Agenda item - Strategic Risk Focus: SR2, S10, SR18, SR25 and SR34

Report of the Executive Lead for Strategy, Governance & Law

That the Audit & Standards Committee:

1)    Note in paragraph 3.3 the changes to the council’s SRR as agreed at the Executive Leadership Team (ELT) on 15 May 2019.

2)    Note Appendix 1 for details of SR2, SR10, SR18, SR25, and SR34.

3)    Note Appendix 2: Information on the council’s risk management process relative to Strategic Risks (SRs); and Suggested questions for Members to ask Risk  Owners and officers on Strategic Risks.

4)    Having considered Appendix 1 and any clarification and/or comments from the officers, the Committee makes any recommendations it considers appropriate to the relevant council body.

8.1          The Committee considered the report of the Executive Lead for Strategy, Governance & Law that was presented to enable the Committee to monitor and form an opinion an opinion on the effectiveness of risk management and internal control. As part of discharging this role the committee focussed on at least two Strategic Risks (SRs) at each of their meetings. The Risk Management Lead introduced the report and the changes to the strategic risk register agreed by the Executive Leadership Team (ELT) at their most recent quarterly review. She drew Member’s attention to Table 1 which tracked changes and summarised that their remained 18 SRs in total and included the new SR for climate change, SR36.

8.2          The Chair clarified that recommendation 2.4, Having considered Appendix 1 and any clarification and/or comments from the officers, the Committee makes any recommendations it considers appropriate to the relevant council body, was open ended and that members could propose any additional recommendations to be voted upon.

8.3          Councillor Hugh-Jones spoke on Item 3.3, Table 1 and firstly referred to SR20 asking what the Council had planned to address unplanned budget reductions in the climate of system wide reconstruction of the Clinical Commissioning Group (CCG) to achieve integration. They secondly referred to SR2 and asked what progress the Council had made in retaining a portion of business rates to improve financial stability. They thirdly asked what progress had been made on SR32 and SR35 and lastly what the timeframe was for achieving SR36.

8.4          Officers stated that these queries would be addressed in the presentations that would follow consideration of the report itself, The Risk Management Lead agreed that the CAMMS Risk report detailing SR35 and SR 36 would bee included in the minutes which could be found on the following link:

https://present.brighton-hove.gov.uk/Published/C00000699/M00009543/$$Supp31790dDocPackPublic.pdf

8.5          Councillor West asked whether the corporate plan that was currently in development would address or mitigate any or the SRs and how would it be different from the previous plans due to the alarming magnitude of the risks.

8.6          The Executive Director Finance & Resources responded that of the five SR risks which were the subject of the Risk Focus Item at this meeting, two were related to budgets and capacity and that continuing no overall political control in the authority  reduced the likelihood of major policy shifts, because it was difficult to secure a majority decision that focussed on cutting one service in favour of another. Much of the risk BHCC held related to this, and the consequence of further salami-slicing as opposed to clear and strategic decision making.

8.7          Councillor West asked if the potential for the Council to reduce risks centrally relied upon removing services that could not continue to function properly and if the scenario to lose a service provision was more desirable than the risk of failure.

8.8          The Executive Director Finance & Resources responded that this was a question for all parties, including the minorities, and needed clear determination of the administration. Other local authorities who had a less favourable tax base, for example near-neighbours East Sussex Country Council, had shifted policy to deliver mainly basic services however this was not a BHCC practice to date.

8.9          Councillor Appich stated that there would be plenty of opportunity to discuss and make policies within a framework using the delivery of the new corporate strategy.

SR2: The Council is not financially sustainable

8.10       The Deputy Chief Finance Officer introduced the SR2 presentation and explained why this was a key risk which issues included the Future Social Care and Homelessness costs and demographic pressures, Economic performance of the City, 4-year Comprehensive Spending Review (2020/21 to 2023/24), Fair Funding Review, 75% Local retention of Business Rates (growth and grants), New Homes Bonus scheme, Excessive Council Tax increase legislation and Options for the long term funding of health and social care. The Deputy Chief Finance Officer described the First Line of Defence: Management Controls, the Second Line of Defence: Corporate Oversight and the Third Line of Defence: Independent Assurance.

8.11       In relation to SR2, Dr David Horne pointed out the partner risk in reference to the Clinical Commissioning Group (CCG) and other partners, such as the universities who had their own financial pressures and asked if there was a risk of the sustainability of BHCC in demand of their own resources.

8.12       The Deputy Chief Finance Officer responded that they did not yet know how the Long-Term NHS Plan would impact on the CCG and they needed to work together to tackle costs and government funding mechanisms on a member and officer level by meeting to understand the position early on.

SR10: Corporate Information Assets are inadequately controlled and vulnerable to cyber-attack

8.13       The Head of Strategy & Engagement introduced the SR10 presentation which covered the risk overview, prevention and response and recovery. The risk overview included why cyber-security was critical, the main threat factors and how ‘real’ the threat was. The cyber-attack prevention, response and prevention included Leadership, Governance and Technical/Operational strategies.

8.14       In relation to SR10, Councillor Appich asked why the progress scores were low and what an Access Management Project was to which The Executive Director for Finance and Resources responded that since transferring to Orbis IT&D mitigation was a long-term project which had grown beyond what was originally expected.

8.15       In relation to SR10, the Chair asked whether BHCC would become a larger target for cyber-attacks with advancing integration and whether the Orbis partnership made the authority safer. They noted that the paper suggested that services could continue without IT&D and asked how this would be possible.

8.16       The Executive Director for Finance and Resources replied that BHCC was potentially more vulnerable with further integration with Orbis, but there was a strong business case to justify the trade-off of maintaining sustainable corporate service, and there were several methods to mitigate this and that information security would always be an existing threat.  They secondly replied that services were required to have business continuity plans in place, focussing on the worst-case scenarios, and agreed that the loss of IT services would be catastrophic.

SR18: The organisation is unable to deliver its functions in a modern, efficient way due to the lack of appropriate technology

8.17       The Head of Strategy & Engagement introduced the SR18 presentation which firstly described Projects & Programmes including the Digital Organisational Programme, Digital and Major Projects, secondly Completed Projects of the Digital Organisation Programme 2018-2010 and lastly the future planned activity for projects and programmes 2019/20.

SR25: The lack of organisational capacity leads to sub-optimal service outcomes, failure to meet statutory obligations, and reputational damage

8.18       The Executive Director for Finance and Resources introduced the SR25 presentation and described the risk consequences which included partnership working becoming harder, loss of staff resilience, not being able to meet statutory requirements, difficulties in recruitment and a reduction in change capacity and explained the three lines of defence.

8.19       Councillor Hugh-Jones indicated that SR25 was not so much a risk but already in motion and secondly raised that BHCC employees on average took 10-11 sickness days per year even if this was an overall 4.43% organisational improvement from 2017/18 to 2018/19 and asked how this compared to other authorities.

8.20       The Executive Director for Finance and Resources agreed there was evidence that services were experiencing a lack in capacity and the focus was to mitigate this in the way of managing staff, utilising appropriate technology and improving budgetary decision making. The Executive Director of Finance and Resources secondly responded that other authorities and the private sector respectively averaged approximately 9 days and 5/6 sickness days lost respectively. They cited that the civil service where the figure has reduced by around 4 days over two decades as evidence that long-term approached was required.

SR34: Our People Promise ambitions may not be realised

8.21       The Executive Director for Finance and Resources introduced the SR34 presentation which addressed the People’s Promise risks, mitigation, measured impact of Our People Promise and focused actions and an overview of the test results. The Executive Director for Finance and Resources also presented the sickness and equalities trend data.

8.22       In response to Councillor Nemeth asking how many employees took zero sickness days, the Executive Director for Finance and Resources responded that he could provide a written answer after the meeting.

8.23       The Committee noted that the approach to present the risks with a further slides show was helpful, and asked that this approach be considered for future meetings, including with a view on the resources required to do so.

8.24       RESOLVED -

That the Audit & Standards Committee:

1)    Note in paragraph 3.3 the changes to the council’s SRR as agreed at the Executive Leadership Team (ELT) on 15 May 2019.

2)    Note Appendix 1 for details of SR2, SR10, SR18, SR25, and SR34.

3)    Note Appendix 2: Information on the council’s risk management process relative to Strategic Risks (SRs); and Suggested questions for Members to ask Risk Owners and officers on Strategic Risks.

4)    Having considered Appendix 1 and any clarification and/or comments from the officers, the Committee did not to decide to make any recommendations to any other council body.