To consider the status of the council’s corporate risk register in order to monitor the effectiveness of risk management within the performance management framework.

The Director of Strategy and Performance (DOSP) introduced the report and highlighted the following:

·            The Corporate Risk Register incorporates the key risks across the whole organisation.

·            There were currently 16 corporate risks and 73 directorate risks.

·            The committee were informed that the directorate risk registers were reviewed on a monthly basis with the relevant service and corporate directors which then reported into the corporate risk register should any risks need escalating; risks scored 16-25 would be escalated.

·            With regard to development work on the approach to strategic risk, it was highlighted that more work needed to be undertaken on the risk register surrounding the aggregation of risks, understanding of accountability and action planning. It was reported that the corporate leadership team would challenge and have more ownership of the risks in the corporate register.

·            The senior management team would undertake training, to be provided by the council’s insurance company, within the next couple of months. 

·            The corporate risk register and the directorate risk registers were appended to the report.

In response to committee questions, it was noted:

1.          The DOSP confirmed that service directors had overall responsibility of their individual directorate registers to ensure that risks were de-escalated, removed and added when applicable, risk scores were regularly reviewed and scores, controls and future mitigating activity were updated where necessary.

2.          All service areas would identify their own individual risks and those key risks to the council that needed oversight would be captured within the relevant risk register. It was highlighted that reporting could be made clearer with demonstrating where it is a strategic risk, a service risk or a financial risk and what the mitigation actions    were and the impact those had on the council.

3.          There was a need to consider whether Council’s decision on Friday 28 July 2023 to renew Herefordshire Council’s commitment to taking action to tackle the climate and ecological emergency was addressed appropriately in the risk registers, along with any further work necessary to identify other risks related to this.  

4.          Following a question surrounding cross-departmental risks, it was confirmed that these would be included in the strategic risk register.

5.          In response to a question about the management of risk in circumstances where a risk owner position was vacant, the DOSP confirmed that the directorate leadership team would have oversight and ultimately the service directors had overall responsibility for their directorate register to ensure that those risks had oversight, mitigation in place, and were monitored in an effective way.

6.          The DOSP offered to circulate the Risk Management Plan to members of the committee.

7.          The cabinet member finance and corporate services offered his support in reviewing the risk register.

8.          The Section 151 Officer confirmed there was still work to be done around the risk register and acknowledged concerns raised around Cyber Attacks (CS.09) being de-escalated from the corporate risk register.

9.          The Section 151 Officer confirmed in response to a query around Wetlands (EE.13) that the £1m of the LEP grant money had been spent.

10.       It was noted that Phosphates (EE.28) was a significant issue for the County but was only mentioned in the context of Neighbourhood Development Plans and a request was made to the DOSP as part of her review to look into what other risks could be associated with phosphates.

11.       The Chairperson made observations on the de-escalation of Highway Condition (EE.20) from the register.

12.       The notice to terminate the lease at The Maltings Car Park (EE.56) was noted.

13.       The Chairperson made the observations about the ‘risk management’ sections included in council reports and considered that improvements could be made to the wording of those sections.

14.       In response to a question surrounding what ‘de-escalating’ from the register meant, the DOSP advised there could be a number of reasons why a risk could be de-escalated, such as mitigating actions could have been put in place. It was explained that, if a risk was de-escalated from the corporate risk register, it would remain in the directorate risk register.  

15.       The Chairperson, noting that a number of items within the risk registers were of interest to the committee, suggested that the committee undertake a ‘deep dive’ into selected risks to provide assurance that the risk management framework was being applied appropriately.

Resolved

That:

a)         the status of the council’s corporate risk register be noted; and

b)         the Director of Strategy and Performance be invited to review risk descriptions and to explore whether risks had been addressed appropriately in terms of: the climate and ecological emergency; phosphates; risks identified by the auditors; and cyber security.

Actions(s)

2023/24-005    The Risk Management Plan to be circulated to committee members.

2023/24-006    The committee to undertake a ‘deep dive’ into a risk example, following the ‘Approach to strategic risk management update’ report due to be considered at the November 2023 meeting.