Agenda item

RISK REGISTER

Minutes:

Report CSD17170

 

The Committee considered a report setting out the current Risk Registers for Finance, Chief Executive’s, Commissioning and Human Resources. 

 

The Chairman noted that an amendment to Appendix A of the report (Finance Risk Register) had been tabled.  In the amended document the RAG ratings had been realigned but the commentary remained broadly the same as the original report.

 

In response to a question from a Member concerning the risk work undertaken by Internal Audit and Commissioning, the Head of Audit explained that each Directorate was responsible for identifying its key risks.  There were also separate risks identified in relation to themes such as commissioning, and work had taken place to identify contracts with the greatest risks.  Internal Audit would review both areas of risk which should dovetail in relevant areas with the work of Commissioning.  This would then provide an alert to help identify areas that may become a problem and enable discussions to take place.  The Director of Commissioning reported that alerts would automatically be sent to contract managers and this provided a level of confidence that in future the Council’s contracting risks would reduce significantly.

 

The Vice-Chairman queried whether the assessment of risk was as accurate as it could be, noting that there appeared to be some inconsistency around IT with some of the risk ratings appearing to be low.  In response, the Head of Audit highlighted that this was the first time that this risk register had been brought together in this way.  Internal Audit had discussed the ratings with the respective officers and, in terms of IT risk, officers understood the service and had mitigated against risk.  The comments, feedback and challenge from the PDS Committee would be reflected upon.  The Head of Audit reminded the Committee that this was a live document which was regularly updated and that risks were fluid.

 

In relation to cyber security, the Chairman queried whether the Local Authority had sufficient safeguards in place to be able to withstand an attack by a determined hacker.  The Head of Audit confirmed that his team had been provided with the layered approach to security which was in operation across the Local Authority.  In addition to this there had been a swift and robust response to the two ransomware attacks that had impacted on the Local Authority.  Internal Audit was comfortable that the service had worked to ensure sufficient protection was in place.  Patching was undertaken on a regular basis; however, more effort needed to go into training end users as mistakes in this area could leave the Local Authority vulnerable.  The Director of Corporate Services stressed that it would not be possible to give an absolute assurance in any organisation but everything that was possible was being done to protect the Local Authority’s systems and where there had been challenges these had been dealt with robustly.

 

In conclusion, the Head of Audit reported that the Risk Register would form the basis for the 2018/19 Audit Plan and IT security would be a key priority, and controls in place to mitigate risks would be tested.

 

RESOLVED: That the risk registers be noted.
