Agenda item

Monitoring of 2022/23 Quarter 2 Corporate Risk Register

Minutes:

The Head of Strategic Finance and Property introduced the report which covered Quarter Two of 2022/2023. He said that the usual report officer had now left the Council and so this responsibility had now passed to an Officer from the Communications, Strategy and Policy Team.

 

The Head of Strategic Finance and Property drew Members’ attention to page 196 of the report which gave a summary of the updates to risks.

 

Councillor Fernando said that he noted that the register still had the resilience of IT scored as an A3 risk. He said that as per the recent Council IT outage, it was likely that despite ongoing works this may reoccur more than annually. He said he was therefore concerned that the risk may be being underemphasized. The Chairman said that conversations regarding the upgrade of this risk had been had at previous meetings of the Committee and he shared Councillor Fernando’s concerns. The Head of Strategic Finance and Property said that he would feed the Committee’s comments regarding this risk back to the Deputy Chief Executive.

 

The Chairman asked if the Risk Matrix should have been included in the report. The Head of Strategic Finance and Property said that it should, but that the matrix could be viewed online via the Pentana portal.

 

The Head of Strategic Finance and Property said that lots of the Council’s IT systems currently sat in isolation from the website. He said that this was advantageous as it made them difficult to attack, but that planned digital enhancements would raise risks.

 

Councillor Crofton asked if the Council was able to find a different IT partner. The Executive Member for Financial Stability said that change was needed, but that care was needed to ensure that any change was not disadvantageous. He said that a new Joint Information and Technology Committee had been formed, comprising three members each from East Herts Council and Stevenage Council plus Senior Officers. He said that it was, however, reasonable for the Council to scope out alternative options.

 

The Chairman asked Members if they were in agreement that the risk score given to IT should be moved from A3 to A4. After discussion Members agreed that the IT risk should be moved from A3 to A4 in the Risk Register.

 

The Chairman referred to paragraph 3.1 of the report and asked for clarification of the risk tolerance levels set by the Leadership Team. The Head of Strategic Finance and Property explained that risks above the tolerance level were actively managed. He reminded the Committee that IT was already in this ‘hot zone’ with its current risk score of A3.

 

Councillor Fernando referred to page 207 of the report and said that the risk register triggers relating to the performance of IT systems needed to be expanded. He said that the Council’s recent IT outage would not have been seen as a trigger in the current summary of corporate risks. Members agreed that the Deputy Chief Executive should review the risks, triggers, consequences and mitigation/controls relating to the performance of the Council’s IT systems.

 

Members discussed their concerns and the issues surrounding the other risks as detailed in the summary of corporate risks. The Head of Strategic Finance and Property gave an explanation for the scoring of these risks and their mitigation/controls. Members agreed that no further action was required in relation to these risks at this time.

 

It was moved by Councillor Fernando and seconded by Councillor Bell that the recommendations, as detailed in the report and appendix, be approved with the following additions:

 

·       that the risk score for the performance, resilience and security of IT systems be upgraded from A3 to A4 in the Corporate Risk Register

·       that the Deputy Chief review the risks, triggers, consequences and mitigation/controls relating to the performance of the Council’s IT systems.

 

After being put to the meeting, and a vote taken, the motion was declared CARRIED. 

 

RESOLVED – that the 2022/2023 Quarter Two Corporate Risk Register be reviewed, and that the score for the performance, resilience and security of the Council’s IT systems be upgraded from A3 to A4 in the Corporate Risk Register, and that the Deputy Chief Executive review the risks, triggers, consequences and mitigation/controls relating to the performance of the Council’s IT systems.

 
