Agenda item

Quarter 3 Corporate Risk Register Update

Minutes:

In relation to the Corporate Risk Register, the Chair confirmed that the Committee was not there to question scoring but to look at the process only. It was commented by a Member that auditors from the Wales Audit Office make observations, but members of the Committee were not allowed to also make observations. The Chair confirmed that the Audit Committee could be renamed the Audit and Risk Committee in another sector, but this Committee was not part of risk. For this to be altered a change to the constitution and Welsh Regulations should occur but this could not be done.

 

Members considered an updated version of the Corporate Risk Register for the end of Quarter 3 (31st December 2018).

 

·        The Head of People and Business Change commented that recent recommendations had been taken on board and any issues that could not be raised here could be taken up with Heads of Service and Corporate Directors.

·        The Head of People and Business Change stated that the Risk Management Strategy detailed how the Council managed its risk assessment processes and how it assessed and mitigated risk, and that it was a robust process.

·        It was stated that the Risk Report discussed project risk and how there were escalation processes in place for potential corporate wide risks to be escalated into the Corporate Risk Register and these included Civil Contingencies, the Newport Well-Being Plan, Information Governance Risk etc.

It was noted that at the end of Quarter 3 (31st December 2018) there were 14 corporate risks consisting of 6 high risks and 8 medium risks. At the previous Audit Committee in November 2018, recommendations were made in relation to the Council's Brexit Risk, asset management and partnerships work.

Summary of Risks

·        It was noted that a highlight was Brexit (Risk 4).

Following guidance from the Welsh Local Government Association (WLGA) and using the WLGA tool kit the Council were able to assess the impact of Brexit on services. However, the Risk score had increased from 9 to 16 due to a potential ‘No Deal’ scenario. There is to be a vote on Brexit in the House of Commons on the 29th March 2019 and the Risk Register will be affected depending on what occurs on that date.

·        Risk 8 (Stability of External Suppliers) - The risk score had increased due to the ongoing uncertainty of a potential ‘No Deal’ Brexit and the impact it could have on private and third sector services.

·        Risk 9 (Pressure and Infrastructure) - The risk was focused on the recent removal of the Bridge Tolls on the M4 and the impact on the Council's highway infrastructure.

·        Risks 11 and 12 were IT Modernisation and Cyber Attack. The former involved modernisation and its pressures and how this was funded. Cyber Attack was a separate risk and had been previously discussed.

·        Risk 13 (Maintaining the Highways Network) was reduced to 20 and Risk 16 (Council buildings and Assets) was scored at 12.

·        Risk 15 (Newport City Centre Security and Safety) was focused on improving the city centre and its regeneration; an attack that occurred last year on two young people showed a real, tangible risk.

Questions and Discussions:

·        A Member commented that the way that the Risk Register was reported could be construed as complacency; a risk was mentioned so all we know is that it was a risk.

·        The Member commented that it should be reported how the Council were covering risks. The Member stated that children with complex care needs were living longer. It was noted that there was a new school at Maes Ebbw but it was questioned how much this costs the Council in terms of austerity. What was the cost to the Council as they are very vulnerable children and it is very costly? It was commented by the Member that this was not just the case of a school place. Schools were reporting concerns regarding cuts being made to services.

·        The Member also remarked on the refurbishment of Oaklands. Oaklands was only able to provide respite for one child and their particular need. The Member stated that the report implied that this was prepared and it was covered. Brynglas Bungalow was provided but this was tiny and was not suitable. It was commented on how the Council chose to report and what the specifics are.

·        The Head of People and Business Change confirmed that they were not able to comment on specifics as not everything could go into the report as it was so detailed. They confirmed that it was a case of managing the mitigated risk. It was commented that there was now a far greater linkage between performance, risk and finance.

·        The Chair commented that the Corporate Risk Register was a summarised version of what has occurred, and the Risk was seen from an authority wide point of view and not to the individual.

·        A Member questioned whether certain items could be left out. The Chair confirmed that the Committee would want the risk to be considered. All aspects needed to be considered, and Members were encouraged to ask questions, so all bases were covered.

·        A Member questioned whether the Council was ready for a cyber-attack if it occurred, and questioned where the risk was, as some of the risks could build up but the cyber-attack risk could happen suddenly.

The Head of People and Business Change confirmed that there would always be cyber threats that the Council may not be ready for. It was commented that other organisations spend far more on cyber prevention and may still receive cyber threats. There has been a lot of communication to staff regarding Office 365, which was cloud based and not on a server, so it was accessed securely. There has been a significant update to cyber security where more money has been provided for this. The Council has been constantly kept up to date from other companies and Local Government. Emails also come through to users in the Council stating what emails are quarantined, which has been far more proactive.

Risk Score Profile

Members of the Committee were requested to view page 17 on the Risk Score Profile, which displayed the table of risks summary:

·        It was commented that the RO6 - Balancing the Council's Medium Term Budget was expected to drop off.

·        The risk was increased due to budgets and financial pressures.

·        The Assistant Head of Finance confirmed that it was not about balancing risk going forward as it was more difficult to deliver savings that were being put forward. They suggested that it was more long term, looking over the next 4 years and the £30 million gap. This was reflected in the scores on the risk register.

·        It was commented that the Risk Register was viewed on an ongoing basis. It was a change of view rather than a change in the environment and that it was subjective.

·        The Chair commented that management should be mitigating this, as risk was a living thing, an issue that needed to be reduced.

·        The Assistant Head of Finance confirmed that external factors such as Brexit and external funding, for example, affect this so we cannot guarantee.

·        In relation to R4 - Decision to Leave the European Union (Brexit), the risk went up in Quarter 3. It was confirmed that Brexit was something that may happen and the risk could be different tomorrow. There has been a Members' seminar regarding Brexit covering a range of issues and options. The risk would be reviewed on a fortnightly basis.

·        It was commented that it was crucial to understand the arrangements behind the risk at service level and the role of scrutiny etc that underpins the overall Corporate Risk Register.

·        The Chair commented that about four years ago there was a big debate concerning the Audit Committee and a lot of work was completed on risk and the reports that were now published were very good compared to that time. It was advised by Democratic Services to look at the process as it comes to us. Boundaries are pushed but all comments are taken on board and actioned.

·        In relation to the Audit side, the risk management of Audit was being completed at present. Opinions will be brought to the Committee soon.

·        A member questioned whether Councillors really scrutinise and stated that people do not trust Councillors to scrutinise properly. Scrutiny has improved greatly but it was mentioned that Cabinet Members etc do not like to come and be challenged. The member stated that there was an underlying feeling that councillors do not know enough to be seen.

·        It was remarked that the Brexit seminar did not include everyone that needed to be there. However, it was noted that Newport does very well in scrutiny compared to other authorities.

·        A Member stated that there were three different scrutiny committees and it can get frustrating when they tell members that certain information was incorrect.

·        The Chair commented that a lot of time was now spent on risk compared to previous years; the present Committee scrutinises and asks questions which was very beneficial. 

·        A Member questioned who audits the auditor. It was commented that there was a lot of accountability due to external scrutiny.
