To approve the Risk Management Strategy and Corporate Risk Register.

ChildrenCHTHE MEMBER the The member for finance and corporate services introduced the report.  It was highlighted that the Audit and Governance committee had been engaged in the development of this strategy throughout 2024/25 and the draft strategy was reviewed by the committee in March 2025. 

The risks and context were set out, strategic delivery included those risks that would prevent the timely delivery of priorities and objectives of the Council Plan 2024 -2028 and supporting annual delivery plans across the themes of people, place, growth and transformation.

Legal and compliance included those risks arising from a defective transaction. Financial risks were ones that arose from not managing risks and finances in accordance with requirements, and financial constraints. Governance risks were those arising from unclear plans, priorities, authorities and accountabilities.

Data and technology risks arose from a failure to produce robust suitable and appropriate data in information. Security risks arose from a failure to prevent unauthorised and/or inappropriate access to the estate and information.

Finally, reputational risks arose from adverse events including ethical violations, lack of sustainability, systematic or repeated failures, or poor quality or lack of innovation leading to damages to the council’s reputation and or destruction of trust and relations.

 It was noted that the roles and responsibilities section clearly specified what was required for specific roles and highlighted that a strong risk management culture was demonstrated.   

The importance of the thrive core values were emphasised as the guiding principles.  It was noted that all elected members had a responsibility in respect to risk, and risk training would be provided.  The officers section also specified individuals and all staff indicating their responsibilities regarding risk.

It was highlighted that the risk management framework and processes section broke down the coordinated activities and processes into 5 clear steps. (1) Establish objectives, (2) Identify the risks, (3) Analyse and evaluate the risk, (4) Manage through mitigation or treatment of the risks, (5) Record and report.

It was confirmed that activities would continue in 2025/26 to ensure that this strategy translated to the management of risk across all services and projects and that risk drove decision-making and service delivery.  

It was noted there would be 3 levels of risk registers, (1) Corporate risk register would include those of significant strategic and cross cutting importance requiring the attention of senior management and elected members.  (2) Directorate risk registers would require the attention of the respective director, directorate leadership team and heads of service or senior managers.  (3) Directorate risks would be local versions of those on the corporate risk register e.g. directorate budget or information management and governance.  Service risk registers included programmes and projects at an operational nature and would be reported to the respective service management team, programme or project board.   

It was noted that the risk and insurance manager was responsible for ensuring consistency in the approach across the three levels of risk register.

It was confirmed that the Risk Management Strategy supported compliance with statutory requirements of the Accounts and Audit Regulations 2015.   

It was noted that the strategy at Appendix A set out the council’s risk appetite levels, as being one of four (1) averse, (2) cautious, (3) open and (4) eager.  These were then applied in Appendix B across each of the categories, the amber colour indicated the councils risk appetite for each risk category and the teal colour indicated the council's appetite for identified exceptions.  The corporate risk register at Appendix C showed the 8 corporate risks, with details of the risk owner, the risk appetite, control measures and mitigating actions, the inherent risk score and residual risk score.

It was highlighted that the risk register was linked to the Council Plan and its four themes of people, place, growth and transformation providing a golden thread to link everything together.

Lastly, it was noted that the Audit and Governance committee confirmed that this number of corporate risks were an appropriate quantity.  

There were no comments from cabinet members. 

Group leaders gave the views of their groups. The improved approach to risk management was welcomed.  It was positively noted that the importance of training for members was emphasised and should be embraced by all members.  It was raised that climate change was not mentioned in relation to corporate risk and the risks to the county. Risk culture was important to ensure risks were being accurately identified and managed.  It was queried if the risk report would be published quarterly to cabinet.  Assurance was also sought if the financial risks appeared on the directorate risk register. 

In response to queries it was confirmed that the risk report would be included every quarter. 

Councillor Stoddart proposed the recommendations, and it was unanimously resolved that: 

a)    The Risk Management Strategy 2025/26 and Risk Appetite Statement are approved by Cabinet; and

b)    The risks identified in the revised Corporate Risk Register are agreed as those of significant, strategic and cross-cutting importance to be managed and monitored in 2025/26

</AI10>

<TRAILER_SECTION>