Risk Management Policy

Risk Management Policy Third Edition: February 2012

1. The Purpose of this Policy

The University defines risk as the possibility that an action or event will adversely (or beneficially) affect the University's ability to achieve a planned objective. The identification, assessment, monitoring, management and reporting of risks are the responsibility of every member of staff and as a consequence of managing identified risks:

  • The planned objectives are more likely to be achieved

  • Adverse risks are less likely to happen

  • The impact of adverse risks which are realised is reduced.

Effective risk management is therefore regarded as a critically important part of the work of the University because it greatly reduces the chances of surprises adversely affecting the University and, at the same time, increases confidence on the part of the internal and external stakeholders.

The purpose of this policy is to set out the University's approach to risk and describe how this is used to inform the Risk Management System which was devised and first implemented in 2002/3.

2. The Risk Management Policy

The Risk Management Policy informs the approach to the Risk Management System which is the established process by which the University identifies risk, assesses risk and manages risk in order that it should succeed in its planned objectives. This approach is outlined below.

2.1 Corporate Strategy, Risk and the Planning Cycle

Risk arises naturally and directly from the implementation of corporate aims and objectives and the operational business and service plans developed by the faculties and departments. Therefore risk assessment and management is an integral part of all management activity. It is University policy that all substantive activities should be subject to risk assessment leading to a judgement of the residual risks. This includes all projects, for example, academic developments, commercial developments, human resource initiatives, health and safety, estates projects, communication upgrades and IT developments and externally funded projects. Risks must be regularly monitored and actively managed until the objectives have been achieved (or the risk realised). The risk assessment is formally integrated into the University planning cycle.

2.2 Defining Risk Elements

Risk elements should be described in terms of the harm that may come to the University if the identified risk is realised. The harm is normally expressed in terms of the failure to reach the objective and operational, reputational and financial damage that may be incurred as a result.

2.3 The Risk Assessment template

The risk elements and their assessments should be set out in risk registers using the standard University risk assessment template (Guidance Pack 2011 edition). The risk register should describe the risk element, the actions taken and the planned actions and the residual risk rating. The register should also state the owner of the risk and the manager of the risk. The rating of all risks should be described using the standard University nomenclature with residual risks described as tolerable, moderate, substantial or severe. Risk elements are removed when the objective has been reached (or the risk realised) and new risk elements added when new dangers are detected or new activities are started. Appendix B of the Guidance Pack may be used to record the workings behind the initial assessment of risk and the reasoning behind the calculation of residual risk.

2.4 Assessing the appetite for risk

The University maintains a risk appetite matrix which takes into account the severity of the residual risk and the relative strategic importance of the activity. This matrix provides guidance on the acceptability of the proposed activity. Managers are also expected to consider the current portfolio of risk in coming to a decision whether to accept new risk.

2.5 Risk ownership, risk management and transfers of risk ownership

Every risk has a risk owner who should be identified on the risk register. The risk owner is the designated member of staff (or management group) who carries the ultimate responsibility for ensuring that the impact and likelihood of occurrence of any adverse risks are minimised. Normally, the risk owner is also the risk manager who undertakes the responsibility for implementing the actions that will minimise adverse risks. However, the risk owner may arrange for another manager with relevant expertise to undertake the task of managing the risk on behalf of the risk owner. Thus the Executive may ask a director of a department to manage a risk for which the Executive retains responsibility. In these circumstances, the risk manager is responsible for providing the risk owner with regular updates on the position, particularly if there is a sudden deterioration (see 2.6 below). It is the responsibility of the risk owner to monitor the risk movements and to update the Executive as frequently as necessary.

In certain circumstances a risk may be initially identified and assessed by one faculty or department but following negotiation, the ownership of the risk may be transferred to another department for which the ownership is more appropriate because the actions fall within its normal remit. The distinctive responsibilities of risk ownership and risk management and any transfer of ownership should be set out clearly in the risk register.

2.6 Managerial responsibility to report risk

The managers who have the designated responsibility for managing identified risks are responsible for agreeing the action plan and reporting the progress, including changes in residual risk, to their line directors and the owners of the risk (if different). Sudden deterioration in residual risk should be reported to line directors immediately. It should be noted that the implications of a residual risk rating of severe are so extreme that the rating cannot be tolerated. It is University policy that immediate action is required to moderate the residual risk or terminate the activity.

2.7 Risk Registers

The University maintains a Corporate Risk Register which is updated regularly in line with the Corporate Governance Cycle (or more frequently if there is a significant development). In addition, a Standing Risk Register is maintained which includes long-standing risks that the University monitors.

Each faculty or department is also required to maintain a risk register which should be updated systematically.

In addition, the managers of specific projects are expected to maintain a project risk register for the duration of the project.

It is the responsibility of Faculty and Department Risk Managers to notify the University Risk Manager of any local risks that they consider should be escalated to the Corporate Risk Register.

The Corporate Risk Register, through the Corporate Management Team, is considered and approved by the Executive. The latest approved version of the Corporate Risk Register is stored on the CMT shared drive for information.

Faculty and Departmental Risk registers are considered and approved by the Dean or Director concerned. Project Risk registers are approved by the Dean or Director responsible. Faculty and Departmental risk registers should be lodged with the University Risk Co-ordinator in order to be made available on the Risk Management shared folder.

2.8 Responsibility for managing the Risk Management System

Although every member of staff carries some responsibility for the management of risk the University identifies a team of risk managers who exercise an overview of the risk management system. It is University policy that the University should appoint a University Risk Manager and that each faculty and department should appoint a senior member as the Faculty or Departmental Risk Manager.

The Risk Managers meet twice yearly and their Terms of Reference are set out in a separate document.

2.9 The Role of the Corporate Management Team

The role of the Corporate Management Team is to:

  • Ensure that each Faculty and Department has an appointed Risk Manager

  • Work with their appointed Risk Manager to ensure that the University Risk Manager is notified of any local risks that may need to be escalated to the Corporate Risk Register

  • Recommend and, once approved by the Executive, implement policies on risk management

  • Review the Corporate Risk Register

  • Ensure that the risk management system is functioning effectively

2.10 Governance and the responsibility for risk and management effectiveness

The University position as reflected by the Corporate Risk Register is critically important in the context of governance. The Governing Council has responsibility for ensuring that the University is managed effectively. It is therefore policy that the Corporate Risk Register is presented to each meeting of the Audit and Risk Committee and the Finance, Employment and General Purposes Committee as well as the Governing Council. This ensures that the members of Governing Council have full opportunity to appreciate the University's position and raise queries relating to individual risks or the collective risk. Audit and Risk Committee also receives regular reports on the developments of the Risk Management System. This information helps the governing body come to an objective view of the effectiveness of management at the University.

2.11 Internal Audit of the Risk Management System

The University appoints internal auditors to advise it on the effectiveness of its operations. The Risk Management System is a key element within the University and as a consequence the internal audit service is expected to maintain a close overview of the Risk Management System and report its findings to the Audit and Risk Committee of the Governing Council. The findings contribute to the overview of assurance which in turn forms part of the Annual Report of the Audit and Risk Committee, which is approved by the Governing Council and submitted to the Higher Education Funding Council for England.

The external auditors and HEFCE auditors may conduct separate, independent audits of the Risk Management System on an occasional basis.

3. Review of the Risk Management Policy

This Risk Management Policy is kept under review by the University Risk Manager and Faculty/Departmental Risk Managers and updated periodically in the light of operational experience. The policy is approved by the Executive and endorsed by the full Governing Council.

Risk Management Guidance Pack

Andrew Hartley
University Risk Manager
Third Edition: Approved by the Executive February 2012.
Original policy - February 2002 (June Hughes, Chair of the Risk Management Group)

© Copyright University of Derby 2013