The purpose of this report is to provide the Resources & Delivering Value Scrutiny Board with an update on the Council’s corporate risk register.
The Scrutiny Board received a presentation to the report from the Health, Safety and Risk Manager. Matters addressed in the presentation included:
Having received the presentation to the report, Members of the Scrutiny Board asked a number of questions related to the report, which in summary included the following matters:
Councillor Meeson noted that the detail for the Risk Register report before the Scrutiny Board had already passed through Cabinet and questioned what was expected further of the Scrutiny Board in reviewing it. The Acting Chief Executive clarified that two years ago the Resources and Delivering Value Scrutiny Board had agreed to consider the Risk Register report annually to review corporate risks and for the report to potentially inform the Scrutiny Board’s annual Work Programme going forward.
Councillor Clements noted that some of the risk detailed in the report was reviewed and updated every three months, whilst other areas had not appeared to have been updated since 2016 and queried why this was the case. Members were advised that the Risk Management Framework had a RAG rating following the application of mitigations against the risks identified. Red rated risks were reviewed monthly, amber risks quarterly or every 6 months depending on the activity concerned and green risks were monitored at least annually.
As far as the two risks identified by Councillor Clements as having not been updated since 2016, the Acting Chief Executive explained that the risk status and last monitoring timescale of 2016 indicated that the impact of the risk had not changed since the action undertaken to mitigate the risk had last been completed. However, the area of risk was consistently reviewed according to the Risk Register scheduled monitoring programme.
Councillor Moses referenced the Risk Title ‘A serious information breach requiring notification and a fine from the Information Commissioners Office’ and the corresponding Mitigating Action ‘Mandatory training for all staff on information security, with all staff being up to date with their training’ and questioned whether any other forms of mandatory staff training were delivered. The Acting Chief Executive clarified that mandatory training was a requirement of all new Council employees and that training was further refreshed and advertised for all staff through the Council’s ‘Core Brief’ as necessary.
In relation to mitigating action ‘Details of poor training take up is sent to each member of CLT’, Councillor Meeson questioned how frequently training information and related staff training statistics were presented to CLT. Members were advised that all staff training information was supplied via the Oracle system, with staff training targets identified and included in the Risk Register. In terms of specific information security incidents, Members were informed that the relevant Director would decide the level at which the incident would be reviewed. In the Resources Directorate, the relevant manager of the service experiencing an information breach would meet directly with the Acting Chief Executive.
With regard to Risk Title ‘Inefficient system and processes to share warning and information markers when dealing with a person, property or location for SMBC and SCH activities’ and the Mitigating Action ‘Implement Communications Plan to ensure that staff are aware of the Register and the requirements in the Warning Marker Policy’, Councillor Moses questioned whether the Communication Plan was progressing to meet the target date of 31/7/23. Members were advised that the Communication Plan was on course to meet the target date. Furthermore, through the Communications Team, the requirements of the register are communicated at both team and Directorate level for staff at all levels.
With regard to data breaches, Councillor Kaye questioned how potential cases of data theft via USB devices were controlled. The Head of ICT and Information Governance clarified that the use of USB devices by Council staff was not allowed. In any cases where a USB was sanctioned, it had to be approved via the ICT Service Desk and encrypted.
Councillor Meeson queried whether the target dates detailed in the Risk Register were realistic and likely to be achieved. The Head of Health, Safety and Risk advised that all corporate risk was reviewed on an on-going basis via the Audit Committee. The Council had in place a centralised Risk Register team, who worked closely with the risk owners.
Councillor Adeyemo queried whether the Council had risk rating targets that it wished to attain against each identified risk in the register. Members were advised that all data in the Risk Register was reviewed and the risk owner/s encouraged to study the risk report at the appropriate review date and to consider whether the identified risk level remained appropriate in light of the risk level and mitigations identified.
Councillor Adeyemo highlighted social care reforms within the context of MTFS delivery and subsequent lobbying of central Government of the Council’s case for funding and sought further clarification as to the progress and outcomes arising from such lobbying. The Acting Chief Executive confirmed that the most recent and relevant example of success arising from such activity would be the West Midlands Devolution Deal, especially of the freedoms and flexibilities arising for the Council from the devolution arrangements, an example being the continuing 100% business rate retention.
In relation to the U.K. Central Programme, Councillor Adeyemo noted that it was a core element of the Council’s Local Plan and was therefore shocked to see the programme rated at 8 for securing of programme funding. Councillor Adeyemo sought further information on the future funding arrangements for the programme, particularly the securing of future funding by the Council. The Director of Economy and Infrastructure informed the Scrutiny Board that the U.K. Central Programme was a long-term project, requiring due process to be followed. The project was also dependent on the WMCA for its Capital schemes, which had been very successful in securing such schemes for Solihull as a whole. However, other funding sources were always being sought and secured, such as the Strategic CIL and devolution deal funding. The WMCA and Solihull had been very successful to date in securing funding for Capital and infrastructure schemes, such as the Regional Transport Settlement which provided funding for the next ten years.
(i) To note the detail in the report regarding the Council’s identified corporate risks; and,
(ii) To recommend that future Risk Register commentary should address and explain why, if applicable, the status of specific risks has not been updated within the normal RAG monitoring timescales.