Agenda item - Risk Management Update
Minutes:

The Head of Internal Audit and the Head of the Insurance Service presented and reported that a serious cyber incident was listed as Risk 10 on the Strategic Risks Dashboard at appendix 1 of the report. This had been set at the highest risk score possible, 25, prior to the November 2025 incident, and the planned mitigations were now being fast-tracked.


The Committee was then invited by the Chair to comment and to put questions to officers. During the discussion, the Committee:


1.    Noted the 481% increase in phishing attacks per month over 18 months to Council email addresses and asked what the Council was doing to mitigate these attacks. Officers responded that the Council ran mock-phishing exercises to test officer responsiveness and that all officers were given cybersecurity training. The increase most likely represented a broader increase in phishing attempts across large organisations rather than a targeted attack against the Council.


2.    Asked for clarity on the different roles served by the Strategic Risks Dashboard at pages 71-72 of the report and the Strategic Risks Heatmap at page 73 of the report and queried if there were any discrepancies between the two tables. Officers explained that the Strategic Risks Dashboard showed the risk score and trend for the last 5 reporting periods. The movement from the last reporting period was represented by a downward, upward or level arrow. The Strategic Risks Heatmap visually set out the current risks in the Strategic Risk Register as it stood in January 2026, with the heatmap for May 2025 included for reference. Officers added that these documents would be updated with feedback from the Committee and other bodies and recirculated to the Committee ahead of its March meeting.


3.    Queried why Risks 8 and 18 had been removed from the Strategic Risks Heatmap for January 2026. Officers responded that Risk 8, Corporate Performance Monitoring, was removed from the corporate risk register in June 2025 because several related actions were completed and that the monitoring could be managed on the departmental risk register. Risk 18, Care Quality Commission (CQC) inspections, was included within Risk 22 regarding regulatory oversight inspections and removed as a standalone risk.
4.    Requested that future Strategic Risks Heatmaps be broken down more effectively to aid the Committee’s understanding of the Risk Register.


Action for: Head of Internal Audit


5.    Expressed that the impact score of 4 for Risk 9 (failure in service continuity/safeguarding arrangements) appeared lower than expected. Officers advised that impact scores were set by the relevant service areas and undertook to discuss the matter with the service and report back on how the score had been determined.


Action for: Head of Insurance Service


6.    Queried how the effectiveness of partner working was assessed in the context of Risk 1 regarding working effectively with partners to support the Grenfell bereaved and survivors. The Chair noted that detailed, granular points such as this would be the responsibility of the relevant select committee to scrutinise and that the Audit and Transparency Committee would not be able to scrutinise each mitigation of each risk in detail. The Committee noted that the inclusion of the relevant scrutiny body for each risk within the Strategic Risk Register would be useful, as would the receipt of select committee reports on issues of concern for the Audit and Transparency Committee. The Committee also expressed the view that the Strategic Risk Register's current format was overly detailed, making a strategic overview by the Committee more difficult.
Supporting documents: