Agenda Item No 4
The Vale of Glamorgan Council
Audit Committee: 31st January 2018
Report of the Managing Director
Corporate Risk Register Quarter 2 Update
Purpose of the Report
- To outline the Council's new approach to compiling and calculating corporate risks and present this to Audit Committee in the format of the revised Corporate Risk Report and Register.
- To update Audit Committee on the quarter 2 position (April-September 2017) of risks contained within the Corporate Risk Register, as outlined in the Corporate Risk Summary Report.
- That Audit Committee consider and endorse the new format for the Risk Register and its associated reporting arrangements.
- That Audit Committee note the current position of corporate risks and the emerging risk themes, and endorse the associated recommendations made by the Insight Board and Corporate Management Team, as contained in this report.
- That Audit Committee refer this report to Cabinet for their consideration and endorsement.
Reasons for the Recommendations
- To ensure that all corporate risks for the Council are effectively monitored, addressed, reviewed and updated on a regular basis.
- To identify the current position of corporate risks across the Council and highlight any emerging risk themes on a quarterly basis.
- To ensure Cabinet receives an up-to-date position on the Corporate Risk Register and its emerging themes and endorses the recommendations contained within this report.
- The Corporate Risk Management Group (CRMG) previously met on a quarterly basis to review the Risk Register. This group was responsible for evaluating Corporate risks within the Risk Register and the impact of any new mitigating controls that would prompt a re-evaluation of the risk in terms of their score/position. The Corporate Risk Management Group would then provide a monitoring update to CMT and Audit Committee on a 6 monthly basis.
- In September 2016, the Corporate Risk Management Group was disbanded following the establishment of the Insight Board. The purpose of the Insight Board is to act as an overarching governance group that oversees key corporate activities which also includes risk.
- As part of our work to improve internal business planning processes and the ongoing implementation of the Wellbeing of Future Generations Act, the Insight Board reviewed our approach to how we record, monitor and report corporate risks.
- At its June 2017 meeting, Insight Board concluded that:
- The length of the Register was appropriate, but at times difficult to understand in terms of how all elements fit together.
- There were too many risk themes and they were outdated with some no longer applicable.
- It is useful to link controls to themes to better understand how risk controls interact with risk themes in terms of their impact on controlling different aspects of the risk.
- There is the need to embed the requirements of the Wellbeing of Future Generations Act by aligning the Corporate Risks to the Wellbeing Goals and the Five Ways of Working.
- The linkages between Service Plan, Service risks and the Corporate Risk Register need to be strengthened.
- There are multiple audiences for Corporate Risk.
- Taking into account the comments made by the Insight Board above, a new approach to Risk Management was developed which was later endorsed by CMT in July 2017.
Relevant Issues and Options
Revised approach to Risk Management
- In terms of Risk Management, the new approach is based on three key elements:
- Risk Overview - risk identification and definition
- Risk Evaluation - assessment of risk position/score
- Risk Management Plan - action plan to manage the risk
- These three elements are reflected within sections of the new Risk Register template as follows:
Section 1- Risk Overview
- This section contains a description of the risk and identifies who the risk owner is (i.e. lead officer accountable for the reporting and monitoring of the risk). The risk overview also assesses the alignment of corporate risks to the Wellbeing Goals in terms of the potential impact that risks have on our ability to deliver/meet the Wellbeing Goals.
- Previously there were nine risk themes. These have now been rationalised into four risk categories: political and legislative, resources, service delivery and wellbeing, and reputation. Against each of these risk categories, corporate risks can be further defined to identify associated sub-risks aligned to each of the risk categories, i.e. specific legislative/political, resources, service delivery or reputational risks associated with each corporate risk.
Section 2- Risk Evaluation
- This section evaluates the risk scoring in three stages to enable risks to be documented in terms of the inherent (original) risk and assessing the influence and impact controls have on the overall residual risk score.
- Inherent risk score- the risk is scored in terms of both likelihood and impact assuming an environment where there are no risk controls in place (a pre-control environment). This enables us to fully understand the gravity and severity of risks in terms of the likelihood and impact of them occurring, if there were no control mechanisms in place. The higher the risk score allocated the higher the overall risk status.
- Controlling inherent risk- This considers the effectiveness of our existing controls at managing the risk. It explores the controls which are in place and how effective they are at regulating the likelihood and impact of the inherent risk occurring. The scoring is based on how effective the controls are at reducing the likelihood and the impact of the risk occurring. The higher the score, the better the controls are at managing the risk.
- Residual risk- This provides the remaining risk score, demonstrating the impact that the controls have had on the inherent risk.
- Annex A on page 1 provides a further definition of each of these risk scoring stages with their associated risk matrices.
Section 3- Risk Management Plan
- This section sets out the mitigating actions that will be put in place to further manage/control the risk. These actions are primarily actions that are aligned to Corporate Plan delivery and relevant Service Plans. The management plan takes a similar format to an action plan and includes:
- An action description;
- Alignment to risk categories;
- Alignment to the five ways of working (Wellbeing of Future Generations Act);
- An action owner;
- A completion date;
- A completion status; and
- The latest progress update.
The revised Corporate Risk Register is contained within Annex A pages 5-190.
New Reporting Format
- The new reporting format has been designed to reflect the needs of various audiences. It enables colleagues to identify the risk trends/issues and to better understand the inter-relationship between corporate risks and the associated risk categories. Adopting this approach enables risk owners, the Insight Board, CMT, Audit Committee and Cabinet to look at risk in a more holistic way, enabling the Council to manage risk robustly and tackle the multiple facets of risk in a more strategic way.
- The quarterly risk summary report contains three sections:
- Corporate Risk Summary - provides an overview of all corporate risks in terms of their inherent, effectiveness of control and residual scores and provides an outline of the direction of travel (both current and forecast).
- Overall Heat Map - uses a risk matrix quadrant to plot the residual risk scores in terms of likelihood and impact for each Corporate Risk in order to illustrate the groups/inter-relationship between risks on a heat map.
- Thematic Risk Heat Map - uses a similar risk matrix quadrant to plot residual risk scores for each corporate risk, but by risk category. This provides a more holistic illustration of the distribution of risks by risk category across the matrix and enables trends and synergies between risks to be identified, with mitigating actions and controls which could be put in place corporately to manage multiple risks.
- The Corporate Risk Summary Report for quarter 2 (April-September 2017) is contained within Annex A pages 2 to 4.
Corporate Risk Summary Report: Quarter 2 Update
- There are currently 14 Corporate Risks on the Register. No risks have been removed from the Register in Quarter 2.
- Of the 14 Corporate Risks, in terms of risk status, one risk was scored high, ten risks scored medium, two risks scored medium/low and one risk was allocated a low risk status. In terms of the exceptions:
Deprivation of Liberty Safeguards
- This risk is reporting a high status. Please refer to the Risk Summary Report (within Annex A) for further details. The pressure on existing resources, especially Council budgets as a result of increased demand for best interest assessments is escalating the risk. Although a good balance of controls are currently in place to manage the risk, there is a limited effect these controls have in terms of controlling demand particularly in an environment where budgetary thresholds are being impacted. It is not forecasted that this risk will decrease over time, but is more likely to be sustained at a high status for at least the short to medium term.
Local Development Plan
- This risk scored a 2, giving it a low status. The recent adoption of the LDP has significantly reduced this risk, as it has shifted away from the risk of challenge/judicial review and the risk instead now focuses on the ability of the LDP to deliver its objectives. As the LDP is newly adopted, there is currently a very low risk that the LDP will not be able to deliver its requirements. However, as time progresses fluctuations in housing demand due to population change and/or uncertainty within the economy could impact on the ability of the LDP to deliver on its commitments.
Safeguarding and Contract Management
- Both the safeguarding risk and the contract management risk scored medium/low (3).
- The safeguarding risk has a robust set of controls in place that are effectively mitigating against this risk. The establishment of a corporate-wide policy on safeguarding covering all council services has provided strategic direction and clearer lines of accountability in terms of our safeguarding practice. During quarter 2, further steps have been taken to strengthen our corporate safeguarding responsibility with the launch of a new Safeguarding hotline. This hotline provides staff with a single point of contact to report any safeguarding concerns. During the quarter we have also placed an increased emphasis on safer recruitment. The latest quarter 2 figures show we achieved overall compliance of 97% (100% corporately and 95% across schools) in relation to our safer recruitment policy. This represents an improvement on the previous year (2016/17) where our compliance overall during the same period last year was 94% (98% corporately and 93% across schools).
- In relation to the contract management risk, the existing controls are proving to be particularly effective, as over 300 staff have now attended procurement and contract management training. There is regular review of the completion of contractual paperwork and a system has been established for monitoring non-compliance against agreed service targets. Further work will be progressed during 2017/18 in order to co-ordinate and streamline our corporate approach to contract management.
Risk Heat Map Summary
- The new Corporate Risk Summary report (Annex A) has heat maps that plot on a matrix the residual risk scores of each corporate risk. For quarter 2, the overall heat map on page 3 shows that the majority of corporate risks congregated around Medium. However, when the risks are evaluated by their risk categories there are generally more risks grouped within the medium to medium/high bracket for reputation-based risks. This compares to the legislative/political, service delivery and resources risks where on the whole there were more corporate risks sitting within the lower end of the risk quadrant.
- Only one risk, Deprivation of Liberty Safeguards, sat in the high category part of the quadrant (with a residual score of 12) across three of the four risk categories, with the exception of reputation where it scored medium/high (9).
- Reputational risks probably score more highly across the spectrum of corporate risks because they are governed more by the perceptions of our performance by customers/residents and regulators, which makes them more difficult to manage and mitigate against. This highlights how important the role of effective communication, consultation and engagement alongside delivery of the Reshaping Service programme is in mitigating the impact of these reputational risks.
Risk Management Plan Summary
- During quarter 2, excellent progress has been made in relation to the Risk Management Plan across all aspects of the Risk Register. The vast majority of mitigating actions outlined in the Risk Management Plans have a green status and are on track (in terms of progress) with 14 actions fully completed by the end of the quarter. Where actions have been completed these will now be removed from the Risk Management Plan and incorporated as controls within the relevant risks. There has been slippage in relation to 18 mitigating actions associated with the Legislative Change, Housing Improvement Programme, Waste Management, Information Security, Environmental Sustainability and the Safeguarding risks. These actions by corporate risk are as follows:
- Legislative Change and Government Reform
- Undertake further development of the DEWIS Cymru portal to expand and extend its use. Progress has been delayed whilst we seek a regional solution. The proposal now contains a Vale only response.
- Conclude the pilot of the Therapeutic Fostering Scheme and undertake a cost/benefit analysis. Proposal is under development and being costed with the view of developing a partnership with the University Health Board to support the development of a therapeutic arm to our fostering service.
- Housing Improvement Programme
- Complete delivery of the Council House Improvement Programme. At present 88.9% of identified improvement works have been completed. There is an action plan in place to deliver the remaining works by 31st March 2018. All identified properties have been surveyed and are being released in blocks by the contractor.
- Implement vehicle savings associated with waste management collection rounds. A grant submission for Welsh Government has been approved and funding obtained to introduce new In-Cab technology for all refuse vehicles. It is intended to progress this action further during quarter 4 through further route optimisation to further reduce costs.
- Develop a five year Waste Management Plan. The completion of the WRAP report which will be formally reported to Cabinet during quarter 3 is awaited. The WRAP report will be used to inform/shape the future waste strategy.
- Review the enforcement policy to reduce litter, fly tipping and dog fouling offences. A draft new policy has been prepared and it will be included in a report to Cabinet in quarter 3, updating them with regard to environmental enforcement. This has slipped to late Autumn to coincide with the report that will be presented to members. It will be necessary to advise members of the proposed new policy and obtain permission for the recommended changes.
- Review the provision of public conveniences to deliver a more cost-efficient service. Areas for savings have been identified within the public conveniences provided, and the recommendations that have been produced will be reported to Cabinet in quarter 3.
- Consider the implementation of dog control orders. This work has been delayed as work focused on concluding the alcohol orders that were due to expire in October 2017 before the work on dog control orders could begin.
- Progress the development of a waste transfer station and rationalisation of existing operational depots. Investigatory work has commenced as well as the appointment of a Major Projects Officer to assist with the development of a waste transfer station. The newly appointed project officer will commence work on the feasibility study during quarter 3.
- Further refine the ICT Strategy to ensure it has a clear vision and objectives aligned to the Reshaping Services Programme. Although the Digital Strategy has been endorsed, work continues in identifying the associated project outcomes and actions to implement the strategy. Therefore the refresh of the ICT Strategy will be undertaken following the completion of the Digital Strategy work.
- Investigate and implement the provision of a second internet connection to the Council to provide additional service resilience. A report was presented to Cabinet during quarter 3 (23rd October 2017) with recommendations associated with progressing this action. The recommendations outlined in the report were endorsed, which will now allow this action to be progressed.
- Work towards Payment Card Industry (PCI) compliance. The review work being undertaken by Northgate has not been completed by the advised date of September. A revised date has not yet been agreed, but progress will continue to be followed up.
- Continual maintenance and compliance with PSN has slipped. We submitted the application to the PSN Cabinet Office where the PSN Assessor raised some issues with the ICT Health Check Company's testing processes. The ICT Health Check Company have agreed to return to site to retest the disputed areas at no additional cost. We are awaiting the new testing date to be confirmed.
- Environmental Sustainability
- Complete the feasibility study for bus, cycling, walking improvements at Cardiff and Barry Road, Dinas Powys. The feasibility study was completed during quarter 1. However the Vissim model (this is a microscopic traffic simulation model) is awaited and will be carried out in terms of WelTAG Stage 2 during the Autumn/Winter.
- Continue to implement conversion of non-LED to LED lighting in residential areas. During the Quarter 2 period, an LED lantern supplier was appointed and a lighting trial was completed in Barry during the Summer, which identified a preference for neutral white colour temperature of the LED lanterns to be installed as part of this project. The move to full LED throughout residential areas in accordance with the Council's previously agreed Street Lighting Energy Reduction Strategy using the neutral white LED lanterns with dimming to 50% is now programmed to commence during the last quarter of this financial year. The works will commence in the eastern urban areas of the Vale and are likely to take some 4 months to fully complete. The value of the installation contract is £135K.
- Continue to explore the need for fleet and options for better usage. No further work was carried out in quarter 2 other than Passenger Transport Team looking at Social Services transport and where savings can potentially be made.
- Refine the Vale's Financial Inclusion Strategy. The new Head of Housing is taking over the role of Chair of the Financial Inclusion Group and dates have been arranged for future meetings.
- Develop tools to support staff to feel more confident to safeguard vulnerable people through effective procedures for referral and also use Adult Support Orders (where relevant). A new Operational Manager for Safeguarding and Service Outcomes has been appointed and commenced their role in September. This will be their primary focus to ensure there is ongoing awareness raising and implementation of procedures.
Feedback from Insight Board and Corporate Management Team
- The Insight Board considered the Quarter 2 Risk Register updates and the associated Risk Summary Report at its meeting on the 6th September 2017. Insight reviewed all the Corporate Risks, the heat maps and their interrelationship between the risk categories. Insight highlighted that the:
- LDP risk has significantly reduced since its adoption. Since the LDP is no longer subject to the judicial review period (6 weeks post-adoption), the Insight Board felt that this risk should be removed from the Register, but could be reintroduced at a later date should the need arise.
- Contract management risk is currently scored at medium/low. However, Insight commented that significant progress has been made over the last few months to mitigate this risk through the roll out of the contract management briefing sessions for all team managers alongside a series of other mitigating controls. As a consequence, Insight recommended that this risk also be removed from the Register.
- Following the Insight Board update, CMT reviewed the Risk Register and concurred that the LDP risk be removed from the Register. However, CMT recommended that contract management should remain on the Risk Register, pending the completion of all outstanding monitoring actions.
- It is recommended therefore that the LDP be removed from the Risk Register.
Welsh Community Care Information System
- The Head of Adult Services recently highlighted in an update report to both the Insight Board and CMT the emerging risks associated with any further delay to the revised date of implementation of the Welsh Community Care Information System (WCCIS). WCCIS will be a replacement to the social care information system known as SWIFT.
- The new system will provide an integrated electronic record system for social care, primary and community health services, mental health services across both adult and children and young people services. This will be a national system intended to be used across all local authorities and health boards across Wales.
- In the briefing paper provided, the key emerging risks identified were:
- Business continuity- Although the SWIFT contract has been extended by a further 6 months, the SWIFT Legacy system (read only archive of data) does not easily interface with the WCCIS software. Further work will be undertaken to effectively create an interface between the two systems, but in the meantime SWIFT and WCCIS will work in parallel to ensure continuity of service and access to service user information.
- Staff capacity and training- With the dissolution of the SWIFT Consortium Support team from 1st November there is very little resilience to support the ongoing support of migrating information from SWIFT (e.g. data migration and legacy system) and the transition to the new system. Within the Vale, there is one Systems Administrator who is both familiar with the SWIFT system and is trained on the configuration of WCCIS. Although the individual is supported by a regional team for WCCIS, they do not have knowledge of our localised systems. As a consequence there is minimal resilience within the team to support the full transition to the new system.
- ICT connectivity and support- the consistency of ICT support provided in preparation for the roll out of WCCIS has been challenging alongside issues associated with network connectivity. This could potentially impact on our ability to access and use the system.
- Data sharing- Information sharing protocols are in place, but due to the scale of this ICT project and the volume of users there is an increased risk of data protection breaches.
- Performance data- As we will be operating two systems to export performance data, this could impact on our ability to report on a full set of performance data and the timeliness of the reports.
- It is recommended that WCCIS be included on the Risk Register. If Audit Committee agree this recommendation, the risk template will be completed for this risk and included in the Quarter 3 update report.
Corporate Building Compliance
- The Director of Environment and Housing has identified Corporate Building Compliance as a potential emerging corporate risk in terms of failing to comply with our statutory responsibilities for ensuring the health, safety and welfare of both staff and the public when using our premises.
- At present the controls for the management of compliance, and specifically the 'compliance data' for the Council's Corporate Building Stock, need to be improved. Data on compliance of our corporate buildings is not held centrally, and this has been a matter of concern raised by the Wales Audit Office in a recent review and was subsequently identified as a proposal for improvement in the Council's Corporate Assessment.
- In a letter due to be circulated to all Premises Managers/Duty Holders, the associated issues have been outlined as follows:
- The Health and Safety at Work Act 1974 places specific duties on managers in the control of buildings to ensure employees, building users and other members of the general public do not come into harm whilst using the building. Over the years, this Act has been supplemented by a number of supporting regulations to ensure the safe management of electricity, gas, asbestos, legionella, fire, lifts, etc. These duties cannot be discharged to third parties and it is the premises manager/duty-holder that is ultimately responsible for managing the risks and discharging the requirements of all the regulations associated with the building.
- Whilst the legal duty to manage a building's compliance does not in all cases sit directly with the Council (for example in Schools where the duty holder could be the Head teacher), the Council has a vicarious responsibility to ensure the protection of all users of its corporate buildings. It must also ensure that its reputation is protected, therefore suitable processes and procedures must be in place to both establish the extent of the risks that the Council is exposed to and how those risks are being effectively managed.
- In order to better understand the extent of the corporate buildings' compliance risks posed, MSS Consultancy was engaged in July 2016 to undertake a GAP analysis of the current position. The final report concluded that there were significant gaps in the compliance data available and related operational issues such as out of date certificates etc. that, as a consequence, meant the Council could not be satisfied that its corporate buildings' compliance risks were being effectively managed. This report was tabled at the Council's Corporate Management Team in September 2017 and it was agreed that a major review would be undertaken of the Council's current management of compliance arrangements, led by the Director of Environment and Housing.
- Based on consideration of the above, the Director of Environment and Housing has recommended that Corporate Building Compliance be adopted as a Corporate Risk. Following consultation with Insight Board and CMT no objections were received for its inclusion on the Risk Register.
- It is recommended that Corporate Building Compliance is included on the Risk Register. If Audit Committee agree this recommendation, the risk template will be completed for this risk and included in the Quarter 3 update report.
Resource Implications (Financial and Employment)
- Managing and reducing risks effectively helps prevent unnecessary expenditure for the Council, reduces insurance claims and premiums and provides better protection for the Council and its staff and members.
Sustainability and Climate Change Implications
- Corporate Risks are considered in the context of the Wellbeing of Future Generations Act in terms of the impact they could potentially have on our contribution to the Wellbeing Goals. The five ways of working are also a key consideration in relation to our Corporate Risks to show how mitigating actions can be put in place as part of the risk management plans within the Risk Register.
Legal Implications (to Include Human Rights Implications)
- Identifying, managing and reducing risk effectively mitigates against potential legal challenge.
Crime and Disorder Implications
- None directly.
Equal Opportunities Implications (to include Welsh Language issues)
- Mitigating actions and controls to counteract any equalities related risks are outlined in each risk template in the Risk Register and monitored by the Insight Board, CMT, Audit Committee and Cabinet.
- Risk management is an intrinsic part of corporate governance and integrated business planning which underpins the delivery of the Council's Corporate Plan and wellbeing outcomes.
Policy Framework and Budget
- The proposals are within the Council's Policy Framework.
Consultation (including Ward Member Consultation)
- Consultation has taken place with nominated risk owners and members of the Insight Board.
Relevant Scrutiny Committee
- Corporate Performance and Resources
Corporate Risk Register
Rob Thomas, Managing Director (Chair of the Insight Board).
Corporate Management Team
Corporate Risk Owners
Head of Performance and Development
Operational Manager, Performance and Policy
Operational Manager, Internal Audit
Rob Thomas, Managing Director