Risk Management for Academic Departments
This guidance is aimed at groups and individuals who are completing a Departmental Risk Assessment and who may be unfamiliar with undertaking a Risk Assessment at Warwick. It is not designed to be a comprehensive guide to developing Departmental strategy or analysing uncertainty in relation to risk and new opportunities. You may wish to review the summary of previous returns which gives some examples of the range of issues the Department may wish to consider.
This Guidance outlines how academic departments can (please see separate guidance for non-academic departments) :
- Undertake a Risk Assessment against the Department’s strategic objectives;
- Use this information to inform the Department’s Strategic Plan and the Department’s Five Year Financial Plan;
- Assess the uncertainty or ‘risk’ in undertaking, or not undertaking, the Department’s planned activities.
Please use the Academic Department Risk Assessment form to record the outcomes of the Departmental Risk Assessment. Contained within the spreadsheet are additional hints and tips to support you in completing the form.
Completing your Departmental Risk Assessment
1. Identify your Key Risks
- Identify between 6-10 key risks to achieving your Departmental objectives (and, if applicable, University goals and objectives where there are direct links to the achievement of these).
- Consider combining closely related risks into one key risk, noting the various elements within it under the broad risk title, in order to keep to a maximum of 10 key risks per department.
- Consider timescales when identifying risks: (a) risks over the life of the Department’s strategic and financial plans, and in relation to any activities proposed within it, and (b) consider the more distant horizon of 10 – 15 years, particularly whether there are any key areas of uncertainty that can be identified which would hinder Departmental strategic objectives.
- Review supporting documents to help indentify risks: e.g. Business Continuity Plans, any recently undertaken reviews (e.g. Strategic Departmental Reviews, Teaching and Learning Reviews, ASDARs, etc.), or health and safety or audit assessments may inform some of the risks faced by the Department. In addition, it may be appropriate to consult the recently introduced University Anti Bribery Policy, and consider the risks of bribery occurring or being perceived to have occurred during the course of the department’s activities.
What is a 'risk' for the purposes of the Departmental Risk Assessment? Risk can be defined as any area where you cannot be sure of the outcome (i.e. key areas of weakness, threat or uncertainty) and that, if realised, would hinder the Department in achieving its objectives. There may also be risks associated with new opportunities which the Department wishes to develop or with strengths that may not be fully exploited. In order to aid assessment and monitoring of risks, the ‘risk’ should be written as a negative statement rather than a neutral or positive one.
2) Classify the Risks
- Assign a category to each risk. The University uses eight general categories to classify risks. Each key risk should be classified within the most relevant category. Where risks cover a number of the categories select the category with the closest fit from the list provided. The Risk Assessment form incorporates a drop-down list to aid selection.
- Identify the context of the ‘risk’. Brief bullets can be included in the Risk Assessment form under ‘Contributing Factors’ in column C.
- Outline the departmental/University strategic objectives impacted by the risk. Use column D in the Risk Assessment form to identify those objectives whose achievement would be most affected by the uncertainties described in the risk.
3) Analyse and Evaluate your Key Risks
- Indentify the GROSS LIKELIHOOD and IMPACT of the risk. Risks should be classified against the 1-4 scale of likelihood (enter in column E of the form) and the 1-4 scale of impact (enter in column F of the form)
What is gross risk? Risks should be considered in relation to their ‘gross risk’ as well as their ‘net risk’. Inherent or gross risk is the likelihood and impact of the risk before any actions have been taken to manage it. Analysis of the inherent risk helps to assess the effectiveness of current activities being undertaken so that the Department and the University does not lose sight of their significance when considering new ventures or the University’s changing portfolio of activities (for example, if consideration is being given to discontinuing certain activities).
- Outline activities or management measures being undertaken to minimise (a) the likelihood of each identified risk occurring and/or (b) its level of impact (or in the case of a new opportunity, to maximise the possibility and/or scale of success). Enter these in bullet form under the ‘Management Measures in Place’ on the Risk Assessment form (column H)
- Identify the team/position of the person responsible for implementing these measures. Measures may be undertaken within the Department, be managed within the central administration, or in liaison between both.
- Assess the mitigated (NET) LIKELIHOOD and IMPACT of the risk in the light of these management measures in place (assuming they are being effectively undertaken). This is the net risk, and can be scored against the 1-4 scale of likelihood and the 1-4 scale of impact. Enter these scores in columns I and J respectively on the Risk Assessment form.
-
NB: Overall risk status score is automatically calculated in the spreadsheet. Likelihood and Impact are are added to establish the overall risk status.
Should the status for gross and net risk differ? Yes! It is expected that the measures your department has in place (or will shortly be implementing) will help to reduce the overall status of the risk. As such a lower score would be expected to be entered under the net risk assessment than is entered under the gross risk assessment.
Example risks are given on the Risk Assessment form for reference. These sample risks will not be relevant to all departments, and are given as an indication only of the breadth of key risks that might be faced by your department. The summary of previous Departmental Risk Assessments can also offer useful examples.
Mitigating Action
When considering the risks a department or the University faces there are four options for action which can be categorised under the four ‘Ts’:
| Take/Tolerate | The risk may be worth accepting with no further action. This may particularly be the case if any mitigation would be more resource intensive than the risk itself or indeed if the ability to do anything about the risk is limited. |
| Treat | The risk may still not rest within the threshold that is tolerable by the Department and/or the University but we would not wish to terminate the activity so we endeavour to undertake further action to minimise the risk. The majority of risks will probably fall in this category. |
| Terminate | The risk may be outside the threshold that is tolerable and bringing it within the threshold would be prohibitively resource intensive so the activity creating the risk would be stopped or the new activity proposed would not be pursued |
| Transfer | This typically relates to insurance or other mechanisms for releasing the burden of risk such as outsourcing. |
Departments should consider its key risks and the ‘4 Ts’ when planning its management measures and proposed future actions. Activities outlined in the ‘Proposed Future Action(s)’ section may treat more than one of the risks identified. However, where the costs of taking action may be disproportionate to the potential benefits, the department may decide to simply tolerate the risk. The University does not wish to create a culture of risk aversion by undertaking Risk Assessment – a certain amount of risk is needed for future success. However, the University’s Risk Management process must ensure that risks are identified and the institution is aware of the full portfolio of risks that it is accepting.