Agenda item

To provide an update on risk management.

Speakers:

David Mody, Head of Strategic Risk

Russell Banks, Chief Internal Auditor

Key points raised in the discussion:

1.    The Head of Strategic Risk thanked Internal Audit for its help with undertaking the comparator exercise concerning the Council’s Corporate Risk Register. The Council had twenty-two corporate risks which was above the optimum of fifteen to twenty, that was not unwarranted given the Council’s size and activities. All the other councils’ top risks were included in the Council’s Corporate Risk Register apart from a risk relating to HS2 which was not applicable. The Corporate Leadership Team (CLT) reviewed the findings via a workshop and no changes were made to the Corporate Risk Register. There was an additional risk concerning payroll and pensions, which related to the new Unit4/MySurrey system; a follow-up report would go to a future Informal Cabinet meeting. No changes were proposed to the Risk Management Strategy.

2.    A Committee member asked whether the process of how risks were added to the register was reviewed or whether it was an assessment of what was already included. The Head of Strategic Risk explained that different councils treated what they categorised as a corporate risk differently.

3.    A Committee member asked about risk maturity and classification of the risks. The Head of Strategic Risk explained that risk registers were divergent, one council had forty-three risks and another had eleven risks, there was no universal standard however most councils were using the five by five matrix.

4.    A Committee member asked whether there was an opportunity to share best practice between councils. The Head of Strategic Risk noted that he was engaging with other councils, over the last six months he had been contacted by around ten councils seeking best practice from the Council.

5.    A Committee member asked whether the process of identifying risks was comprehensive enough. The Head of Strategic Risk noted that the many discussions around risk made it more likely that risks were identified, significant risks were being captured. He championed the approach of having deep dives, CLT had a monthly session and the directorates had their own sessions.

6.    A Committee member welcomed the proactive approach by Internal Audit reviewing the Corporate Risk Register and was reassured that the communications sessions were happening. He welcomed that there were no changes needed to the Risk Management Strategy.

7.    The Chief Internal Auditor noted that regarding information sharing and assurance on risk identification, working as a partnership Internal Audit had access to knowledge in partner organisations and worked with other heads of audit nationally, comparing Internal Audit Plans which were risk-based.

8.    The Chairman referred to the optimum number of corporate risks noting that if there were too many the Council would be inundated. The Head of Strategic Risk agreed, noting the need to be able to understand what the significant risks were so resources could be allocated to address priority areas.

9.    Responding to the Chairman’s query, the Head of Strategic Risk noted that there had not been any changes to the risk scores since March, however some changes were to come.

10.  Regarding item 8 around the complaints and financial redress, the Chairman asked whether that should be included in the Corporate Risk Register. The Head of Strategic Risk explained that he had received the Ombudsman’s report, a risk was included on the directorate’s risk register and an action plan was in place. CLT reviewed whether those risks needed to be escalated.

11.  The Cabinet Member for Finance and Resources noted that Informal Cabinet reviewed risks quarterly and undertook deep dives into one of the corporate risks, he shares any concerns with the Head of Strategic Risk. 

12.  A Committee member noted that Durham had nearly less than half Surrey’s budget but had nearly twice the number of corporate risks. The Head of Strategic Risk explained that was likely due to combining corporate and directorate risks, there was no correlation between an organisation’s size and the number of risks.

RESOLVED:

1.    Noted the update on risk management.

2.    Approved the Risk Management Strategy.        

Actions/further information to be provided:

None.