Shropshire Council’s risk management system is 'limited' - audit

That is the verdict of an internal audit assessment that looked into the processes for reviewing and updating operational risk registers, the capture and monitoring of them, and the reporting of risks to senior management.

Audit findings are evaluated to provide a level of assurance on the effectiveness of the system of internal control.

The evaluations are defined as “good”, “reasonable”, “limited” and “unsatisfactory”. However, while it was found there is basically a sound system of control in place, it was deemed that Shropshire Council’s risk management system contains weaknesses which leave some risks unaddressed. There is also evidence of non-compliance with some key controls.

The report stated that an opportunity risk management strategy (ORMS) is in place and was signed off by interim chief executive Tanya Miles last October.

It sets out the roles and responsibilities for risk management across the council. However, it has been acknowledged that a full re-draft of the strategy is required to align with the new council plans following their publication in 2026, and to incorporate process changes recommended within the audit report.

It was also found that the board and management do not receive periodic reports on the risk management process.

The report does note, however, that a comprehensive risk management timetable is in place, and a clear process exists for the reporting of incidents and near misses.

It was also found that risk registers were found to be “populated” in sufficient detail. However, while the council’s ‘conducting ongoing monitoring activities to periodically reassess risk and the effectiveness of controls to manage risk’ was assessed as satisfactory, there was one exception, leading to a “requires attention” recommendation. The proposed improvement is to focus on amendments to strengthen the layout, functionality, and controls within the risk register format.

The Audit and Governance Committee will discuss the report at its meeting this Thursday (February 5).

Ahead of the meeting, John Palmer, a member of the public, asked if the chairman (Councillor Duncan Kerr) is concerned with the assessment, and whether details behind the judgment “may have negligible resonance”.

This, according to Mr Palmer, may be due to the “often precarious nature of staff’s full-pelt 24/7 dedicated valiant attempts to preserve the highest possible standards of service delivery taking precedence”.

In response, Councillor Kerr said: “We fully recognise the pressures faced by managers and staff across the organisation, including the resource demands you refer to. However, the purpose of internal audit’s work is to evaluate whether the governance framework is operating effectively, regardless of the pressures on individual services.

“The limited assurance rating therefore is not a reflection on the commitment of staff, but highlights weaknesses in the wider system of oversight and risk management. Accurate and routinely updated risk registers are essential to ensure that risks are recognised, escalated, and managed appropriately.

“Risk management is fundamental to the council as it underpins the successful deliver of the council’s objectives and priorities.

“It is especially critical given the council’s current financial emergency where clear visibility on risks is needed to support decision making and prioritise essential service delivery.

“The committee takes the audit findings seriously. We are assured that management is already acting on the recommendations, and we will monitor progress closely to ensure that the improvements required are delivered.”