The Interim Deputy Head of Audit introduced her report setting out details of how the risk management processes had been working across the Council together with the work plan for the coming year.  It was noted that:

·  The purpose of the report was to provide assurance to Members that effective processes were in place to appropriately manage and monitor risk and to demonstrate how the risk processes worked in practice across the Council.

·  The Council’s corporate risks were those risks which could impede the achievement of strategic aims and objectives.  Processes were in place to ensure that new risks are captured and escalated.  Six new risks had been added to the corporate risk register in January 2022.

·  Operational risk registers were in place for each service (including shared services) and were reviewed and updated routinely depending on severity.  The overall number of operational risks had increased from 150 in April 2021 to 153 in February 2022.  The highest risk related to infrastructure improvements, and it was routinely monitored by the Corporate Leadership Team (CLT).

·  All operational risks would be reviewed as part of the implementation of the JCAD risk management software and there would be a complete refresh of the operational risk registers.

In response to questions:

The Interim Deputy Head of Audit advised the Committee that:

·  Some of the implications of the current situation in Ukraine such as rising fuel and construction costs were starting to come through in specific risks that were increasing.  Routine risk updates to CLT included consideration of external threats on the horizon.  As part of the horizon scanning discussion at the next CLT update, she would ask whether there were any other risks relating to global unrest that needed to be captured.

·  She would discuss with the owner of the infrastructure risk the extent to which KCC’s proposed changes to rural bus services should be captured as part of that operational risk.

·  In terms of the removal of Brexit/EU Transition from the corporate risk register, when the register was reviewed last summer, the view was taken that the implications now featured as part of other risks.  It was not removed completely; the different elements affecting the Council were incorporated in the other risks identified.

·  The existing risk management processes were admin intensive, restricting the time available for further work to embed risk across the Council.  Current processes required the prompting of risk leads to ensure risk information remained up to date and services/senior management did not have ‘live’ access to their risk information.  The JCAD software was more versatile.  At present, spreadsheets were used, and it was very difficult to extract information from them.  The Officers would be able to run reports, tailor reports and get more information out of the software than out of spreadsheets.  The system also had the advantage that it helped to ensure consistency in the risk registers in terms of how risks are framed, making sure that all controls that apply are captured and any actions are being taken.  There were automatic prompts to make sure risks are routinely updated and risk owners, senior Officers and CLT would be able to access risk information themselves.

·  Risks would be prioritised in JCAD through the risk scoring process.

·  JCAD would have the same risk matrix for operational risks and scoring process.  It would allow risks to be broken down by service and lower risks to be tracked and managed.  However, the focus would still be on the management of the red/black risks.

·  JCAD had a much smarter way of structuring risks.  The Internal Audit team would continue to facilitate the risk management process to ensure its robustness.  Risks would continue to be reported to Heads of Service, Directors and CLT.  Removing the administrative burden of the spreadsheets would allow more time for the Internal Audit team to facilitate the understanding of risk and embed that culture within the Council to an even greater degree.

The Director of Finance and Business Improvement advised the Committee that:

·  The system for monitoring risks worked well.  It was difficult to convey in the report how the processes worked.  However, he could confirm that CLT considered the way risks were reported to be helpful, and it would be more so with the implementation of the new software.

·  He wished to reassure Members that CLT took the discussion of risk on a regular basis very seriously.  The discussions informed CLT’s thinking on actions to be taken; for example, in relation to the Capital Programme which had significant risks.  This type of tool was very useful in providing a framework for addressing those.

RESOLVED:  That the Risk Management Annual Report, attached as Appendix 1 to the report of the Interim Deputy Head of Audit, be noted.