Controls in place
These are some of the key activities that officers undertake to mitigate the risk. They do not constitute MVDC internal procedures and may be amended to reflect the assessed risk level.

There is a risk, due to the national economic climate, action taken in response to Local Government Reform and the forthcoming review of local government finance,  that the Council is unable to balance its budget, without impacting significantly on service delivery and performance. This is in the context of a medium term future which may well include:

– A significant loss of government funding as a result of a review of local government finance

– Material costs of refurbishment of some Council assets

– Re-tendering/mobilisation of a number of Council services which were last re-let when market conditions were very favourable to the Council

– Contract disputes leading to significant costs to the Council

– A significant short / medium term impact of pay / price inflation and higher interest rates

– Rising demand for services, such as homelessness

Please also see Risk C11 on Asset Management, Development and Disposal

Inherent risk level (no controls)

Probability: 4

Impact: 5

Risk score: 20 (red)

Controls in place at MVDC

– Maintaining robust budget monitoring and, if appropriate, corrective action to ensure spending is in line with the Budget

– Robust re-procurement procedures and contract management arrangements in place

– Transformation savings plan in place for 2024/25, with proactive monitoring and reporting of savings realisation to the Strategic Leadership Team and as part of the regular Business and Budget monitoring reports to Cabinet

– Transformation programme developed for 2024/25 onwards with a variety of projects and actions identified to achieve the majority of savings required in the MTFP. On-going work to identify actions to achieve the residual savings is in progress as part of contingency planning for future years

– Long Term Financial Strategy and Medium Term Financial Plan in place

– Work with other Surrey local authorities and other local authority representative bodies to lobby Central Government to address local government financial resilience

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 3

Impact: 2

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Finance)

Risk owner – Officer

EHoS – Resources

Rents from our investment property portfolio are a key source of income and the capital value of the property is a significant asset on the Council’s balance sheet. This risk is informed by a number of factors including the national economic climate; uncertainty in the property and financial markets; recent government budget changes (e.g., to national insurance); potential reform (or lack of reform) of business rates; material changes in the way of doing business such as online shopping and hybrid working.

Factors that can increase the risk are:

• Loss of rent and reduction of income to MVDC (e.g. tenants struggling to pay their rent; tenants not renewing their leases or exiting leases early, leading to a rise in empty premises and void periods; the need to provide incentives to attract new tenants)
• Inability to maximise income to the Council through reviewing rents at appropriate rent review dates within leases (including those with ‘time is of the essence’ clauses)
• A reduction in the capital value of the assets on the council’s balance sheet, and (for assets funded by borrowing), the value of the asset no longer being sufficient to repay the remaining debt, resulting in a potential additional MRP charge to the Council’s revenue account
• Inability of MVDC’s commercial  assets to achieve an Energy Performance Certificate B rating by 2030 (as stated by the previous government). Without that rating it may difficult or impossible to let previously tenanted properties.

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Proactive, rational and flexible approach to rent negotiations (rent reviews) and service charge liability

– Proactively seeking new lettings and maximising income from existing assets, or pursuing change of use / disposal strategy

– Good understanding of the local property market and national movement across all sectors

– Positive relationship with tenants and Swan Centre Managing Agents

– Asset Managers confirm that demands have been received 2 weeks prior to the quarter day, then chasing payment after the quarter day on a weekly basis as a minimum, referring to legal at week 4 if the payment is still outstanding

– Performance management of rental income reported to Cabinet in Business and Budget monitoring reports

– Proactive engagement with tenants identified to be at risk (factors include covenant deterioration, payment history and business sector)

– Regular monitoring of aged debt to identify any pattern in non-payment

– Payment plans put in place for tenants who are in arrears

– Proactively seeking rent deposits and/or guarantors where possible for new lettings

– Monitoring of tenant covenant strength in relation to AIS properties and annual review of investment assets for market intelligence to manage associated risk

– Asset Managers maintain EPC records for commercial buildings and, where poor energy performance is likely to impact lettings under MEES, produce property specific management plans identifying actions required to address

– Oversight of property portfolio to ensure balance of risk regarding current and future rental income and regular reporting to Corporate Governance Board

-Use of property advisors to provide guidance on hold strategy

-Internal audit, CIPFA review of asset management and completion of agreed actions to joint Audit and Scrutiny Committee (January 2025)

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

Up

Target risk level

Probability: 2

Impact: 3

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Property and Projects)

Risk owner – Officer

EHoS – Resources

MVDC needs to provide services in a safe manner that protects the health and safety not just of its employees but also members of the public, trainees, contractors, Members and those who undertake work on behalf of MVDC. If we fail to have good Health and Safety arrangements in place, this could lead to loss of service and / or preventable accidents to and ill health of staff, contractors, public or others affected by our undertakings. This is of particular importance due to the nature of some of the services we provide to the public and vulnerable people.

This risk is informed by:

• Compliance with Health and Safety at Work Act
• Public duty

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– Corporate Health and Safety Policy, arrangements and procedures in place and regularly reviewed / audited

– Regular spot check reviews of health and safety arrangements by Health and Safety consultant

– Regular meetings of H&S Group, who escalate any concerns to Corporate Governance Board

– Health and Safety action plan in place

– Employee induction includes focus on Health and Safety and all employees provided with Health and Safety Guidance

– Training in place for new and existing employees with specialist training provided as required

-Organisational stress risk assessment in place and reviewed annually

– Health and Safety risk assessments in place for all service areas and regularly reviewed

– Lone working procedure in place for all service areas with bespoke arrangements in relation to individual business areas

– Effective management/inspection of property and land assets

– Health and safety integrated into procurement processes

– Arrangements with partner organisations/contractors to ensure appropriate Health and Safety requirements are in place

Residual risk level (after existing controls)

Probability: 2

Impact: 4

Risk score: 8 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 2

Impact: 4

Risk score: 8 (amber)

Risk owner – Member

Cabinet Member (Internal Services and Security)

Risk owner – Officer

Deputy Chief Executive

MVDC typically blocks thousands of malicious attempts daily to access MVDC systems and data. The majority are blocked by technical measures. The most significant contributor to this risk is that MVDC employees and members may, for example, inadvertently click on malicious links or attachments in Phishing emails.

If we fail to secure the Council’s accounts and data there is a risk of loss and data protection issues; this could lead to the Council not being able to deliver services, financial cost of rebuilding and ICO fines, and reputational damage.

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– ICT Security Policy in place and regularly updated

– Access to systems and data is strictly controlled and data is held securely in order to ensure it is only available as permitted and not at risk of loss or compromise

– Regular testing of the ICT security perimeter (firewalls), monitoring for new vulnerabilities of systems and a cycle of ensuring all system versions are up to date is in place. Quarterly review, and if required housekeeping, of Firewall rules

– Regular patching cycle of server and desktop infrastructure, and also monthly review of security systems (Proxy server, firewalls, switches, backup software, HCI software)

– Risk assessment on basis of industry knowledge and government information provided by the National Cyber Security Centre

– Regular mandatory Cyber security awareness training for all Council Officers. Extended on a voluntary basis to Councillors

Residual risk level (after existing controls)

Probability: 2

Impact: 3

Risk score: 6 (green)

Movement of residual risk since last review

None

Target risk level

Probability: 2

Impact: 2

Risk score: 4 (green)

Risk owner – Member

Cabinet Member (Property and Projects)

Risk owner – Officer

EHoS – People

MVDC needs to make sure that its IT staff and IT systems are available to deliver the services for which it is responsible.

If we fail to do this, there could be a major breakdown and disruption of systems that leads to an inability to deliver key services.

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

–  Automated centralised back-up of data and systems is in place should a systems or data recovery be needed. Off-network data backup regime implemented, including MVDC data held in the microsoft cloud

– On-site arrangements in place for physical environment

– Secondary data centre fully established at specialist data centre hosting facility and now made to be the primary site for council servers

– Disaster Recovery arrangements in place

– All staff have laptops

– Strategic workforce plan in place to ensure business continuity and succession planning

– Streamlining and integration of on-premise systems

Residual risk level (after existing controls)

Probability: 1

Impact: 2

Risk score: 2 (green)

Movement of residual risk since last review

None

Target risk level

Probability: 1

Impact: 1

Risk score: 1 (green)

Risk owner – Member

Cabinet Member (Property and Projects)

Risk owner – Officer

EHoS – People

MVDC needs to make sure that personal data is secure and only processed in accordance with the relevant legislation and that an individual’s right to privacy is protected.

If we fail to effectively act on and embed standards and procedures that enable us to do this, this could lead to distress and harm for data subjects, a loss of public trust, financial penalties to the organisation, or other regulatory action as imposed by the Information Commissioner’s Office

This risk is informed by a number of issues, including:

• Potential data protection breaches, misuse of private information, breaches of European Convention of Human Rights (Article 8) and breaches of confidence enabling access to confidential data
• Loss of data, including as a result of malicious cyber security attacks (Ref:C4b, Risk of Hacking)

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– Data Protection Policy approved by Council and updated periodically

– Data protection training and updates for new and existing staff

– Member Training on responsibilities under appropriate Code of Conduct, including data protection, for new and existing Members, and training video on MOSS

– Certification obtained on disposal of confidential information

– Information Asset Register in place for each service

– Records Retention Policy and schedule in place and implemented

– Data sharing protocols in place and implemented

– Data protection procedures in place to for all new projects and processes

– New software systems functionality and use evaluated for GDPR compliance

– Procedures in place for compliant use of email by staff/Members and document management arrangements

– Procedures in place to ensure that personal information is not inadvertently made available in the public domain

– Statutory Data Protection Officer and Deputy in place

– GDPR guidance in place to reflect move to hybrid working

– Data security threats (e.g through phishing) addressed in C4b (risk of hacking) controls

Residual risk level (after existing controls)

Probability: 2

Impact: 2

Risk score: 4 (green)

Movement of residual risk since last review

None

Target risk level

Probability: 2

Impact: 2

Risk score: 2 (green)

Risk owner – Member

Cabinet Member (Internal Services and Security)

Risk owner – Officer

EHoS – Commercial

If we fail to ensure that the organisation continues to have the capacity to achieve the priorities in the Annual Plan, deliver the Transformation Programme and ensure the effective delivery of services, this could have serious implications particularly in relation to statutory services ultimately leading to service failure and/or significant additional financial implications.

A significant factor that will affect this risk is Local Government Reform.

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Council Strategy 2024-28 approved to assist with prioritisation from April 2024, including development of Annual Plan and Business Plans

–  Up to date workforce data available to Business Managers to enable effective management of workforce, inform business planning,  and the appraisal process

– Transformation Programme in place supported by a Workforce Strategy,  to review functions, tasks and processes across the Council to ensure that  we are resourced to deliver services at lower cost

– Governance arrangements in place to provide organisational oversight, enabling re-prioritisation of  tasks and available resources where appropriate, including bespoke detailed analysis where potential issues are identified

– Effective arrangements in place regarding recruitment and retention which are kept under review. This includes feedback from staff surveys

– Controlled use of interim staff to cover business critical posts for short periods of time

– Annual review of cost of living increase award to ensure it is both affordable and reflective of additional pay inflation, including comparison with other authorities

-Regular staff survey and implementation of action plan arising from feedback

Residual risk level (after existing controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 2

Impact: 4

Risk score: 8 (amber)

Risk owner – Member

SLT (Head of Paid service has delegated responsibility in the constitution for staffing matters)

Risk owner – Officer

Chief Executive

MVDC needs to ensure that all employees are aware of the organisation’s responsibilities in relation to safeguarding children and vulnerable adults.

This means being able to identify signs of concern and knowing when to share information and to report those. It also means ensuring that employees follow safe practice when delivering services. Due to the impact of ongoing economic uncertainty, more people continue to be vulnerable to changes in circumstances, financial or otherwise.

MVDC also needs to ensure that there is an appropriate response in place in the event of a Domestic Abuse Related Death Review or involvement in a Child Safeguarding Practice Review or a Safeguarding Adults Review.

Failure to fulfil our responsibilities in relation to identification of safeguarding risk could delay referrals for early intervention and lead to significant harm or death of a child or vulnerable adult and the potential ensuing legal action and reputational damage for the authority.

Inherent risk level (no controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Controls in place at MVDC

– Policies and procedures for safeguarding in place and reviewed as appropriate

– On-line referral forms in place for children’s single point of access (CSPA) and via the SCC portal for multi-agency safeguarding hub (MASH) to track and follow up on concerns raised

– Procedures in place for Mole Valley Life services including Telecare and the Community Responder Service

– All employees undertake foundation level awareness training for safeguarding and new employees undertake this as part of their induction

– Enhanced level safeguarding training undertaken by relevant staff as identified according to their responsibilities

– Safeguarding forms part of the Terms of Reference of the Corporate Governance Board, including presentation of annual referral analysis

– Annual undertaking of S11 audit from Children’s Safeguarding Board, and involvement in Adult Safeguarding Board Quality Assurance activity

– Representation on the Surrey Adult Safeguarding Board, the Children’s Partnership Executive Group and the Safeguarding Lead officers Group

– Involvement in Surrey Lead Member and Lead Officer group chaired by SCC Cabinet lead Member

– Procedures in place for conducting Domestic Abuse Related Death Reviews, working with a central co-ordination team at Surrey County Council. Involvement in Domestic Abuse Related Death Oversight Group

– Safeguarding procedures in place in relation to the Homes for Ukraine scheme as set out in government guidance

Residual risk level (after existing controls)

Probability: 2

Impact: 2

Risk score: 4 (green)

Movement of residual risk since last review

None

Target risk level

Probability: 1

Impact: 2

Risk score: 2 (green)

Risk owner – Member

Cabinet Member (Community Services)

Risk owner – Officer

EHoS – Community

In declaring a Climate Emergency, MVDC has recognised the current environmental tipping point and is working towards being carbon neutral by 2030.  MVDC is committed to making a positive contribution at a local level through the implementation of the Climate Change Strategy for Mole Valley. The risk is that MVDC fails to deliver the Climate Change Strategy,  meaning that we do not to maximise achievement of carbon reduction and /or fail to fail to maximise support to residents.

This risk is informed by the way we manage our workforce, estate and operations, coupled with competing priorities for financial resources, to assist in reducing our carbon footprint and make Mole Valley more resilient to the impacts of climate change.

The impact locally includes:

• Increased likelihood of flooding impacting on properties
• Extreme weather (heat and cold) impacting vulnerable residents
• Extreme weather having a greater impact on the day to day delivery of services
• Detrimental impact on the local environment

Inherent risk level (no controls)

Probability: 5

Impact: 3

Risk score: 15 (red)

Controls in place at MVDC

– Climate Change Strategy in place setting out the arrangements in place to reduce the impact of climate change at a local level

– An action plan is in place and being implemented

-Active seeking of grant funding opportunities

– Annual reporting to Cabinet on progress

– Carbon literacy training in place and being rolled out to inform how the workforce can make an impact through their job roles

-Carbon reduction initiatives to be included in Business Plans

– Climate Change Adaptation Strategy in place to identify the impacts of climate change on Mole Valley and the Council’s long term strategy to adapt service delivery in response

-New Local Plan contains supportive policies for new developments and refurbishments

– Plans in place for flooding and snow/ice

– Sustainable Procurement Charter in place to ensure climate change sustainability of long-term contracts

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 3

Impact: 2

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Climate Change and Wellbeing)

Risk owner – Officer

EHoS – Planning & Place

Proposed development and disposal opportunities fail to proceed. This could lead to capital receipts not being realised or receipt delayed. Where assets are identified for redevelopment or disposal this could limit the Council’s ability to let because of the need to retain flexibilities. Prolonged delays can lead to the need for higher expenditure on otherwise unnecessary revenue and capital costs in relation to asset maintenance/management.

If capital values fall potentially MOVA would not be able to lawfully declare and pay dividends to MVDC.

This risk is informed by :

– Falls in capital values of assets due to market conditions

– Market conditions affecting project viability

– Potentially conflicting views from residents and other key stakeholders creating uncertainty

Please also see Risk C1d Reduction in capital value of and rental income from Investment Properties

Inherent risk level (no controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Controls in place at MVDC

– Asset Management Plan in place. It will be reviewed and updated post adoption of a new Asset Management Strategy

– Twice yearly report from external property investment advisors on the Asset Investment assets

– Finance Team commission IFRS valuations from an independent valuer on a five year rolling programme

– Regular periodic reviews of business cases for property/project transactions

– Strategic Asset Management Working Group and Pippbrook Working Group in place to review and inform potential asset development and disposals

– Ensuring that recommendations put forward for approval at Cabinet are deliverable and/or that the risks are fully identified and explained with accompanying sensitivity analysis and independent advice received

– Pipeline opportunities identified to reduce impact of any one transaction not proceeding

– Stakeholder and community engagement strategies identified on a case by case basis

– Due diligence undertaken on all potential transactions

– Forward planning and monitoring to enable MVDC to plan for worst case scenarios and plan the response

– Capacity to deliver assessed prior to commitment to delivery

Residual risk level (after existing controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 3

Impact: 4

Risk score: 12 (amber)

Risk owner – Member

Cabinet Member (Property and Projects)

Risk owner – Officer

EHoS – Resources

MVDC needs to make sure that arrangements are in place to ensure an effective response in an emergency situation.

As a Category one responder MVDC is required to comply with the duties set out in Civil Contingencies Act 2004.

If we fail to act effectively, this could lead to distress and harm, a loss of public trust, and a failure to provide civil protection to residents, businesses and the wider community.

This risk is informed by a number of issues, including:

• Local or national level of emergency response required
• The nature of the emergency, which could include for example power outage, flooding or other extreme weather conditions.

Inherent risk level (no controls)

Probability: 4

Impact: 5

Risk score: 12 (red)

Controls in place at MVDC

-Emergency Plans in place that comply with the duties of the Civil Contingencies Act 2004

-Emergency planning duty officer rota in place 365 days a year

-Named incident liaison officers

-Corporate Organisational Resource Strategy and Incident Management Plan in place that sets out key actions to be taken in response to an emergency

-All services have business continuity plans in place (on-going training re business resilience)

-Severe weather plan in place

-Multi-agency flood plan in place

-Emergency Assistance Centre Plan in place

-Winter preparedness plans in place

-Regular review of all emergency planning documents

-Access to Resilience Direct Portal

-Lessons learnt from both local and major national incidents

-Active member of the Surrey Local Resilience Forum which publishes the Surrey Community Risk Register. This provides public information about the hazards that exist within the County and the control measures that are in place to mitigate their impact. The Register details the lead agency for each hazard identified. The responsibilities (specifically infrastructure/system failure and natural hazards) assigned to Mole Valley District Council are to be read in conjunction with this Strategic Risk Register.

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 3

Impact: 3

Risk score: 9 (amber)

Risk owner – Member

Cabinet Member (Internal Services and Security)

Risk owner – Officer

EHoS – People

Contract Management across the organisation is inconsistent. Despite corporate contract management guidance and some areas of good practice, we have found that contracts may not be consistently recorded on the Council’s contract register and that monitoring of expenditure against contracts and supplier performance is inconsistent.

This may result in:-

• Lack of compliance with the Procurement Act 2023 and Transparency code reporting requirements
• Poor services to residents due to contractor poor performance not being address
• Additional costs or loss of income to the Council

Inherent risk level (no controls)

Probability: 4

Impact: 3

Risk score: 12 (amber)

Controls in place at MVDC

-Contract management procedure rules in Constitution

-Contract Management Guidance Notes on the intranet

-Contracts Register in place and reviewed quarterly

-Internal Audit reviews

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 2

Impact: 3

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Finance)

Risk owner – Officer

EHoS – Resources

MVDC is required to make strategic decisions in terms of the future delivery of services whilst there is significant uncertainty at a central government level.

This risk is informed by:

• Impact of the white Paper on Local Government reorganisation
• Uncertainty from central government in terms of future strategic waste plans and related targets
• Functional and service geography
• First term of current waste collection contract expires in 2027

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

-Options appraisal for future waste collection services to Cabinet in 2025

-Consideration of investment required in our assets to support service delivery

-Cabinet approval of Material Recycling Facility contract extension to enable a strategic options paper to be considered in 2025

-Building in flexibility to future arrangements

-Making use of expertise and capacity in Joint Waste Solutions (JWS) to undertake horizon scanning

-S151 officers attends regular cross council and partnership meetings to be assured that financial implications are built into the Medium Term Financial Plan as far as possible

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 2

Impact: 3

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Community Services)

Risk owner – Officer

EHoS – Commercial

Central government has confirmed its intention to implement the Reform of Local Government. Government has agreed to Surrey County Council’s request to fast-track the local government reorganisation in Surrey.

MVDC will continue to exist until at least April 2027. During this time the council needs to continue provide essential services, achieve its corporate objectives and deliver against strategies and plans.   There is risk that during this transition phase MVDC will neither have the staffing resource (as a result of staff leaving MVDC and staff needing to focus on planning and preparing for the integration into the new authority), nor access to funding (as a result of the implementation of restrictions that may be imposed) required to do this.

There is a risk that staff become demoralised and there is a reduction in performance.

Please also see Risk C1, Financial Sustainability and Risk C7, Organisational Capacity to Deliver.

Inherent risk level (no controls)

Probability: 5

Impact: 4

Risk score: 20 (red)

Controls in place at MVDC

• Monitoring staffing resources and the impact on capacity
• Consider ways in which we can encourage the retention of key staff
• Continue our focus on recruitment
• Consider use of interim staff where necessary for key posts
• Work with authorities that will make up the successor organisation to assist in covering key roles
• Review of strategies and plans with members as required to ensure they remain deliverable and appropriate within existing resources
• Ensuring that decision making continues to be in the best interest of the Mole Valley community, taking a balanced approach to risk
• Establishment of an efficient and effective approach to project managing the transition
• Effective and continuous communication with staff, including staff surveys and identifying personal development needs

Residual risk level (after existing controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Movement of residual risk since last review

None

Target risk level

Probability: 4

Impact: 3

Risk score: 12 (amber)

Risk owner – Member

Leader of the Council

Risk owner – Officer

Chief Executive

Key: EHoS = Executive Head of Service.

Additions / deletions in last 12 months:-

Additions:

• December 2024 – C12 Emergency Planning
• December 2024 – C13 Contract Management
• December 2024 – C14 Waste services
• December 2024 – C15 Local Government Reform

Deletions:

• July 2024 – C10 Processing card payments