Policy Information

  • Responsibility of: University Secretary and Chief Compliance Officer
  • Approved: October 2017
  • Updated: May 2018
  • Updated: November 2021

1. Purpose of the guidance

1.1 This guidance is aimed at ensuring the Heads of Schools/Colleges/Professional Services and Project Sponsors are aware of the requirements of the risk management policy. It outlines how risks should be managed and escalated where appropriate.

2. Aim of the University’s risk management policy

2.1 The aim of the University’s risk management policy is to ensure that policies and procedures are in place to identify and manage risks (and also opportunities) in accordance with the agreed risk appetite statement and thereby enable the University to meet its strategic objectives.

2.2 To inform the management of risk, the University will take a measured approach to risk management that enables:

  • an understanding of the level of risk exposure that can be tolerated;
  • an understanding of the type of risks faced and how to measure them;
  • where the level of risk exposure is too high, that a suitable level of mitigation exists;
  • the on-going assessment of the effectiveness of mitigation;
  • prompt action where existing arrangements are found to be inadequate or ineffective;
  • an awareness of risk at all levels of the University to ensure that risks are escalated to a level of management that can effectively respond to them.

2.3 The risk management policy is approved by the Board of Governors.

3. School/College/Professional Service risk management

3.1 The role of the Head of School/College or Service is to manage risk at the School/College/Service level. These risks should be identified alongside appropriate controls and reported to VCE through the annual planning process and through regular review of risk registers.

3.2 The aim of risk management at the School/Professional Service level is to ensure that:

  • operational risks are managed effectively;
  • risks that might affect the strategic development of Schools/Services are identified and managed;
  • risks which have University-wide implications are identified and escalated where appropriate.

3.3 Managing risk entails putting appropriate controls in place to mitigate and manage risks effectively. All risks must be given a risk owner who is responsible for ensuring that the mitigating action takes place.

4. Identification of risk and risk registers

4.1 Heads of School/Services should ensure that fundamental risks in their School/Service are identified, assessed, mitigated and monitored.

4.2 Heads of School/Service should maintain a risk register for their school/service which sets out the risks relating to their area. These documents are formally reviewed each term with the Finance Manager.

4.3 Emerging risks should be added as required, and improvement actions or mitigation should be indicated and monitored. Where appropriate, any improvement actions or mitigation should have a specific timeline for completion.

4.4 The Risk Register should be updated regularly as outlined in the Risk Management Process attached at Appendix A. The updates are timed so that any new risks identified can be escalated if appropriate to VCE or the Senior Management Group when they consider the University Risk Register which is then considered by the Audit and Risk Committee of the Board of Governors.

5. Scoring of risks

5.1 The University has adopted a scoring scale of (Likelihood x Impact) + Impact as set out in Appendix 2. This is to ensure that risks are sufficiently differentiated, and that appropriate focus is given to mitigating the highest risks.

5.2 When scoring risks, the University’s Strategic Risk Register should be the starting point against which each school/service calibrates its risk scoring.

5.3 The review of risks should also take into account the University’s risk appetite statement.

6. Consideration of risk and escalation

6.1 As outlined in 3.3 above, the University Risk Register is reviewed three times a year by the Senior Management Group (SMG) following its consideration by the Vice Chancellor’s Executive. The purpose of this consideration is to ensure that SMG is aware of the University level risks and that there is also an opportunity for schools and services to discuss and escalate risks.

6.2 All risks with a gross rating of ‘red’ should be escalated as should those that are increasing. Any risks with a net risk rating that reaches ‘amber’ should be escalated. Escalation should take place through the regular meetings with Finance, raised in discussion with the VCE line manager and where appropriate raised at SMG.

6.3 Schools and Services should also raise escalating risks with their Finance Manager who will feed these into the review of the University’s Risk Register.

6.4 Finance will request an update to the risk register from each school and department following the updates. Each school/service will either respond with an updated risk register or confirm that no changes to the register are required since the previous update.

6.5 A summary of any key changes received is prepared by Finance. This is then presented at the Strategic Risk Register update attended by Finance and key members of VCE. Any changes are fed into the overall review of the Strategic Risk Register that takes place at that meeting.

6.6 Heads of School/Service should also monitor their risks through their School/Service Executive meetings and flag any emerging risks, or risks which are increasing, to their VCE line member and to Finance.

7. Risk management for projects

7.1 For all projects, there must be a consideration of risks and their mitigation. For major projects, this must be formalised by use of the Project Management Risk Register Template. Similarly, risks must be outlined in the Project Initiation Document (PID) and the Project Mandate. Reference in the PID and the project mandate must be made to how the project has been assessed against the University’s risk appetite statement.

7.2 The scoring of risks must be in line with the scoring system outlined in Appendix 2. As for School/Service risks, the starting point should be the University Strategic Risk Register to ensure that they are calibrated effectively.

7.3 All risks must be allocated a risk owner who is responsible for undertaking any risk mitigation. The effectiveness of this mitigation must be reviewed and the changes in risks tracked over time.

7.4 The risks associated with projects must be considered regularly by the Project Board and reported to the appropriate group (e.g. ECPG or ISG).

Appendix 1: Risk register: timetable and process

  • A&R - Audit and Risk Committee
  • SMG - Senior Management Group
  • VCE - Vice Chancellor's Executive

School/CSD risk register and strategic risk register

September, October, November

  • School/Professional Service and the VCE will update the SMG who will update and inform the A&R.

December, January and February

  • School/Professional Service and the VCE will update the SMG who will update and inform the A&R.

April, May and June

  • School/Professional Service and the VCE will update the SMG who will update and inform the A&R.

Appendix 2: Risk management scoring

The scoring scale is (Likelihood x Impact) + Impact. e.g. (2x3)+3=9

Impact - Scored from 1-5

  1. Negligible - can be easily and quickly put right
  2. Minor - Impact on costs or loss of income with little or no damage to reputation
  3. Moderate - Major impact on costs, income and certain key organisational objectives
  4. Major - Service is seriously affected and/or high increase in costs
  5. Catastrophic - Major loss of income and/or reputation

Likelihood - Scored from 1-5

  1. Rare - 0-20%
  2. Unlikely - 20-40%
  3. Possible - 40-60%
  4. Likely - 60-80%
  5. Almost certain - 80-100%

Overall score - (Likelihood x Impact) + Impact

  • A low score is considered 2-9
  • A moderate score is considered 10-12
  • A major score is considered 15-18
  • A catastrophic score is considered 20-30
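Added worked example (not part of the policy document): the Appendix 2 scale and its four bands in Python, enumerating all 25 likelihood/impact combinations to confirm that every achievable score falls inside a band and that the gaps between bands (13-14 and 19) are scores the formula can never produce. Function and table names are this example's own.

```python
# Added example, not part of the University's policy: Appendix 2 scoring,
# (Likelihood x Impact) + Impact, with the bands the appendix defines.
from itertools import product

IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}

# Bands exactly as listed in Appendix 2 (inclusive ranges).
BANDS = [("low", 2, 9), ("moderate", 10, 12), ("major", 15, 18), ("catastrophic", 20, 30)]


def score(likelihood: int, impact: int) -> int:
    """Appendix 2 scale: (Likelihood x Impact) + Impact, e.g. (2x3)+3 = 9."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be scored 1-5")
    return likelihood * impact + impact


def band(total: int) -> str:
    """Map a total score to its Appendix 2 band; raise if it falls in a gap."""
    for name, low, high in BANDS:
        if low <= total <= high:
            return name
    raise ValueError(f"score {total} is not covered by any band")


def scoring_matrix() -> dict:
    """Every (likelihood, impact) cell mapped to (score, band).

    Raises if any cell were to land in a gap between bands, so a successful
    call is itself the check that the bands cover the whole 5x5 matrix.
    """
    cells = {}
    for lik, imp in product(range(1, 6), repeat=2):
        total = score(lik, imp)
        cells[(lik, imp)] = (total, band(total))
    return cells


def unreachable_scores() -> set:
    """Totals between 2 and 30 that no likelihood/impact pair can produce.

    Because score = Impact x (Likelihood + 1), values such as 13, 14 and 19
    (the gaps between the bands) are never reachable.
    """
    reachable = {total for total, _ in scoring_matrix().values()}
    return set(range(2, 31)) - reachable
```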