Corporate Risk Policy - My.Anglia Homepage

Anglia Ruskin University
Risk Management
Title: Corporate Risk Policy
Reference Number: AR-RM-CR01
DOCUMENT HISTORY
Issue  Date      Details
0.1    Apr-02    Draft Risk Management Policy
0.2    Feb 04    Draft Risk Management Policy
0.3    July 04   Draft Risk Management Policy
0.4    Aug 04    Risk Management Policy (for consideration by Directorate)
1.0    Nov-04    Corporate Risk Policy Statement and Procedures
2.0    May-05    Corporate Risk Policy
3.0    Dec-05    Draft Corporate Risk Policy
4.0    Feb 06    Corporate Risk Policy review
5.0    Dec 06    Annual policy review and update
6.0    Dec 07    Annual policy review and update
7.0    Nov 08    Annual policy review and update to include new reporting arrangements. Agreed by Audit & Compliance Committee Feb 2009
8.0    May 2011  Policy review and update
9.0    Nov 2012  Annual Policy Review
Role           Name                   Signature   Date
Author         A. Chapman
Reviewer       S. Bennett, P. Varley
Authorised by  A & C Committee
Issued by      Risk Management
AR-RM-CR01/Issue9.0 Nov 2012
Executive Summary
Corporate Risk Policy Statement and Procedures
AR-RMD-CR01
This document is intended to assist Anglia Ruskin University and its subsidiaries in controlling business risks, sometimes referred to as ‘Corporate Risk’. As such, this document forms part of Anglia Ruskin’s internal control and corporate governance arrangements.
This policy explains Anglia Ruskin's underlying approach to corporate risk management and documents the roles and responsibilities of the Board of Governors, Vice Chancellor’s Group (VCG) and the Corporate Management Team (CMT). It also outlines key aspects of the risk management process and identifies the main reporting procedures.
In carrying out their duties, all employees must have regard for the possible risks. Employees must recognise that such risk, if uncontrolled, can result in failure to meet Anglia Ruskin’s objectives and cause a drain on resources that could better be directed to front line student provision.
This document must be implemented within every Faculty and Support Service and, where the Board and senior management consider necessary, within Joint Venture and Subsidiary Companies.
Faculty Pro Vice Chancellors and Deans, and Heads/Directors of Support Services, have the responsibility and accountability for managing the risks within their areas of responsibility.
The policy is accompanied by guidance on carrying out effective corporate risk assessments, and the pro-forma to be used for such assessments.
Main Sections
1. Aims
2. General Principles
3. Legal Framework
4. Who has responsibility
5. How is the policy applied
6. Training
7. Communication
8. Monitoring & Review
9. Important Links
10. Related Policies and Procedures
Appendix A: Risk Management as Part of the System of Internal Control
Appendix B: Corporate Risk – Detailed Procedures

1 Aims
The aims of this policy are primarily to support Anglia Ruskin’s strategic objectives, but also to:
• Support Anglia Ruskin’s risk management strategy
• Fully meet our legal and regulatory requirements with regard to risk management
• Have risk management systems and processes that are generally recognised within the sector as “best practice”
• Ensure every employee of Anglia Ruskin has regard for the management of risks in everyday work situations and decision making processes
• Where practicable, reduce the likelihood and impact of risk events
• Reduce property and liability losses and claims
• Ensure that all staff are suitably trained to deal with the risk issues relevant to their position
• Provide suitable and sufficient information, instruction, training and supervision to all relevant staff
• Ensure effective liaison with external bodies where appropriate
• Create a culture within which risk management becomes embedded as a routine management discipline.

2 General principles
2.1 These are as set out in the Risk Management Strategy.

3 Legal & regulatory requirements
3.1 HEFCE's Accounts Direction for 2009-10 financial statements (http://www.hefce.ac.uk/pubs/circlets/2010/cl19_10/) requires Higher Education Institutions to ensure that they maintain a sound system of internal control and that the following key principles of effective risk management have been applied. Effective risk management:
• covers all risks – including governance, management, quality, reputational and financial – but is focused on the most important risks
• produces a balanced portfolio of risk exposure
• is based on a clearly articulated policy and approach
• requires regular monitoring and review, giving rise to action where appropriate
• needs to be managed by an identified individual and involve the demonstrable commitment of governors, academics and officers
• is integrated into normal business processes and aligned to the strategic objectives of the organisation.
Further regulatory and supporting guidance can be found in section 9 – Important Links.
4 Who has responsibility
4.1 The Board of Governors is ultimately responsible for ensuring that effective systems are in place for the identification, evaluation and management of risk.
4.2 The Corporate Management Team has overall responsibility for the establishment, ongoing development, implementation, monitoring and review of corporate risk policies and procedures.
4.3 The Corporate Management Team have been delegated operational responsibility for planning and guiding the ongoing development, implementation, monitoring and review of corporate risk policies and procedures.
4.4 The Corporate Management Team is responsible for:
• Supporting, advising and implementing the policies approved by the Board of Governors
• Proposing quarterly a priority listing of key risks that require constant evaluation throughout the year. These are confirmed by members of the Audit and Compliance Committee and ratified by the Board of Governors
4.5 The Corporate Management Team is responsible for:
• Implementing policies on risk management and internal control
• Undertaking, at least quarterly, a risk identification exercise (see Appendices A and B)
• Identifying and evaluating the significant risks faced by Anglia Ruskin for consideration by the Board of Governors
• Providing adequate information in a timely manner to the Board of Governors, and its committees, on the status of risks and controls
• Undertaking an annual review of effectiveness of the system of internal control as an embedded part of the strategic planning process
4.6 The Board of Governors are responsible for:
• Overseeing risk management within Anglia Ruskin as a whole
• Adopting an open and receptive approach to solving risk problems
• Setting the tone and influencing the culture of risk management within Anglia Ruskin. This includes:
  o Determining what types of risk are acceptable and which are not
  o Setting the standards and expectations of staff with respect to conduct/probity
• Determining the appropriate level of exposure to risk for Anglia Ruskin
• Approving major decisions affecting Anglia Ruskin’s risk profile or exposure
• Monitoring the management of significant risks to reduce the likelihood and significance of adverse risk events occurring
• Satisfying themselves that the less significant risks are being actively managed, with the appropriate controls in place and working effectively
• Annually reviewing Anglia Ruskin’s approach to risk management and approving changes or improvements to key elements of its processes and procedures
• Evaluating the effectiveness of Anglia Ruskin’s internal control process, based on information provided by the Corporate Management Team. For each significant risk identified, the Board will:
  o Review the previous year and examine Anglia Ruskin’s track record on risk management and internal control
  o Consider the internal and external risk profile of the coming year and consider if current internal control arrangements are likely to be effective
  o Consider the following aspects whilst making its decisions:
    Control environment:
    ~ Anglia Ruskin’s objectives and its financial and non-financial targets
    ~ Organisational structure and calibre of the senior management team
    ~ Culture, approach, and resources with respect to the management of risk
    ~ Delegation of authority
    ~ Public reporting
    On-going identification and evaluation of significant risks:
    ~ Timely identification and assessment of significant risks
    ~ Prioritisation of risks and the allocation of resources to address areas of high exposure
    Information and communication:
    ~ Quality and timeliness of information on significant risks
    ~ Time taken for control breakdowns to be recognised or new risks to be identified
    Monitoring and corrective action:
    ~ Ability of Anglia Ruskin to learn from its problems
    ~ Commitment and speed with which corrective actions are implemented
4.7 Faculty Pro Vice Chancellors and Deans and Heads/Directors of Support Services are responsible for:
• On-going identification and evaluation of significant risks:
  o Timely identification and assessment of significant risks
  o Prioritisation of risks and the allocation of resources to address areas of high exposure
  o Closely monitoring and reviewing risks and controls on a regular basis
  o Maintaining registers containing details of the most significant risks
  o Reporting on these risks in accordance with the agreed timetable (see procedures)
• Following the Project Compliance Unit Procedures in relation to new and ongoing projects, including submission of detailed risk reviews of projects
• Ensuring that ethics approval is obtained where required.
4.8 Risk Management is responsible for:
• Providing support to all staff required to carry out corporate risk assessments, if requested and appropriate
• Carrying out corporate risk assessment training, if requested and appropriate
• Monitoring the quality of individual assessments via a random sampling process
• Reviewing Faculty and Support Service risk registers and collating information to enable the Corporate Management Team to produce a high level register representing the most significant risks facing Anglia Ruskin
• Providing reports in accordance with the Board and Audit & Compliance Committee timetable to enable them to meet their regulatory responsibilities.

5 How is the policy applied
5.1 The procedures and guidance notes provide detailed instructions.

6 Training
6.1 Training for staff is set out in “A guide to your employment, training and development”. This includes Corporate Risk Awareness training, which is available online and can be arranged through Risk Management, and Corporate Risk in the Decision Making Process, which is delivered through workshops.
6.2 Training for Board members is arranged separately.
7 Communication
7.1 Communication is achieved through a range of methods including:
• Anglia Ruskin’s main website
• Risk Management website http://my.anglia.ac.uk/sites/risk/default.aspx
• Reports to appropriate committees.

8 Monitoring and review
8.1 The effectiveness of the policy and procedures is monitored through:
• Performance indicators
• Internal Audit
• External Audit
8.2 The Head of Risk Management will review this policy and the supporting procedures on an annual basis.

9 Important links
9.1
• Risk Management website http://my.anglia.ac.uk/sites/risk/default.aspx
• HEFCE's Accounts Direction to higher education institutions for 2009-10 http://www.hefce.ac.uk/pubs/circlets/2010/cl19_10/
• ‘Risk management in higher education: a guide to good practice’ (HEFCE 2005/11)
• ‘A guide to good practice for higher education institutions’ (HEFCE 01/28)
• Handbook for Members of Audit Committees in Higher Education Institutions http://www.hefce.ac.uk/pubs/hefce/2008/08_06/

10 Related policies & procedures
• Corporate Risk Management Strategy
• Health & Safety Policy Statement (AR-RMD-HSMS01)
• Risk Assessment Policy (AR-RMD-HSMS22)
• Insurance Strategy and Policy (AR-RMD-INS-1)
• Insurance Claims Procedures (AR-RMD-INS-2)
• Fraud Prevention Policy
• Anti-Bribery Policy
Appendix A
Risk Management as Part of the System of Internal Control
The system of internal control incorporates risk management. This system encompasses a
number of elements that together facilitate an effective and efficient operation, enabling Anglia
Ruskin to respond to a variety of operational, financial, and commercial risks. These elements
include:
1. Policies and procedures
Attached to significant risks are a series of policies that underpin the internal control
process. The policies are set by the Board of Governors and implemented and
communicated by managers to staff. Written procedures, where appropriate, support the
policies.
2. Regular Reporting
Comprehensive and regular reporting is designed to monitor key risks and their controls.
The Audit and Compliance Committee will receive regular updates on the monitoring of
key risks.
3. Business Planning and Budgeting
The business planning and budgeting process is used to set objectives, agree action
plans, and allocate resources. Progress towards meeting business plan objectives is
monitored regularly.
4. High level risk framework (significant risks only)
This framework is compiled by Corporate Management Team and helps to facilitate the
identification, assessment and ongoing monitoring of risks significant to Anglia Ruskin.
The document is formally appraised quarterly, although emerging risks are added as
required. Improvement actions and risk indicators are monitored regularly.
5. Faculty and Support Service Risk Registers
These should be developed and used to ensure that significant risks in their Faculty or
Support Service are identified, assessed and monitored. The document is formally
appraised within the annual strategic planning process, although emerging risks are
added as required. Improvement actions and risk indicators are monitored quarterly by all
Faculty Pro Vice Chancellors and Deans and Heads/Directors of Support Services.
6. Joint Venture & Subsidiary Company Risk Registers
Where the Board and senior management consider appropriate based on the nature,
complexity, and significance of the risks faced, Joint Ventures and Subsidiary Companies
will develop and manage their own risk registers. These will be managed in the same way
as Faculty & Support Service registers, with the Executive Directors taking primary
responsibility for the identification, assessment, monitoring and reporting of risks.
7. Audit & Compliance Committee (A&C)
The A&C Committee is required to report to the Board of Governors on internal controls
and alert them to any emerging issues. In addition, the A&C Committee oversees internal
audit and external audit.
8. Internal audit programme
Internal audit is an important element of the internal control process. Apart from its
normal programme of work, internal audit is responsible for aspects of the annual review
of the effectiveness of the internal control system within the organisation. Furthermore,
Anglia Ruskin’s risk registers will, to a great extent, inform the development of a risk
based internal audit programme.
9. External audit
External audit provides feedback to the A&C Committee on the operation of the internal
financial controls reviewed as part of the annual audit.
10. Third party reports
From time to time, the use of external consultants may be necessary in areas such as
health and safety or human resources. The use of specialist third parties for consulting
and reporting can increase the reliability of the internal control system.
Appendix B
Corporate Risk – Detailed Procedures
The Risk Management Process
Risk management is part of every manager’s day to day responsibilities. It is an integral part of
strategic planning, business planning, projects, partnerships and operational management.
For risk management to be effective it has to be a methodical continuous process.
The risks associated with each strategic decision, policy or service delivery option, should be
systematically identified, analysed, controlled and monitored.
Risk Identification
The Faculty Pro Vice Chancellor and Dean or Head of Support Service should carry out a
risk identification exercise to ensure that all potentially significant loss making situations
have been identified. This will be based on the activities carried out within Anglia Ruskin,
the Faculty or Support Service.
It will also include activities planned, as well as the activities of external bodies that may
impact on Anglia Ruskin’s objectives and operations.
In the same way that all activities should ultimately contribute to the attainment of Anglia
Ruskin’s strategic objectives, the risks identified should by definition have an impact on the
achievement of these goals.
The method or tools used for risk identification may vary according to circumstances. A
selection of different tools and techniques can be found on the Risk Management website:
http://my.anglia.ac.uk/sites/risk/default.aspx
The Faculty Pro Vice Chancellor and Dean or Head of Support Service will draw up a
schedule of risks (risk register). In determining this schedule they will take into account
the perceived likelihood of each corporate risk and its impact on Anglia Ruskin.
The full risk register is available at: http://my.anglia.ac.uk/sites/risk/default.aspx
Particular care should be taken when describing the risks on the schedule, as this will facilitate
the identification of appropriate control measures.
Risk – This should be a brief description of the risk. Most descriptions will start with phrases
such as “poor”, “lack of”, “failure”, “breach” and so on, e.g. Poor staff retention.
Cause – These will be the underlying causes that give rise to the risk. In the above example
these might be unattractive benefits package, uncompetitive pay, lack of promotional
prospects, etc.
Impact – These are the consequences of the risk occurring. The Assessment Criteria (see
below) may provide some clues as to where the main impacts might be, e.g., staff
injuries, damage to reputation, financial loss. Where possible these should be
quantified.
Risk Analysis
Using the Risk Assessment Criteria on the following pages, individual Faculty/Support Service
risk assessments should be carried out for each risk identified, looking at the impact that the
risk could cause for Anglia Ruskin, the Faculty or Support Service and the likelihood of the
risk occurring. These criteria are not exhaustive, but should be used as a guide. The impact
and likelihood scores can then be plotted on the Risk Matrix to establish an overall risk score.
The risk owner must then decide, taking due account of any existing controls, whether the
level of risk exposure is acceptable. If it is not, a strategy must be adopted to manage the risk.
There are fundamentally five options:
Tolerate – accept the current level of risk exposure.
Treat – implement actions/controls to reduce the risk to an acceptable level.
Transfer – consider options, including insurance and other contractual arrangements, as a means of transferring all or part of the risk to another party.
Terminate – cease the activity that gives rise to the risk.
Take an opportunity – risk management should not always be seen in a negative context. There are many instances where the risks of not pursuing a particular activity outweigh the risks of doing so.
Risks with scores exceeding the “Tolerance level”, which is currently set at 19 (based on the Assessment Criteria scores), will be the subject of a review by the Corporate Management Team to establish whether they are considered acceptable to the organisation. In order to provide greater assurance as to the effectiveness of controls for these most significant risk exposures, all of these risks should be supported by a Controls Self Assessment, completed by the Dean/Head of Service. These provide a more detailed analysis of the risk, controls and strategy for reducing the risk. As part of the CMT’s review they may additionally request from Pro Vice Chancellors and Deans/Heads of Support Services action plans to reduce the risks to a more acceptable level.
Risk Control
Risk Control is the process of implementing actions which are designed to reduce the
likelihood of the risk event taking place, or lessen the impact of the consequences if it does
occur. New controls/mitigations will normally result in procedural changes, may give rise to
additional costs, and sometimes can produce new risks. These factors will need to be
considered, and a compromise achieved to ensure that the balance between risks and
controls is appropriate.
Controls usually fall into the following categories:
Detective – These controls by definition operate after the event. They show when an unfavourable outcome has occurred, so that remedial action can be taken. Examples include: stock and asset checks, exception reports.
Directive – These are rules, instructions, policies etc., which are designed to ensure that a desirable outcome is achieved. Examples include: staff code of conduct.
Preventative – These are actions taken to reduce the likelihood of an undesirable outcome, and are the most common type of control. Examples include: the use of passwords, the separation of duties.
Corrective – These are controls that provide the route to recovery after an undesirable event. These might include: insurance; contingency plans.
Details of the controls, both existing and proposed should be recorded on the risk register,
with timescales/dates for implementation clearly indicated.
Performance/ Early Warning Indicators
As part of the risk monitoring process it is important to identify triggers which might alert you to
the risk occurring, deteriorating or improving, so that early actions can be taken to address
these changes, and manage the risk exposure. The triggers might include a range of key
management information, such as budget forecasts, complaint data, accident reports, human
resource data, and so on.
Risk Registers
Once completed, an electronic copy of the Risk Register should be forwarded to Risk
Management, where it will be collated with all the other Faculty/Support Service registers to
produce a Corporate Risk Register for the whole organisation.
In the case of new or existing projects these should undergo the separate assessment
procedures detailed by the Project Compliance Unit (PCU).
Monitoring
The risk management process does not finish with the implementation of controls and actions.
These will need to be constantly monitored to ensure that they remain appropriate and
effective.
The risks should also remain under constant review and reappraisal, to take account of the
ever changing risk environment.
Review of risks
As a minimum, risks that fall within the categories "Major" and "Fundamental" should be
reviewed quarterly; those that are within the bands "Moderate" and "Significant" should be
reviewed six monthly, and "Minor" risks should be reviewed at least annually.
Reporting
Faculties/Support Services should arrange their own internal reporting arrangements to
ensure that all risks, controls and actions are properly monitored, and any new risks are
identified, assessed, and documented.
Additionally, as part of the reporting process, the most up to date versions of the
Faculty/Support Service/Joint Venture/Subsidiary Company registers should be submitted to
Risk Management quarterly. The exact reporting dates will be determined by the Board
reporting cycle, and Faculties/Support Services will be notified of these well in advance.
The overall process can be summarised as follows:
Risk Assessment Criteria 2012-13

Risk Impact

Score 5 (Range: High)
Health & Safety: Multiple fatalities and/or injury of students, staff, board members and/or general public
Service Delivery: Disaster – severe, prolonged impact on service affecting whole organisation
Staffing & Culture: Severe impact on employee motivation leading to dissatisfaction and industrial unrest University-wide
Legal & Regulatory Compliance: Major breach leading to suspension or discontinuance of business or outsourcing/privatisation of core services and/or functions
Reputation: Very substantial adverse media comment at National level with long-term impact such as resignation of key senior staff and/or HEFCE enquiry
Financial: Over £5m
Time*: Delay jeopardises the viability of a major project
Quality*: Major project outcomes effectively unusable

Score 4 (Range: Medium High)
Health & Safety: Individual fatalities and/or serious injuries
Service Delivery: Serious disruption to service delivery from one or more faculties/support department
Staffing & Culture: Significant impact on employee motivation resulting in poor quality service delivery at faculty/support department level
Legal & Regulatory Compliance: Serious breach causing intervention, sanctions, and legal action
Reputation: Serious short-term damage to reputation, with adverse media comment at regional level
Financial: £1m to £5m, or recurring annual losses of £2m over 3 or more years
Time*: Failure to meet key deadlines in relation to the academic year or strategic plan
Quality*: Failure to meet the needs of a large proportion of stakeholders

Score 3 (Range: Medium)
Health & Safety: Moderate number of injuries – not life threatening
Service Delivery: Significant impact on service delivery at faculty/support department level
Staffing & Culture: Moderate impact on employees' motivation at single faculty/support department level
Legal & Regulatory Compliance: Significant breach leading to reprimand or sanctions, legal action
Reputation: Significant, adverse local media comment/public perception – short term impact
Financial: Between £500k and £1m
Time*: Delay affects key stakeholders – loss of confidence in the project
Quality*: Significant elements of scope or functionality will be unavailable

Score 2 (Range: Medium Low)
Health & Safety: Minor injuries affecting relatively small numbers of individuals
Service Delivery: Moderate impact on customer service at faculty/support department level
Staffing & Culture: Affects motivation of small groups of employees
Legal & Regulatory Compliance: Moderate impact leading to warning, threat of sanctions
Reputation: Minor, local adverse media comment/public perception
Financial: Between £100k and £500k
Time*: Slight slippage against key milestones or published targets
Quality*: Failure to include ‘nice to have’ elements

Score 1 (Range: Low)
Health & Safety: Affects very small number of individuals, only superficial injuries
Service Delivery: Minor impact on customer service, e.g. small number of complaints – faculty/support department level
Staffing & Culture: Impact limited to individuals at faculty/support department level
Legal & Regulatory Compliance: Minor impact only, no reprimand, sanction, or legal action
Reputation: Damage very localised, does not result in adverse media comment
Financial: Up to £100k
Time*: Slight slippage against internal targets
Quality*: Slight reduction in quality/scope with no overall impact
Risk Likelihood

Score  Range     Likelihood   Description
5      High      Likely       The risk is likely to happen within the next 3 months or is occurring at present
4      Med High  Probable     The risk could probably occur within the next 3 – 12 months
3      Med       Possible     The risk could possibly occur at least once every 1 to 3 years
2      Med Low   Remote       The risk is remote and may occur within the next 3 to 10 years
1      Low       Improbable   The risk is extremely unlikely to occur, but may do so in at least 10 years' time
Risk Matrix and Responses

Each cell gives the overall risk score (ranked 1 to 25) for a combination of Impact/Severity (rows) and Likelihood (columns). The risk tolerance line is set at 19 (see Risk Analysis above).

Impact/Severity \ Likelihood    1     2     3     4     5
5                              15    19    22    24    25
4                              10    14    18    21    23
3                               6     9    13    17    20
2                               3     5     8    12    16
1                               1     2     4     7    11

Responses by score band:
Fundamental (23–25): Unacceptable level of risk exposure which requires immediate corrective action to be taken.
Major (15–22): Unacceptable level of risk exposure that requires constant active monitoring, and measures to be put in place to reduce risk exposure.
Significant (10–14): Acceptable level of risk exposure subject to regular active monitoring measures.
Moderate (4–9): Acceptable level of risk exposure subject to regular passive monitoring measures.
Minor (1–3): Acceptable level of risk exposure subject to periodic passive monitoring measures.