Risk Management Procedure 2011-12
1. Enhancing Knowledge and Understanding
Continued effort will be invested in a communications campaign highlighting the benefits of risk management and opportunity identification to academic, commercial, administrative and support departments, endeavouring to link this where possible with the University’s Business Continuity planning, Health and Safety, and Estates Management processes through the Operational Risk Management Group. This will include the compilation and dissemination of good practice in the practical application of risk management and advice on the University’s approach and its application, in particular highlighting where good risk management has added value.
2. Identification of the University’s Significant Risks and Associated Controls
All departments are asked to undertake an annual assessment of departmental risks and potential opportunities in relation to the department’s strategic priorities. Heads of Department are encouraged to engage a wide group of staff in the process of developing the Departmental Risk Assessment with the aim of ensuring opportunities and risks from the full range of a department’s activities are identified. This may be achieved by discussing the Risk Assessment at least annually with the Departmental Management Group (or equivalent), in association with those staff with responsibility for managing specific areas of risk and for departmental business continuity arrangements.
2.1 Academic Departments
All academic departments are required to submit and report on their Departmental Risk Assessment as part of the annual Strategic Planning process managed by the Academic Resourcing Committee. The Departmental Risk Assessment will identify those major strategic and operational risks faced by the department and should consider both internal and external factors in assessing the likelihood and impact of these risks.
All Risk Assessments submitted by academic departments will be considered at the Strategic Planning Meetings with Heads of Departments undertaken by the Chair of the Academic Resourcing Committee and relevant Faculty Chair. The Risk Assessments will also be provided to the Finance Office, to inform five-year financial planning discussions with departments; to the Governance Team, for further comparative analysis; and to the Internal Audit Team. In addition, the University’s Operational Risk Management Group will consider each Departmental Risk Assessment in detail and will propose to the Steering Committee any amendments to the University’s Risk Register to reflect issues which pose significant institutional risk.
2.2 Non-academic Departments
All administrative and commercial departments are required to submit and report on their Departmental Risk Assessment as part of the annual Five Year Financial Planning process. All such departments are requested to submit a SWOT (Strengths, Weaknesses, Opportunities and Threats) Analysis along with their Departmental Risk Assessment.
2.3 Reporting
Consideration of the Departmental Risk Assessments (and SWOT Analysis where applicable) will be undertaken by the following bodies for the relevant departments:
| University Group or committee | Departments considered |
| Academic Resourcing Committee (ARC) | All academic departments |
| Operational Risk Management Group | All departments |
| Commercial and Related Activites Group (CRAG) | All commercial and earned-income departments |
| Academic and Service Departments Annual Reivew (ASDAR) | All central administrative departments |
| Financial Plan Sub-Committee (FPSC) |
All devolved academic departments and those not included above (together with reports from ORMG, ARC, ASDAR and CRAG) |
In addition, a summary report will be produced to identify common themes and to advise on department risk management and business continuity processes. This summary report will be considered by the Operational Risk Management Group, the Academic Resources Committee, the Commercial and Related Activities Group, the Financial Plan Sub-Committee and the Steering Committee. Detailed advice and guidance to support departments in undertaking risk analysis will be considered on an annual basis by the Operational Risk Management Group and the Steering Committee. Additional support and advice is provided by the University’s Governance Team within the Deputy Registrar’s Office.
The main purposes of the Risk Assessment exercise are threefold:
(a) To provide a focused opportunity for individual departments to consider existing and future opportunities and the associated current and future risks against their strategic objectives;
(b) To provide relevant and consistent information to University decision-making bodies to enable them to prioritise effectively the allocation of University resources;
(c) To aid in the identification and assessment of the University’s key risks and contributing factors to be included in the University Risk Register and to ensure the University is aware of the total risk profile and the cost (including opportunity cost) of risk mitigation activity.
Any significant risks, including those opportunity costs as a result of opportunities that may not be taken up, will be considered at the relevant management group or committee as identified above. The relevant groups and committees will also take the Risk Assessments into account when prioritising newly proposed bids and will report any significant risks to the Financial Plan Sub-Committee. In addition, as outlined in section 2.1, the ARC Strategic Planning meetings with discuss the department’s identified risks with each Head of Department
Alongside these this processes, the Operational Risk Management Group will review the risk assessments provided by academic departments (as part of their Strategic Planning documentation) and the SWOT Analyses and Risk Assessments provided by non-academic departments (as part of the Five Year Financial Planning process). Following this consideration, the Group will propose to the Steering Committee any amendments to the University’s Risk Register to reflect Departmental Risk Assessments.
The proposed University Risk Register for the following year will be considered by the Steering Committee following consultation with Senior Officers and the Senior Management Team. The Council will receive the full list of University Risks normally in the Summer Term, with an outline of the key risks and the associated management measures being implemented and proposed to reduce the risk status.
The University risks presented to the Council will focus primarily on those University strategic risks which cut across a number of areas of the University and which are not necessarily fully covered within the delegated responsibility of the sub-Committees of the Council.
The University classifies risks into the following eight categories based on those categories suggested by the HEFCE:
| R | Reputation |
| T | Teaching / Student Experience |
| Res | Research |
| S | Staffing issues |
| SA | Estates and Facilities / Health and Safety |
| F | Financial issues |
| O | Organisational issues |
| IT | Information and IT |
While these categories can be helpful in identifying the key are of the risk and they are used in the University Risk Register, risks will often be interdependent and may cross a number of the above categories.
3. Monitoring and Evaluation of University Risks
Risks are managed on a daily basis by those responsible for the wide-range of activities undertaken by the University. This distribution of responsibility for risk management highlights the importance of ensuring that understanding of the University’s approach to risk management is communicated widely to University decision-makers as set out above. The University also needs to ensure that key institutional risks are monitored against the University’s agreed strategic objectives. Additionally, decisions must be taken in the knowledge of an accurate assessment of the current level of risk faced by the University and whether a certain decision will increase or decrease the University’s risk profile. To facilitate this, a summary report from the Governance Team (Deputy Registrar’s Office) will be considered at one meeting of the Council each term. The report will outline the current status of the University’s key risks as reported by Risks Holders and whether the risks have increased, decreased or stayed the same. A brief summary will be included of any additional controls established or planned to minimise the risk for those where the risk has increased.
University Risk Holders will be requested to review the University Risk Register each term and to assess the current status of the residual risk (i.e. the risk after all actions planned and being taken to mitigate the risk have been taken into account). This risk status update will be facilitated primarily by consideration of the University Risk Register at the Senior Officers’ Group with a revised Risk Status Summary report being considered at the Steering Committee in advance of it being submitted to the Council. In the Summer Term, a review and assessment of the University’s Risk Register in addition to the current status of any new and existing risks will take place as set out above.
University Risks will be ranked by both the scale of the impact and the likelihood that the risk will occur on a numerical scale from one to four. The impact and likelihood scores of the risk will be calculated after taking into account all of the mitigation measures being taken to reduce the level of both the severity of impact and the probability of the risk.
To assist in scoring the likelihood and impact of the risk, the following notional definitions will be considered.
Likelihood Score (of occurring within the next 4 years)
|
1 |
Improbable (1-20%) |
| 2 | Not likely (21-50%) |
| 3 | Likely (51-80%) |
| 4 | Very likely (81-100%) |
Impact Score
| 1 |
Will impair achievement of one or a small number of strategic goals. (Financial impact on University annual surplus under approximately £250,000) |
| 2 |
Will impair achievement of a number of strategic goals and/or significantly impair one strategic goal. (Financial impact on University annual surplus between approximately £250,000 and £500,000) |
| 3 |
Will significantly impair a small number of strategic goals. (Financial impact on University annual surplus at approximately between £500,000 and £1 million) |
| 4 | Will significantly impair a small number of strategic goals and/or halt the achievement of one or more strategic goal(s). (Financial impact on University annual surplus over approximately £1 million) |
Risk Status
The following four-tier ‘traffic light’ system of status indicators will then be applied to establish the overall status of the risk by adding the likelihood score and the impact scores together:
| 7 or 8 | Red | Problematic | Requires urgent attention and decisive action |
| 5 or 6 | Amber | Mixed | Requires substantial attention, some aspects need urgent attention |
| 3 or 4 | Amber Green | Satisfactory | Some aspects require substantial attention, some good |
| 2 | Green | Good | Requires refinement and systematic implementation |
This method of assessing threats will also be used, where appropriate, by Heads of Departments when considering departmental risks, the Academic Quality and Standards Committee (AQSC) in assessing teaching quality risks, and when proposals for significant new initiatives are considered. The approximate financial impact associated with each risk impact score, however, is relevant at a University-wide level. The amounts given are notional only for those predominately financial risks, acknowledging that most University risks will have wider implications and, therefore, impact is primarily defined against the achievement of the goals set out in the University Strategy.
NOTE: The definitions of the impact scores and overall status scores for the level of institutional may be subject to change following the Risk Management review.
4. Review of the Risk Management Policy and Procedure
The Governance Team (Deputy Registrar’s Office) will submit to the Audit Committee in the Summer Term a brief annual summary report on the risk management measures taken throughout the year as well as any proposed changes to the University Risk Management Policy or Procedure. In compiling this report, Senior Officers and the Senior Management Team will be consulted. The report and the views of the Audit Committee will be considered by the Council to provide the appropriate assurance that the University Risk Management process is operating effectively. Consideration of the Risk Management Annual Report by the Audit Committee in the Summer Term will also allow the Committee to consider risk management issues alongside the consideration of the Annual Internal Audit Strategy and Plan.