshire County Council, a strategic risk had been developed relating to the security of ICT at South Holland. The severity of an attack on the ICT, and the resulting shutdown required to avoid breaches of data, had meant that the risk was currently scored as a high risk even after controls and mitigation. This would continue to be monitored.
Strategic risks typically affected the whole of the organisation and not just one or more parts of it. Strategic risks could potentially involve very high stakes and often affected the ability of the organisation to survive, e.g. the ability of the Council to achieve its corporate plan objectives and purpose. Strategic risks were managed at Board (EMT) level.
The Risk Framework was currently under review, alongside the implementation of the new ICT system. As part of the Risk Framework review, the procedure by which an operational risk became a strategic risk had been considered. It was recommended that operational risks continue to be monitored monthly as part of the Performance, Risk and Audit Board and that, where a risk remained at a score of fifteen for a period of more than one quarter after controls and mitigation had been put in place, the risk would then be considered a strategic risk and therefore be reported to the Governance and Audit Committee.
As a result of the Risk Framework review, the risk matrix had been changed from a 3 x 3 to a 5 x 5 matrix, based on best practice in comparable organisations. This provided a more comprehensive assessment and understanding of risk likelihood and impact. The matrix produced a numerical score which combined the impact of the risk occurring with the likelihood of it happening. Risks fell into High, Medium or Low categories depending on their rating.
The Committee considered the report, and the following question was asked:
- Staff recruitment and retention at all levels within the organisation: improvement in this area had been seen. What was the reason for this improvement?
  - The Committee was advised that this reflected a reduction in likelihood rather than impact. The context for this reduced risk would be ascertained and fed back to Committee members.
a) That the report be noted; and
b) That the context for the reduction in risk for ‘Staff recruitment and retention at all levels within the organisation’ be ascertained and fed back to the Committee.