Agenda item

Risk Management Report

To consider the report setting out how adequate risk management is in place for RBWM as a fundamental element of its governance arrangements and approve the ‘Approach to Management of Risk 1 April 2023 – 31 March 2024’.

Minutes:

Steve Mappley, Insurance and Risk Manager, presented the report setting out how adequate risk management was in place for RBWM as a fundamental element of its governance arrangements and asked the Committee to consider the ‘Approach to Management of Risk 1 April 2023 – 31 March 2024’.

He explained that, as set out in paragraph 2.5 of the report, the Strategic Risks had been refreshed by the previous Chief Executive, Tony Reeves, with the Senior Management Team to ensure that they remained current. He stated that the first appendix set out the approach to management of risk and that, following the previous year's risk management audit, some significant changes had been made, such as identifying the difference between strategic and operational risks. The report focused on strategic risks. Previously the operational risks were also included in reports to the Committee; however, this led to a lengthy report without the key officers who owned those risks attending to be able to answer queries on the detail raised.

Part four of the report explained risk review strategies and other risk responses such as risk transfer or termination; he noted these options were quite difficult as the Council could not just decide to stop doing an activity, but it was still a valid possibility. He continued that they had also added further information on how the techniques were applied, e.g. ISO 31000, and expected controls for emerging risks were now an explicit part of the strategy. The section of the report also explained risk thresholds for services to help them step up or down as a process.

He explained that the Heat Map at Appendix C was a very high-level description of what the risks were, noting that in addition to finance, safeguarding and infrastructure the following had been added: fraud, cost of living crisis, mental health and climate change. Appendix D was a longer version which included the controls that were in place, actions being taken and interesting metrics regarding where exposure to risk was. He explained that this then intersected with the activities undertaken by SWAP, who checked whether this was accurate. He noted that when everything that could be done was done, the Council got to a ‘control position’.

He elaborated that even in a controlled position there might be a certain amount of inherent risk that the Council needed to accept. He explained that the risk appetite of the organisation was detailed in the Council’s approach to risk and gave a direction of travel as to what level of risk the Council was comfortable with once impacts were assessed. He noted that, without endless resources available, the Council could be dedicated to managing each risk to the lowest possible level of the lowest tolerable level. He concluded that the identified risk of a change of political control potentially affecting the strategic direction of the Council was no longer a strategic risk on the register.

Councillor Wilson considered it looked like a very robust process in terms of identifying risk. He had noticed that a number of risks were listed on page 32 of the annual report and that they did not completely match up, so he suggested these should be aligned. Within the annual report there had been reference to data breaches and IT security and he queried where this fitted into this strategy.

The Insurance and Risk Manager explained there was a suite of operational risk registers where the implications that tended to fall within the service or the directorate were kept. This could be brought to the Committee for consideration but it would mean a lot of data. IT risks were together on page 239, including a number of different angles such as data loss, cybercrime and the capacity of the organisation to have the right technology in place as well. He added that, supporting that, operational risk registers were in place with the technical detail explaining what was being done with regard to those protections. He was able to explain that, from an insurance perspective, they had compared some of those protections against what the insurance market would expect to be in place, for example to protect against cybercrime, for an organisation of the Council’s size.

The Chair asked for clarification of what was included, as some risks appeared to be holistic and, though operational, affected the whole organisation. The Insurance and Risk Manager explained that the distinction they were trying to make was that anything strategic could affect the organisation as a whole, whereas in relation to operational activity the impact tended to be limited to the service area or a directorate. He stated that the important thing was that a mechanism was in place to identify the risks and that those risks were recognised within the registers. He recognised that some operational things, such as ICT, may on a certain day have a strategic impact on the organisation.

To clarify this further, the Insurance and Risk Manager referred the Committee back to paragraph 1.13, which set out the approach to management of risk and included a couple of sentences attempting to demonstrate the difference between Strategic and Operational risk, but these definitions were likely to have an overlap between them. He re-emphasised that the important thing was that risks were recognised and recorded on the register, a risk owner was identified and that they were given the right priority.

Councillor Sharpe considered the document to be very good and comprehensive but was surprised that Climate Change was selected as a top risk, given the length of time before the effect would be seen and the possible mitigations available to the Council. He asked how many other Councils had identified this as a top risk.

The Insurance and Risk Manager stated that risks were benchmarked against other public sector organisations and he confirmed that climate change did appear on most of them, although not always as the top one. He stated that it was a good point regarding the timing of a risk, as this had not been captured in terms of the timing of the impact being felt by the organisation if controls failed. He agreed that it might be useful to build in that further level of granularity to capture how quickly, if controls failed, this risk would arise, e.g. three, six or 12 months.

Councillor Sharpe asked what the impact was on the Council operationally from the order given to the strategic risks, as he assumed it would mean the allocation of more resources to managing the risk. The Insurance and Risk Manager replied that this was not necessarily the case, as set out in the more detailed version of the report, highlighting that the control identified for the climate change risk was the team leading on the four key themes of the environment and climate strategy. The team considered that the risk was very likely and it contained major service delivery and financial implications. The relevant officer was not present at the meeting to provide further clarification on the wording chosen, the rationale and the potential threat. He would ask for further clarification.

It was confirmed that the uncontrolled position of all of the strategic risks identified would be a red risk, which was why they had been included, as they carried the most damaging implications. He noted that Climate Change, workforce stability and Winter Flu as well as Possible Pathogen variants all remained reasonably high risk even with the controls in place.

The Chair confirmed with the Insurance and Risk Manager that impact was ‘how bad could it be’ and velocity was ‘how quickly could this happen’.

 

The Chair clarified for the meeting that although it was a useful discussion the report had been brought to the Committee for its members to review the approach to risk rather than the risk register’s contents as this would be done at a future meeting.

 

Councillor Bond reflected that what had brought the issue of climate change into focus for him was an article in the Financial Times stating that property in some parts of America was potentially becoming uninsurable.

The Insurance and Risk Manager confirmed that at the end of the strategy information had been added about the Council’s approach to insurance and clarified that the Council was essentially its own insurer as it met the majority of its losses itself. Therefore, it was important to have good data to give them a degree of confidence when setting those levels, as it was expensive to insure an organisation the size and scope of a local authority.

The Chair reflected that he had liked the information at pages 215 through 216 regarding confidence level in relation to risk assessment and wondered whether this was being used. The Insurance and Risk Manager confirmed that this was tracked but had not been included in the report.

 

The Chair requested clarification at Appendix B as there appeared to be two scores where he had expected to see three. The Insurance and Risk Manager explained that he had decided to use words for risk appetite rather than numbers and understood, based on this feedback, that this could be made clearer and more helpful. This would be taken forward.

The Chair clarified what he was expecting to see to reflect a transition from inherent risk, and this would be taken forward to amend the report for the future.

The Chair queried the risk classifications at page 223, Appendix 2, as they appeared to be risk areas. The Insurance and Risk Manager explained it was a way of categorising risks into groupings.

RESOLVED UNANIMOUSLY that

i) the report be noted; and

ii) the “Approach to Management of Risk 1 April 2023 – 31 March 2024” be approved.
