Agenda item

Monitor 4 2017/18 - Key Corporate Risks

The purpose of this paper is to present Audit & Governance Committee (A&G) with an update on the key corporate risks (KCRs) for City of York Council (CYC), which are included at Annex A. A detailed analysis of KCR2 (Governance) is included at Annex B.

Minutes:

Members considered a paper presenting the Committee with an update on the key corporate risks (KCRs) for City of York Council (CYC), which were included at Annex A, together with a detailed analysis of KCR2: Governance, included at Annex B. The Principal Accountant, Information Governance & Feedback Team Manager and Head of ICT were in attendance to answer potential questions.

In response to Members’ queries, the following was noted:

· KCR6: Health and Wellbeing risk mitigation was, to some extent, dependent on external partners but the risk was managed accordingly;

· moving to the 100% retention of business rates did not result in the risk being higher than in previous years;

· a number of processes were in place to ensure that any new software packages were thoroughly tested before being implemented in the organisation.

Members discussed CYC’s transition to the General Data Protection Regulation (GDPR), with its enforcement date of 25 May 2018. It was confirmed that the new legislation required that evidence of meeting data protection requirements be collected, which raised the compliance standards. Members were reassured that there had been no significant changes in relation to data protection compliance at the individual level and that additional support, such as the introduction of a brand-new toolkit, would be provided to meet any outstanding requirements. It was confirmed that all Members and CYC employees would have an opportunity to complete either paper or online data protection training and that systems were put into place to ensure that everyone completed it. The Officers added that it was unlikely that any large organisation would be fully compliant with GDPR by 25 May 2018; nonetheless, CYC was not complacent on that matter and was underway with the administration of new resources, training and processes to implement GDPR. Following on from Members’ questions, it was explained that, depending on the nature of a potential data protection breach committed by Councillors, the breach could be investigated by CYC. Finally, it was confirmed that restrictions on system access were not currently in place for anyone who did not complete the training.

The Officers confirmed that the internal policy on Information Systems’ Security & Acceptable Use was in place to protect the organisation and its employees from compromising the integrity and security of the ICT systems. Members requested that the policy be circulated to the Committee.

Consideration was given to making a careful distinction between ‘probable’ and ‘possible’ when assessing risks in the KCR Register as well as to making any changes in future updates more (physically) visible.

Resolved: (a) That the key corporate risks included at Annex A be considered and commented upon;

(b) That the information provided in relation to KCR2: Governance included at Annex B be considered and commented upon;

(c) That the fact that the 2018/19 monitor 1 report will include a detailed analysis of KCR3: Effective and Strong Partnerships be noted;

(d) That feedback on any further information that the Committee wishes to see on future committee agendas be provided;

(e) That the internal policy on ICT security be circulated to all Members.

Reason: To provide assurance that the authority is effectively understanding and managing its key risks.
