Agenda item

Strategic Risk Register

Minutes:

The Head of Corporate Assurance submitted a report that provided an update to the Committee on the current thirteen strategic risks and introduced the next scheduled strategic risks for the Audit and Governance Committee meeting.

 

Members were informed that when reviewing the Audit and Governance Committee work programme it was noted that the Committee had not received a full update report on the strategic risks for some time. Therefore, this report provided detail on all strategic risks with a further deep dive on Threat of Fraud/Cyber and Collaboration and Partnership Governance.

 

It was noted that the Strategic Risk Register was reviewed by the Senior Management Team (SMT) on 5 September 2023 and continued to contain thirteen risks. Three risks were classified as high (red response rating) and ten risks were classified as medium (amber rating). No risks were classified as low (green rating).

 

In regard to the Threat of Fraud/Cyber strategic risk, the following key points were highlighted:

 

       There was a need to recognise the increasing and constant threat of fraud against the Council. This threat also included the possibility of a cyber enabled fraud attack being perpetrated against the Council.

       Action One (rag rating complete) – a specific annual fraud vulnerability questionnaire had been completed by each Business Unit.

       Action Two (rag rating green) – POD training had been reviewed to ensure practical guidance and training was available for all employees.

       Action Three (rag rating amber) – there was a need to develop POD training for specific roles where the risk of fraud is greatest.

       Action Four (rag rating amber) - A communication plan / strategy to ensure important messages are publicised across the Council and in the press as appropriate was currently being developed.

       Action Five (rag rating green) - SMT and the Information Governance Board had been provided with updates regarding the latest cyber threats and assurances regarding the technical measures in place and their effectiveness.

       Action Six (rag rating amber) – the Council had developed a Cyber Recovery Plan, and this was evaluated as part of a cyber exercise in early December 2023. A meeting was planned in February 2024 to review the plan, based on feedback from the exercise, and then further desktop internal testing within IT would be undertaken to assess the updated plan.

 

In regard to Partnership and Collaboration Governance, the following key points were highlighted:

 

       Many public services were delivered through partnerships or collaboration as well as emerging devolution arrangements. These must be robust, well governed but flexible and responsive to ensure objectives are met.

       Key partnerships of the Council included Berneslai Homes, the Integrated Care Partnership Board and Barnsley FC.

       Action one (rag rated green) – the Council had developed a corporate framework and guidance to support partnership and collaborative working.

       Action two (rag rating amber) - assurance was required regarding the arrangements in place for each partnership and collaboration covering matters such as the make-up of boards and their supporting governance.

       Action three (rag rating complete) - financial monitoring and reporting for Boards and Partnerships was included in the quarterly budget management process for DMTs/BUs.

       Action four (rag rating amber) – there was a need to ensure the new framework for the management and governance of partnerships and collaborations was woven into the annual governance review process.

 

Discussion arose regarding the risk in regard to cyber. It was noted that the Council were moving to the cloud-based system which provided better resilience, and the supplier would use partitions to further reduce risk.

 

It was also suggested by Members that the Risk of Fraud / Cyber be separated into 2 risks. The Head of Corporate Assurance agreed to discuss this with SMT at its meeting in February.

 

In discussions regarding Partnership and Collaborative Governance, it was noted that the Council ensured a rigorous contract management process with account managers routinely reviewing service level agreements.

 

 

RESOLVED that the Committee noted the current thirteen strategic risks and the updates from the two risks presented at the meeting.

 
