To receive the reports.
Minutes:
Background:
· The report contained fifteen strategic risks, which were presented to the Committee to inform it of the latest results for quarter two.
· Most risks presented were in the higher brackets of the heat map which represented a major or severe score.
· The report provided details of the risk implications which were reviewed, monitored, and managed on a regular basis.
Points raised by the Committee, with responses received from Officers or Cabinet Members:

Point raised: How were the risks monitored to ensure that actions were carried out, as frustration was felt that progress was not being shown?
Response: It was explained that the policy contained six key stages. Risk owners provide actions against the mitigation/control stage, which was a significant part of the process. It was further added that detailed information and challenge could be sought directly from risk owners. The Portfolio Holder added that some risks would remain on the register and migration was required due to the nature of the risk, for example ICT0010 GDPR, due to the size of the organisation and the individuals involved.

Point raised: A query was raised around the terminology used within the risk register and the consistency of officer standards, and it was asked whether sufficient monitoring was undertaken.
Response: Definitions and clarification were provided for ‘actions completed’ and ‘actions withdrawn’. Reassurance was provided that work was ongoing with officers around risk management and that the Section 151 Officer seeks assurance to ensure risks were actioned appropriately.

Point raised: It was asked how scoring took place and whether guidance had been followed.
Response: It was explained that a policy and framework containing a matrix were in place, and that scoring and moderation took place with officers to keep the risk relevant, which provided assurance to the Committee.

Point raised (email received from Ellen Sullivan, risk owner): A query on risk was raised, as the residual rating of risk number ICT0010 remained the same even though there were mitigating actions.
Response (email received): Risk ICT0010: If the Council is found non-compliant with either the UK General Data Protection Regulations (GDPR) and/or the Data Protection Act (DPA) 2018, then it could be subject to monetary penalties or other regulatory action, data protection audits, civil action, and associated consequences, including suffering reputational damage and resultant detriment to the affected data subjects. Response: Even with mitigations, staff can still cause a breach of the legislation or a personal data breach through not following instruction or through human error. The mitigations enable us to argue our position as a controller of personal data committed to processing personal data appropriately and in line with the individual's rights, with the right measures in place. This can help us with Information Commissioner's Office (ICO) decisions over taking regulatory action. The breach is still the same, the impact on the individual is still the same, but the decision of the ICO can be improved by the measures being in place. The risk of the event happening is the same; it is the outcome that can be assisted by the measures in place.

Point raised: It was asked whether a general trend had been identified and whether registers remained static, as suggested by the summary received.
Response: As each risk was so different, and with an overview of service and project risk registers, it was emphasised that there was no pattern to risks being added to and removed from registers.
· The committee felt that the risk register document provided a fair, accurate account with scoring profiles being produced with the support of the policy and guidance in place.
Resolved: The Strategic Risk Register be noted.
Supporting documents: