To consider a report from the Director of Finance (Section 151 Officer).
A report was considered from the Director of Finance (s151 Officer) regarding the 2019/20 Quarter 2 Corporate Risk Report. The report provided Members with a progress update on the Council’s 2019/20 corporate risks for the second quarter to 30 September 2019. The report included a proposal to separate the combined Children and Adults Safeguarding risk to provide greater clarity of the improvements being made in the area of Adults Safeguarding. As a consequence, one additional Corporate Risk had been added to the register compared to the last quarter. Overall, no risk scores had changed since the last quarter.
The Senior Risk Officer updated the members in detail on the progress made since the last quarter. This included a summary of the Corporate Risks, changes to the Corporate Risks compared with the previous quarter, new and closed off risks, rescored risks and emerging risks. She advised that the Quarter 2 risks had been reviewed by the Risk Owners Group, at Cabinet Briefing and by the Corporate Management Team. It was noted that there had been no changes to the risk scores in the last quarter at the mid-point of the year. Notable Emerging Risks in 2019/20 were explained.
Members were informed that the separation of the Safeguarding of Children and Adults into two corporate risks had been approved by the People Directorate Management Team and Corporate Management Team.
Members’ attention was drawn to an administrative error in Risk 3 (Deliver a Financially Sustainable Authority) where the previous quarter risk score should have been 20 not 15. It was confirmed that there had been no change to the Risk scores in Quarter 2.
The Assistant Director - Organisational Change reported on the reasons why the risk scores relating to Information Security Arrangements and ICT Cyber Security remained higher than the end of the year target scores. Cyber risk was explained to be both a national and regional risk which was due to the potential for increased criminal and disruptive attacks. Local authorities held large volumes of sensitive personal and commercial data which if targeted, corrupt or lost, may have significant impacts on the Council’s operations and business continuity arrangements. The implications of a significant data breach or security failure was outlined for the Committee. He reported on the significant progress made on this risk (including the appointment of a dedicated officer and improved ICT Firewalls and externally accredited PSN certificate) and was pleased to also report that Internal Audit had undertaken an independent review and the outcome had been a positive ‘reasonable’ assurance.
In terms of Data Protection, the Assistant Director - Organisational Change reported on the extensive GDPR and Information Security training provided for and taken up by officers and members and the dedicated officer responsible for this work. The risk therefore related to the likelihood of a data breach. The Assistant Director - Organisational Change reported on the number of breaches per month, explaining that the reason for data breaches was mainly due to human error. He stated that this corporate risk score should not be reduced at this time due to the small increase in the number of breaches and it was proposed that further reminders, lessons learned and communications should be issued to staff and the score would be reviewed again in Quarter 3.
A member reported on a recent phishing email which he had received and reported to ICT but had not had a response or progress update. The member offered a suggestion for following up this type of email across the Council once one had been reported. The Assistant Director - Organisational Change undertook to ascertain the outcome of the member’s email and explained the triage process within the ICT team for dealing with phishing emails.
Discussion ensued on Risk 2 - Workforce Capacity, Skills, Relationships, Safety and Wellbeing. A member highlighted that progress had not been made on absence management and figures were still high. The Assistant Director - Organisational Change reported on the recent deep dive on this undertaken by the Scrutiny Management Board and the recommendations which would be made to Cabinet in January 2020. He explained that absence management work was focussed in specific service areas all of which had Action Plans but did highlight that previous years’ trends resulted in ill health cases increasing typically during the winter months. A member considered that certain long-term illnesses could lead to the recording of a number of instances of illness and called for a more appropriate method of recording long/short term illnesses. This was acknowledged by the Assistant Director - Organisational Change. He stated that a number of suggestions made by members had been implemented within the People Management Service and explained how managers were using a self-service system for recording staff absence.
A member stressed that absence management was a management wide issue and not just a ‘personnel’ issue. He considered it a manager’s responsibility to ensure staff performed and he advocated the use of appraisals. The Assistant Director - Organisational Change concurred, explaining there was an emphasis on managing and not just monitoring performance across all services, by all managers.
The Director of Finance explained about the score for Risk 3 – Deliver a Financially Sustainable Authority. She talked about the financial uncertainty facing the Council which related to increased demand pressure for care related services in particular Children Looked After and Younger Adults with complex needs. In addition, the Council was awaiting confirmation of the Provisional Grant Settlement for next year. Future funding beyond next year remained uncertain in the absence of a spending review and information on Fair Funding, which had been discussed in previous meetings
A member highlighted that if there was a cyber-attack, this could have a huge impact on businesses and contractors. This led the Assistant Director - Organisational Change to outline the Council’s importance when working with partners and ensuring supply chains were secure and robust. He stressed the importance of the business continuity and ICT disaster recovery work being progressed by the Council.
In summing up, the Chair acknowledged that the information presented to members regarding absence management at a previous meeting of the Committee had been comprehensive but did note that at the time, members had raised that there was merit in separating out long and short term absence figures. She noted the difficulty in being able to understand from the data whether absences related to a long term illness or were as a consequence of a number of individual days’ absence. Consequently it was a challenge for the Committee to be able to assess the effectiveness of the controls in place. The Assistant Director - Organisational Change reported on how this request had been incorporated into Manager’s absence reporting mechanisms.
1 Members note the content of the Quarter 2 report, and agree that it provides sufficient assurance that the current Risk Management arrangements are both robust and effective.
2 Members receive the presentation on the corporate risk; Learning Disability Partnership Arrangements (Minute 42).