Audit Committee - Thursday, 18th September, 2025 5.00 p.m.
Summary
The Liverpool City Council Audit Committee convened to discuss risk management, cybersecurity, and the governance of council companies, among other key issues. The committee reviewed and approved the revised Corporate Risk Management Policy and Strategy, received a briefing on cyber security threats and mitigation measures, and discussed improvements to the governance and oversight of the council's wholly-owned companies and joint ventures. The committee also reviewed assurance reports on procurement, health and safety, and treasury management, highlighting areas of compliance and opportunities for further improvement.
Risk Management Update
The committee reviewed the Risk Management Update, which provided assurance on the mitigations in place to manage the council's most significant risks. The committee agreed to note the report and approve the revised Corporate Risk Management Policy and Strategy.
The Head of Corporate Anti-Fraud, Victoria Gallacher, presented the report, noting that there were no material changes to the registers. However, concerns were raised about the management assessment of risks related to families and children outside the system, including school exclusions and inconsistencies highlighted by Ofsted[1]. The committee was informed that work was underway with Children's Services to ascertain the risk controls and mitigations needed, with a report due at the next meeting.
The committee also agreed to a proposal to present the Corporate Risk Register on a quarterly basis, rather than at every meeting, and to make Appendix 3 of the report, the full Corporate Risk Register, exempt from publication due to the sensitivity around disclosing specific risk narratives.
Cyber Security Deep Dive
The committee received a Cyber Security Deep Dive report from Darren Gill, Director IT & Digital, which provided a summary of the main cyber threat risks and the council's current position. The report referenced Corporate Risk Register item CR4, which addresses the potential impact of a successful cyber-attack on the council's infrastructure, including compliance with the General Data Protection Regulation (GDPR)[2] and the availability of ICT systems.
The report outlined several key threats:
- Ransomware Attacks: Malicious software encrypts data and demands payment for its release. Mitigations include firewalls, intrusion prevention services, patching servers, Multi Factor Authentication (MFA), Role Based Access Control (RBAC), and an air-gapped backup solution.
- Phishing and Social Engineering: Deceptive emails or messages trick staff into revealing credentials or installing malware. Mitigations include a multi-vendor, multi-layer email security system, content controls, a reject DMARC policy[3] on the liverpool.gov.uk email domain, and attack simulation training for users.
- Data Breaches (Human Error & Malicious Access): Unauthorized access or accidental exposure of sensitive data. Mitigations include blocking access to unmanaged personal email and web storage platforms, managed access to M365[4] with conditional access controls and DLP monitoring, content filters, Microsoft Purview modules, and internal file monitoring software.
- Denial of Service (DoS/DDoS) Attacks: Overwhelming systems with traffic to disrupt services. Mitigations include Internet Service Provider (ISP) level anti-DDoS services, firewalls, IPS, and traffic management systems.
Council Companies Governance Report
The committee reviewed the Council Companies Governance Report, which detailed ongoing progress on improving the governance of council-owned companies. The report noted that there are four wholly owned subsidiary Local Authority trading companies (LATCos) and eight joint venture or minority shareholdings.
The four wholly owned subsidiaries are:
- ACC Liverpool Group Ltd
- Liverpool Streetscene Services Ltd
- School Improvement Liverpool Ltd
- Liverpool Foundation Homes Ltd
The eight joint venture and minority shareholdings are:
- Sciontec Developments Ltd
- Liverpool Airport (Intermediate) No.1 Ltd
- Liverpool Airport Property Holdings Ltd
- Liverpool Partnership LLP
- Briggs Automotive Company Ltd
- Stanley Park Company Ltd
- Liverpool Futures CIC
- Kings Waterfront (Estates) Ltd
The report highlighted ongoing enhancements to the governance, oversight, and management of council companies, including the formalised governance structure with the Companies Governance Board, refreshed Company Stakeholder Framework, and legal governance agreements.
However, the report also noted a setback due to the vacant Principal Companies & Commercial Accountant post, which has impacted the council's ability to scrutinise the financial performance of its companies. The council is looking to recruit appropriately skilled capacity in this area.
The committee noted the report.
Improvement Sub-Committee Assurance Report
The committee received an Improvement Sub-Committee Assurance Report, which provided assurance as to the purpose and work of the Improvement Sub-Committee, a sub-committee of the Cabinet. The report set out how the sub-committee discharges its role and gives assurance on the processes in place to enable it to properly fulfil that role.
The report noted that the mandate for the Improvement and Assurance Board (I&AB) came to an end on 31 March 2025, marking the conclusion of any form of external intervention at the council. The Improvement Committee was established in April 2025 to support the council's continuous improvement journey.
The Improvement Committee has identified a work programme to May 2026, which focuses on four key areas:
- Maintaining strong governance, integrity and transparency
- Improving corporate systems
- Improvements in social care and housing
- Improvements in delivery of services and the interface with citizens
The committee agreed to note the contents of the report and provide any feedback or recommendations in relation to the purpose and operation of the Improvement Sub-Committee.
Annual Procurement Assurance Report
The committee received the Annual Procurement Assurance Report, which provided an update on procurement governance and procedures and the related transformation workstreams. The committee was asked to note the assurance given by the Head of Procurement and Contracts that procurement arrangements, including processes and procedures, are up to date, fit for purpose and effectively communicated.
The report noted that the council is progressing a significant Procurement Transformation Programme as part of the Finance Improvement Programme, with workstreams including Contract Standing Orders, Procurement Planning, the Procurement Act 2023[5], Reporting & Governance, Social Value, Contract Management, Target Operating Model, and Communications.
The report also provided the following information:
- External spend in 2025/26 to date is approximately £371m.
- There have been no successful procurement challenges in the period to which this report relates.
- The number of exemptions in 2025/26 to date is 72 to a value of £6m, down from 228 during the 12-month period.
- Suppliers committed to delivering social value initiatives with a proxy value of £7.1 million.
- Spend with suppliers within the Liverpool City Region equates to 60% (£224m) of expenditure in 2025/26 to date.
The committee noted the assurance provided in the report.
Annual Health and Safety Assurance Report
The committee received the Annual Health and Safety Assurance Report, which provided an overview of the governance, controls, and performance management arrangements in place across Health and Safety (H&S). The report highlighted progress made during the past year and outlined the areas that have been highlighted for improvement.
The report noted that the council has a legal responsibility for the health and safety of all employees, council premises and maintained schools, which extends to all users of premises and those who may be affected by council activities.
During the 2024/25 reporting period, a total of 843 incidents were reported to Health & Safety (H&S) concerning both council and maintained school employees and non-employees. Incident rates were highest within Neighbourhoods and Housing, City Development, and Adult Social Care & Health. Near misses accounted for 30% of all reported incidents, while slips, trips, and falls, physical assaults, and manual handling injuries were identified as the primary causes across both the council and schools. H&S conducted investigations into 300 incidents, representing 36% of the total cases. Additionally, 84 incidents were reported under RIDDOR[6], equating to just under 10% of all incidents. There were seven claims submitted relating to H&S incidents across the council's estate in 2024/25.
The committee agreed to note the assurance provided in relation to Health and Safety governance, controls, systems and processes, and to note the progress achieved and the plans for improvements identified.
Assurance Statement: Treasury Management
The committee received an Assurance Statement on Treasury Management, which provided an overview of the Treasury Management Assurance Statement for the 2024/25 financial year. The report provided details of the control environment and the key activities undertaken by Treasury Management.
The report noted that a key objective of the council's treasury management function is to ensure that cashflows are effectively managed, so that cash is available when it is needed and that surplus cash is invested having regard to risk, liquidity and yield.
The committee agreed to note the contents of the report and that Treasury Management activities for 2024/25 have been carried out in compliance and within an effective control environment.
[1] Ofsted is the Office for Standards in Education, Children's Services and Skills. They inspect and regulate services that care for children and young people, and services that provide education and training.
[2] The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU) and the European Economic Area (EEA).
[3] DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect email senders and recipients from phishing and spoofing attacks.
[4] Microsoft 365 (M365) is a suite of cloud-based productivity and collaboration tools offered by Microsoft.
[5] The Procurement Act 2023 is UK legislation that aims to simplify and modernize public procurement processes, promote transparency, and ensure value for money in government contracts.
[6] RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013) is a UK law that requires employers, and other people in control of work premises, to report certain serious workplace accidents, occupational diseases and specified dangerous occurrences to the Health and Safety Executive (HSE).