City of York Council (Logo)

Meeting:

Audit & Governance Committee

Meeting date:

14/05/2025

Report of:

Debbie Mitchell, Director of Finance (S151 Officer)

Portfolio of:

Councillor Lomas, Executive Member for Finance, Performance, Major Projects, Human Rights, Equality and Inclusion


Audit and Governance Committee Report: Monitor 4 2024/25 – Key Corporate Risks


Subject of Report

 

1.           The purpose of this paper is to present Audit & Governance Committee with an update on the key corporate risks (KCRs) for City of York Council (CYC), which is included at Annex A.

 

Policy Basis

 

2.           The effective consideration and management of risk within all the council’s business processes helps support the administration’s key commitments and priorities as outlined in the Council Plan 2023-2027.

 

Recommendation and Reasons

 

3.           Audit and Governance Committee are asked to:

a)   consider and comment on the key corporate risks included at Annex A, summarised at Annex B; 

b)   note and provide feedback on the in-depth review of KCR 2 (Governance) at Annex C;

c)   provide feedback on any further information that they wish to see on future committee agendas;

 

Reason:

To provide assurance that the authority is effectively understanding and managing its key risks.

 

Background

 

4.           The role of Audit & Governance Committee in relation to risk management is to receive;

·        assurance with regards to the governance of risk, including leadership, integration of risk management into the wider governance arrangements of the council including CMT ownership and accountability

·        the up-to-date key corporate risk profile including the effectiveness of risk management actions; and

·        monitoring the effectiveness of risk management arrangements in supporting the development and embedding of good practice across the organisation

 

5.           Risks are usually identified in three ways at the Council;

·          A risk identification workshop to initiate and/or develop and refresh a risk register. The risks are continually reviewed through directorate management teams (DMT) sessions.

·          Risks are raised or escalated on an ad-hoc basis by any employee

·          Risks are identified at DMT meetings

 

6.           Due to the diversity of services provided, the risks faced by the authority are many and varied. The Council is unable to manage all risks at a corporate level.  Best practice is to focus on the significant risks to the council’s objectives these are known as the key corporate risks (KCRs).

 

7.           The corporate risk register is held digitally in ‘Magique’. The non KCR risks are specific to council directorates and consist of both strategic and operational risk. Operational risks are those which affect day to day operations and underpin the directorate risk register. All operational risk owners are required review their risks on a regular basis and inform the risk management service of any changes.

 

8.           In addition to the current KCRs, in line with the RM policy, risks identified by any of the Directorates can be escalated to Council Management Team (CMT) for consideration as to whether they should be included as a KCR. KCRs are reported and discussed quarterly with CMT and Portfolio Holders. KCR’s can also be reduced to directorate level risk as part of this process. 

 

Key Corporate Risk (KCR) update

 

9.           There are currently 12 KCRs which are included at Annex A in further detail, alongside progress to addressing the risks.

 

10.        Annex B is a one-page summary of all the KCR’s and their current gross and net risk ratings.

 

11.        In summary the key risks to the Council are:

 

·        KCR1 – Financial Pressures: The Council’s increasing collaboration with partnership organisations and ongoing government funding cuts will continue to have an impact on Council services

·        KCR2 – Governance: Failure to ensure key governance frameworks are fit for purpose.

·        KCR3 – Effective and Strong Partnership: Failure to ensure governance and monitoring frameworks of partnership arrangements are fit for purpose to effectively deliver outcomes.

·        KCR4 – Changing Demographics: Inability to meet statutory deadlines due to changes in demographics

·        KCR5 – Safeguarding: A vulnerable child or adult with care and support needs is not protected from harm

·        KCR6 – Health and Wellbeing: Failure to protect the health of the local population from preventable health threats. 

·        KCR7 – Capital Programme: Failure to deliver the Capital Programme, which includes high profile projects

·        KCR8 - Local Plan: Failure to develop a Local Plan could result in York losing its power to make planning decisions and potential loss of funding. This could potentially now be removed?

·        KCR9 – Communities: Failure to ensure we have resilient, cohesive, communities who are empowered and able to shape and deliver services.

·        KCR10 – Workforce Capacity: Reduction in workforce/ capacity may lead to a risk in service delivery.

·        KCR11 – External market conditions: Failure to deliver commissioned services due to external market conditions.

·        KCR12 – Major Incidents: Failure to respond appropriately to major incidents.  This includes regular incidents such as Flood and a Major fire to national and international incidents such as Pandemic, Climate change, Supply chain failure.  

 

12.        Risks are scored at gross and net levels. The gross score assumes controls are in place such as minimum staffing levels or minimum statutory requirements. The net score will take into account any additional measures which are in place such as training or reporting. The risk scoring matrix is included at Annex C for reference.

 

13.        The following matrix categorises the KCRs according to their net risk evaluation. To highlight changes in each during the last quarter, the number of risks as at the previous monitor are shown in brackets.

 

Impact

 

 

 

 

 

Critical

 

 

 

 

 

Major

 

1 (1)

5 (5)

1 (1)

 

Moderate

 

1 (1)

3 (3)

1 (1)

 

Minor

 

 

 

 

 

Insignificant

 

 

 

 

 

Likelihood

Remote

Unlikely

Possible

Probable

Highly Probable

 

14.        By their very nature, the KCRs remain reasonably static with any movement generally being in further actions that are undertaken which strengthen the control of the risk further or any change in the risk score. In summary, key points to note are as follows; 

 

·        New Risks- No new KCRs have been added since the last monitor

·        Increased Risks – No KCRs have increased their net risk score since the last monitor

·        Removed Risks – No KCRs have been removed since the last monitor

·        Reduced Risks – No KCRs have reduced their net risk score since the last monitor

 

Updates to KCR risks, actions and controls

 

15.        KCR 1Financial Pressures: actions have been updated following Council approval of the 2025/26 Financial Strategy

 

16.        KCR 2 – Governance: the title has been restored as Governance following the discussion at the July Audit & Governance Committee meeting with the risk detail, implications and controls updated accordingly.  A revised date has been added to the ongoing action assigned to this risk.

 

17.        KCR 3 – Effective and Strong Partnerships: implications updated, and the wording of some controls updated.  New control added around the joint project group to develop a neighbourhood team model.

 

18.        KCR 7Capital Programme: actions have been updated following Council approval of the 2025/26 Financial Strategy.  A new action has been added to review the governance of major capital projects.

 

19.        KCR 8 – Local Plan: Controls and actions updated following Council approval of the Local Plan.

         

20.        KCR 10 – Workforce/Capacity: All ongoing actions have been reviewed and revised dates set.

 

21.        KCR 12 – Major Incidents: Updated to reference the Prevent Situational Risk Assessment.  LRF Local and National Risk Registers attached see paragraph 22 below.

KCR 12

22.        In terms of this KCR the detailed risk sets out as one of the controls working with the Local Resilience Forum (LRF).  The LRF risk registers for both local risks and national risks can now be accessed on the following link - Our risks in North Yorkshire | North Yorkshire Council.  A copy of the national and local risk registers are attached at Annex E & F of this paper for information purposes. 

KCR 2 Governance

 

23.        As agreed at this committee in November 2024, a cycle of in-depth reviews will be carried out whereby one KCR is reviewed in detail and the risk owner attends that meeting to assist with the conversation.  This monitor KCR 2 (Governance) that is under review.

 

Consultation Analysis

 

24.        Not applicable

 

Risks and Mitigations

 

25.        In compliance with the council’s Risk Management Strategy, there are no risks directly associated with the recommendations of this report.  The activity resulting from this report will contribute to improving the council’s internal control environment.

 

Contact details

 

For further information please contact the authors of this report.

 

Author

 

Name:

David Walker

Job Title:

Customer Finance Risk & Insurance

Service Area:

Corporate Services

Report approved:

Yes

Date:

29/04/2025


Background papers

 

None


Annexes

 

·        Annex A: Key Corporate Risk Register

·        Annex B: Summary of Key Corporate Risks

·        Annex C: KCR 2 Governance - in depth review

·        Annex D: Risk Scoring Matrix

·        Annex E: Local Resilience Forum Risk Register

·        Annex F: National Risk Register