Audit & Governance Committee


14 April 2021


Report of the Chief Finance Officer


Monitor 2 2020/21 - Key Corporate Risks





1.        The purpose of this paper is to present Audit & Governance Committee (A&G) with an update on the key corporate risks (KCRs) for City of York Council (CYC), which is included at Annex A. 


2.        A detailed analysis of KCR10 (Workforce/ Capacity) is included at Annex B.





3.        The role of A&G in relation to risk management covers three major areas;

·        Assurance over the governance of risk, including leadership, integration of risk management into wider governance arrangements and the top level ownership and accountability for risk

·        Keeping up to date with the risk profile and effectiveness of risk management actions; and

·        Monitoring the effectiveness of risk management arrangements and supporting the development and embedding of good practice in risk management


4.        Risks are usually identified in three ways at the Council;


·        A risk identification workshop to initiate and/or develop and refresh a risk register. The risks are continually reviewed through directorate management teams (DMT) sessions.

·        Risks are raised or escalated on an ad-hoc basis by any employee

·        Risks are identified at DMT meetings


5.   Due to the diversity of services provided, the risks faced by the authority are many and varied. The Council is unable to manage all risks at a corporate level and so the main focus is on the significant risks to the council’s objectives, known as the key corporate risks (KCRs).


6.   The corporate risk register is held on a system called Magique. The non KCR risks are specific to the directorates and consist of both strategic and operational risk. Operational risks are those which affect day to day operations and underpin the directorate risk register. All operational risk owners are required to inform the risk officer of any updates.


7.   In addition to the current KCRs, in line with the policy, risks identified by any of the Directorates can be escalated to Council Management Team (CMT) for consideration as to whether they should be included as a KCR. KCRs are reported quarterly to CMT. 


8.   The Risk and Insurance Officer attends DMTs to update directorate risks.  



Key Corporate Risk (KCR) update



9.   There are currently 12 KCRs which are included at Annex A in further detail, alongside progress to addressing the risks.


10.        Annex C is a one page summary of all the KCR’s and their current gross and net risk ratings.


11.        In summary the key risks to the Council are:


·        KCR1 – Financial Pressures: The Council’s increasing collaboration with partnership organisations and ongoing government funding cuts will continue to have an impact on Council services

·        KCR2 – Governance: Failure to ensure key governance frameworks are fit for purpose.

·        KCR3 – Effective and Strong Partnership: Failure to ensure governance and monitoring frameworks of partnership arrangements are fit for purpose to effectively deliver outcomes.

·        KCR4 – Changing Demographics: Inability to meet statutory deadlines due to changes in demographics

·        KCR5 – Safeguarding: A vulnerable child or adult with care and support needs is not protected from harm

·        KCR6 – Health and Wellbeing: Failure to protect the health of the local population from preventable health threats. 

·        KCR7 – Capital Programme: Failure to deliver the Capital Programme, which includes high profile projects

·        KCR8 - Local Plan: Failure to develop a Local Plan could result in York losing its power to make planning decisions and potential loss of funding

·        KCR9 – Communities: Failure to ensure we have resilient, cohesive, communities who are empowered and able to shape and deliver services.

·        KCR10 – Workforce Capacity: Reduction in workforce/ capacity may lead to a risk in service delivery.

·        KCR11 – External market conditions: Failure to deliver commissioned services due to external market conditions.

·        KCR12 – Major Incidents: Failure to respond appropriately to major incidents.


12.        The risks in relation to Covid-19 affect most council services and have an impact on 11 out of 12 existing KCRs.


13.        Risks are scored at gross and net levels. The gross score assumes controls are in place such as minimum staffing levels or minimum statutory requirements. The net score will take into account any additional measures which are in place such as training or reporting. The risk scoring matrix is included at Annex D for reference.


14.        The following matrix categorises the KCRs according to their net risk evaluation. To highlight changes in each during the last quarter, the number of risks as at the previous monitor are shown in brackets.

















6 (6)

1 (0)




1 (1)

3 (5)

1 (1)



















Highly Probable




15.        By their very nature, the KCRs remain reasonably static with any movement generally being in further actions that are undertaken which strengthen the control of the risk further or any change in the risk score. In summary, key points to note are as follows;  


·        New Risks- No new risks have been added since the last monitor

·        Increased Risks –KCR 1 Financial Pressures and KCR6 Health and Wellbeing have increased their net risk score since the last monitor

·        Removed Risks – KCR13 Brexit has been removed since the last monitor

·        Reduced Risks – No KCRs have reduced their net risk score since the last monitor


Updates to KCR risks, actions and controls



16.        KCR1 – Financial Pressures. The gross risk score has increased from probable likelihood, major impact (20) to highly probable likelihood, major impact (21). The net risk score has increased from possible likelihood, moderate impact (14) to probable likelihood, major impact (20). A new control was added as the Financial Strategy 21/22 was approved by Council in February.


17.        KCR2 – Governance. New controls have been added as follows;

·        Ongoing Health and Safety Training programmes at all levels

·        Ongoing regular review of internal audit reviews and recommendations

·        Senior Information Risk Officer (SIRO) role has changed to Director of Governance and the relationship between the SIRO and the Caldicott Guardian is being strengthened

·        Process for consistent completion of Data Protection Impact Assessments (DPIA) is being reviewed and will be circulated across the council

·        Customer Complaints toolkit has been reviewed to be launched imminently

And new actions are as follows;

·        Plans in development for the end of remote meetings from 7th May 2021 when remote meeting guidance legislation ends

·        Delivery of a comprehensive member development programme covering all aspects of governance and decision making

·        Member training is required in respect of the Code of Conduct and conflict of interests.  The Council is considering the implementation of the Model Code issued by the LGA



18.        KCR4 – Changing Demographics. Further risk recognising the impact of Covid-19 has on accentuating the risk of widening inequalities. Outstanding actions are now completed and including in controls.


19.        KCR5 – Safeguarding. The Improvement Plan for Children’s social care is now in place and the Improvement Plan for Adult Social Care to be in place by the end of April 2021 


20.        KCR6 – Health and Wellbeing. The net risk score has increased from possible likelihood, moderate impact (14) to probable likelihood, moderate impact (15). The 2020 Director of Public Health Annual Report will have a focus on health protection including the response to COVID-19, provides an additional control.


21.        KCR7 – Capital Programme. A new control was added as the Capital Strategy 21/22 was approved by Council in February.


22.        KCR8 – Local Plan. A new control was added to note that the Corporate Director for Place and Assistant Director undertake weekly monitoring and management of the process.


23.        KCR9 – Communities. New controls are included to recognise the new role of the Community hubs as agreed in Oct 2020 and appointment to the new role of Director Of Customers and Communities.


24.        KCR10 Workforce/ Capacity. The control has been updated as the Organisational Development Plan replaces Workforce Strategy/ People Plan. There are addition controls including the set up of a Vacancy Control Group as a result of budgetary savings and to mitigate any compulsory redundancies and noting the improved frequency of informal and formal meetings with Trade Unions to improve communications and relationships. These are covered in further detail in Annex B.


25.        KCR11 External Market Conditions. New controls are including attendance at Independent Care Group Provider Conference, the New Director of Commissioning post will improve proactive efforts in market development and market shaping and recognition that the Council’s market position statement is up to date.


26.        KCR13 Brexit. This risk has been removed since it is no longer considered a key corporate risk.





27.        Not applicable.



Council Plan 2019-2023


28.        The effective consideration and management of risk within all of the council’s business processes helps support achieving all eight of the key outcomes identified in the Council Plan. 





29.        There are no further implications.



Risk Management


30.        In compliance with the council’s Risk Management Strategy, there are no risks directly associated with the recommendations of this report.  The activity resulting from this report will contribute to improving the council’s internal control environment.





31.        Audit and Governance Committee are asked to:


(a) consider and comment on the key corporate risks included at Annex A, summarised at Annex C; 

(b) consider and comment on the information provided in relation to KCR10 Workforce/Capacity included at Annex B;

(c) note that the 2020/21 Monitor 2 report will include a detailed analysis of KCR11 External Market Conditions;

(d) provide feedback on any further information that they wish to see on future committee agendas




To provide assurance that the authority is effectively understanding and managing its key risks



Contact Details


Chief Officer Responsible for the report:



Sarah Kirby

Principal Accountant (Corporate Finance)

01904 551635



Lisa Nyhan

Corporate Risk and Insurance Manager

01904 552953



Debbie Mitchell

Chief Finance Officer





Report Approved ü




Date 24/03/21





Specialist Implications Officer(s) 

Trudy Forster

Head of Human Resources

01904 553984




Wards Affected  All










A – Key Corporate Risk Register

B – Analysis of KCR10 Workforce/ Capacity

C – Summary of Key Corporate Risks

D - Risk Scoring Matrix