Agenda item

Risk Management Report


The Interim Director of Finance presented the Quarterly Risk Update and in doing so highlighted that even though there had been no changes in the number of Corporate Risks since the meeting in March 2023, the Cyber risk had moved from amber to red as this was the greatest risk currently facing the local government sector.


Members were advised that mitigating factors were in place for each of the Corporate Risks as detailed in the report. With reference to the cyber security risk, it was stressed that the Council had mitigations in place to protect from cyber attack, including weekly penetration tests, an annual PSN Security Audit, and regular internal audits. In addition, a new software tool, KnowBe4, was in place, which enabled both Officers and Members to report suspicious phishing emails and provided simulated phishing attacks to assess organisational readiness for cyber attacks. It was further reported that the Council’s cyber insurance had been extended for a further year but, due to the potential severity of impact of the cyber risk, it was prudent to increase this risk to red.


It was reported that there were now 51 Departmental Risks of which 1 was a red risk related to Revenues - Performance Indicator data that was not deemed robust as it could not be system generated. This compared with the original baseline in April 2022 of 119 risks. Many of the 51 Departmental Risks that remained were related to Housing and were related to compliance issues. In relation to the Building Control risk it was noted that this risk would become more acute towards the end of the financial year as by that time there would be a requirement for local authorities to only use accredited Building Control staff. This requirement could also possibly limit the number of staff available in the agency market. Additionally, a significant increase in fires had been reported in the Borough, which was linked to people using sub-standard electrical equipment in their homes. This factor would have an effect on the Council’s property insurance renewal figures.


Following the presentation of the report, Members asked a number of questions concerning the risk report to which the responses were given as follows:


·       Choice of KnowBe4 as the Council’s phishing detection/cyber security software – Officers explained that the IT department took advice from the Council’s cyber insurers when deciding to implement this software for phishing detection. It was highlighted that the software was easy to use, enabling users to report phishing emails with a single click, and that it monitored users’ behaviour, including through simulated phishing tests, which enabled the Council to identify areas to improve in its cyber security and/or staff who required additional help to improve their cyber security awareness. Some Members spoke in favour of having more practical phishing tests on a regular basis as this was the best strategy against real-time cyber threats.

·       Effectiveness of mitigations against the Corporate Risks – It was stated that a robust set of mitigations was in place against each Corporate Risk. For example, the updated Workforce Strategy addressed the issue of adequate workforce planning in addition to two new Human Resources (HR) tools which were being used to improve the process of advertising full-time and part-time roles within the Council.

·       Council offer of home contents insurance for council tenants and leaseholders – It was highlighted that many council tenants and leaseholders were unaware that the Council offered this service and Members asked that this offer be promoted. Officers responded that this would be included in the circular sent to council tenants and other ways of disseminating this information would be looked into.

·       Towns Fund governance arrangements – It was explained that there was a Towns Fund Board (Redditch Town Deal Board) comprising elected members (Leader of Redditch Borough Council and Leader of Worcestershire County Council) in addition to representatives from partner organisations and the private sector. In addition, there was an internal Officer Board which was chaired by Redditch Borough Council’s Chief Executive Officer. Both governance boards held meetings every 4-6 weeks.

·       It was highlighted that Towns Fund was a time-limited fund and there was a concern about a lack of capacity among contractors. There was a high risk of project overruns beyond the funding timeframe, for which the Council would be financially liable. However, there were indications that the Government was to permit time slippage on individual projects without liability for councils.

·       It was noted that the North Worcestershire Economic Development and Regeneration (NWEdR) were responsible for Towns Fund project delivery and they reported to the Project Board. Quarterly returns on project delivery were also submitted to the central government. 




the present list of Corporate and Departmental Risks be noted.
