Lewisham Council is actively reviewing and updating its Corporate Risk Register to better manage potential threats to its objectives, including key risks such as cyber security and IT asset management, the latter particularly concerning the programme to refresh council laptops.
The Audit and Risk Committee convened on 11 November 2025 to discuss the latest iteration of the register, a crucial document that identifies and assesses risks that could impede the council's progress. The

Richard, whose role was not specified, introduced the report, highlighting ongoing efforts to improve risk management across the council. He noted that Kelly O, the risk officer, and Colin, whose role was not specified, have been actively engaging with management to enhance risk awareness and mitigation strategies. According to Richard, this engagement is beginning to permeate down to the service level, with Kelly being invited to service management teams. A risk workshop was completed with the corporate resources directorate, focusing on reviewing and documenting risks and ensuring mitigation strategies are in place with accurate scoring. One example was cyber security, where mitigating actions are being reviewed to ensure target scores are achievable. The report includes the past three assessment scores for each risk, including cyber security. Mitigating actions are being put in place to achieve the target scores, and the target score for cyber security was being revised since the papers were released. Further risk workshops are planned, including one for the chief executives directorate.
Councillor Stephen Penfold commented on the addition of the risk assessment history, calling it "exceptionally healthy" and noting it provides greater insight into trends. He said it would help the committee identify areas where the council may not be paying enough attention or where there is significant concern or changing positions. Councillor Penfold said it was "very useful information for us to have and it's certainly going to make our work easier going forward".
Councillor Eva Kestner echoed these comments, adding that it was reassuring to hear about the engagement at both management and directorate levels. She emphasized the importance of having realistic target risks and clear, achievable mitigation measures. She noted the change in the cyber security target risk as an example of adapting to circumstances outside of the council's control.
An internal audit, conducted externally for independence, is planned to assess risk management, and is due to be completed this year. The outcomes of the audit will be fed into a service improvement plan.