Secretariat

A Brief Guide to Risk Management

What is risk?

HEFCE, in its circular 01/28 "Risk management - a guide to good practice for higher education institutions", defines risk as "the threat or possibility that an action or event will adversely or beneficially affect an organisation's ability to achieve its objectives".

This definition links risk to achieving the University's objectives and also identifies that risk management is not just about recognising and mitigating a negative risk but also enables the identification of risk-taking opportunities that may lead to positive benefits.

Risks exist at different levels:

  • Corporate or strategic level - in the case of Cambridge those monitored by the Risk Steering Committee on behalf of the Council;
  • School and Departmental level; and
  • Project level.

The HEFCE risk management website has a number of risk-based scenarios and other documents that provide useful background information.

What are internal controls?

Internal controls are:

  • the range of Statutes, Ordinances, regulations, procedures and policies the University and Schools and Departments use to govern their work; and
  • any additional controls or mitigating actions taken to deal with a particular situation.

The aim of risk management is to ensure that these controls are effective in identifying, monitoring and controlling the risks the University faces in its day-to-day activities or any future ventures.

Risk Management

HEFCE defines risk management as:

"a process which provides assurance that:

  • objectives are more likely to be achieved;
  • damaging things will not happen or are less likely to happen; and
  • beneficial things will be or are more likely to be achieved."

The risk management method enables:

  • the identification of risks;
  • the evaluation of risks;
  • the setting of acceptable risk thresholds;
  • the identification and mapping of controls against those risks; and
  • the identification of risk indicators that give early warning that a risk is becoming more serious or 'crystallising'.

Summary of the method (to be read in conjunction with the more detailed risk management method page):

When initiating risk management for a project or activity, or across a whole range of activities, a risk identification process should be carried out. Having identified the risk or risks using the above, it is possible to evaluate and apply a numerical value for the probability and impact of the risk crystallising using the Size of Risk - Impact Guide. These documents are all available from the Risk Management Documentation section.

Multiplying together the values for likelihood and impact produces the risk score.

The level of risk faced by an organisation before any internal controls are applied is known as the gross or raw risk.

The level of risk faced by an organisation after internal controls have been applied is known as the net or residual risk. Controls will not eliminate the risk but help to manage it; therefore this is also known as the organisation's "exposure to risk".

The controls are those management actions taken to deal with a particular risk, and a judgement has to be made as to the numerical reduction to the raw risk score that they justify to produce the residual risk score.

Having identified and quantified its risks an organisation should then:

  • compile a risk register and prioritise its risks according to the risk scores;
  • identify a 'risk owner' for each risk. The owner should be closely involved with the risk, be able to monitor the risk and initiate action if the risk crystallises further; and
  • identify the relevant risk indicators.

Risk Indicators provide the risk owner with a series of 'warning lights' for each risk. They give the owner early warning that action may be required to mitigate that risk through stronger internal controls or, if the risk is outside the University's control, that it should be watched and closely monitored. The Risk Steering Committee recommends a minimum of three risk indicators for each risk, although some owners may select four or five to assist them in monitoring.

An organisation also has to determine whether it is 'risk-taking' or 'risk averse'. This assists in identifying risk thresholds: the trigger points where a risk, for example, moves from not being monitored, to being monitored, to being serious and possibly, ultimately, leading to withdrawal from the activity altogether. The amount of risk an organisation is prepared to tolerate before action is required is known as 'risk appetite' or 'risk tolerance'. It is advisable to have a risk tolerance for each risk identified, but it is also useful to determine a 'global risk tolerance'. If a risk were to go through this threshold, immediate attention, action or escalation might be required.

The Size of Risk - Heat Map represents the University's risk scoring matrix. It has 2 thresholds that trigger changes in the monitoring regime. The scoring system for impact and likelihood is shown on the front of the Key Risk Register and in the Size of Risk - Impact Guide.

Impact ranges from insignificant (1) to very serious (5). Likelihood ranges from very low (1) to very high (5). The combined scores on a 5 x 5 matrix produce scores ranging from 1 to 25. The scoring is based on the risk owner's view of the risk before and after taking into account their judgement of the effectiveness of the existing management controls.

The following monitoring regime is recommended according to the risk score:

  • a residual risk score of 6 or less (low level of risk) should require no mitigating action. However, risk owners should review controls for low risk areas to ensure they are effective and not disproportionate. The risk score should be reviewed annually;

  • a residual risk score of 8 to 12 (medium level of risk) should trigger a review of the existing controls, if a new risk, and may require the implementation of additional controls for existing risks. Risks with this score should be reviewed annually or twice a year if necessary;

  • a residual risk score of 14 to 20 (high level of risk) should trigger a review of the existing controls, is likely to require the implementation of additional controls and the problem may need to be escalated to the RSC or relevant committee for consultation. Risks with this score should be reviewed at least quarterly or 6 monthly; and

  • a residual risk score of 20 or above (top level of risk) should trigger a review of the existing controls, is likely to require the implementation of additional controls and the problem should be escalated to the RSC or relevant committee for consultation. Risks with this score should be reviewed monthly.
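As an added worked example (not part of the University's guidance or of its pro-forma register), the scoring method and monitoring regime above expressed as a small risk-register helper in Python. It computes the gross and residual scores as likelihood x impact on the 1-5 scales, rejects a residual score that exceeds the gross score (controls reduce a score, they do not add to it), assigns the residual-score band and review frequency quoted above, checks each risk against its tolerance and the three-indicator recommendation, and ranks the register by residual score as the Key Risk Register does. The register entries, indicator names, trigger values and the default tolerance of 12 are constructed sample data. Because the guide's high band (14 to 20) and top band (20 or above) both include 20, this example places 20 in the top band; that is an assumption made here, resolved towards escalation.

```python
from dataclasses import dataclass, field

SCALE = range(1, 6)        # impact and likelihood are each scored 1..5
MIN_INDICATORS = 3         # the RSC recommends at least three indicators per risk

# Residual-score bands and monitoring regime quoted in the guide, highest first.
# The guide lists 14-20 as "high" and "20 or above" as "top"; 20 is placed in
# "top" here as an assumption (the more cautious reading). Scores 7 and 13
# cannot arise from a product of two integers in 1..5, so the gaps are harmless.
BANDS = [
    (20, "top",    "monthly",                         "escalate to RSC or relevant committee"),
    (14, "high",   "at least quarterly or 6 monthly", "review controls; escalation may be needed"),
    (8,  "medium", "annually, or twice a year",       "review existing controls"),
    (1,  "low",    "annually",                        "no mitigating action; check controls are proportionate"),
]


def risk_score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood x impact, each on the 1-5 scale, giving 1..25."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must each be between 1 and 5")
    return likelihood * impact


def classify(score: int) -> tuple:
    """Return (band, review frequency, action) for a residual risk score."""
    for floor, name, review, action in BANDS:
        if score >= floor:
            return name, review, action
    raise ValueError("risk scores start at 1")


@dataclass
class Indicator:
    name: str
    value: float
    trigger: float          # the 'warning light' comes on at or above this value


@dataclass
class Risk:
    title: str
    owner: str
    gross_likelihood: int   # before controls
    gross_impact: int
    residual_likelihood: int  # after the owner's judgement of the controls
    residual_impact: int
    tolerance: int = 12     # constructed default: residual score above which action is required
    indicators: list = field(default_factory=list)


def assess(risk: Risk) -> dict:
    """Score one register entry and flag anything the owner needs to act on."""
    gross = risk_score(risk.gross_likelihood, risk.gross_impact)
    residual = risk_score(risk.residual_likelihood, risk.residual_impact)
    if residual > gross:
        raise ValueError(f"{risk.title}: residual score exceeds gross score; controls cannot add risk")
    band, review, action = classify(residual)
    warnings = []
    if len(risk.indicators) < MIN_INDICATORS:
        warnings.append(f"only {len(risk.indicators)} indicator(s); the RSC recommends {MIN_INDICATORS}")
    tripped = [i.name for i in risk.indicators if i.value >= i.trigger]
    return {
        "title": risk.title, "owner": risk.owner,
        "gross": gross, "residual": residual, "band": band,
        "review": review, "action": action,
        "over_tolerance": residual > risk.tolerance,
        "tripped_indicators": tripped, "warnings": warnings,
    }


def prioritise(register: list) -> list:
    """Rank the register by residual score, highest first."""
    return sorted((assess(r) for r in register), key=lambda a: a["residual"], reverse=True)


# Constructed sample register; titles, owners and values are illustrative only.
SAMPLE_REGISTER = [
    Risk("Loss of a major research sponsor", "Head of Research Office", 4, 5, 3, 5,
         indicators=[Indicator("Sponsor share of research income (%)", 35, 30),
                     Indicator("Grants ending within 12 months", 2, 5),
                     Indicator("Unanswered sponsor queries", 1, 3)]),
    Risk("Flood damage to laboratory building", "Estates Manager", 3, 4, 2, 4,
         indicators=[Indicator("Days since drainage inspection", 400, 365),
                     Indicator("Open maintenance tickets", 4, 10)]),
    Risk("Late submission of annual accounts", "Director of Finance", 2, 3, 1, 3,
         indicators=[Indicator("Outstanding reconciliations", 2, 20),
                     Indicator("Audit queries open", 0, 5),
                     Indicator("Weeks of slippage against timetable", 0, 2)]),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        flags = ", ".join(a["tripped_indicators"] + a["warnings"]) or "none"
        print(f'{a["residual"]:>2} {a["band"]:<6} {a["title"]:<40} review {a["review"]}; flags: {flags}')
```

Running the script prints the register ranked by residual score: the sponsor risk scores 15 (high band, over its tolerance, with one indicator tripped), the flood risk 8 (medium, with an indicator tripped and a warning that it has only two indicators), and the accounts risk 3 (low). The gross score is kept alongside the residual score so that the size of the reduction claimed for the controls is visible to whoever reviews the register.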

The University's Key Risk Register has a summary table ranking each risk according to its score with detailed risk analysis sheets attached as appendices including information on the above. A pro-forma risk register is available from the Risk Management Documentation section.

Once the risk management process has been followed, a risk register produced and owners identified, the risk should be monitored, with the frequency depending on the seriousness of the risk. A 'very high' risk might be monitored monthly whilst a 'low' risk annually. The Risk Steering Committee's Risk Reporting Template sets out the format for reporting to the Risk Co-ordinator. The Template is available from the Risk Management Documentation section.

The relevant committee should receive regular reports on risk management arrangements in its area; in the case of the University this is the RSC, and in other cases it will be a faculty, school or management board.