Agenda item

Corporate Risk Assessment 2023

Minutes:

The purpose of this report was to provide the Committee with an updated Corporate Risk Assessment 2023-24.


There are currently 11 risks on the Corporate Risk Register and every one of those risks has been reviewed by the Corporate Management Board.


Mitigating actions remain in place with no changes made to the categorisation of the risks since the review in January 2023.


It was noted at a previous meeting that Members wanted to see improvements in the presentation of the document. A new risk management software program is currently being tested, and this could improve the quality of the report so that targets, dates and action plans can be reviewed, and so that it is clearer where changes have been made to the corporate risk assessments. It is hoped that a new report will be available for Members when the Corporate Risk Assessment is next presented to the Committee.


As part of the process of highlighting the risks for Members, the Group Manager, ICT made a presentation on cybersecurity.


To highlight the importance of the issue, and a specific current concern, he drew attention to the fact that the Council’s email security gateway blocks 450 phishing emails per day.


Using the National Cyber Security Centre’s 10 Steps to Cyber Security to structure his presentation, he discussed issues as follows:


1. Risk Management – taking a risk-based approach to securing data and systems.

2. Engagement and Training – collaboratively building security that works for people in the organisation.

3. Asset Management – knowing what data and systems we have and what business needs they support.

4. Architecture and Configuration – designing, building, maintaining and managing systems securely.

5. Vulnerability Management – keeping systems protected throughout their lifecycle. It should be noted that a recent regional internal audit of this area of work received an audit opinion of substantial assurance.

6. Identity and Access Management – controlling who and what can access systems and data.

7. Data Security – protecting data where it is vulnerable.

8. Logging and Monitoring – designing systems to be able to detect and investigate incidents.

9. Incident Management – planning a response to cyber incidents in advance.

10. Supply Chain Security – collaborating with suppliers and partners.


In response to the presentation, a Member asked how we back up our systems. The Group Manager, ICT responded by saying the Council’s systems were run, day-to-day, out of the data centre in Bridgend, but the Council also has a co-hosting agreement with Rhondda Cynon Taff. All the Council’s data was held on a live synchronous backup at the Rhondda Data Centre.


Another Member discussed the issue of training and keeping up with developments such as AI, false QR codes, and the misuse of personal identities. The Group Manager, ICT responded by highlighting this was an ever-changing threat and that it is necessary to address the issue of how we educate staff about cybersecurity. He suggested he could speak to his line manager and the Chief Officer – Finance, Performance and Change to progress that and report back.


The Chairperson also drew attention to the issue of training and in particular, ensuring and evidencing that staff undertake it. He noted that some authorities withdraw access to computing facilities for staff that have not completed training. He also highlighted the issue brought to the Council’s attention by Audit Wales of cardboard boxes being left in the server room, causing a potential fire hazard.


A Lay Member highlighted the issue of business continuity in response to cybercrime, and the authority’s approach to the use of cloud computing, especially in respect of internal governance.


In response, the Group Manager, ICT noted that Cloud computing, like the use of Microsoft Teams for example, was utilised extensively by the Council, and the Welsh Government wants local authorities to adopt a Cloud-first approach to computing.


In terms of internal governance, the Council has a Digital Transformation Board to approve all new ICT systems. The proforma for proposing new systems asks if it is Cloud-based. The current Membership consists of officers, with representatives from every directorate. The Chief Officer – Finance, Performance and Change chairs it. It was suggested that the current membership could be circulated to Members.


In terms of how the Council would recover in response to a successful cybersecurity attack, the Group Manager, ICT emphasised there was an extensive business continuity plan.


The Chairperson concluded this item by asking if the Welsh Government, given it wants local authorities to be Cloud-based, is providing any extra grant funding to support that initiative. The Group Manager, ICT noted that grant funding was available, usually for innovative developments working with a partner, but anything the Council wants to do has to come out of its own budget.


The Chairperson thanked the Group Manager, ICT for delivering the presentation and answering the questions transparently.


A Member raised an additional issue, unrelated to the presentation, concerning the setting of a robust budget and the risks associated with that. In particular, he highlighted the governance issues surrounding the process and the fact that the Council does not have a policy to support councillors not affiliated with the Cabinet in putting forward recommendations or an alternative budget. He noted that he was a firm believer that all 51 councillors could come up with good ideas to help this authority set a balanced and robust budget, but that currently the authority does not have processes in place that would enable that to happen.


In response to this, the Chief Officer – Finance, Performance and Change agreed that it was a risk if not all Councillors had the opportunity to comment on what is being done. Work is ongoing to see what can be done to support political groups if they want to put forward budget proposals. Part of the difficulty is the resource and capacity that officers have to do that, as well as timing; currently there is not the capacity to support all fifty-one members if they all wanted to put forward their own budget proposals. She sought to reassure the Member that the issue was being addressed.


The Chairperson suggested there were issues here for the Monitoring Officer and governance issues in regard to the Constitution of the authority. He hoped Members would allow the Chief Officer – Finance, Performance and Change to find a resolution to this issue.


Another Member spoke in support of the view that proper officer support should be made available for alternative budgets. The Constitution is clear that opposition groups are entitled to submit alternative budget proposals and that they should have appropriate officer support for doing so. Currently, there is a disconnect between what the Constitution allows to happen and the practicalities of making it happen.

RESOLVED:


The Committee considered and noted the Corporate Risk Assessment 2023-24 (Appendix A).

Supporting documents: