Agenda item
Strategic Risk Register Update
This report provides the Committee with an update on the Council’s Strategic Risks as of September 2025.
Minutes:
Darren Armstrong (Deputy Director, Organisational Assurance and Resilience) was then invited to introduce a report from the Corporate Director Finance & Resources which provided an update on the Council’s strategic risks as of September 2025.
In introducing the report, members noted that it summarised those risks which senior management had assessed as having a significant impact and/or likelihood of materialising, with the potential to adversely affect the achievement of the Council’s objectives. It was further noted that the format of the report remained broadly consistent with previous iterations, although minor presentational improvements had been made. It was additionally stated that the Council’s overall risk profile continued to reflect the heightened risk environment in which it operated.
Of the 13 strategic risks, 12 remained outside their target risk scores, and none were showing a downward trend. However, 11 risks were reporting stable trends, with scores unchanged since the previous update in March 2025. A key change in the report was highlighted in terms of the increase in the risk score for noncompliance with statutory housing duties. This score had risen from 10 to the maximum of 25, indicating that the risk had materialised. This escalation was attributed to issues surrounding the Council’s self-referral to the Regulator of Social Housing. No new risks had been added to the register, and no existing risks had been closed or de-escalated.
Having thanked Darren Armstrong for introducing the report, the Chair then moved on to invite questions and comments from the Committee, with the following comments and issues discussed:
- Members queried the lack of detail in the report regarding Risk E: Climate and Ecological Emergency Mitigation and questioned how progress against the action plan would be monitored and reported. Details were also sought regarding management of the risk identified in relation to financial resilience and sustainability, particularly in the context of the upcoming local elections. In response, Darren Armstrong advised that progress on Risk E should be tracked across subsequent iterations of the report. It was explained that two previously separate climate-related risks had been merged into a single entry, although the risk details in the content remained unchanged. The current risk score was aligned with its target score, indicating that officers believed the risk could not be further reduced at present. Ongoing monitoring of the impact of mitigating actions would be included as part of the ongoing updates to Committee, and members’ feedback on these would be relayed to the relevant risk owners, with a view to providing more specific updates on progress and outcomes. Minesh Patel (Corporate Director, Finance and Resources) addressed the second query, clarifying that political pledges made during election campaigns were not representative of the Council’s formal position. Should such pledges be adopted by a newly appointed administration, the Council would assess their affordability and determine whether they could be implemented within existing financial constraints.
As a point of clarification, the Chair confirmed that Darren Armstrong (as Deputy Director, Organisational Assurance and Resilience) was responsible for drawing together the Strategic Risk Register, but not for the ownership or management of individual risks, responsibility for which rested with the designated risk owners.
- Independent members raised concerns regarding pressures on the SEND system, particularly the increasing reliance on the independent sector. It was observed that the independent sector was facing fragility due to factors such as National Insurance and reductions in rate relief, which were contributing to rising costs. It was questioned what mitigation measures were in place should the independent sector decline. In response, Darren Armstrong (Deputy Director, Organisational Assurance and Resilience) undertook to refer the member’s comments and queries to the appropriate risk owner and to seek a response following the meeting.
- Independent members took the opportunity to share observations from practice identified elsewhere, noting that sustainability and resilience were increasingly being addressed holistically across sectors. It was suggested that the Council consider appointing dedicated officers for sustainability and resilience, in line with emerging practices in the private sector. In response, Darren Armstrong (Deputy Director, Organisational Assurance and Resilience) acknowledged the suggestion and confirmed that it had been noted for consideration.
- Members sought details on whether there had been a cultural shift across the Council in terms of understanding and managing risk at departmental and strategic levels. As a supplementary question, members queried the implications of outsourcing cyber security services, and whether this had led to a reduction in internal expertise, particularly in relation to emerging technologies such as artificial intelligence (AI). In response, Darren Armstrong confirmed that he would refer the cyber security query to the relevant risk owner. It was noted that an internal review of cyber security and third-party risk had been undertaken in the previous financial year, which had provided assurance regarding the use of outsourced services. In relation to the broader question of risk culture, it was conveyed that the Council demonstrated a positive approach to risk management, particularly at senior levels. The strategic risk report was led and agreed by the Council Management Team (CMT) and was subject to detailed review, and the current register reflected a more transparent and comprehensive approach. It was acknowledged that while some departments maintained thorough and regularly updated risk registers, others required additional support and encouragement. Efforts were ongoing to strengthen risk maturity across all directorates, building upon the existing strategic risk register and the wider risk management strategy and framework.
- Members requested further details regarding the non-compliance with statutory housing duties. In response, Darren Armstrong informed the Committee that non-compliance with statutory housing duties was a recurring item on the Council’s annual audit plan. It was stated that internal audit activity consistently included work in this area. Ongoing discussions were taking place with Spencer Randolph (Director Housing Services) and housing colleagues to determine how best to utilise audit time to focus on the highest risk areas. The intention was to avoid duplication of existing work while identifying opportunities to add value from an internal audit perspective. It was further noted that concerns and risks associated with data transfer would be incorporated into those discussions.
- As an additional issue, members referred to security access levels, noting that this issue had arisen in both external and internal audits, and sought clarification on measures in place to ensure appropriate access and prevent manipulation of system data. In response, Darren Armstrong advised that in addition to the annual review of non-compliance with statutory housing duties, the Council also conducted annual reviews of IT applications. These reviews included an assessment of security and permission levels. Although the reviews focused in depth on specific applications, the findings were distributed across all systems to ensure that risks were identified and mitigated consistently. It was confirmed that the Council had previously undertaken a review of the NEC application and continued to conduct such reviews on a rolling basis. Any concerns identified in one application were shared across others to promote best practice and strengthen overall system integrity.
- Members observed that a number of risks remained unchanged and that several continued to be categorised as high. Particular reference was made to Risk K, which related to serious incidents or wider safeguarding concerns involving vulnerable adults. It was queried whether there had been any material change and whether the score had been increased to align with Risk H, as indicated in paragraph 3.3.3 of the committee report. In response, Darren Armstrong explained that this matter had been subject to ongoing discussion at CMT level. Previous iterations of the risk register had shown differing scores for safeguarding risks relating to children and adults. Directors and risk leads had been tasked with reviewing the rationale for this discrepancy and determining whether alignment was appropriate. It was agreed that the impact of safeguarding risks should be considered equivalent for both groups. Consequently, the decision was taken to align the scores, with the adult safeguarding risk (Risk K) increased to match that of the children’s safeguarding risk (Risk H). It was clarified that this adjustment was not driven by any material change in risk factors. Rather, these were considered inherent risks that would persist unless there were significant failings, adverse regulatory outcomes, or legislative changes. It was additionally noted that such risks were unlikely to be reduced below the current level.
- Independent Members referred to the forthcoming implementation of Martyn’s Law, expected to come into effect within approximately 18 months, and queried what resources would be required by the Council to fulfil its responsibilities under the legislation, particularly in relation to risk reviews and compliance scrutiny. In response, Darren Armstrong stated that the Council was approaching Martyn’s Law as a cross-cutting responsibility. While the Emergency Planning and Resilience Team was leading coordination efforts, resources were being drawn from across the organisation, including Property Services, Facilities Management, and Public Realm teams. It was confirmed that the Council did not anticipate the need for additional resources at this time. The necessary expertise and capacity were already present within the organisation, and the focus was on collaborative working to ensure effective implementation.
- Returning to the issue of Risk K, members noted its alignment with Risk H and expressed concern that the Council appeared to be accepting a level of risk that could not be mitigated. In response, Darren Armstrong clarified that the target score for both risks was 8, which represented a change from previous iterations. It was explained that while the impact of certain risks could not be reduced due to their inherent severity, efforts were focused on managing and reducing the likelihood through enhanced controls and mitigation measures. The current score of 12 reflected the severity of impact, which remained constant, while the target score of 8 was aspirational and based on reducing likelihood. It was emphasised that the risk leads were working towards achieving this target, and that it represented the lowest feasible level given the nature of the risks.
In seeking to bring consideration of the item to a close, the Chair thanked officers and members for their contributions and the Committee AGREED to note the update provided, with the following identified as specific actions:
(1) Feedback in relation to Risk E: Climate and Ecological Emergency Mitigation be relayed to the relevant risk owners, with a view to providing more specific updates on progress and outcomes.
(2) Comments concerning the need for mitigation measures in the event of a decline in the independent sector, arising from increased pressures on the SEND system and growing reliance on independent provision, be relayed to the relevant risk owners, with a view to providing more detailed updates and outcomes.
(3) Members’ queries regarding the implications of outsourcing cyber security services be relayed to the relevant risk owners.
Supporting documents:
- 08. ASAC Report - Strategic Risk Report - September 2025, item 8. PDF 328 KB
- 08a. Appendix 1 - Strategic Risk Report, item 8. PDF 620 KB