Agenda and minutes

Councillor Bonham substituted for Councillor Joel.

Councillor Russell substituted for Councillor Clarke.

Councillor Chauhan substituted for Councillor Rae Bhatia.

There were no declarations of interest.

The minutes of the meeting held on 11 February 2025 are attached and Members will be asked to confirm them as a correct record.  

RESOLVED:

That the minutes of the meeting of the Governance and Audit Committee held on 11 February 2025 be confirmed as a correct record.

The Director of Corporate Services submits the Strategic and Operational Risk Registers to the Governance and Audit Committee.

The Governance and Audit Committee are recommended:

·         To note and make any comments on the latest versions of the SRR and ORR, as provided.

·         To note and make any comments on the proposal of reporting Strategic Risks at Appendix 1c.

The Director of Corporate Services submitted and presented the Strategic and Operational Risk Registers to the Governance and Audit Committee.

Points highlighted included:

• The report considered updated the status around operational and strategic risk.
• The risk control action plans are not included in the report but exist and are maintained by the respective risk owners.
• No new strategic risks had been identified during this review. Of the 14 strategic risks identified, 13 had remained the same risk score as the previous cycle. 
• It was noted that future iterations of the report would aim to explicitly demonstrate how risk controls relate to the strategic risk profile.
• The second part of the report that was presented was the operational risk register. Four risk scores had changed. Two of the risks were reduced, scoring below 15 so were removed from the operational risk register but retained within the respective divisional risk register. Two risks remained high after re-scoring and one new risk had been added.
• A risk that was removed was ‘the inability to deliver savings’ within Adult Social Care’. The risk score had now reduced to eight. 
• Another risk removed was around Children’s Social Care and Community Safety, in relation to a potential reduction of service due to savings.
• The risks still rated ‘High’ included the budgetary risks and the use of data. The budgetary risk for Public Health had now reduced to 16, attributed to increased certainty from the Public Health Grant.
• The risk around the use of data increased to 20, due to restructuring around services which had affected the access to critical information.
• The new risk related to Post-16 SEND home-to-school transport was rated high at 16.

Members sought further clarification and raised the below points:

• A query was raised regarding the presentation of strategic risks and risk controls. It was noted that in future reports, the impact of controls would be considered to demonstrate their effectiveness.
• In response to a query about the detail around strategic risks, it was clarified that in previous reporting, risk controls in place for Strategic Risks were presented to the committee. A consideration for future reporting is that some information could be sensitive and would be required to be considered in private session if it was brought to the Committee.
• With regard to a query on the Post-16 SEND home-to-school transport risk, it was proposed that a discussion around the proposal, options and timescale would be more appropriately considered by the Children, Young People and Education Scrutiny Commission.
• Members were informed that the Operational Risk Register process is covered in corporate risk training.
• A question was raised about what is captured in the ‘cost of risk’ which included the cost of current controls, the cost of the target controls, and the potential impact if the risk materialised. It was noted the financial risk can be difficult to accurately to predict. 
• In response to a query about political risk, it was expected that the organisation would have wider conversations on local government reorganisation, following  ...  view the full minutes text for item 4.

The Director of Corporate Services submits the Corporate Risk and Business Continuity Policies and Strategies reports to the Governance and Audit Committee.

The Governance and Audit Committee is recommended:

·         That the updated Corporate Risk Management Policy Statement and Strategy (appendix 1) be noted.

·         That the Corporate Business Continuity Management Policy Statement and Strategy (appendix 2) be noted.

The Director of Corporate Services submitted and presented the Corporate Risk and Business Continuity Policies and Strategies reports to the Governance and Audit Committee.

Points highlighted included:

• There was a focus on better alignment with the risk and governance structure and having ownership of risk.
• Divisional Risk Registers (DRR) exist, and periodic updates are made to the management team to ensure that are current and that the process is embedded and implemented
• There is an annual training schedule in place for staff who will be, or are, completing risk assessments.
• In terms of assurance, the risk policy statement and strategy were aligned with national risk management standards and Council practice compared well against the industry standard.
• In terms of business continuity, recent events indicate that Council processes are robust and effective in responding to internal incidents.  However, it is crucial to maintain delivery of critical services and as such business continuity plans needed to be robust, tried and tested.
• It is important to have response plans in place to meet requirements under the Civil Contingencies Act as a Category 1 responder.
• A professional standard is implemented to meet best practice.
• A key focus for next year is to review the Business Continuity Plan (BCP) Template and for critical services to update their BCP’s and their respective business impact analysis. In addition to this to   test Critical Services BCPs with Risk, Emergency and Business Resilience facilitating these.
• Each Director self-certify annually that they have BCPs in place for all their services and they are reviewed periodically, updated and tested.
• It is necessary to embed good BCPs and risk management to meet governance requirements and obligations under the Civil Contingencies Act of 2004.  Implementation of these two disciplines looks favourable with insurers.

Members sought further clarification and raised the below points:

• In response to a queried how the operational risks associated within social work and case management were factored into the overall risk register and risk management processes. It was clarified that this was a specific for the divisional area to consider the day-to-day risk and was significant enough to be reflected in the divisional risk register.  Additionally, the Committee were informed that council-wide corporate training is offered so staff understand what to consider process related in identifying and assessing risk.
• It was further noted that risk level is reduced when officers/staff have on the job professional training and safeguards are in place.

RESOLVED

That the updated Corporate Risk Management Policy Statement and Strategy (appendix 1) be noted.

That the Corporate Business Continuity Management Policy Statement and Strategy (appendix 2) be noted.

The City Barrister and Head of Standards submits the Regulation of Investigatory Powers Act 2000

Bi-Annual Performance Report July 2024 – December 2024 to the Governance and Audit Committee.

The Governance and Audit Committee is recommended to:

·         Receive the Report and note its contents.

·         Approve the proposed amendments to the Council’s Surveillance Policy.

·         Make any recommendations or comments it sees fit either to the Executive or to the City Barrister and Head of Standards.

The City Barrister and Head of Standards submitted the Regulation of Investigatory Powers Act 2000 (RIPA) Bi-Annual Performance Report July 2024 – December 2024 to the Governance and Audit Committee. The Principal Lawyer presented the report.

Points highlighted included:

• There had been no use of RIPA since the last update and no access to communications data.
• The Council had been inspected by the Investigatory Powers Commissioners Office (IPCO) as was due every three years. This was a paper-based exercise, and questions had been responded to. The outcome had been positive. Recommendations were made for minor amendments to the Council’s Surveillance Policy. But they were satisfied with the Council’s compliance and the next inspection would be in 2028.
• The proposed amendments to the Surveillance Policy were noted in the report.
• In the final recommendations from the IPCO, it was recommended that the Council continues to train its staff on RIPA. This is primarily due to the risk factor that staff may engage in activity that may fall under RIPA without being aware.
• Other assurances were set out in the report.

Members sought further clarification and raised the below points:

• In response to a query around how RIPA was reported and what constituted covert surveillance, it was reiterated that the report stated that there were no authorisations for direct surveillance or communications data between July and December 2024.  However, the need to awareness and training was recognised so as to ensure officers understand the legal boundaries on what is and is not permitted under RIPA.  It was further clarified that if people were made aware that they were under surveillance, it did not fall under the scope of RIPA.
• It was confirmed that external trainer would be engaged to deliver. training. This would include the use of case studies, both fictional and those from legal cases/case law to improve understanding
• Examples of situations where RIPA could be used included trading standards, whereby officers could go under-cover in workplaces.  While test purchases could typically be done without RIPA authorisation, if the operation involved covert surveillance, it would fall under the remit of RIPA.
• In response to a query on surveillance of Council houses, the Principal Lawyer advised that they were not aware of any such cases, However, but it was acknowledged that it was necessary to be mindful that any covert or undercover activity relating to Council houses would be subject to RIPA requirements.  Regarding Right to Buy applications, checks were carried out by the Council to confirm the source of funds and the identity of the purchaser, but these checks are not conducted covertly and are not considered surveillance and therefore do not fall under RIPA.
• In response to a query about potential uses of RIPA, it was suggested following the upcoming training, opportunities to use RIPA more effectively could be explored. An update on this could be included in the August update.

RESOLVED

The Governance and Audit Committee:

•      Received the Report and note its contents.

•      Approved the proposed amendments  ...  view the full minutes text for item 6.

The Director of Finance submits the Internal Audit Work Progress Report 2024/25 and the Internal Audit Work programme 2025/26 to the Governance and Audit Committee.

The Governance and Audit Committee is recommended to:

·         Note the progress made in delivering the 2024/25 internal audit work programme, and current delivery intentions over the remainder of the year.

·         Approve the 2025/26 internal audit work programme.

The City Barrister and Head of Standards submitted the Regulation of Investigatory Powers Act 2000 (RIPA) Bi-Annual Performance Report July 2024 – December 2024 to the Governance and Audit Committee. The Principal Lawyer presented the report.

Points highlighted included:

• There had been no use of RIPA since the last update and no access to communications data.
• The Council had been inspected by the Investigatory Powers Commissioners Office (IPCO) as was due every three years. This was a paper-based exercise, and questions had been responded to. The outcome had been positive. Recommendations were made for minor amendments to the Council’s Surveillance Policy. But they were satisfied with the Council’s compliance and the next inspection would be in 2028.
• The proposed amendments to the Surveillance Policy were noted in the report.
• In the final recommendations from the IPCO, it was recommended that the Council continues to train its staff on RIPA. This is primarily due to the risk factor that staff may engage in activity that may fall under RIPA without being aware.
• Other assurances were set out in the report.

Members sought further clarification and raised the below points:

• In response to a query around how RIPA was reported and what constituted covert surveillance, it was reiterated that the report stated that there were no authorisations for direct surveillance or communications data between July and December 2024.  However, the need to awareness and training was recognised so as to ensure officers understand the legal boundaries on what is and is not permitted under RIPA.  It was further clarified that if people were made aware that they were under surveillance, it did not fall under the scope of RIPA.
• It was confirmed that external trainer would be engaged to deliver. training. This would include the use of case studies, both fictional and those from legal cases/case law to improve understanding
• Examples of situations where RIPA could be used included trading standards, whereby officers could go under-cover in workplaces.  While test purchases could typically be done without RIPA authorisation, if the operation involved covert surveillance, it would fall under the remit of RIPA.
• In response to a query on surveillance of Council houses, the Principal Lawyer advised that they were not aware of any such cases, However, but it was acknowledged that it was necessary to be mindful that any covert or undercover activity relating to Council houses would be subject to RIPA requirements.  Regarding Right to Buy applications, checks were carried out by the Council to confirm the source of funds and the identity of the purchaser, but these checks are not conducted covertly and are not considered surveillance and therefore do not fall under RIPA.
• In response to a query about potential uses of RIPA, it was suggested following the upcoming training, opportunities to use RIPA more effectively could be explored. An update on this could be included in the August update.

RESOLVED

The Governance and Audit Committee:

•      Received the Report and note its contents.

•      Approved the proposed amendments  ...  view the full minutes text for item 7.

The Director of Finance submits the Annual Review of the Council’s Local Code of Corporate Governance to the Governance and Audit Committee.

The Governance and Audit Committee is recommended to approve the Local Code of Corporate Governance 2025/26, at Appendix 1.

The Director of Finance submitted the Annual Review of the Council’s Local

Code of Corporate Governance to the Governance and Audit Committee. The Director of Finance presented the report.

RESOLVED

The Governance and Audit Committee approved the Local Code of Corporate Governance 2025/26, at Appendix 1.

The Director of Finance submits the Finance Update – Final Accounts Processes report to the Governance and Audit Committee.

The Governance and Audit Committee is recommended to note the report. 

The Director of Finance submitted the Finance Update – Final Accounts Processes report to the Governance and Audit Committee. The Director of Finance presented the report.

Points highlighted included:

• The report followed up on the last meeting with the annual accounts at which external auditors had concerns on the valuation figures.
• The report therefore focussed on improving processes, including outsourcing the valuation process, as well as training and resourcing teams. The Chief Accountant had worked on getting the right resources in the corporate team.

RESOLVED

The Governance and Audit Committee noted the report.

The Director of Finance submits the Governance and Audit Annual Report 2024/25.

The Governance and Audit Committee is recommended to approve this report for submission to the Council, subject to any amendments that it may wish to make.

Council is recommended to receive this report.

The Director of Finance submitted the Governance and Audit Annual Report 2024/25. The Director of Finance presented the report.

It was noted that this was an annual report that would go to Full Council and confirmed activities and that the terms of reference were complied with.

RESOLVED

The Governance and Audit Committee approved this report for submission to the Council, subject to any amendments.

Council is recommended to receive this report.

The Committee is recommended to note progress on actions agreed at the previous meeting and not reported elsewhere on the agenda (if any).

The Committee noted the Action Tracker.

The meeting was declared closed at 18:37 as there was no other urgent business.