Agenda Item No 8
The Vale of Glamorgan Council
Audit Committee 19th September 2018
Report of the Managing Director
Corporate Risk Register Quarter 4 Update
Purpose of the Report
- To update Audit Committee on the quarter 4 position (April 2017- March 2018) of risks contained within the Corporate Risk Register, as outlined in the Corporate Risk Summary Report.
- To provide an overview of the emerging risk themes and issues as outlined in the Risk Register.
- That Audit Committee note the end of year position of corporate risks, the emerging risk themes and endorses the associated recommendations made by the Corporate Management Team, as contained in this report.
- That Audit Committee refer this report to Cabinet for their consideration and endorsement.
Reasons for the Recommendations
- To identify the end of year position of corporate risks across the Council and highlight any emerging risk themes and issues.
- To ensure Cabinet receives an end of year position on the Corporate Risk Register and endorses the recommendations contained within this report.
- During June 2017 the Insight Board reviewed our approach to Risk Management through developing a new approach to Risk Management.
- As a result of this review, a new risk methodology has been adopted alongside a revised Risk Register template. The new Corporate Risk Register and its associated Reporting tool was endorsed by Audit Committee on 31st January 2018.
- As a result of reviewing our Corporate Risk Management approach we also undertook a full refresh of the associated Risk Management Strategy. The Risk Management Strategy was developed in consultation with the Insight Board and Corporate Management Team and was endorsed by Audit Committee 1st May 2018.
Relevant Issues and Options
Corporate Risk Summary
- There are currently 15 Corporate Risks on the Register, as outlined within the within Annex A of the Register. Since the last update, no further risks have been removed or added to the Register.
- Of the 15 Corporate Risks, in terms of risk status, one risk was scored high, one risk was scored medium/high, 11 risks scored medium and two risks scored medium/low in terms of their risk status. This position has largely remained unchanged when compared to the previous quarter, with the exception that the Public Buildings Compliance risk has now reduced from a medium/high to a medium status. However during the period, the Welsh Community Care Information System (WCCIS) risk has been elevated from a medium to medium/high risk.
Deprivation of Liberty Safeguards (DoLS)
- The risk remains a high status which reflects that Social Services continues to experience pressures in relation to their existing resources, especially Council budgets as a result of increased demand for Best Interest Assessments which continues to escalate this risk. The existing controls have a limited effect on controlling the demand and there are no controls that could be put in place to further mitigate against this risk. Therefore, we anticipate that this risk is unlikely to diminish over time, but is more likely to be sustained at a high status for at least the short to medium term.
Welsh Community Care Information System (WCCIS)
- During the quarter this risk has increased from a medium to a medium/high status, scoring an 8. Although this is a relatively new risk to the Register, the implementation of the new system continues to be evolving. During any given quarter one facet of this risk may get resolved to be then replaced by another emerging risk. Despite this the implementation has continued to progress well, where some previously identified risks have now been resolved and four of the six actions in the Risk Management Plan have been completed. For example, the Resource Management & Safeguarding division has progressed the purchase of consultancy support to develop our finance functionality of the Welsh Community Care Information System (WCCIS) during 2018/19, where a portion of this money has been secured through ICF funding (2017/18) with a further bid pending agreement of the Regional Project Board (early July) to secure the remaining amount in 2018/19. This funding will enable us to implement a secure, robust system for the recording of financial information and improve our reporting and charging mechanisms.
- However, resilience of staffing continues to be an issue and it is likely that this element of the risk is likely to continue to escalate into quarter 1 of 2018/19. In particular there is vulnerability in relation to the systems administration, which could significantly impact on the development of WCCIS locally and limit our ability to resolve issues and develop forms. A new risk that has emerged during the quarter relates to the print function of the system. All forms that were in place prior to system migration can be printed from the new system, but when developing/modifying new forms within WCCIS, we are unable to print any of these from the system. This has been identified as a Vale-specific issue and is not likely to be related to the overall functionality of WCCIS. It is determined to most likely relate to compatibility issues associated with different software versions. In the interim a work around has been identified to provide these forms via Word and that these documents are attached within WCCIS, however this is only a short-term fix. To address this, IT services are working alongside the Social Services Directorate and the national team to rectify this issue. Therefore the fluctuating nature of this risk has necessitated the need for this risk to be defined as medium/high. It is forecast that this risk will continue to remain medium/high for at least the short term.
- The safeguarding risk remains medium/low (3) on the Register in terms of their risk score. There are a number of robust controls in place that are effectively mitigating against this risk and all actions identified within the Risk Management Plan for 2017/18 have been fully completed.
- During quarter 4 some key developments have included the production of a work plan by the Corporate Safeguarding Group for the monitoring of the safeguarding policy across the Council as well as the development of a designated safeguarding page on the website to contain up to date information on the policy and to further support safeguarding practice. The Regional Safeguarding Board has facilitated Adult Protection Support Order training for relevant Adult Services staff and WCCIS has helped to streamline the adult safeguarding process in terms of recording enquiries and decision making within 7 days. We continue to promote and embed the safer recruitment policy both corporately and within schools with ongoing regular monitoring for compliance. The overall outturn for year end (2017/2018) shows there was 95% compliance across both the Council and schools which is consistent with that of the previous year. The compliance rate in relation to Council/Corporate employment appointments increased from 97% to 99% in 2017/18. However, a decrease in compliance outturn from 94% to 93% occurred in schools over the same period. The weekly performance management process and in particular the internal escalation process will continue to be applied to those schools where breaches of the safer recruitment policy have been identified. Compliance of the policy continues to be a standing agenda item at each Corporate Safeguarding Group meeting where the focus is on achieving 100% compliance. The Group also continually reviews the effectiveness of the policy in order to identify potential improvements.
- Although this risk remains relatively low, it will continue to feature on the Risk Register due to the volatile nature of the risk. Safeguarding is of the utmost importance and our approach to safeguarding needs to be regularly reviewed and updated to ensure we can effectively manage it.
- The contract management risk, continues to remain medium/low (3) on the Register. The existing controls continue to be particularly effective and good progress has been made in delivering the actions outlined in the Risk Management Plan for 2017/18, with nearly all actions completed by year end. During quarter 4, a review of contracting arrangements was completed by internal audit which concluded that 'robust systems were in place and policies and procedure were up to date and relevant'. Slippage has only been reported in relation to the development of electronic Corporate Contracts Register. Although this work had been progressed during 2017/18, it is anticipated the full roll-out will not be completed until 2018/19.
- On the whole this risk has been diminishing, but one emerging risk associated with contract management is the potential failure of externally commissioned providers in delivery of services. Over the past year there have been instances, within Social Services (particularly Adult Services), where providers have been at risk of failing. This reflects the fragility of those externally commissioned services and the potentially detrimental impact a failure could have on our ability to deliver statutory services. Despite this, this facet of risk has been effectively controlled to ensure continuity in service delivery for our service users through the Escalating Concerns Policy. This policy assists us in managing and responding to circumstances where there is potential for provider failure. During 2018/19 the focus will be on further reinforcing and embedding our approach to escalating concerns in relation to externally commissioned Social Services.
- It is forecast that this risk will continue to reduce over time and that it will be removed from the Register once all actions within the Risk Management Plan have been completed.
- Annex A contains the full Risk Register along with a Risk Summary Report outlining the position of all Corporate Risks.
Risk Heat Map Summary
- The Corporate Risk Summary report (Annex A) has heat maps that plot on a matrix the residual risk scores for each corporate risk. On the whole the heat map on page 3 of Annex A shows that the majority of corporate risks congregate around Medium across all risk categories, with the reputational risk category showing the greatest density of medium risks in the quadrant. There were also more green status (medium/low) risks associated with the reputational risk category when compared to the other risk categories.
- In relation to risks with an amber status (medium/high) there is a greater concentration of these in relation to reputation and service delivery & well-being based risks.
- Deprivation of Liberty Safeguards continues to sit in the high category of the quadrant (with a residual score of 12) across three of the four risk categories with the exception of reputation where it scored medium/high (9).
Risk Management Plan Summary
- During the quarter, strong progress has been made in relation to the Risk Management Plans across all aspects of the Register. In total there are 106 actions currently being monitored via the Register that are linked to a corporate risk. The majority of these are also actions that are aligned to the delivery of our Corporate Plan priorities. During quarter 4 we have been able to assign a RAG status to 101 of these mitigating actions. A RAG status was not applicable for five actions as they are new actions that have been added to the Register. Work will commence on these actions in 2018/19 with a progress update reported in quarter 1.
- 74% (75) of mitigating actions outlined in the Risk Management Plans have been completed by year end resulting in a green status. Actions that have been completed by year end will be removed from the Risk Management Plan and incorporated as controls within the relevant sections of the Register. Any actions that will continue as rolling/ongoing actions will continue to remain in the Register for 2018/19 monitoring.
A small proportion of actions, 7% (7) have been assigned an Amber status to reflect that there has been some minor slippage at year end. This represents those actions that were close to completion by year end, but where progress has been delayed. In these cases these actions will be reviewed to identify what remedial action needs to be taken and will be carried forward as actions in the Risk Management Plan for 2018/19.
During quarter 4, 19% (19) actions were assigned a Red Status (where progress has significantly slipped against the designated timescales). The areas of slippage during the quarter were in relation to CR2: Legislative Change &Local Government Reform (one action), CR3: School Reorganisation & Investment (one action), CR4: Housing Improvement Programme (one action), CR5: Waste (three actions), CR6: Workforce (two actions), CR7: Information Security (four actions), CR8: Environmental Sustainability (two actions), CR10: Public Buildings Compliance (one action), CR12: Integrated Health & Social Care (two actions), CR14: Contract Management (one action) and CR15: Welsh Community Care Information System (one action). The greatest proportion of slippage/Red Status actions was in relation to CR7: Information Security, where four of the seven (57.1%) mitigating actions within the Risk Management Plan were assigned a Red Status. In all cases where a Red has been reported in relation to these actions, appropriate remedial action has been identified to progress the actions. These actions will be carried forward as actions in the Risk Management Plan for 2018/19. No red status was assigned to actions in relation to CR1: Reshaping, CR9: Welfare Reform, CR11: Safeguarding and CR13: Unauthorised Deprivation of Liberty Safeguards (DOLs).
Across each of the Risk Management Plans, an overview of progress (RAG Status) in relation to the mitigating actions is provided on page 5 Annex A.
Emerging Issues & Risks
Legislative Change & Local Government Reform
- On the 20th March 2018, the Welsh Government published a Green Paper for consultation on the proposals for reforming local government in Wales. One of these proposals would have seen a merger between the Vale of Glamorgan Council and the Cardiff Council. Although our focus on developing more regional ways of working would continue, this change in direction by the Welsh Government increased uncertainty within local government.
- The Council carefully considered Welsh Government's latest series of proposals for the future of local government and developed its response to these proposals in collaboration with a significant number of colleagues from across the organisation, all elected members, the scrutiny of the Corporate Performance & Resources Committee and finally a discussion at Cabinet. The Council's response was agreed by Cabinet on 6th June and was then submitted to the Welsh Government for consideration.
- The Local Government Secretary has since announced that Welsh Government's proposals have been withdrawn and any mergers would now be voluntary.
- As at end of year, the position of the legislative change and local government reform risk had remained unchanged at a medium. However, given the fluctuating nature of the external policy environment in relation to the local government reform agenda we anticipate that the political and legislative element of this risk has the potential to escalate over time. Further updates on developments in relation to this aspect of risk will continue to be reflected and reported in the next Risk Register update as the position becomes clearer.
Feedback from Insight Board
- The Insight Board considered the Quarter 4 Risk Register update and the associated Risk Summary Report at its meeting on the 19th July 2018. Insight reviewed all the Corporate Risks, the heat maps and their interrelationship between the risk categories.
- The Insight Board noted that although the contract management risk continues to maintain a medium/low position on the Register, the Board felt that it should retained on the Register until all outstanding actions within the Risk Management Plan have been completed.
Feedback from Corporate Management Team
- CMT considered the Quarter 4 Risk Register update and the associated Risk Summary Report at its meeting on the 15th August 2018. CMT reviewed all the corporate risks, the heat maps and their interrelationship between the risk categories and highlighted that:
- CMT recommended that:
- The risk register should be referred to Audit Committee for consideration and endorsement and referral to Cabinet for the same.
- That the forthcoming Additional Learning Needs (ALN) Act be included within quarter one's risk register commentary relating to the Legislative Change and Local Government Reform risk. This Act will have significant implications for the Council and will inform the way in which this risk is evaluated, scored and the controls and mitigating actions required to manage this new legislation.
Resource Implications (Financial and Employment)
- Managing and reducing risks effectively helps prevent unnecessary expenditure for the Council, reduces insurance claims and premiums and provides better protection for the Council and its staff and members.
Sustainability and Climate Change Implications
- Corporate risks are considered in the context of the Wellbeing of Future Generations Act in terms of the impact they could potentially have on our contribution to the Wellbeing Goals. The five ways of working are also a key consideration in relation to our corporate risks to show how mitigating actions can be put in place as part of the risk management plans within the Risk Register.
Legal Implications (to Include Human Rights Implications)
- Identifying, managing and reducing risk effectively mitigates against potential legal challenge.
Crime and Disorder Implications
- None directly.
Equal Opportunities Implications (to include Welsh Language issues)
- Mitigating actions and controls to counteract any equalities related risks are outlined in each risk template in the Risk Register and monitored by the Insight Board, CMT, Audit Committee and Cabinet.
- Risk management is an intrinsic part of corporate governance and integrated business planning which underpins the delivery of the Council's Corporate Plan and wellbeing outcomes.
Policy Framework and Budget
- The proposals are within the Council's Policy Framework.
Consultation (including Ward Member Consultation)
- Consultation has taken place with nominated risk owners, the Insight Board and Corporate Management Team.
Relevant Scrutiny Committee
- Corporate Performance and Resources
Corporate Risk Register
Corporate Risk Management Strategy
Huw Isaac, Head of Performance and Development.
Corporate Management Team
Corporate Risk Owners
Head of Performance and Development
Operational Manager, Performance and Policy
Operational Manager, Internal Audit
Rob Thomas, Managing Director.