Agenda item - Corporate Risk Assurance Framework (CRAF) 2017-18

Report of the Executive Lead Officer, Strategy, Governance & Law

That the Audit & Standards Committee:

1)         Note the Internal Audit opinion of assurance levels on the third line of defence within the CRAF at Appendix 1 and agree for Internal Audit to update these where other sources of assurance have been identified by Risk Owners in the Strategic and Directorate Risk Registers in advance of finalising the Annual Governance Statement for 2017-18

2)         Note the full Strategic Risk Register Report at Appendix 2

3)         Note the full Directorate Risk Register Report at Appendix 3

38.1    Officers introduced the second annual report on the Corporate Risk Assurance Framework and highlighted the three lines of defence model shown in the report. The Executive Leadership Team had reviewed the Strategic Risk Register on 22 November 2017 and made no changes.

38.2    Ms Bushell asked the officers to clarify why the revised impact and likelihood risk ratings were higher than the initial risk ratings for Strategic Risks SR17 and SR24 after the controls had been put in place. She also asked officers to explain how the CRAF RAG ratings are reached.

38.3    Officers responded that they would not have expected this to be case and they would need to speak to the risk owners and review this. The CRAF RAG ratings and the Risk Ratings are based on different criteria and do not assess the same things. The CRAF RAG ratings are based on policies.

38.4    Ms Bushell welcomed the inclusion of lead members in the report and asked officers what their role would be.

38.5    Officers stated that lead members have spheres of influence as chairs of committees. The lead member would have a role in developing policy and in determining the agenda for committee meetings.

38.6    In response to Councillor Robins’ concerns, Offers stated that future versions of the table would be reformatted to make it clear that the Lead Member was not responsible for causing the risk.

38.7    In response to Councillor Allen, Officers clarified that the RAG rating for a policy as a whole was independent from the ratings for individual components of the policy.

38.8    Officers responded to Councillor Allen that initial risk ratings in the Risk Register were based on a scenario with no existing controls in place; and the second rating, the revised risk score, took into account the listed existing controls which were intended to manage the risk. The initial risk score rating was therefore expected to be higher and the revised risk score to be lower.

38.9    Councillor Sykes thanked the resident who had written to several committee members about the language of audit reports and the Corporate Risk Assurance Framework in particular and stated that officers needed to seek to make reports understandable for the lay person.

38.10  Responding to Dr Horne’s suggestion that contract management could be a worthwhile area for a deep dive, Officers stated that it was an issue across the organisation and the further scrutiny this would be beneficial.

38.11  Resolved:

1)         Noted the Internal Audit opinion of assurance levels on the third line of defence within the CRAF at Appendix 1 and agree for Internal Audit to update these where other sources of assurance have been identified by Risk Owners in the Strategic and Directorate Risk Registers in advance of finalising the Annual Governance Statement for 2017-18

2)         Noted the full Strategic Risk Register Report at Appendix 2

3)         Noted the full Directorate Risk Register Report at Appendix 3