The Cabinet was informed that the Risk Management Strategy sets out the approach adopted by the Council for identifying, evaluating, managing and recording risks to which it is exposed. A review of the strategy is carried out annually and, where necessary, presented to the Cabinet for approval if it is subject to any updates and amendments.

The Cabinet was informed that there had been no updates or amendments made to the Risk Management Strategy.

In preparing the draft Corporate Risk Register for 2025-26, Management Team, Senior Officers and Members were contacted and requested to identify and evaluate new risks and analyse existing risks currently recorded in the 2024-25 Corporate Risk Register.

During the mid-year review of the 2024-2025 Corporate Risk Register, the Council’s Finance and Audit Committee requested for the following areas to be considered during development of the 2025-2026 Register; the Council’s response to those suggestions were detailed below: -

·         Local Government Devolution.

The Council identified Devolution as a risk which had been incorporated under Risk 2. The title of Risk 2 had also been amended to ‘Changes in national and regional priorities and legislative change’ to further support this risk.

·         Financial stability and lack of Government funding support.

Further details relating to the Government’s autumn statement was subsequently released on 18 December 2024 with a final settlement announced on 3 February 2025. This risk was already covered under Risk 1: ‘Ongoing financial viability of the Council’. However, a trigger on ‘decisions being made by external bodies having a direct financial impact on the Council’ had been expanded to include local authorities and local organisations.

Mitigations/Control had also been expanded to state that whilst there was a single year (2025/26) settlement for the sixth year in succession, the Government had indicated that it was looking towards having a multi-year settlement from 2026/27. 

·         The increased public use of AI, including by the Council’s external partners such as KCC. It was advised that in 2023 the Government added AI to their National Risk Register.

The Council had already identified AI as a risk which was reflected in the draft Corporate Risk Register as being much wider than increased public use via external partners such as KCC. The title of Risk 4 had been amended from ‘Cyberattack resulting in data breach or corruption of data’ to ‘Cyber security threats resulting in loss of system access, data breach or corruption of data’. It had also been made clearer in the triggers, consequences and mitigation/control.

·         Incorporating the risk from the Council’s Capital Programme and several large upcoming projects into the Register.

This had been incorporated into Risk 1: ‘On-going financial viability of the Council’.

The Cabinet was informed that a risk evaluation and analysis exercise was undertaken which had not identified any new high residual risks. The risk concerning implementation of the Elections Act 2022 had been removed as it was no longer deemed to be a high residual risk. 

The risks to be included in the 2025-26 Register were as follows: -

1.    Ongoing financial viability of the Council.

2.    Changes in national and regional priorities and legislative change.

3.    Organisational capacity/resilience.

4.    Cyber security threats resulting in loss of system access, data breach or corruption of data.

5.    Investment Risk.

6.    Adoption and delivery of sound Local Plan.

7.    STG Building Control Partnership – Licensing of Surveyors.

The Cabinet was informed that the draft Corporate Risk Register had been considered by the Finance and Audit Committee.  The Assistant Director (Corporate Services) advised that progress made against the actions in relation to each risk recorded in the Register will be monitored quarterly and progress information will be presented via a half yearly report to the Finance and Audit Committee.

The Leader acknowledged the risk in relation to AI, however stated that there was an opportunity for AI to be used effectively if managed and controlled. The Chief Executive advised that the Council’s Management Team also acknowledged that AI could be used internally, and that work was currently underway and would be reported to Members in due course.

Concern was expressed regarding the timing of the committee schedule in that the Finance and Audit Committee had considered the draft Register prior to the Cabinet and it was requested that the committee schedule be changed moving forwards to prevent this from happening in future years. The Assistant Director (Corporate Services) advised that this was being pursued and will be prevented in future years.

With regard to Local Government Devolution/Reorganisation, it was suggested that consideration be given to including this as a separate risk particularly as it was a significant change/risk. The Assistant Director (Corporate Services) advised that it had not been included as a separate entity within the draft Register for 2025-26 as it was not deemed to be an immediate risk as it would technically not be happening within the period of time covered by the 2025-26 Register however it would be reviewed as part of the half yearly report.

Resolved that the Corporate Risk Register that has been developed for 2025-26 be approved for submission to Full Council for formal adoption.