Agenda item

Risk Management: Chief Executive and Deputy Chief Executive Departments

Minutes:

Mark Scrivener (Head of Risk & Delivery Assurance), Alison Petters (Risk & Delivery Assurance Manager) and David Whittle (Director of Strategy, Policy, Relationships and Corporate Assurance) were in attendance for this item.

 

1.      Mr Gough highlighted the strategic risks that had impacted each respective directorate’s portfolios. The additional risk of CRR0065 related to the implementation of the Oracle cloud programme was noted as having reached a critical phase of implementation.

 

2.      Further to questions and comments from Members, the discussion covered the following:

 

        In response to the queries raised against the medium risk rating for CRR0065 – implementation of the Oracle Cloud Programme, given the significance of its implementation, officers advised that implementation of a not-fit-for-purpose system would score highly in terms of risk. There were, however, mechanisms in place and extensive testing to ensure that was mitigated at all costs. For this reason, the risk was rated as medium. However, the risks did not capture the cost of the programme, and this would require a separate risk rating and further conversations should additional funding be required to support the successful implementation of the programme.

 

        With regard to the high-risk rating for CRR0053 and the associated policy that had facilitated this originally, it was asked if the new policy was able to mitigate a repeat of the issues that had previously been observed. Mrs Spore explained that the previous asset management strategy of warm, safe and dry (WSD) past implementations. It was stated that increased maintenance would not exceed the current WSD strategy. Commitment to key buildings would adhere to statutory regulations. No significant undertakings of maintenance work across the KCC estate would occur. Mrs Spore emphasised the budgetary challenges that had been faced in clearing the backlog of maintenance issues.

 

        As to whether the upcoming targeted move from the strategic headquarters had been captured on the risk register, officers clarified that the report had only captured a top-level risk view. Future asset management risks had covered some aspects relating to the move from SHQ. Mr Scrivener confirmed that he would be happy to discuss further with officers and members if required.

 

        In response to concerns raised regarding risk CRR0009 and the wording that had been used in regard to the proposed funding from central government, officers acknowledged the concern and added that the metric discussed had remained static at its highest level for a notable period of time. The associated wording for the risk discussed had not reflected current funding concerns.

 

        Members enquired about the current risks around cyber security and the impacts KCC had faced. Further queries were raised in relation to staff training on cyber risks and whether mechanisms were in place to measure success rates. Supply chain compromises with third-party partners such as Microsoft and Oracle were also discussed, as was how current data was stored geographically. The Chair deferred the question to item 20 on the agenda, ‘Cyber Security Update’, which would be held in closed session and from which the press and public would be excluded on the grounds that it involves the likely disclosure of exempt information as defined in paragraph 3 of part 1 of Schedule 12A of the Act.

 

RESOLVED to consider and comment on Risk Management: Chief Executive and Deputy Chief Executive Departments.
