City of York Council

Meeting: Audit & Governance Committee

Meeting date: 3rd September 2025

Report of: Debbie Mitchell, Director of Finance (S151 Officer)

Portfolio of: Councillor Lomas, Executive Member for Finance, Performance, Major Projects, Human Rights, Equality and Inclusion


Audit and Governance Committee Report: Monitor 2 2025/26 – Key Corporate Risks


Subject of Report

 

1.           The purpose of this paper is to present Audit & Governance Committee with an update on the key corporate risks (KCRs) for City of York Council (CYC), which is included at Annex A.

 

Policy Basis

 

2.           The effective consideration and management of risk within all the council’s business processes helps support the administration’s key commitments and priorities as outlined in the Council Plan 2023-2027.

 

Recommendation and Reasons

 

3.           Audit and Governance Committee are asked to:

a)   consider and comment on the key corporate risks included at Annex A, summarised at Annex B; 

b)   note and provide feedback on the in-depth review of KCR 4 (Changing Demographics) at Annex C;

c)   provide feedback on any further information that they wish to see on future committee agendas.

 

Reason:

To provide assurance that the authority is effectively understanding and managing its key risks.

 

Background

 

4.           The role of Audit & Governance Committee in relation to risk management is to receive:

·        assurance with regard to the governance of risk, including leadership and the integration of risk management into the wider governance arrangements of the council, including CMT ownership and accountability;

·        the up-to-date key corporate risk profile including the effectiveness of risk management actions; and

·        monitoring of the effectiveness of risk management arrangements in supporting the development and embedding of good practice across the organisation.

 

5.     Risks are usually identified in three ways at the Council:

·          A risk identification workshop to initiate and/or develop and refresh a risk register. The risks are continually reviewed through directorate management teams (DMT) sessions.

·          Risks are raised or escalated on an ad-hoc basis by any employee

·          Risks are identified at DMT meetings

 

6.           Due to the diversity of services provided, the risks faced by the authority are many and varied. The Council is unable to manage all risks at a corporate level.  Best practice is to focus on the significant risks to the council’s objectives; these are known as the key corporate risks (KCRs).

 

7.           The corporate risk register is held digitally in ‘Magique’. The non-KCR risks are specific to council directorates and consist of both strategic and operational risk. Operational risks are those which affect day-to-day operations and underpin the directorate risk register. All operational risk owners are required to review their risks on a regular basis and inform the risk management service of any changes.

 

8.           In addition to the current KCRs, in line with the RM policy, risks identified by any of the Directorates can be escalated to Council Management Team (CMT) for consideration as to whether they should be included as a KCR. KCRs are reported and discussed quarterly with CMT and Portfolio Holders. KCRs can also be reduced to directorate level risk as part of this process.

 

Key Corporate Risk (KCR) update

 

9.           There are currently 11 KCRs, which are included at Annex A in further detail, alongside progress towards addressing the risks. There has been one change since the May report, with the removal of KCR 8 (Local Plan).

10.        At A&G on 30th July, A&G members asked for the Capital Programme risk to be brought forward and it will now replace KCR 5 ‘Safeguarding’ at Monitor 3.  There was also a debate at A&G around whether subsequent risks arising from the implementation of the Local Plan give rise to a further/new KCR.  This will be debated by officers and any view provided at Monitor 3 in January.

 

11.        Annex B provides a one-page summary of all the KCRs and their current gross and net risk ratings.

 

12.        In summary the key risks to the Council are:

 

·        KCR1 – Financial Pressures: The Council’s increasing collaboration with partnership organisations and ongoing government funding cuts will continue to have an impact on Council services

·        KCR2 – Governance: Failure to ensure key governance frameworks are fit for purpose.

·        KCR3 – Effective and Strong Partnership: Failure to ensure governance and monitoring frameworks of partnership arrangements are fit for purpose to effectively deliver outcomes.

·        KCR4 – Changing Demographics: Inability to meet statutory deadlines due to changes in demographics

·        KCR5 – Safeguarding: A vulnerable child or adult with care and support needs is not protected from harm

·        KCR6 – Health and Wellbeing: Failure to protect the health of the local population from preventable health threats. 

·        KCR7 – Capital Programme: Failure to deliver the Capital Programme, which includes high profile projects

·        KCR9 – Communities: Failure to ensure we have resilient, cohesive, communities who are empowered and able to shape and deliver services.

·        KCR10 – Workforce Capacity: Reduction in workforce/capacity may lead to a risk in service delivery.

·        KCR11 – External market conditions: Failure to deliver commissioned services due to external market conditions.

·        KCR12 – Major Incidents: Failure to respond appropriately to major incidents.  This ranges from regular incidents such as flood and a major fire to national and international incidents such as pandemic, climate change and supply chain failure.

 

13.        Risks are scored at gross and net levels. The gross score assumes controls are in place such as minimum staffing levels or minimum statutory requirements. The net score will consider any additional measures which are in place such as training or reporting. The risk scoring matrix is included at Annex D for reference.

 

14.        The following matrix categorises the KCRs according to their net risk evaluation. To highlight changes in each during the last quarter, the number of risks as at the previous monitor are shown in brackets.

 

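Impact \ Likelihood | Remote | Unlikely | Possible | Probable | Highly Probable
--------------------|--------|----------|----------|----------|----------------
Critical            |        |          |          |          |
Major               |        | 1 (1)    | 4 (5)    | 1 (1)    |
Moderate            |        | 1 (1)    | 3 (3)    | 1 (1)    |
Minor               |        |          |          |          |
Insignificant       |        |          |          |          |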

 

15.        By their very nature, the KCRs remain reasonably static, with any movement generally being in further actions undertaken to strengthen the control of the risk, or in a change to the risk score. In summary, key points to note are as follows:

·        New Risks – No new KCRs have been added since the last monitor.

·        Increased Risks – No KCRs have increased their net risk score since the last monitor

·        Removed Risks – One KCR, the Local Plan risk (KCR 8) has been removed since the last monitor.  The plan has been adopted with no legal challenges received.

·        Reduced Risks – No KCRs have reduced their net risk score since the last monitor

 

Updates to KCR risks, actions and controls

 

16.        KCR 1 – Financial Pressures:  A new action has been added to respond to the fair funding review.

 

17.        KCR 4 – Changing Demographics: A review of the risk has been undertaken resulting in changes to the risk detail, implications and controls, with the addition of an owner responsible for the data analyses.

 

18.         KCR 6 – Health and Wellbeing: Changes to the risk detail and the implications and the addition of a new control:

New risk detail:

·        Added: Infectious disease outbreaks, rising cost of living, healthcare service pressures e.g. waiting lists and wider societal changes could adversely impact health.

·        Added: Demand for early intervention and prevention services which aim to improve and protect health could outstrip supply.

Implications:

·        Removal of: Sexual health service is overwhelmed leading to poor sexual health and increasing infections across the local authority.

Controls:

·        Added: Ongoing Public Health grant assurance process with DHSC to ensure the effective use of public health resources.

19.        KCR10 – Workforce Capacity: Removal of action to implement the 24/25 pay award – this will be delivered in August salaries, backdated to April 2025. Addition of a new risk:

·        There continues to be a review of the NJC pay spine: as National Living Wage and Living Wage Foundation rates increase, there is an impact on the compression of the grading structure.  This in turn has an impact on competitive market rates.

KCR 4 – Changing Demographics

 

20.        As agreed at this committee in November 2024, a cycle of in-depth reviews will be carried out whereby one KCR is reviewed in detail and the risk owner attends that meeting to assist with the conversation.  For this monitor (Monitor 4 2025/26), KCR 4 (Changing Demographics) is under review.

 

Consultation Analysis

 

21.        Not applicable

 

Risks and Mitigations

 

22.        In compliance with the council’s Risk Management Strategy, there are no risks directly associated with the recommendations of this report.  The activity resulting from this report will contribute to improving the council’s internal control environment.

 

Contact details

 

For further information please contact the authors of this report.

 

Author

 

Name: David Walker

Job Title: Customer Finance Risk & Insurance

Service Area: Corporate Services

Report approved: Yes

Date: 19/8/25


Background papers

 

None


Annexes

 

·        Annex A: Key Corporate Risk Register

·        Annex B: Summary of Key Corporate Risks

·        Annex C: KCR 4 Changing Demographics

·        Annex D: Risk Scoring Matrix