Agenda item

Monitor 4 2023/24 - Key Corporate Risks (5:38 pm)

The purpose of this paper is to present Audit & Governance Committee (A&G) with an update on the key corporate risks (KCRs) for City of York Council (CYC), which is included at Annex A.

Minutes:

Members considered a report that presented the key corporate risks (KCRs) for City of York Council (CYC), which were included at Annex A.

 

The Director of Finance provided an update, noting that since the last report no new or increased risks had been identified, and that the list of actions had been updated to reflect comments made by the committee.

 

In response to questions from the committee it was noted that:

·        Under KCR2, failing to meet legal timescales for responding to Freedom of Information Act (FOIA) requests was likely to be an ongoing risk. Overall 85-90% of responses were on time but the legal timescale had recently been reduced to two weeks and the Council had to prioritise the use of limited resources.

·        Cyber-attacks were a constant risk. CYC’s firewall was up to date and its servers were secured, with hundreds of thousands of attempted attacks filtered out annually. With reference to a recent cyber-attack on a neighbouring authority, the ICO had closed its investigation without any action.

·        Councillors could not be forced to use CYC email accounts, but these were far more secure than private accounts, with systems being backed up regularly. The use of private email accounts for CYC business would still form part of the Council’s record and a court order could be applied for if access were required for a FOIA request.

·        General governance was not considered under KCR2 because it did not entail significant financial risk and CYC generally adhered to its governance requirements. Failure to follow proper governance processes was covered by other KCRs, although officers would look again at this.

·        KCR3 had been updated to include reference to the new Mayoral Combined Authority. There was no reason that Mayoral priorities should not align with those of CYC, but it was important to register the possibility.

·        The next iteration of the report would reflect national changes around planning under KCR8.

·        The net risk under KCR9 remained high despite mitigations as there was no new money available, while increasing the number of community groups being engaged with also increased risk; officers would consider additional actions.

·        Officers would consider how upskilling the workforce in the context of the growth of AI could be incorporated under KCR10.

·        Risk registers were maintained for department and major projects; only significant and ongoing issues were included in KCRs.

·        The Council had met the legislative requirements around the statutory accounts inspection period including online notices; there was no capacity to extend this period without jeopardising the budget process and general financial management. Objections to the accounts could only be registered in the inspection period but questions could be asked at any time. Consideration would be given to expanding publicity for next year’s inspection, including highlighting that the Annual Governance Statement was published and available alongside the accounts.

·        The inspection period remained open until 19 July; interested members of the public could also engage directly with the committee.

 

Resolved:

 

(i)              That the key corporate risks, included at Annex A and summarised at Annex B of the report, be noted.

 

(ii)            That feedback from Members around general governance, upskilling, community engagement, and increased publicity be taken into account in future.

 

Reason:     To provide assurance that the authority is effectively understanding and managing its key risks.

 
