Agenda item

To undertake a Deep Dive exploration on the subject of the strategic risk presented to Brent Council from the ongoing development of AI technology recognising the way in which Brent is expanding its use of AI and automation to enhance efficiency and modernise service delivery.

To assist in the review, a paper has been attached which outlines the strategic risks along with the gaps identified in a recent internal audit. It provides an in?depth overview of the newly added AI Strategic Risk within the Council’s Strategic Risk Register and summarises the internal audit findings, governance improvements and planned actions designed to provide the necessary oversight and mitigation.

(Please note the agenda has been republished on 28 January 26 to include an updated version of the AI Strategic Risk Register attached as Appendix 1 to the report)

The Chair welcomed Tony Afuwape (Head of Digital Transformation) to the meeting who was invited to introduce a report from the Head of Digital Transformation as part of a deep dive commissioned by the Committee in relation to the development of Artificial Intelligence (AI) and automation expansion for use across the Council along with the benefits as well as strategic risks identified and oversight and mitigations being developed in response.

Olurotimi Adeniji (Digital Programme Manager) and Derrik Boyce (Head of ICT Solutions) were also introduced as co-presenters of the report. As a starting point, members were advised of the way in which Brent, like many organisations, was expanding its use of AI and automation as a key element of Brent’s digital transformation agenda to enhance efficiency, innovation and modernise service delivery, productivity and the resident experience.  Whilst recognising the benefits identified, the use of AI was also acknowledged to carry inherent strategic and cyber risks that required careful governance and oversight, which the Committee were advised had been detailed within sections 5 and 6 of the accompanying report circulated with the agenda and had also been captured within the newly developed AI Strategic Risk, attached as Appendix 1 to the report, included within the Strategic Risk Register

Key issues highlighted during presentation of the report were as follows:

·            Members were advised of the focus in developing Brent’s AI approach thought the establishment of an effective in?house automation function, the Intelligent Automation Centre of Excellence (CoE).  The CoE had been responsible for identifying, designing and delivering automation solutions that streamlined manual, repetitive and high?volume processes across the council and by leveraging the use of a leading platform for Robotic Process Automation (RPA) (i.e. UIPath) and agentic automation had also been able to actively develop staff capability with the aim of promoting a culture of continuous improvement.  As a result, the CoE had (to date) been able to successfully deliver around 50 automations, generating significant efficiency savings, reducing administrative burden and improving the speed and quality of services for residents, with Brent noted to be one of the few local authorities that had the capability of maintaining an internal team solely for this purpose positioning the Council as a leading authority within the sector and with examples of its use provided within section 4 of the report.

·            Having highlighted the significant progress made to date, members were advised that the approach had been subject to an Internal Audit review commissioned by Brent and conducted by PriceWaterhouse (PwC) in August 2025 which had concluded that whilst the overall, the arrangements for AI were maturing they had not yet been identified as consistent with the required corporate-level recommended.  This had resulted in a Limited Assurance rating being provided identifying important gaps needing to be addressed to ensure the Council remained compliant, secure and operationally resilient as AI adoption was accelerated.  Whilst recognising that significant progress had been made in establishing governance, strengthening controls and deploying early AI use cases, the audit had identified a number of areas for improvement including the need for a council-wide AI strategy or roadmap to set priorities and standards; further strengthening of governance arrangements involving AI; AI risks to be included on the digital risk register and strategic risk register; development of staff training and awareness in relation to AI risks and the adaptation of procurement guidance to reflect AI.  The Committee was advised that all recommendations arising from the audit had been accepted, with actions scheduled for completion by 31 July 2026 with a range of mitigations developed to strengthen governance, build organisational capability, and ensure the safe and effective use of AI across the organisation.

These measures included the introduction of a governance first approach to prioritise the establishment of ethical, legal, and operational guardrails before the widespread technical deployment of AI systems designed to ensure safe, ethical, and transparent AI adoption along with a clear risk assessment, approval and monitoring process supported by oversight from the Data Ethics Board, Technical Design Authority (TDA), AI & Data Board and the Cyber Security Board. In addition, strategic and operational risks associated with AI, such as those related to data privacy, security, model performance, and ethical considerations, were formally reported to the Senior Information Risk Owner (SIR) in order to ensure significant risks were escalated appropriately and to maintain effective oversight and timely decision-making regarding risk mitigation and compliance.  An outline was also provided (within section 7.4 of the report) of the wider governance controls and foundations in place, which it was noted included mandatory Data Protection Impact Analysis and AI Impact Analysis, strengthened cyber assurance and a restriction on use of unauthorised artificial intelligence (AI) software to safeguard council data and ensure responsible technology usage, supported by regular monitoring and management of AI activity across the organisation with work also ongoing to develop a dedicated AI strategy that would define the council’s vision, principles, governance, priority use cases, success measures, and delivery roadmap which had been scheduled for completion during 2026-27.  Alongside the dedicated in house expertise available within Brent, the Council also continued to work closely with sector partners to ensure its AI approach was aligned with emerging best practice and the collective public?sector standard with the council not only continuing to monitor and assess its AI maturity on an ongoing basis but also an active participant in pan?London collaboration through organisations such as the London Office of Technology and Innovation (LOTI) and the West London Alliance (WLA), contributing to shared learning on AI governance, risk management, and resident?centred design and also seeking to incorporate national best practice by adopting guidance from the Government Digital Service (GDS) and the Local Government Association (LGA), ensuring its frameworks, ethical safeguards, and delivery models remain consistent with sector wide standards.

Having noted the initial update in support of the deep dive process, the Chair thanked Tony Afuwape, Olurotimi Adeniji and Derrick Boyce for the outlined provided highlighting the benefit of the co-sourced approach adopted by the Council’s internal audit function in seeking to support and provide the necessary level of expertise in delivering the required level of assurance in relation to the audit process.  Members were then invited to raise any questions or comments, with the following discussion summarised and highlighted below:

·            In beginning the discussion, details were sought on the potential application of AI within finance and in order to assist in areas such as IFRS 16 as part of the external audit process. In response, Minesh Patel (Corporate Director Finance and Resources) advised that there was no specific AI tool yet available to support this specific type of finance activity although work continued to see how it may be possible to utilise existing tools in the future, particularly around audit work involving sample checks and transactional, process-driven activities with potential identified within those areas. Tony Afuwape added that one of the principal goals of the Digital Transformation Team was to have a dedicated team within the Council, operating outside of specific departments, to examine what could be achieved with AI and data.

·            On the strategic perspective, members raised a potential concern that different departments might work in silos or at different paces with details sought over what strategic coordination was being undertaken to bring these efforts together and ensure the necessary oversight was in place.  In response, members were advised this was being coordinated through development of the digital strategy, to ensure the benefits and investment in AI could be utilised more extensively and shared across the organisation enabling the whole Council to understand the possibilities AI offered. One challenge in achieving this was that AI represented an ever-evolving field, with what might currently be considered as optimal being quickly superseded. Therefore, officers noted it was necessary to commence implementation relatively quickly and then build upon those foundations as developments continued.

·            In seeking further details regarding development of the strategy, clarification was provided on timescales with the aim to have the strategy finalised and operational by July 2026.  Tony Afuwape highlighted the work currently being undertaken to develop the draft strategy with confirmation provided this would be cross cutting and organisational in nature rather than defined by specific types of service.

·            In relation to a query regarding PwC's involvement in the process to date, clarification was provided this had been as a co-sourced partner in the internal audit function providing specific expertise and did not involve their engagement in Brent’s AI implementation itself.

·            Referencing the level of automations already generated across Brent, further details and assurance were sought on the associated testing and monitoring arrangements and whether this practice would be incorporated as a routine element of the forthcoming AI strategy.  In response, Olurotimi Adeniji (Head of Automation) outlined the testing arrangements followed and what was felt to be the robust nature of the governance system utilised, with UI Path being employed as one of the leading automation platforms for Robotic Process Automation (RPA).  This was followed by careful monitoring to ensure performance was and remained as expected.  As additional assurance, confirmation was provided that the process also involved human oversight and collaboration with the monitoring process covering all systems under the automation team's support.

·            Focussing on the AI Strategic Risk Register, further assurance was sought on the mitigations in place to address the risks identified arising from the use of AI in relation to weak information governance and associated reputational damage and potential for resident mistrust.  In response, Derrick Boyce felt it important to assure members on the key controls and mitigations developed in response to the level of risk identified including the establishment of the AI and Data Board, supported by a dedicated Data Ethics Board to provide expert guidance on the responsible development and deployment of AI systems.  The use of AI would also involve a human element to verify and validate the data and ensure content and processes generated were checked and monitored with the aim to use automation and AI to increase performance, efficiency and output and allow staff more time to undertake other resident focussed tasks and interaction.

In seeking to address issues on trust, it was seen to be essential to ensure sufficient controls were in place regarding AI with members reminded of the governance arrangements already in place. In terms of transparency, members were advised that if information generated through AI was being shared or communicated to residents, there would be a statement indicating that it was generated by AI or that AI was involved in the process. As further context, Darren Armstrong (Deputy Director Organisational Assurance and Resilience) reminded members that the risk as presented on the register was designed to reflect the inherent level of risk identified, with an extensive range of mitigations identified designed to avoid these materialising based on the key controls established.

·            In seeking further clarification on the Intelligent Automation Centre of Excellence (CoE) model, members were advised that Brent was currently one of only three London boroughs operating this style of model in house and with the Council therefore recognised as being ahead of the curve in this respect.

·            Returning to the level of automation already implemented across the Council, further details were sought on the examples provided regarding the impact of their use and whether any type of negative outcomes had been identified.  In response, Olu Adeniji advised of the systems in place to ensure that Brent, as a resident-centred organisation, was able to utilise AI to ensure that what was being delivered met the needs of residents and also assisted staff in delivering their work effectively. Through the RPA system, if a process was not performing as expected or meeting desired outcomes assurance was provided that deployment would either not proceed or cease. Once deployment occurred, use would be carefully monitored to ensure it continued to perform as expected supported by the in-house team.  Should issues subsequently be identified the bots in use would either be corrected or removed in order to minimise any negative impact with the growing level of automation capacity based on specific criteria and rules designed to strengthen operational efficiency.

·            Highlighting the considerations outlined in relation to climate and environmental impact, further details were sought on the impact of data centres being used and how these were being managed and measured.  In response, Derrick Boyce recognised the concerns raised with the current approach in Brent reflecting a mix between use of on and off-site data centres. Brent had two physical data centres (one located at Brent and the other at Croydon operated as part of a shared IT service arrangement with Lewisham and Southwark) with the physical and environmental outputs measurable. In addition, the Council also utilised a cloud-based data centre located within London, shared with a number of other Microsoft clients.  Monitoring the environmental impact of the external cloud based data centre was recognised to be more challenging with energy use between those members of the shared IT service apportioned in terms of cost based on a calculation reflecting the number of users per partner council.

·            Members were also keen to explore the reference in the report to the trial of recent AI initiatives including the first conversational parking chatbot and use of AI to assist with responses to housing complaints in terms of user experience.  In response, Olu Adeniji provided further details on the trial use of the parking chatbot which, whilst still being optimised, was designed to enable residents to interact with the Council on a 24/7 basis in order to signpost residents to relevant parking support and payment options including available parking provision and fees for different locations. Feedback had been received regarding the effectiveness in reducing the volume of calls needing to be dealt with although it had been recognised that additional awareness raising activity was required to ensure the availability of the facility was highlighted in encouraging more use. Regarding the housing complaints application, this had been a pilot project undertaken to assist housing complaint officers in streamlining their work and reducing work pressures. Whilst assisting in generating responses to complaints, assurance was once again provided that a human element was retained in terms of checking and validating responses to ensure that those generated were accurate and could be trusted. The pilot had been successful and had demonstrated that it could assist in compiling responses from repair notes and case notes in a timely manner. The trial had demonstrated what it might be possible to achieve although the system had not yet been deployed whilst further consideration was given as to how its use could be implemented transparently with residents.

·            In response to the area of improvement identified as part of the internal audit relating to staff training and awareness, further details were sought on the programme of annual data protection training undertaken with staff across the organisation both from a security and data management perspective and in relation to recognised good practice.   In response, Minesh Patel assured members of the seriousness with which the Council treated data management and protection, with staff required to complete a mandatory training programme on an annual basis.  Completion rates were subject to ongoing monitoring with compliance levels (as of January 2026) showing 93.18% of all staff having completed the required training. Processes were in place whereby if staff failed to complete training within a specified period this would be followed up by managers and, if required, access to relevant systems disabled pending completion.

·            As a final issue, confirmation was sought on the July 2026 timescale identified for completion of the actions arising from the internal audit process.  In response Tony Afuwape clarified that the timescales provided reflected the dates within the management response with officers confident that they would be delivered within the timescale indicated.

With no further comments raised the chair closed by thanking members and officers for their contributions as part of the deep dive process.  As key reflections it was felt the inclusion of additional AI training and awareness for both members and officers across the organisation would be valuable given the growing utilisation of AI and automation as an increasingly important area of activity. In recognising the early stage of the journey in terms of maturity level identified relating to development of the use of AI and automation, the importance in maintaining a resident centred and co-design approach to its development was also felt to be key, with members advised of the work already underway in relation to development of an enhanced training offer to increase levels of knowledge and awareness across the Council.

In once again thanking Tony Afuwape (Head of Digital Transformation), Olurotimi Adeniji (Digital Programme Manager) and Derrick Boyce (Head of ICT Solutions) for their contributions it was RESOLVED to note the contents of the report and outcome of the deep dive activity, including the overview of the newly added AI Strategic Risk within the Council’s Strategic Risk Register internal audit findings, governance improvements and arrangements put in place to ensure the growing use of AI across the organisation was undertaken in a safe and responsible manner and with the necessary oversight.