City of York Council (Logo)

Meeting:

Audit & Governance Committee

Meeting date:

04/09/2024

Report of:

Debbie Mitchell, Director of Finance (S151 Officer)

Portfolio of:

Councillors Lomas and Baxter (job-share),

Executive Members for Finance, Performance,

Major Projects, Human Rights, Equality and

Inclusion


Audit and Governance Committee Report: Monitors 1&2 2024/25 – Key Corporate Risks


Subject of Report

 

1.           The purpose of this paper is to present Audit & Governance Committee (A&G) with an update on the key corporate risks (KCRs) for City of York Council (CYC), which is included at Annex A.

 

Policy Basis

 

2.           The effective consideration and management of risk within all of the council’s business processes helps support the administration’s key commitments and priorities as outlined in the Council Plan 2023-2027.

 

Recommendation and Reasons

 

3.           Audit and Governance Committee are asked to:

a)   consider and comment on the key corporate risks included at Annex A, summarised at Annex B; 

b)   consider the proposal at para 20 to conduct an in-depth review of each KCR over the forthcoming monitors;

c)   provide feedback on any further information that they wish to see on future committee agendas.

Reason: To provide assurance that the authority is effectively understanding and managing its key risks.

Background

 

4.           The role of A&G in relation to risk management covers three major areas;

·        Assurance over the governance of risk, including leadership, integration of risk management into wider governance arrangements and the top level ownership and accountability for risk

·        Keeping up to date with the risk profile and effectiveness of risk management actions; and

·        Monitoring the effectiveness of risk management arrangements and supporting the development and embedding of good practice in risk management

 

5.           Risks are usually identified in three ways at the Council;

·          A risk identification workshop to initiate and/or develop and refresh a risk register. The risks are continually reviewed through directorate management teams (DMT) sessions.

·          Risks are raised or escalated on an ad-hoc basis by any employee

·          Risks are identified at DMT meetings

 

6.           Due to the diversity of services provided, the risks faced by the authority are many and varied. The Council is unable to manage all risks at a corporate level and so the main focus is on the significant risks to the council’s objectives, known as the key corporate risks (KCRs).

 

7.           The corporate risk register is held on a system called Magique. The non KCR risks are specific to the directorates and consist of both strategic and operational risk. Operational risks are those which affect day to day operations and underpin the directorate risk register. All operational risk owners are required to inform the risk officer of any updates.

 

8.           In addition to the current KCRs, in line with the policy, risks identified by any of the Directorates can be escalated to Council Management Team (CMT) for consideration as to whether they should be included as a KCR. KCRs are reported and discussed quarterly with CMT and Portfolio Holders. 

 

 

Key Corporate Risk (KCR) update

 

9.           There are currently 12 KCRs which are included at Annex A in further detail, alongside progress to addressing the risks.

 

10.        Annex B is a one page summary of all the KCR’s and their current gross and net risk ratings.

 

11.        In summary the key risks to the Council are:

 

·        KCR1 – Financial Pressures: The Council’s increasing collaboration with partnership organisations and ongoing government funding cuts will continue to have an impact on Council services

·        KCR2 – Governance: Failure to ensure key governance frameworks are fit for purpose.

·        KCR3 – Effective and Strong Partnership: Failure to ensure governance and monitoring frameworks of partnership arrangements are fit for purpose to effectively deliver outcomes.

·        KCR4 – Changing Demographics: Inability to meet statutory deadlines due to changes in demographics

·        KCR5 – Safeguarding: A vulnerable child or adult with care and support needs is not protected from harm

·        KCR6 – Health and Wellbeing: Failure to protect the health of the local population from preventable health threats. 

·        KCR7 – Capital Programme: Failure to deliver the Capital Programme, which includes high profile projects

·        KCR8 - Local Plan: Failure to develop a Local Plan could result in York losing its power to make planning decisions and potential loss of funding

·        KCR9 – Communities: Failure to ensure we have resilient, cohesive, communities who are empowered and able to shape and deliver services.

·        KCR10 – Workforce Capacity: Reduction in workforce/ capacity may lead to a risk in service delivery.

·        KCR11 – External market conditions: Failure to deliver commissioned services due to external market conditions.

·        KCR12 – Major Incidents: Failure to respond appropriately to major incidents.

 

12.        Risks are scored at gross and net levels. The gross score assumes controls are in place such as minimum staffing levels or minimum statutory requirements. The net score will take into account any additional measures which are in place such as training or reporting. The risk scoring matrix is included at Annex C for reference.

 

13.        The following matrix categorises the KCRs according to their net risk evaluation. To highlight changes in each during the last quarter, the number of risks as at the previous monitor are shown in brackets.

 

Impact

 

 

 

 

 

Critical

 

 

 

 

 

Major

 

1 (1)

5 (5)

1 (1)

 

Moderate

 

1 (1)

3 (3)

1 (1)

 

Minor

 

 

 

 

 

Insignificant

 

 

 

 

 

Likelihood

Remote

Unlikely

Possible

Probable

Highly Probable

 

14.        By their very nature, the KCRs remain reasonably static with any movement generally being in further actions that are undertaken which strengthen the control of the risk further or any change in the risk score. In summary, key points to note are as follows; 

 

·        New Risks- No new KCRs have been added since the last monitor

·        Increased Risks – No KCRs have increased their net risk score since the last monitor

·        Removed Risks – No KCRs have been removed since the last monitor

·        Reduced Risks – No KCRs have reduced their net risk score since the last monitor

Updates to KCR risks, actions and controls

 

15.        KCR 1- Financial Pressures: a new action has been added to reflect the work on the Corporate Improvement Framework relating to budget management, this is targeted at completion in January 2025

 

16.        KCR 2 – Governance: the title has been restored as Governance following the discussion at the July A&G meeting. A revised date has been added to the ongoing action assigned to this risk.

 

17.        KCR 8 – Local Plan: Further revisions to the target dates have been made to align with the revised timetable of the Local Plan approval. This follows on from the latest consultation due to finish at the end of August.

 

18.        KCR 9 – Communities:  A revised date has been set for the action to establish an Equalities & Inclusion team (31st December 2024).  Progress has been made now that the JD for the manager role has been approved and so the recruitment exercise can begin.

         

19.        KCR 10 – Workforce/Capacity: All ongoing actions have been reviewed and revised dates set.  Similar to the action for KCR1 a new action has been added relating to the Corporate Improvement Framework.

Proposal for In-depth reviews

 

20.        In order to enhance the scrutiny of the key corporate risks by the A&G committee, it is proposed that a cycle of in-depth reviews is started at the next monitor, whereby one KCR is reviewed in detail and the risk owner attends that meeting to assist with the conversation.  It is hoped that this will not only allow time for the risk to be discussed in full but also assist members’ understanding of that risk at the present time.  This cyclical approach was last taken in 2022 and was effective when undertaken then.

 

21.        If Members agree then we will commence with KCR 1 at the A&G meeting in January 2025 as part of the Monitor 3 review.

 

Consultation Analysis

 

22.        Not applicable

 

Risks and Mitigations

 

23.        In compliance with the council’s Risk Management Strategy, there are no risks directly associated with the recommendations of this report.  The activity resulting from this report will contribute to improving the council’s internal control environment.

 

Contact details

 

For further information please contact the authors of this Report.

 

Author

 

Name:

Helen Malam

Job Title:

Principal Accountant (Budget & Collection Fund)

Service Area:

Finance & Procurement

Telephone:

01904 551738

Report approved:

Yes

Date:

23/08/2024


Background papers

 

None


Annexes

 

·        Annex A: Key Corporate Risk Register

·        Annex B: Summary of Key Corporate Risks

·        Annex C: Risk Scoring Matrix

 

 

Abbreviations

A&G - Audit & Governance Committee

DMT - Directorate Management Team

CYC – City of York Council

KCRs - Key Corporate Risks