To provide assurance of the adequacy of the council’s risk management framework and internal controls in 2025/26. 

The council’s risk management approach and risk appetite were updated in June 2025. Senior officers have reviewed the Corporate Risk Register for September 2025 to update risk scores and check whether existing controls are still suitable. One new risk was added earlier in the year relating to the possible financial failure of a major supplier, but no new risks were added for Quarter 2.  Key reporting to the committee focussed on:

Risk about delivering capital and major projects:  This risk used to have a score of 9 (likelihood 3, impact 3).  It has now increased to 12 because the impact of any overspend on the council’s finances would be more serious than before.  The likelihood of issues happening hasn’t changed, but the consequences would now be greater.  To manage this, the council is strengthening how it runs capital projects, focusing on whether teams have the right capacity and skills.

Despite the increased risk score, the council is currently performing well against its 2025/26 capital budget, with spending on track and projects generally progressing as planned.

Risk about long?term financial sustainability:  This risk score has also gone up because of national changes through the fair fundingreview, which puts pressure on the council’s future financial position.  In response, senior officers reviewed the Medium-Term Financial Strategy (MTFS) in September and are now rapidly developing the 2026/27 budget and future plans for 2027/28 and beyond. The council is strengthening financial controls as part of this work.

Assurance and governance:  These risks have been reviewed by the Corporate Leadership Team (CLT) and Cabinet, who confirmed that the changes in scoring are appropriate.

Whenever a score changed, officers reviewed whether the actions in place were still suitable or needed strengthening. In both cases, steps had already been taken to ensure the council is responding properly. The Internal Audit Plan had been aligned to these risks, and further work is underway to improve risk training, update guidance, and develop better dashboard reporting.

The committee noted that several significant risks, specifically R3 (SEND placement provision), Risk 6, Risk 8, and Risk 9 show no audit activity in the system. Officers explained that internal audit is not automatically required to assess every corporate risk.  Internal audit helps assess whether controls in a service are effective, but it is not, in itself, a mitigation measure.

To take Risk 3 as an example, it is not explicitly listed in the audit plan, but related work had been undertaken through the Dedicated Schools Grant (DSG) audit, which is now nearly finalised. Officers had reviewed, challenged, and shaped the recommendations and would bring the report to the committee.  Risk 6 – Workforce capacity – as another example is better handled by HR and organisational development, not internal audit.

It was explained that internal audit is only one part of the overall governance and assurance framework.  This demonstrated that the right processes were in place and working as intended.

The Committee welcomed the ability to see the changes in the risk  ...  view the full minutes text for item 121