Strategic Risk Register – March 2023

This register details the strategic risks faced by Mole Valley District Council in relation to achieving the priorities as defined in the Council Strategy. It also notes the current mitigation action being taken to control these risks. The Register is owned by the Chief Executive.

Corporate Priorities

  • Community wellbeing – active communities and support for those who need it
  • Environment – a highly attractive area with housing that meets local need
  • Prosperity – a vibrant local economy with thriving towns and villages

Council Strategy Guiding Principles

  • Putting People First – Ensuring a people focussed culture in our organisation to provide the best possible experience and services for our residents, businesses, and visitors.
  • Openness & accessibility – Listening to and engaging with people, and giving clear, timely and transparent information that enables residents, businesses, and visitors to help themselves, while still providing support for those who need it.
  • Acting Sustainably – Meeting the needs of the present without compromising future generations requires responsible decision making and innovation.
  • Living within our means – Be mindful of current and future costs in our approach to delivering and developing services.

Surrey Local Resilience Forum Community Risk Register

Surrey’s Local Resilience Forum (LRF) is a multi-agency partnership made up of representatives from local public services, including the Emergency Services, Local Authorities, NHS England and the Environment Agency, which are all Category One Responders under the Civil Contingencies Act 2004. Each year the Surrey LRF publishes the Surrey Community Risk Register which provides public information about the hazards that exist within the County and the control measures that are in place to mitigate their impact. The Register details the lead agency for each hazard identified. The responsibilities (specifically infrastructure/system failure and natural hazards) assigned to Mole Valley District Council are to be read in conjunction with this Strategic Risk Register.

 

| Code and Title | Probability | Impact | Risk Score |
|---|---|---|---|
| C1 Financial Sustainability | 3 | 4 | 12 |
| C1d Loss of Rental Income from Properties | 3 | 3 | 9 |
| C3 Corporate Health and Safety | 2 | 4 | 8 |
| C4b IT systems – b) Risk of hacking | 2 | 3 | 6 |
| C4c IT systems – c) Operational Resilience | 2 | 3 | 6 |
| C5 Data Protection / Information Governance | 3 | 2 | 6 |
| C7 Organisational capacity to deliver | 4 | 3 | 12 |
| C8 Safeguarding | 2 | 2 | 4 |
| C9 Climate change | 3 | 3 | 9 |
| C10 Processing card payments | 2 | 4 | 8 |
| C11 Asset development and disposal | 3 | 4 | 12 |

Controls in place
These are some of the key activities that officers undertake to mitigate the risk. They do not constitute MVDC internal procedures and may be amended to reflect the assessed risk level.

C1 Financial Sustainability

There is a risk, due to the national economic climate and the forthcoming review of local government finance, that the Council is unable to balance its budget, without impacting significantly on service delivery and performance. This is in the context of a medium term future which may well include:

– A significant loss of government funding linked to Levelling Up

– Material costs of refurbishment of some Council assets

– On-going deterioration of town centre activity leading to reduced income and falling value of some assets (eg Swan Centre)

– Re-tendering of a number of Council services which were last re-let when market conditions were very favourable to the Council

– A significant short / medium term impact of pay / price inflation

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Maintaining robust budget monitoring and, if appropriate, corrective action to ensure spending in 2022/23 is in line with the Budget

– Long Term Financial Strategy and Medium Term Financial Plan in place

– Savings plan in place for 2023/24, and transformation programme under development for 2024/25 onwards

– Work with other Surrey local authorities and other local authority representative bodies to lobby Central Government to address the potential loss of government funding implied by ‘Levelling Up’

Residual risk level (after existing controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 3

Risk score: 9 (amber)

Risk owner – Member

Cabinet Member (Finance)

Risk owner – Officer

EHoS – Finance & Strategy

C1d Loss of Rental Income from Properties

Rents from the property portfolio are a key source of income. Under the Asset Investment portfolio if any one of those occupiers were to become insolvent and default on their rent, this would have a material impact on the Council’s rental income.

More generally, there is an increased risk of tenants struggling to meet their rental obligations and also their repair obligations. The latter would result in either a financial liability for MVDC or result in a decreased rent being achieved.

There is uncertainty as to the ability of MVDC’s commercial assets to achieve an Energy Performance Certificate B rating by 2030. Without that rating it may be difficult or impossible to let previously tenanted properties. This creates an on-going financial pressure.

This risk is informed by a number of factors including:

  • Continued economic uncertainty, as a result of forecast increase in interest rates, unprecedented inflationary pressures (energy, workforce costs, supply chain pressures and the invasion of Ukraine)
  • Changes in ways of doing business, such as online shopping and increased potential of working from home
  • The government’s stated ambition that all public sector commercial buildings achieve an EPC B rating by 2030

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Proactive, rational and flexible approach to rent negotiations

– Proactively seeking new lettings and maximising income from existing assets

– Good understanding of the local property market and national movement across all sectors

– Positive relationship with tenants and Swan Centre Managing Agents

– Asset Managers confirm that demands have been received 2 weeks prior to the quarter day, then chasing payment after the quarter day on a weekly basis as a minimum, referring to legal at week 4 if the payment is still outstanding

– Performance management of rental income reported to Cabinet in Business and Budget reports

– Proactive engagement with tenants identified to be at risk (factors include covenant deterioration, payment history and business sector)

– Payment plans put in place for tenants who are in arrears

– Proactively seeking rent deposits and/or guarantors where possible for new lettings

– Monitoring of tenant covenant strength in relation to AIS properties and annual review of investment assets for market intelligence to manage associated risk

– Asset Managers to maintain EPC records for commercial buildings and, where poor energy performance is likely to impact lettings under MEES, produce property specific management plans identifying actions required to address

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 3

Risk score: 9 (amber)

Risk owner – Member

Cabinet Member (Projects)

Risk owner – Officer

EHoS – Prosperity

C3 Corporate Health and Safety

MVDC needs to provide services in a safe manner that protects the health and safety not just of its employees but also members of the public, trainees, contractors and Members. If we fail to have good Health and Safety arrangements in place, this could lead to loss of service and / or preventable accidents to and ill health of staff, contractors, public or others affected by our undertakings. This is of particular importance due to the nature of some of the services we provide to the public and vulnerable people.

This risk is informed by a number of factors, including:

  • Compliance with Health and Safety at Work Act
  • Moral and public Duty

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– Corporate Health and Safety Policy, arrangements and procedures in place and regularly reviewed / audited

– Regular spot check reviews of health and safety arrangements by Health and Safety consultant

– Regular meetings of H&S Group, who escalate any concerns to Corporate Governance Board.

– Health and Safety action plan in place

– Employee induction includes focus on Health and Safety and all employees provided with Health and Safety Guidance

– Training in place for new and existing employees

– Health and Safety risk assessments in place for all service areas and regularly reviewed

– Lone working procedure in place

– Effective management of property and land assets

– Arrangements with partner organisations/contractors to ensure appropriate Health and Safety requirements are in place

Residual risk level (after existing controls)

Probability: 2

Impact: 4

Risk score: 8 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 2

Impact: 4

Risk score: 8 (amber)

Risk owner – Member

Cabinet Member (Internal Services)

Risk owner – Officer

Deputy Chief Executive

C4b IT systems – b) Risk of hacking

MVDC typically blocks thousands of malicious attempts daily to access MVDC systems and data. The majority are blocked by technical measures. The most significant contributor to this risk is that MVDC employees and members may, for example, inadvertently click on malicious links or attachments in phishing emails.

If we fail to secure the Council’s accounts and data there is a risk of loss and data protection issues; this could lead to the Council not being able to deliver services, financial cost of rebuilding and ICO fines, and reputational damage.

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– ICT Security Policy in place and regularly updated (most recently Feb 2022)

– Access to systems and data is strictly controlled and data is held securely in order to ensure it is only available as permitted and not at risk of loss or compromise

– Regular testing of the ICT security perimeter (firewalls), monitoring for new vulnerabilities of systems and a cycle of ensuring all system versions are up to date is in place. Quarterly review, and if required housekeeping, of Firewall rules in response to Internal Audit Finding November 2021

– Regular patching cycle of server and desktop infrastructure, and also monthly review of security systems (Proxy server, firewalls, switches, backup software, HCI software)

– Risk assessment on basis of industry knowledge and government information provided by the National Cyber Security Centre

– Regular mandatory Cyber security awareness training for all Council Officers. Extended on a voluntary basis to Councillors

Residual risk level (after existing controls)

Probability: 2

Impact: 3

Risk score: 6 (green)

Movement of residual risk since last review

None

Risk appetite

Probability: 2

Impact: 3

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Projects)

Risk owner – Officer

EHoS – Transformation & Partnerships

C4c IT systems – c) Operational Resilience

MVDC needs to make sure that its staff and IT systems are available to deliver the services for which it is responsible.

If we fail to do this, there could be a major breakdown and disruption of systems that leads to an inability to deliver key services.

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Automated centralised back-up of data and systems is in place should a systems or data recovery be needed. Off-network data backup regime implemented, including MVDC data held in the Microsoft cloud

– On-site arrangements in place for physical environment

– Secondary data centre fully established at specialist data centre hosting facility and now made to be the primary site for council servers (Feb 23)

– Disaster Recovery arrangements in place

– All staff have laptops

Residual risk level (after existing controls)

Probability: 2

Impact: 3

Risk score: 6 (green)

Movement of residual risk since last review

None

Risk appetite

Probability: 1

Impact: 2

Risk score: 2 (green)

Risk owner – Member

Cabinet Member (Projects)

Risk owner – Officer

EHoS – Transformation & Partnerships

C5 Data Protection / Information Governance

MVDC needs to make sure that personal data is secure and that an individual’s right to privacy is protected.

If we fail to effectively act on and embed standards and procedures that enable us to do this, this could lead to distress and harm for data subjects, a loss of public trust, financial penalties to the organisation, or other regulatory action (imposed by the Information Commissioner’s Office).

This risk is informed by a number of issues, including:

  • Potential data protection breaches, misuse of private information, breaches of European Convention of Human Rights (Article 8) and breaches of confidence enabling access to confidential data
  • Loss of data, including as a result of malicious cyber security attacks (Ref: C4b, Risk of Hacking)

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– Data Protection Policy approved by Council and updated periodically

– Data protection training and updates for new and existing staff

– Member Training on responsibilities under appropriate Code of Conduct, including data protection, for new and existing Members

– Certification obtained on disposal of confidential information

– Information Asset Register in place for each service

– Records Retention Policy and schedule in place and implemented

– Data sharing protocols in place and implemented

– Data protection procedures in place for all new projects and processes

– New software systems functionality and use evaluated for GDPR compliance

– Procedures in place for compliant use of email by staff/Members and document management arrangements

– Statutory Data Protection Officer and Deputy in place

– GDPR guidance in place to reflect move to hybrid working

– Data security threats (e.g. through phishing) addressed in C4b (risk of hacking) controls.

Residual risk level (after existing controls)

Probability: 2

Impact: 3

Risk score: 6 (amber)

Movement of residual risk since last review

Down

Risk appetite

Probability: 2

Impact: 2

Risk score: 2 (green)

Risk owner – Member

Cabinet Member (Internal Services)

Risk owner – Officer

EHoS – Corporate & Member Services

C7 Organisational capacity to deliver

If we fail to ensure that the organisation continues to have the capacity to achieve the priorities in the Annual Plan and to ensure the effective delivery of services, this could have serious implications particularly in relation to statutory services ultimately leading to service failure and/or significant additional financial implications.

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Annual review of cost of living increase award to ensure it is both affordable and reflective of additional pay inflation

– Programme to review tasks and processes across the Council, particularly high volume transactions that our customers use most. This is one of five strands of the Council’s overall financial sustainability programme

– Development of a People Strategy

– Continue to identify and deliver practical ways to improve recruitment and retention

– Workforce planning exercise aligned with business and budget planning and appraisal process

– Interim and fixed term arrangements only used in exceptional circumstances

– When new unforeseen projects are added to work programme, re-prioritise existing tasks and available resources. This could include items under the Annual Plan

Residual risk level (after existing controls)

Probability: 4

Impact: 3

Risk score: 12 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 3

Risk score: 9 (amber)

Risk owner – Member

SLT (Head of Paid service has delegated responsibility in the constitution for staffing matters)

Risk owner – Officer

Chief Executive

C8 Safeguarding

MVDC needs to ensure that all employees are aware of the organisation’s responsibilities in relation to safeguarding children and vulnerable adults.

This means being able to identify signs of concern and knowing when to share information and to report those. Due to the impact of ongoing economic uncertainty, more people continue to be vulnerable to changes in circumstances, financial or otherwise.

MVDC also needs to ensure that there is an appropriate response in place in the event of a Domestic Homicide Review or involvement in a Child Safeguarding Practice Review or a Safeguarding Adults Review.

Failure to fulfil our responsibilities in relation to safeguarding could lead to significant harm or death of a child or vulnerable adult and the potential ensuing legal action and reputational damage for the authority.

Inherent risk level (no controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Controls in place at MVDC

– Policies and procedures for safeguarding in place and reviewed as appropriate

– On-line referral forms in place for children’s single point of access (CSPA) and for multi-agency safeguarding hub (MASH) to track and follow up on concerns raised

– Procedures in place for Mole Valley Life services including Telecare

– All employees undertake foundation level awareness training for safeguarding and new employees undertake this as part of their induction

– Enhanced level safeguarding training undertaken by relevant staff as identified according to their responsibilities

– Safeguarding forms part of the Terms of Reference of the Corporate Governance Board

– Biennial undertaking of S11 audit from Children’s Safeguarding Board and involvement in Adult Safeguarding Board Quality Assurance activity

– Participation in audits of adult safeguarding when requested by Surrey County Council

– Representation on the Surrey Adult Safeguarding Board, the Children’s Partnership Executive Group and the Safeguarding Lead officers Group

– Involvement in Surrey Lead Member and Lead Officer group chaired by SCC Cabinet lead Member

– Procedures in place for conducting Domestic Homicide Reviews, working with a central co-ordination team at Surrey County Council. Involvement in Domestic Homicide Oversight Group

– Safeguarding procedures in place in relation to the Homes for Ukraine scheme as set out in government guidance

Residual risk level (after existing controls)

Probability: 2

Impact: 2

Risk score: 4 (green)

Movement of residual risk since last review

Down

Risk appetite

Probability: 2

Impact: 2

Risk score: 4 (green)

Risk owner – Member

Cabinet Member (Community Services)

Risk owner – Officer

EHoS – Community

C9 Climate change

Climate Change is a global emergency which requires a global response. In declaring a Climate Emergency, MVDC has recognised the current environmental tipping point and is working towards being carbon neutral by 2030. MVDC is committed to making a positive contribution at a local level including preparation of a Climate Change Adaption Strategy for Mole Valley.

The impact locally includes:

  • Increased likelihood of flooding impacting on properties
  • Extreme weather (heat and cold) impacting vulnerable residents
  • Extreme weather having a greater impact on the day to day delivery of services
  • Detrimental impact on the local environment

Inherent risk level (no controls)

Probability: 5

Impact: 3

Risk score: 15 (red)

Controls in place at MVDC

– Climate Change Strategy in place, together with an action plan for delivery. Annual reporting to Cabinet on progress

– Strategic Land Use Policy (Local Plan) has undertaken a strategic flood risk assessment and has allocated new development in accordance with those outputs taking account of uplift for global warming

– Plans in place for severe weather (snow and flooding)

– Sustainable Procurement Charter in place to ensure climate change sustainability of long-term contracts

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 2

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Climate Change)

Risk owner – Officer

EHoS – Planning & Environment

C10 Processing card payments

There is a Payment Card Industry Data Security Standard (PCI DSS) that assists the Council to ensure appropriate arrangements are in place to protect customers and the Council. Non-compliance with the PCI DSS leads to a service, and potentially (and more probably) MVDC in its entirety, being barred from processing card payments. There is also a risk of fraud against the customer due to insufficient control and implementation of data protection arrangements.

This risk is informed by:

  • Increased move to online and phone payments being the Council’s preferred payment method
  • Increasingly sophisticated fraud tactics employed by external aggressors
  • Requirement to protect sensitive customer data through robust data protection and card handling arrangements

Inherent risk level (no controls)

Probability: 3

Impact: 5

Risk score: 15 (red)

Controls in place at MVDC

– MVDC website directs anyone wishing to make a payment over the phone to either the Customer Services Unit or the automated telephone payments system

– Staff involved in taking credit card transactions instructed not to write down, or otherwise retain, payment card data

– Internal guidance in place across teams

– Training undertaken by staff in the Customer Services Unit (CSU)

– Call recording paused by staff in CSU when payment card data is taken and regular call checks include verification that this is taking place

– Implementation of actions arising from internal audit

– Annual self-assessment of Payment Card Industry Data Security Standard compliance

Residual risk level (after existing controls)

Probability: 2

Impact: 4

Risk score: 8 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 1

Impact: 4

Risk score: 4 (green)

Risk owner – Member

Cabinet Member (Finance)

Risk owner – Officer

EHoS – Finance & Strategy

C11 Asset development and disposal

Proposed development and disposal opportunities fail to proceed. This could lead to capital receipts not being realised, and a reduction in rental income, either in relation to current properties or the potential for enhanced income through alternative investment. It could also lead to continued revenue and capital costs in relation to asset maintenance/management.

This risk is informed by:

  • Policy and delivery aspirations pending adoption of the Local Plan
  • Market conditions affecting project viability
  • Potentially conflicting views from residents and other key stakeholders creating uncertainty

Inherent risk level (no controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Controls in place at MVDC

– Regular periodic reviews of business cases for property/project transactions

– Ensuring that recommendations put forward for approval at Cabinet are deliverable and/or that the risks are fully identified and explained with accompanying sensitivity analysis

– Stakeholder and community engagement strategies identified on a case by case basis

– Due diligence undertaken on all potential transactions

– Forward planning and monitoring to enable MVDC to plan for worst case scenarios and plan the response

– Capacity to deliver assessed prior to commitment to delivery

Residual risk level (after existing controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 4

Risk score: 12 (amber)

Risk owner – Member

Cabinet Member (Projects)

Risk owner – Officer

EHoS – Prosperity

Key: EHoS = Executive Head of Service.

Additions / deletions in last 12 months:-

Additions: January 2023 – Processing card payments

January 2023 – Asset development and disposal