Whilst far from a comprehensive list of risk scenarios a council will face, below are a few of the most significant. The types of risk issues within each scenario are not intended to be a complete list: each council’s context and way of working will have a bearing on what the risks are.
Partnerships, collaborations, and shared services risks
These present a different risk profile and exposure where the council is not necessarily in complete control and is therefore reliant upon others to engage and share in the objectives. Such arrangements need clarity, openness, and good information. How mutual risks are identified and managed should be a key element of the guiding governance arrangements of the partnership. At the outset, there needs to be a risk-based approach in building the right governance structures and shared ownership. Creating an initial risk register for the establishment of a partnership arrangement could be useful.
The key risks or threats to effective partnership working are:
- poor or waning partner engagement and commitment
- scope or goal creep
- one dominant partner taking over
- poor information sharing and openness
- disputes arising from poor performance
- expectations of external funder not being met
- lack of agility to change course or respond to changed circumstances
- not knowing when it might be best to end the partnership
- poor communication within and outside the partnership.
This warrants inclusion on the strategic risk register as an area of strategic focus requiring continuous assurance.
Projects and programmes risks
These can range significantly in overall size, complexity, cost, timeframe, and methods of delivery, and so there is no ‘one size fits all’ approach to managing risks in projects and programmes. However, there are some standard areas of risk that are worth considering:
Scope creep: A type of project risk that occurs when tasks are added to the project scope without the proper approval of the project management team, causing the scope to grow without control, which has a direct impact on the project schedule and budget.
Performance risk: This occurs whenever work is not progressing as expected, and deliverables and milestones are not accomplished. This can compromise project completion as more resources are potentially needed to complete the project plan.
Financial or cost risk: This occurs when the project goes over the budget initially set. Cost risk can occur because of an unrealistic budget or lack of detailed budgeting in the project planning phase and then subsequent poor financial control, procurement, and supply chain management.
Schedule risk: This is the risk of individual tasks in the project taking longer than expected. Delayed task timelines often impact other things like the budget, completion date or overall performance. This is probably the most common risk in projects, particularly where there are many participants, and understanding the dependencies and scheduling carefully is critical. Project plans are also often over-optimistic, or have unrealistic timescales set by senior management or external funders, for example.
Resource risk: This occurs if insufficient resources have been allocated to complete the project. Resources may include time, skills, money, or tools. Again, along with the project timeline, the resources needed are often underestimated.
Operational changes: This involves unplanned changes such as changes in project staffing, changes in senior management, structure changes, savings requirements, or new processes. Such changes can create distractions, require significant adjustments in workflows, and ultimately impact project timelines.
Lack of clarity: This may come in the form of miscommunication from stakeholders, vague project scopes, or unclear deadlines. The result can be a lack of visibility due to siloed work, going over budget, falling behind project deadlines, changing project requirements, having to change project direction, or disappointing project outcomes.
Often there is great expectation from a project or programme and therefore there is even more pressure for it to be successful in all respects – to deliver its intended benefits, to time and to budget. The biggest single risk to projects and programmes is to underestimate and under-resource the oversight needed.
Project and programme risks, and any major projects or programmes, should also be considered for inclusion on the strategic risk register, regardless of the inherent risk, as an area requiring continuous assurance.
Procurement and contract management risks
A large and increasing proportion of council spend is through contracts in some shape or form. This highlights the importance of ensuring procurement and contract management are efficient and effective, to deliver value for money, maximise added social value and consider environmental factors (to name three critical areas). This is another category of risk that needs careful consideration and assurance.
The council will have specialist procurement staff and contract managers to advise and deal with the strategic and operational aspects, but it is also critical that leaders have an awareness that the key risk areas are being identified and managed appropriately.
The key procurement risks include:
- inaccurate internal needs analysis and specification writing
- poor vendor sourcing – not ‘casting the net’ wide enough
- cartels and price-fixing and other fraud
- ineffective supplier and vendor onboarding
- inadequate vendor management
- price instability
- resistance to digitalisation leading to poor e-procurement adoption
- supply chain disruptions
- manual procurement processes
- inaccurate forecasting and contract planning
- weak compliance and compliance management
- budget overspends (and underspends)
- talent shortage
- inefficient contract management.
Internal audit and the audit committee should be reviewing the overall arrangements to manage these risks to provide senior management with the necessary assurances. There should also be specific assurances provided for individual and major procurements which are often associated with new IT systems, long-term maintenance, or outsourcing contracts. These carry a higher risk should they fail to deliver the intended outcomes.
Fraud risks
Fraud risk, unfortunately, is an ever-present issue. The profile of fraud is now significantly technology driven or e-enabled with organised crime groups targeting councils as perceived soft targets. Attempts at bank mandate and impersonation fraud are common and so particular attention is needed to have robust vendor checking and layered controls in the ‘procure to pay’ process. There have been cases of significant frauds against councils and other public sector organisations. The increasing use of AI to commit fraud presents a particular threat.
The insider threat has not disappeared of course, and fraud opportunities can emerge particularly where layers of supervision and management have been removed. The financial pressure that individuals and families are under can also give rise to fraud risks. Effective supervision and management may perhaps be harder when staff are working remotely. A new area of fraud risk emerging from the agile approach to work is duplicate employment. This is when someone is employed in two or more places and does not disclose the fact to the other(s), and because they are not required to attend the place of work at all, or only infrequently, effectively gets paid twice for the same time. Again, there are cases of this occurring in councils.
Most councils will have an anti-fraud team, perhaps linked to internal audit. They should be prompting fraud risk / vulnerability assessments periodically (and as part of the process to prepare the annual governance statement) to raise awareness amongst management, particularly of where the fraud risks lie.
A suite of easy-to-understand anti-fraud policies, procedures and training are the basic risk mitigations. These should be reviewed regularly, and awareness tested. Having an accessible whistleblowing / confidential reporting process is another key element of tackling fraud and other irregularities. This policy should be well communicated, and its use reported to the audit committee at least annually to give assurances of its effectiveness. The overall risk culture should support openness and an empowered workforce who are able and encouraged to speak up.
This is another wide-ranging area of risk and can touch any part of the council. What is important from a leadership assurance perspective is that the audit committee are looking at the corporate arrangements for preventing fraud, and that if a suspected fraud occurs, an investigation has been undertaken and any lessons from the incident communicated widely. The anti-fraud team should also be proactive in ensuring there is accessible training for general fraud awareness and developing role-specific fraud training in areas like procurement, contracting, payments, cash handling, benefits and other claims, grants, and physical assets.
There is an obvious public expectation and a duty on councils to protect public funds and resources. Ensuring there is continuous senior management oversight of fraud risk by its inclusion on the strategic risk register would be an effective way to keep this important area visible.
Cyber and IT risk
This area of risk has links and an overlap with fraud. However, what poses an equally significant threat to councils is the risk of disruption to systems, denial of service, viruses, hacking, and ransomware. There have been several incidents where councils have been rendered inoperable for weeks and even months because of a cyber-attack with the costs of recovery rising to millions of pounds: unfortunately, it is probably a matter of ‘when’ rather than ‘if’ an attack is successful.
This requires a strategic approach, and councils need to invest in cyber protection and resilience. This adds an additional element to risk management, a focus on business continuity and resilience, with consideration of how best to respond and deal with an incident occurring. One risk mitigation is cyber-attack simulations, an effective way to test a council’s arrangements and generate better awareness of the threat.
A range of technical risk mitigations will inevitably be in place. To obtain assurance about the effectiveness of these mitigations, senior management, the audit committee, and the executive should all receive regular briefings on the council’s cyber resilience measures and particularly its response to any attacks. There should be a designated Senior Information Risk Officer (SIRO) and a Chief Information Security Officer (CISO), as well as the Data Protection Officer (DPO), who together should provide the necessary assurances about cyber, IT and information risk management.
This is another area of council threat that will never go away, and so should feature on the strategic risk register as another area requiring continual oversight and assurance.
It is sometimes helpful to consider potential risks in terms of their general category. Annexe 3 provides a list of risk categories typically used in the identification of risks.