Policy Information

  • Responsibility of: University Secretary
  • Initial approval date: 22 November 2016
  • Reviewed: November 2017, June 2019, November 2021, March 2022
  • Review date: June 2027
  • Approved by: Audit and Risk Committee, Board of Governors

1. Introduction

1.1 This policy sets out the University’s approach to risk management. It documents the roles and responsibilities of the Board, the Audit and Risk Committee, the Vice-Chancellor’s Executive, Heads of Schools/Colleges and Professional Services and other key parties. It also outlines key aspects of the risk management process and identifies the main reporting procedures including those for projects. In addition, it describes the process used by the Audit and Risk Committee on behalf of the Board to evaluate the effectiveness of the University’s internal control procedures.

2. Aim and objectives of the risk management policy

2.1 The University is committed to achieving its aims as defined in the Achievement 2023 Strategic Plan. In doing so, the University recognises that it will face a variety of risks.

2.2 The key aim of the University’s risk management policy is to ensure that policies and procedures are in place to identify and manage risks and thereby enable the University to meet its strategic objectives. The policy should, however, also enable the University to appraise and take advantage of opportunities.

2.3 To inform the management of risk, the University will take a measured approach to risk management that enables:

  • an understanding of the level of risk exposure that can be tolerated through an articulated risk management statement;
  • an understanding of the type of risks faced and how to measure them;
  • where the level of risk exposure is too high, that a suitable level of mitigation exists;
  • the on-going assessment of the effectiveness of mitigation;
  • prompt action where existing arrangements are found to be inadequate or ineffective;
  • an awareness of risk at all levels of the University to ensure that risks can be escalated to a level of management that can effectively respond to them.

2.4 The establishment of effective risk management is recognised as being fundamental in ensuring good corporate governance. These arrangements are therefore endorsed and upheld by the Board of Governors through the implementation of cyclical risk management reporting and monitoring regimes. These arrangements are intended to be both robust and transparent, underpinning the production of the annual Corporate Governance Statement. 

3. Principles underlying risk management at the University

3.1 The following key principles outline the University’s approach to risk management and internal control:

i) The Board of Governors will take steps to understand the nature and magnitude of any risk involved before taking important decisions to avoid circumstances that might seriously threaten:

  • Academic quality and standards
  • The student experience
  • Staff and student health, welfare, safety or security
  • The University’s reputation
  • The University’s financial viability and sustainability
  • Compliance with regulatory and statutory requirements

ii) The Audit and Risk Committee, on behalf of the Board, has responsibility for overseeing risk management within the University.

iii) The University makes conservative and prudent recognition and disclosure of the financial and non-financial implications of risks.

iv) The University Secretary and Chief Compliance Officer is responsible for risk management within the University and for identifying key risks, reporting them to the Audit and Risk Committee on behalf of the University and ensuring that they are monitored on a regular basis through a Strategic Risk Register. 

v) The Strategic Risk Register informs the annual internal audit plan to ensure that it is aligned with key risks.

4. Roles and responsibilities

4.1 The Board, advised by the Audit and Risk Committee, has a fundamental role in the management of risk which is to:

i) Set the tone and influence the culture of risk management within the University. This includes:

  • a) Determining whether the University is ‘risk taking’ or ‘risk averse’ as a whole or on any relevant individual issue;
  • b) Determining what types of risk are acceptable and which are not;
  • c) Setting the standards and expectations of staff with respect to conduct and probity;
  • d) Articulating a risk appetite statement.

ii) Approving major decisions taking into account the University’s risk profile or exposure and risk appetite.

4.2 On the Board’s behalf the Audit and Risk Committee:

  • i) Monitors the management of fundamental risks and actions to mitigate them;
  • ii) Satisfies itself that the less fundamental risks are being actively managed, with appropriate controls in place;
  • iii) Annually reviews the University’s approach to risk management and approves changes or improvements to key elements of its processes and procedures and reports on these through its annual report to the Board.

4.3 The Vice-Chancellor’s Executive is responsible for the active management of risk. The responsibility for risk management rests with the University Secretary and Chief Compliance Officer who works with the Vice-Chancellor’s Executive, particularly the APVC and Director of Strategic Planning, to ensure that key risks are identified, actions implemented and that progress is reported to the Audit and Risk Committee on behalf of the Board. This responsibility is discharged through the Vice-Chancellor’s Executive meetings where risk is a regular agenda item.

4.4 The role of members of the Vice-Chancellor’s Executive is to:

  • i) Develop and implement policies on risk management and internal control;
  • ii) Identify and evaluate the fundamental risks faced by the University for consideration by the Audit and Risk Committee on behalf of the Board;
  • iii) Undertake regular reviews of the effectiveness of the system of internal control and provide reports to each meeting of the Audit and Risk Committee on behalf of the Board;
  • iv) Ensure the management of key risks at School/College or Professional Services level and ensure that any emerging key risks are identified in the overall risk register;
  • v) Provide adequate information in a timely manner to the Board and its Committees on the status of risks and controls.

4.5 The role of the Head of School/College or Professional Services is to manage risk at the school/service level. These risks should be identified and appropriate controls determined and reported to VCE through the annual planning process and through regular review.

4.6 The role of the Project Sponsor for key projects is to ensure that risks for projects are identified and monitored and that there is appropriate escalation to VCE.

5. Risk appetite

5.1 The risk appetite in the institution will vary from time to time, influenced by both internal and external events. It is the view of the Board that, wherever possible, mitigating action should be taken to keep the overall level of risk at the lowest possible level, consistent with the University being able to pursue its strategic objectives and enable it to take advantage of key opportunities.  

5.2 The Board will agree a risk appetite statement and keep it under regular review.

6. Risk management as part of the system of internal control

6.1 The system of internal control incorporates risk management. This system encompasses a number of elements that together facilitate an effective and efficient operation, enabling the University to respond to a variety of operational, financial, and commercial risks. These elements include:

i) Policies and procedures

  • Attached to fundamental risks are a series of policies that underpin the internal control process. The policies are set by the Board and implemented and communicated by senior management to staff. Written procedures support the policies where appropriate.

ii) Reporting

  • Comprehensive reporting is designed to monitor key risks and their controls. The risk register should be reviewed at regular meetings of the Vice-Chancellor’s Executive and also the Senior Management Group.

iii) Business planning and budgeting

  • The business planning and budgeting process is used to set objectives, agree action plans, allocate resources and identify key risks. Progress towards meeting business plan objectives is monitored regularly.

iv) Strategic Risk Register (fundamental risks only)

  • The Strategic Risk Register is maintained by Strategic Planning. This is informed by both internal and external factors, an assessment of risks against the University Strategic Plan and also an assessment of risk registers produced by each School/College and Professional Service Department to facilitate the identification, assessment and ongoing monitoring of risks fundamental to the University. The document is formally reviewed each term to ensure emerging risks are added as required, and improvement actions and risk indicators are monitored regularly.

v) School/College and Professional Service Department risk frameworks

  • Heads of School/College and Heads of Professional Service Departments ensure that fundamental risks in their School/College/Department are identified, assessed and monitored. These documents should be formally reviewed by the local senior management team and in regular meetings with Finance. Emerging risks should be added as required and escalated where appropriate. Improvement actions and risk indicators should be monitored regularly.

vi) Audit and Risk Committee

  • The Audit and Risk Committee has delegated authority to report to the Board on internal controls and alert Governors to any emerging issues. In addition, the Committee oversees internal audit and external audit. The Committee provides advice to the Board on the effectiveness of the internal control system, including the University’s system for the management of risk.

vii) Internal audit programme

  • Internal audit is an important element of internal control processes. The internal audit’s programme of work, reported directly to the Audit and Risk Committee, is predicated upon the University’s risk profile as outlined in the Strategic Risk Register.

viii) External audit

  • External audit provides feedback to the Audit and Risk Committee on the operation of the internal financial controls reviewed as part of the annual audit of the financial statements.

ix) Project risk management

  • The project sponsor plays a key role in ensuring that risks for any major project are identified and mitigated. The sponsor is responsible for ensuring that there is an identification of risk for each project and that these risks are effectively mitigated and reported.

7. Annual review of effectiveness

7.1 The Audit and Risk Committee under delegated authority from the Board is responsible for reviewing the effectiveness of the University’s systems of internal control, based on information provided by the Vice-Chancellor’s Executive and internal and external audit.

7.2 On an annual basis, and following a formal determination, the Audit and Risk Committee presents to the Board their assessment of the adequacy of the systems of internal control and includes a statement of their view in the published accounts.