1) Formal reporting of incidents/ compliance breaches identified

For each area of compliance at the University, do people understand what is ‘formally’ reportable and what isn’t? Who should any kind of compliance breach be reported to and how?

You may wish to refer to the University's Whistleblowing Policy. Whistleblowing is speaking up about certain types of actual or potential wrongdoing that you have seen or know about whilst at work, that may cause a danger to others or be illegal.

2) Internal risk management: recording, mitigating and escalating risks and issues as required before they become an incident/ breach

It is important to have mechanisms for flagging emerging compliance concerns before they become an incident/ breach. If teams or individuals are experiencing barriers in effectively managing their compliance obligations (e.g. university systems, structures, processes), there needs to be a way to report and/ or escalate concerns so that they can be considered and addressed.

Operational risk registers could be one mechanism for doing this, to flag and mitigate emerging concerns before they become an incident / breach. The University's Risk & Resilience team encourage you to contact them to discuss risk management within your department. The team is able to offer guidance and advice in the form of meetings, risk workshops and presentations and can develop bespoke sessions to focus on the issues that are pertinent to individual departments.