Strategic Risk Register – March 2024

This Register details the strategic risks faced by Mole Valley District Council in relation to achieving the priority outcomes and guiding principles as defined in the Council Strategy. It also notes the controls in place to mitigate the risk. These controls do not constitute MVDC internal procedures and may be amended to reflect the assessed risk level. The Register is owned by the Chief Executive.

Corporate Priorities

  • Community wellbeing – active communities and support for those who need it
  • Environment – a highly attractive area with housing that meets local need
  • Prosperity – a vibrant local economy with thriving towns and villages

Council Strategy Guiding Principles

  • Putting People First – Ensuring a people focussed culture in our organisation to provide the best possible experience and services for our residents, businesses, and visitors.
  • Openness & accessibility – Listening to and engaging with people, and giving clear, timely and transparent information that enables residents, businesses, and visitors to help themselves, while still providing support for those who need it.
  • Acting Sustainably – Meeting the needs of the present without compromising future generations requires responsible decision making and innovation.
  • Living within our means – Be mindful of current and future costs in our approach to delivering and developing services.

Surrey Local Resilience Forum Community Risk Register

Surrey’s Local Resilience Forum (LRF) is a multi-agency partnership made up of representatives from local public services, including the Emergency Services, Local Authorities, NHS England and the Environment Agency, which are all Category One Responders under the Civil Contingencies Act 2004. Each year the Surrey LRF publishes the Surrey Community Risk Register which provides public information about the hazards that exist within the County and the control measures that are in place to mitigate their impact. The Register details the lead agency for each hazard identified. The responsibilities (specifically infrastructure/system failure and natural hazards) assigned to Mole Valley District Council are to be read in conjunction with this Strategic Risk Register.

 

| Code and Title | Probability | Impact | Risk Score |
|---|---|---|---|
| C1 Financial Sustainability | 3 | 3 | 9 |
| C1d Loss of Rental Income from Properties | 2 | 3 | 6 |
| C3 Corporate Health and Safety | 2 | 4 | 8 |
| C4b IT systems – b) Risk of hacking | 2 | 3 | 6 |
| C4c IT systems – c) Operational Resilience | 1 | 2 | 2 |
| C5 Data Protection / Information Governance | 2 | 2 | 4 |
| C7 Organisational capacity to deliver | 3 | 4 | 12 |
| C8 Safeguarding | 2 | 2 | 4 |
| C9 Climate change | 3 | 3 | 9 |
| C10 Processing card payments | 1 | 4 | 4 |
| C11 Asset development and disposal | 3 | 4 | 12 |

Controls in place
These are some of the key activities that officers undertake to mitigate the risk. They do not constitute MVDC internal procedures and may be amended to reflect the assessed risk level.

There is a risk, due to the national economic climate and the forthcoming review of local government finance, that the Council is unable to balance its budget without impacting significantly on service delivery and performance. This is in the context of a medium term future which may well include:

– A significant loss of government funding linked to Levelling Up

– Material costs of refurbishment of some Council assets

– Re-tendering/mobilisation of a number of Council services which were last re-let when market conditions were very favourable to the Council

– Contract disputes leading to significant costs to the Council

– A significant short / medium term impact of pay / price inflation

Inherent risk level (no controls)

Probability: 4

Impact: 5

Risk score: 20 (red)

Controls in place at MVDC

– Maintaining robust budget monitoring and, if appropriate, corrective action to ensure spending is in line with the Budget

– Robust re-procurement procedures and strong contract management in place

– Transformation savings plan in place for 2024/25, with proactive monitoring and reporting of savings realisation to the Strategic Leadership Team and as part of the regular Business and Budget monitoring reports to Cabinet

– Transformation programme developed for 2024/25 onwards with a variety of projects and actions identified to achieve the majority of savings required in the MTFP. On-going work to identify actions to achieve the residual savings is in progress

– Long Term Financial Strategy and Medium Term Financial Plan in place

– Work with other Surrey local authorities and other local authority representative bodies to lobby Central Government to address local government financial resilience

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 2

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Finance)

Risk owner – Officer

EHoS – Finance & Strategy

Rents from the property portfolio are a key source of income. Under the Asset Investment portfolio, if any one of the occupiers were to become insolvent and default on their rent, this would have a material impact on the Council’s rental income.

More generally, there is an increased risk of tenants struggling to meet their rental obligations and also their repair obligations. The latter would result in either a financial liability for MVDC or result in a decreased rent being achieved.

There is uncertainty as to whether MVDC’s commercial assets can achieve an Energy Performance Certificate B rating by 2030. Without that rating it may be difficult or impossible to let previously tenanted properties. This creates an on-going financial pressure.

This risk is informed by a number of factors including:

  • Continued economic uncertainty, as a result of forecast increase in interest rates, unprecedented inflationary pressures (energy, workforce costs, supply chain pressures and the invasion of Ukraine)
  • Changes in ways of doing business, such as online shopping and increased potential of working from home
  • The government’s stated ambition that all public sector commercial buildings achieve an EPC B rating by 2030

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Proactive, rational and flexible approach to rent negotiations

– Proactively seeking new lettings and maximising income from existing assets

– Good understanding of the local property market and national movement across all sectors

– Positive relationship with tenants and Swan Centre Managing Agents

– Asset Managers confirm that demands have been received 2 weeks prior to the quarter day, then chasing payment after the quarter day on a weekly basis as a minimum, referring to legal at week 4 if the payment is still outstanding

– Performance management of rental income reported to Cabinet in Business and Budget reports

– Proactive engagement with tenants identified to be at risk (factors include covenant deterioration, payment history and business sector)

– Regular monitoring of aged debt to identify any pattern in non-payment

– Payment plans put in place for tenants who are in arrears

– Proactively seeking rent deposits and/or guarantors where possible for new lettings

– Monitoring of tenant covenant strength in relation to AIS properties and annual review of investment assets for market intelligence to manage associated risk

– Asset Managers maintain EPC records for commercial buildings and, where poor energy performance is likely to impact lettings under MEES, produce property specific management plans identifying actions required to address

– Oversight of property portfolio to ensure balance of risk regarding current and future rental income

Residual risk level (after existing controls)

Probability: 2

Impact: 3

Risk score: 6 (green)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 3

Risk score: 9 (amber)

Risk owner – Member

Cabinet Member (Property and Projects)

Risk owner – Officer

EHoS – Prosperity

MVDC needs to provide services in a safe manner that protects the health and safety not just of its employees but also members of the public, trainees, contractors, Members and those who undertake work on behalf of MVDC. If we fail to have good Health and Safety arrangements in place, this could lead to loss of service and / or preventable accidents to and ill health of staff, contractors, public or others affected by our undertakings. This is of particular importance due to the nature of some of the services we provide to the public and vulnerable people.

This risk is informed by:

  • Compliance with Health and Safety at Work Act
  • Public duty

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– Corporate Health and Safety Policy, arrangements and procedures in place and regularly reviewed / audited

– Regular spot check reviews of health and safety arrangements by Health and Safety consultant

– Regular meetings of H&S Group, who escalate any concerns to Corporate Governance Board

– Health and Safety action plan in place

– Employee induction includes focus on Health and Safety and all employees provided with Health and Safety Guidance

– Training in place for new and existing employees with specialist training provided as required

– Health and Safety risk assessments in place for all service areas and regularly reviewed

– Lone working procedure in place for all service areas with bespoke arrangements in relation to individual business areas

– Effective management of property and land assets

– Health and safety integrated into procurement processes

– Arrangements with partner organisations/contractors to ensure appropriate Health and Safety requirements are in place

Residual risk level (after existing controls)

Probability: 2

Impact: 4

Risk score: 8 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 2

Impact: 4

Risk score: 8 (amber)

Risk owner – Member

Cabinet Member (Internal Services and Security)

Risk owner – Officer

Deputy Chief Executive

MVDC typically blocks thousands of malicious attempts daily to access MVDC systems and data. The majority are blocked by technical measures. The most significant contributor to this risk is that MVDC employees and members may, for example, inadvertently click on malicious links or attachments in phishing emails.

If we fail to secure the Council’s accounts and data there is a risk of loss and data protection issues; this could lead to the Council not being able to deliver services, financial cost of rebuilding and ICO fines, and reputational damage.

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– ICT Security Policy in place and regularly updated

– Access to systems and data is strictly controlled and data is held securely in order to ensure it is only available as permitted and not at risk of loss or compromise

– Regular testing of the ICT security perimeter (firewalls), monitoring for new vulnerabilities of systems and a cycle of ensuring all system versions are up to date is in place. Quarterly review, and if required housekeeping, of Firewall rules

– Regular patching cycle of server and desktop infrastructure, and also monthly review of security systems (Proxy server, firewalls, switches, backup software, HCI software)

– Risk assessment on basis of industry knowledge and government information provided by the National Cyber Security Centre

– Regular mandatory Cyber security awareness training for all Council Officers. Extended on a voluntary basis to Councillors

Residual risk level (after existing controls)

Probability: 2

Impact: 3

Risk score: 6 (green)

Movement of residual risk since last review

None

Risk appetite

Probability: 2

Impact: 2

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Property and Projects)

Risk owner – Officer

EHoS – Transformation & Partnerships

MVDC needs to make sure that its IT staff and IT systems are available to deliver the services for which it is responsible.

If we fail to do this, there could be a major breakdown and disruption of systems that leads to an inability to deliver key services.

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Automated centralised back-up of data and systems is in place should a systems or data recovery be needed. Off-network data backup regime implemented, including MVDC data held in the Microsoft cloud

– On-site arrangements in place for physical environment

– Secondary data centre fully established at specialist data centre hosting facility and now made to be the primary site for council servers

– Disaster Recovery arrangements in place

– All staff have laptops

– Strategic workforce plan in place to ensure business continuity and succession planning

– Streamlining and integration of on-premise systems

Residual risk level (after existing controls)

Probability: 1

Impact: 2

Risk score: 2 (green)

Movement of residual risk since last review

None

Risk appetite

Probability: 1

Impact: 2

Risk score: 2 (green)

Risk owner – Member

Cabinet Member (Property and Projects)

Risk owner – Officer

EHoS – Transformation & Partnerships

MVDC needs to make sure that personal data is secure and that an individual’s right to privacy is protected.

If we fail to effectively act on and embed standards and procedures that enable us to do this, this could lead to distress and harm for data subjects, a loss of public trust, financial penalties to the organisation, or other regulatory action (imposed by the Information Commissioner’s Office).

This risk is informed by a number of issues, including:

  • Potential data protection breaches, misuse of private information, breaches of European Convention of Human Rights (Article 8) and breaches of confidence enabling access to confidential data
  • Loss of data, including as a result of malicious cyber security attacks (Ref: C4b, Risk of Hacking)

Inherent risk level (no controls)

Probability: 5

Impact: 5

Risk score: 25 (red)

Controls in place at MVDC

– Data Protection Policy approved by Council and updated periodically

– Data protection training and updates for new and existing staff

– Member Training on responsibilities under appropriate Code of Conduct, including data protection, for new and existing Members, and training video on MOSS

– Certification obtained on disposal of confidential information

– Information Asset Register in place for each service

– Records Retention Policy and schedule in place and implemented

– Data sharing protocols in place and implemented

– Data protection procedures in place for all new projects and processes

– New software systems functionality and use evaluated for GDPR compliance

– Procedures in place for compliant use of email by staff/Members and document management arrangements

– Procedures in place to ensure that personal information is not inadvertently made available in the public domain

– Statutory Data Protection Officer and Deputy in place

– GDPR guidance in place to reflect move to hybrid working

– Data security threats (e.g. through phishing) addressed in C4b (risk of hacking) controls

Residual risk level (after existing controls)

Probability: 2

Impact: 2

Risk score: 4 (amber)

Movement of residual risk since last review

Down

Risk appetite

Probability: 2

Impact: 2

Risk score: 2 (green)

Risk owner – Member

Cabinet Member (Internal Services and Security)

Risk owner – Officer

EHoS – Corporate & Member Services

If we fail to ensure that the organisation continues to have the capacity to achieve the priorities in the Annual Plan, deliver the Transformation Programme and ensure the effective delivery of services, this could have serious implications particularly in relation to statutory services ultimately leading to service failure and/or significant additional financial implications.

Inherent risk level (no controls)

Probability: 4

Impact: 4

Risk score: 16 (red)

Controls in place at MVDC

– Council Strategy 2024-28 approved to assist with prioritisation from April 2024, including development of Annual Plan and Business Plans

– Workforce data provided to Business Managers to inform business planning and appraisal process

– Transformation Programme in place supported by a Workforce Strategy, to review functions, tasks and processes across the Council to ensure that we are resourced to deliver services at lower cost

– Governance arrangements in place to provide organisational oversight, enabling re-prioritisation of tasks and available resources where appropriate

– Effective arrangements in place regarding recruitment and retention which are kept under review. This includes feedback from staff surveys

– Controlled use of interim staff to cover business critical posts for short periods of time

– Annual review of cost of living increase award to ensure it is both affordable and reflective of additional pay inflation, including comparison with other authorities

Residual risk level (after existing controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 2

Impact: 4

Risk score: 8 (amber)

Risk owner – Member

SLT (Head of Paid Service has delegated responsibility in the constitution for staffing matters)

Risk owner – Officer

Chief Executive

MVDC needs to ensure that all employees are aware of the organisation’s responsibilities in relation to safeguarding children and vulnerable adults.

This means being able to identify signs of concern and knowing when to share information and to report those. It also means ensuring that employees follow safe practice when delivering services. Due to the impact of ongoing economic uncertainty, more people continue to be vulnerable to changes in circumstances, financial or otherwise.

MVDC also needs to ensure that there is an appropriate response in place in the event of a Domestic Homicide Review or involvement in a Child Safeguarding Practice Review or a Safeguarding Adults Review.

Failure to fulfil our responsibilities in relation to identification of safeguarding risk could delay referrals for early intervention and lead to significant harm or death of a child or vulnerable adult and the potential ensuing legal action and reputational damage for the authority.

Inherent risk level (no controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Controls in place at MVDC

– Policies and procedures for safeguarding in place and reviewed as appropriate

– On-line referral forms in place for children’s single point of access (CSPA) and for multi-agency safeguarding hub (MASH) to track and follow up on concerns raised

– Procedures in place for Mole Valley Life services including Telecare

– All employees undertake foundation level awareness training for safeguarding and new employees undertake this as part of their induction

– Enhanced level safeguarding training undertaken by relevant staff as identified according to their responsibilities

– Safeguarding forms part of the Terms of Reference of the Corporate Governance Board, including presentation of annual referral analysis

– Biennial undertaking of S11 audit from Children’s Safeguarding Board and involvement in Adult Safeguarding Board Quality Assurance activity

– Representation on the Surrey Adult Safeguarding Board, the Children’s Partnership Executive Group and the Safeguarding Lead officers Group

– Involvement in Surrey Lead Member and Lead Officer group chaired by SCC Cabinet lead Member

– Procedures in place for conducting Domestic Homicide Reviews, working with a central co-ordination team at Surrey County Council. Involvement in Domestic Homicide Oversight Group

– Safeguarding procedures in place in relation to the Homes for Ukraine scheme as set out in government guidance

Residual risk level (after existing controls)

Probability: 2

Impact: 2

Risk score: 4 (green)

Movement of residual risk since last review

None

Risk appetite

Probability: 1

Impact: 2

Risk score: 2 (green)

Risk owner – Member

Cabinet Member (Community Services)

Risk owner – Officer

EHoS – Community

In declaring a Climate Emergency, MVDC has recognised the current environmental tipping point and is working towards being carbon neutral by 2030. MVDC is committed to making a positive contribution at a local level through the implementation of the Climate Change Strategy for Mole Valley. The risk is that, if MVDC fails to deliver the actions in the Climate Change Strategy, we will not achieve the carbon neutrality target, nor will we support our communities to be resilient to climate change.

This risk is informed by the way we manage our workforce, estate and operations to assist in reducing our carbon footprint and make Mole Valley more resilient to the impacts of climate change.

The impact locally includes:

  • Increased likelihood of flooding impacting on properties
  • Extreme weather (heat and cold) impacting vulnerable residents
  • Extreme weather having a greater impact on the day to day delivery of services
  • Detrimental impact on the local environment

Inherent risk level (no controls)

Probability: 5

Impact: 3

Risk score: 15 (red)

Controls in place at MVDC

– Climate Change Strategy in place setting out the arrangements in place to reduce the impact of climate change at a local level

– An action plan is in place and being implemented

– Annual reporting to Cabinet on progress

– Carbon literacy training in place and being rolled out to inform how the workforce can make an impact through their job roles

– Climate Change Adaptation Strategy in place to identify the impacts of climate change on Mole Valley and the Council’s long term strategy to adapt service delivery in response

– Plans in place for flooding and snow/ice

– Sustainable Procurement Charter in place to ensure climate change sustainability of long-term contracts

Residual risk level (after existing controls)

Probability: 3

Impact: 3

Risk score: 9 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 2

Risk score: 6 (green)

Risk owner – Member

Cabinet Member (Climate Change and Wellbeing)

Risk owner – Officer

EHoS – Planning & Environment

There is a Payment Card Industry Data Security Standard (PCIDSS) that assists the Council to ensure appropriate arrangements are in place to protect customers and the Council.

Non-compliance with the PCI DSS leads to a service, and potentially (and more probably) MVDC in its entirety, being barred from processing card payments. There is also a risk of fraud against the customer due to insufficient control and implementation of data protection arrangements.

This risk is informed by:

– Increased move to online and phone payments being the Council’s preferred payment method

– Increasingly sophisticated fraud tactics employed by external aggressors

– Requirement to protect sensitive customer data through robust data protection and card handling arrangements

Inherent risk level (no controls)

Probability: 3

Impact: 5

Risk score: 15 (red)

Controls in place at MVDC

– PCIDSS Policy and PCIDSS Third Party Provider Policy in place

– Procedure notes agreed with and provided to PCIDSS champions and communicated to Teams

– PCIDSS champions in place for all services where card payments are taken and corporate forum in place to monitor compliance

– Training undertaken by staff in the Customer Services Unit (CSU) and rolled out to PCIDSS champions

– Adelante/SmartPay6 implemented to increase compliance as card payment information put directly into system by the customer

– MVDC website directs anyone wishing to make a payment over the phone to the automated telephone payments system as first/preferred option

– Staff involved in taking credit card transactions (mainly Dorking Halls and Fairfield Centre, other service areas by exception) instructed not to write down, or otherwise retain, payment card data

– Call recording paused by staff in CSU when payment card data is taken (mainly Dorking Halls and Fairfield Centre, other service areas by exception) and regular call checks include verification that this is taking place

– Continued progress to implement actions arising from internal audit

– Annual self-assessment of Payment Card Industry Data Security Standard compliance

Residual risk level (after existing controls)

Probability: 1

Impact: 4

Risk score: 4 (green)

Movement of residual risk since last review

Down

Risk appetite

Probability: 1

Impact: 4

Risk score: 4 (green)

Risk owner – Member

Cabinet Member (Finance)

Risk owner – Officer

EHoS – Finance & Strategy

Proposed development and disposal opportunities fail to proceed. This could lead to capital receipts not being realised and a reduction in rental income, either in relation to current properties or in the potential for enhanced income through alternative investment. It could also lead to continued revenue and capital costs in relation to asset maintenance/management.

This risk is informed by:

– Policy and delivery aspirations pending adoption of the Local Plan

– Market conditions affecting project viability

– Potentially conflicting views from residents and other key stakeholders creating uncertainty

Inherent risk level (no controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Controls in place at MVDC

– Asset Management Plan in place

– Regular periodic reviews of business cases for property/project transactions

– Asset Management Working Group in place to review and inform potential asset development and disposals

– Ensuring that recommendations put forward for approval at Cabinet are deliverable and/or that the risks are fully identified and explained with accompanying sensitivity analysis

– Stakeholder and community engagement strategies identified on a case by case basis

– Due diligence undertaken on all potential transactions

– Forward planning and monitoring to enable MVDC to plan for worst case scenarios and plan the response

– Capacity to deliver assessed prior to commitment to delivery

Residual risk level (after existing controls)

Probability: 3

Impact: 4

Risk score: 12 (amber)

Movement of residual risk since last review

None

Risk appetite

Probability: 3

Impact: 4

Risk score: 12 (amber)

Risk owner – Member

Cabinet Member (Property and Projects)

Risk owner – Officer

EHoS – Prosperity

Key: EHoS = Executive Head of Service.

Additions / deletions in last 12 months:-

Additions:

January 2023 – Processing card payments

January 2023 – Asset development and disposal