Risk Management Policy
January 2015
Risk Policy
The risk management policy forms part of the University’s internal control and corporate
governance arrangements. Good risk management practice is about having a holistic
approach, driven by a desire to balance stability and innovation.
The policy explains the University’s underlying approach to risk management, documents
the roles and responsibilities of the board of governors (Council), the senior management
team (UMAG), and other key parties. It also outlines key aspects of the risk management
process, and identifies the main reporting procedures.
In addition, it describes how Council evaluates the effectiveness of the institution’s internal
control procedures.
Risk is often defined as “the threat or possibility that an action or event will adversely or
beneficially affect an organisation’s ability to achieve its objectives”.
There are many potential benefits of implementing and embedding risk management as a
management tool, some of which are listed below:
• Supports strategic and business planning
• Allows new opportunities to be grasped
• Enhances communication across the University
• Supports effective use of resources
• Promotes a continuous improvement culture
• Helps to focus the internal audit programme
• Reassures stakeholders
• Reduces shocks and surprises
2.1 Underlying approach to risk management
The following key principles outline the University’s approach to risk management and
internal control. Specific roles are outlined in sections 3 to 5:
• maintaining an environment where issues can be raised and discussed openly
between Management and Council;
• the University makes conservative and prudent recognition and disclosure of
the financial and non-financial implications of risks;
• risk is considered as an embedded part of every key project (capital, revenue
or other);
• key risk indicators will be identified and closely monitored on at least a
quarterly basis by UMAG and reported on to Council.
2.2. Role of Council
Council has responsibility for overseeing risk management within the institution as a whole.
Its role is to:
• set the tone and influence the culture of risk management within the University.
This includes:
 determining the appropriate risk appetite or level of exposure for the
University as a whole or on any relevant individual issue;
 determining what types of risk are acceptable and which are not;
 setting the standards and expectations of staff with respect to conduct and
probity;
• approve major decisions affecting the University’s risk profile or exposure;
• monitor the management of significant risks to reduce the likelihood of
unwelcome surprises;
• ensure that there is an overall system of management control for identification
and management of less significant risks;
• annually review the University’s approach to risk management and approve
changes or improvements to key elements of its processes and procedures.
2.3. Role of the Audit Committee
The Audit Committee’s annual report to Council must include the Committee’s opinion on
the adequacy and effectiveness of the University’s risk management, control and
governance arrangements. The committee oversees internal audit, external audit and risk
management, as required in its review of internal controls. The committee is therefore well
placed to provide advice to the Council on the effectiveness of the internal control system,
including the institution’s system for the management of risk.
2.4. Role of the Senior Management Team (UMAG)
UMAG assumes the operational role of risk committee with prime responsibility for
managing and reporting on risk issues regularly to Council. Key roles of UMAG are to:
(a) identify and evaluate the significant risks faced by the institution for
consideration by the Council;
(b) provide adequate information in a timely manner to the Council and its
committees on the status of risks and controls and recommend to Council
policies on risk management;
(c) the Emergency Planning and Risk Committee is a sub group which has been
established to progress the embedding of emergency planning management,
business continuity management and risk management across the University.
2.5 Risk Management as Part of the System of Internal Control
The system of internal control incorporates risk management. This enables the University to
respond to a variety of operational, financial, and commercial risks. These elements
include:
(a) Policies and Procedures
Attached to significant risks are a series of policies that underpin the internal
control process. The policies are set by Council or by other groups under
delegations established by Council and implemented and communicated to
staff by senior management. Written procedures support the policies where
appropriate.
(b) Monthly Reporting – financial and key projects
Comprehensive monthly reporting is designed to monitor key risks and their
controls. Examples include the Monthly Management Accounts and monthly
Project Executive meetings. Decisions to rectify problems are made at
regular meetings of UMAG and the Council if appropriate.
(c) Strategic Risks Register
This is compiled quarterly for review by UMAG and helps to facilitate the
identification, assessment and ongoing monitoring of risks significant to the
University. The document is formally appraised annually but emerging risks
are added as required, and improvement actions and risk indicators are
monitored regularly.
(d) Faculty Risk
Faculty Deans and equivalents are responsible for encouraging good risk
management practice within their area and need to ensure that significant
risks in their faculty or division are identified, assessed and monitored. The
risks should be fully appraised annually but emerging risks are added as
required, and improvement actions and risk indicators are monitored
regularly.
(e) Internal Audit Programme
Apart from its normal programme of work, internal audit is responsible for
the annual review of the effectiveness of the internal control system within
the University.
(f) External Audit
External audit provides feedback to the Audit Committee on the operation of
the internal financial controls, reviewed as part of the annual audit.
The University’s Annual Report includes a Statement on Internal Control. The full
text of this statement, as included in the 2014 Annual Report, is attached.
2.6. Risk Management Strategy
The Risk Management Policy is implemented operationally at a number of levels. Good risk
management practice is about having a holistic approach, driven by a desire to balance
stability and innovation.
2.6.1 Risk Rating
At University level an initial assessment of gross risk is made, with scores attached
based on ‘Impact’ (severe to insignificant) and ‘Probability’ (very high to very low).
Next it considers the safeguards in place to reduce the gross risk to a residual risk
level. It also considers any additional safeguards planned and the target residual risk
level.
Risk matrix (Impact down the rows, Probability across the columns; each cell is the
Impact score multiplied by the Probability score):

Impact \ Probability   Very Low (1)   Low (2)   Medium (3)   High (4)   Very High (5)
Severe (5)                  5            10         15           20           25
Major (4)                   4             8         12           16           20
Moderate (3)                3             6          9           12           15
Minor (2)                   2             4          6            8           10
Insignificant (1)           1             2          3            4            5
Each risk is scored out of five for Impact (ranging from 1 for insignificant, to 5 for
severe impact), and out of five for Probability (1 being very low, 5 being very high),
producing a Total Risk Score out of 25.
[Figure: scoring scales. Total risk: 25, 20, 15, 10, 5. Income Impact: Disastrous,
Critical, Severe, Moderate, Negligible; rated Very High, High, Medium, Low.]
Total Gross risk score – risk assessed as if no controls are in place.
Total residual risk score – risk assessed after those controls, which have been
assessed as effective, have been taken into account.
2.6.2 Responsibility
The Risk Register identifies those with senior managerial responsibility for ensuring
that there is management of the particular risk, and within that, assigns lead
responsibility to individuals. Other staff are involved in managing the activities and
in taking appropriate action, should an adverse event occur; but those with such
operational responsibilities are not identified in the Risk Register.
2.6.3 Dynamic or Static
Risks are also categorised into either ‘Dynamic’ or ‘Static’. Dynamic risks are those
considered to be live and changing in response to the current external environment.
Static risks would be those present in the background over a longer period.
2.6.4 Potential Income Impact
This summary list will include assessment of the potential financial impact of
particular risks on achievement of the Strategic Plan using a scale of Very
High/High/Medium/Low. For this purpose, Very High is defined as in year impact
>£10M, High between £5M and £10M, Medium between £2M and £5M, Low as
<£2M.
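The scoring scheme of sections 2.6.1, 2.6.2 and 2.6.4 worked through in code. This is an added example, not the University's own tooling: the 1 to 5 scales, the 25-point total, the gross versus residual distinction (only controls assessed as effective count) and the income bands come from the policy text; the register entries, the per-control score reductions and the ranking used for the Council extract are constructed assumptions.

```python
"""Scores risk-register entries with the policy's 5 x 5 scheme. Added example, not the
University's tooling; entries and per-control reductions are constructed."""
from dataclasses import dataclass, field

IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}
PROBABILITY = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

@dataclass
class Control:
    name: str
    assessed_effective: bool   # only controls assessed as effective count
    impact_reduction: int = 0  # constructed: scale points the control removes
    probability_reduction: int = 0

@dataclass
class Risk:
    title: str
    impact: str                 # key of IMPACT
    probability: str            # key of PROBABILITY
    income_impact_gbp_m: float  # potential in-year income impact, £ million
    controls: list = field(default_factory=list)

def gross_score(r: Risk) -> int:
    """Total gross risk score: assessed as if no controls were in place (max 25)."""
    return IMPACT[r.impact] * PROBABILITY[r.probability]

def residual_score(r: Risk) -> int:
    """Total residual risk score: only effective controls reduce the two axes."""
    i, p = IMPACT[r.impact], PROBABILITY[r.probability]
    for c in r.controls:
        if c.assessed_effective:
            i, p = i - c.impact_reduction, p - c.probability_reduction
    return max(1, i) * max(1, p)  # neither axis drops below 1

def income_band(gbp_m: float) -> str:
    """Policy bands: >£10M Very High, £5M-£10M High, £2M-£5M Medium, <£2M Low
    (the shared boundary values are unstated; £5M is read as High, £2M as Medium)."""
    return ("Very High" if gbp_m > 10 else "High" if gbp_m >= 5
            else "Medium" if gbp_m >= 2 else "Low")

def council_extract(register, limit=12):
    """Top residual risks for Council, capped at the 10-12 the policy expects
    (ranking by residual score is an assumption; Red/Amber is not defined here)."""
    return sorted(register, key=residual_score, reverse=True)[:limit]

REGISTER = [  # constructed sample entries
    Risk("Student recruitment shortfall", "Severe", "Medium", 12.0,
         [Control("Recruitment monitoring", True, probability_reduction=1)]),
    Risk("Capital project overrun", "Major", "High", 3.5,
         [Control("Project Executive monthly review", True, 1, 1),
          Control("Contingency fund", False, 1, 0)]),
]
```

The second entry shows the gross/residual distinction: its contingency fund has not been assessed as effective, so it leaves the residual score untouched.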
(a) Reviewed by Council (quarterly)
An extract from the full strategic risks register showing high-level risks,
identified in the risk matrix as either Red or Amber. This is accompanied by a
covering report which highlights new, increasing and decreasing risks. It
would be expected that no more than 10 to 12 risks in number would be
brought to Council’s attention to ensure that discussion focussed on the most
significant.
The full register will be reviewed annually.
(b) Reviewed by Audit Committee (quarterly)
The extract from the full strategic risks register as presented to Council,
supplemented by information on responsibility and controls. The full register
will be reviewed annually.
(c) Reviewed by UMAG (quarterly)
A copy of the full strategic risks register showing scores, responsibilities and
control actions. Each issue highlights new, increasing and decreasing risks.
Faculty and Divisional Risk Registers are considered on a rotational basis. The
agenda of one meeting a year will be focussed on risk management.
(d) Reviewed by Project Executive Committees established for key projects (in
particular capital and major IT projects) (monthly)
A copy of the full Project related register showing scores, responsibilities and
control actions.
(e) Reviewed by Faculties (termly) and Divisions (or equivalent) (quarterly)
A copy of the full Faculty/Divisional related register showing scores,
responsibilities and control actions.
2.7. Annual review of effectiveness
Council is responsible for reviewing the effectiveness of internal control of the institution.
Its view will be informed by the whole range of information provided to it throughout the
year and also an independent report from the Audit Committee. Its approach is outlined
below.
For each significant risk identified, Council will:
• review the previous year and examine the University’s track record on risk
management and internal control;
• consider the internal and external risk profile of the coming year and consider if
current internal control arrangements are likely to be effective.
In coming to a view on the effectiveness of internal controls the Council will consider the
following aspects.
(a) Control environment:
• the University’s objectives and its financial and non-financial targets;
• organisational structure and calibre of the senior management team;
• culture, approach, and resources with respect to the management of risk;
• delegation of authority;
• public reporting.
(b) On-going identification and evaluation of significant risks:
• timely identification and assessment of significant risks;
• prioritisation of risks and the allocation of resources to address areas of
high exposure.
(c) Information and communication:
• quality and timeliness of information on significant risks;
• time it takes for control breakdowns to be recognised or new risks to be
identified.
(d) Monitoring and corrective action:
• ability of the University to learn from issues that arise;
• commitment and speed with which corrective actions are implemented.
Audit Committee prepares a report of its review of the effectiveness of the internal
control system annually for consideration by Council.