Secretariat
Risk Management in Faculties, Schools and Departments
The RSC has, since 2002, developed risk management processes for the University at a corporate level. The next stage of the risk management process, as required by HEFCE, is to embed risk management within the day-to-day activities at a more local level in the University's structure. This includes academic and service departments. The Council, at its meetings held on 26 July 2004 and on 25 July 2005, approved the actions taken and the proposals to continue embedding risk management at the University. The RSC followed the risk management method detailed below, which is also applicable to local risk management. Faculties, Schools and Departments are advised to follow this method in order to ensure consistency of approach across the University.
The Office of Government Commerce has a Risk Management Successful Delivery Toolkit, which defines nine stages:
- Define a framework
- Identify the risks
- Identify probable risk owners
- Evaluate the risks
- Set acceptable levels of risk
- Identify suitable responses to risk
- Implement responses
- Gain assurances about effectiveness
- Embed and review
Those stages are summarised below with a commentary on the arrangements at Cambridge.
Define a framework
When initiating a risk management programme the first stage is to set a framework that takes into account: context, objectives, constraints, techniques to be used, policies and any legal or compliance requirements.
In the case of the University of Cambridge the Risk Steering Committee has undertaken this work and the results can be seen on the Risk Management at Cambridge page.
Identify the risks
This is the first stage that heads of department or project managers will use at the University. Here the range of risks that may affect a particular new activity, existing operational activity or project is listed. At this point opportunities can be considered and risks grouped. This work forms the basis of the risk register.
At Cambridge this process is facilitated by the Risk Management Form (RM1) and the detailed risk analysis forms which form the basis of the risk register (RM 4).
Identify probable risk owners and a risk co-ordinator
Risk owners are individuals who assess and monitor a particular risk. Risk owners for risks that affect the whole University tend to be Pro-Vice-Chancellors or a senior officer. At a faculty/school/departmental level it will be necessary to determine where the risk lies, i.e. is it a departmental risk or is it a risk that affects the whole school? It is then possible to identify whether the risk owner should be the chair of the school or the head of department. Risk owners should be added to the risk register.
A risk co-ordinator collates all the risks to create a risk register and manages the risk reporting process. At a faculty/school/departmental level the risk co-ordinator is likely to be a senior administrator.
Risk owners would be required to assess their risk and to report its status to the relevant risk co-ordinator and relevant committee on a regular basis. Should a risk be identified, or crystallise further (become more serious), which the risk owner considers could affect the University as a whole, the risk owner should alert the risk co-ordinator, who will escalate it to the RSC or relevant committee if necessary.
Evaluate the risks
Having identified the risks and the risk owner, the risk should then be evaluated for impact and likelihood. An assessment of the proximity (timing) of the risk can also be made.
The scales used at Cambridge for impact and likelihood are as follows:
Impact:
- Insignificant
- Minor
- Moderate
- Serious
- Very Serious
Likelihood:
- Very Low
- Low
- Medium
- High
- Very High
The combined scores on a 5 x 5 matrix will give scores ranging from 1 to 25 depending on the severity of the risk. These numbers are indicative; the process is not an exact science, but most importantly it assists risk owners in thinking about the risk.
At Cambridge the total risk score divisions are as follows:
- 1 - 6 Low
- 8 - 12 Medium
- 14 - 20 High
- Over 20 - Very high
The Size of Risk - Impact Guide provides examples for likelihood, impact and total risk score. This was developed for the RSC but is also applicable to Faculties, Schools and Departments. Once this has been completed the risks should be prioritised and ranked according to score and proximity. The risk register should be updated accordingly.
Set acceptable levels of risk
The overall level of risk or 'exposure' that an organisation, or part of an organisation, is prepared to tolerate needs to be determined. This level may be different for different risks, and the level may change depending on circumstances. Once determined, risk thresholds provide triggers for action and for changes in the monitoring regime, and can help determine what information is escalated to senior management. The thresholds are determined in the same way as the risks, using the impact and likelihood scales. The risk thresholds, or appetite, should be included in the risk register. Although each risk should have a threshold, a global threshold also assists in monitoring the risk register: where a risk score increases and passes the global threshold, action is triggered. The global threshold currently identified by the RSC is 15/25 and will be reviewed in due course. Using the scales above, these are the risks that are 'High' and 'Very High', and they should be closely monitored.
Identify suitable responses to risk
During this stage a range of practical responses to each significant risk on the risk register should be identified. There are likely to be a number of responses in each case. The risk register should be updated with this information.
There is a range of responses (controls) to a risk:
- Reduce - taking action to reduce either the probability of the risk crystallising further, or its impact.
- Accept - when the probability and impact are low, producing a total risk score below 7, or when it would be too expensive to mitigate the risk.
- Transfer - transferring the risk to a third party, e.g. through insurance.
- Terminate - identifying actions to eliminate the risk, such as withdrawing from the activity.
- Contingency - having a plan of action to be implemented when a risk crystallises further, passes through a risk threshold or goes beyond the global threshold.
- Prevent - identifying measures to prevent a risk having an impact on the organisation.
The response should be proportional to the risk and should be mapped against the risks on the risk register. See the University's Key Risk Register for examples of control measures.
Implement responses
During this stage the most appropriate responses to each risk must be selected and implemented. The risks have been prioritised on the register, and the most serious risks should be dealt with first. The responses to be implemented should be those that bring the most serious risks below the risk tolerance thresholds determined earlier (both individual and global thresholds).
Once implemented, the responses should be monitored to see if there are any knock-on effects on other activities, and amended as necessary. Responsibility for risks and for the responses to them should be clearly allocated in order to ensure the responses reduce the overall risk exposure. It should be noted that the implementation of responses or controls may have financial costs, and adequate resources should be made available.
Gain assurances about effectiveness
In this stage the risk responses implemented above are assessed for effectiveness, i.e. are the controls keeping the risk within the agreed tolerance levels? The risk owners should determine this through their own monitoring. A risk-based internal audit programme can provide further assurance on effectiveness, as can external auditing.
If the total risk score has increased, this would indicate that further controls may be necessary or, if the risk is outside the University's control and deemed too risky, that withdrawal from the activity altogether is warranted.
If the total risk score has reduced, a relaxation of control may be required in order to prevent any loss of opportunity. The responses selected should be measurable, e.g. in the case of health and safety, by an increase in accident reports across the University. The risk tolerance threshold should also be reassessed at this point and the risk benchmarked against it.
Embed and review
Having gone through all the stages above, the management of risk should become part of the way the organisation works. It should be referred to in annual reports, governing body (Council, Faculty or School Board) minutes, project proposals and proposals for any new activity.
The risk management arrangements should be reviewed on an annual basis, including a review of the risk register using the risk reporting template, and a report produced for the governing body or relevant committee or board. The report should assess the risk management culture, its processes and its effectiveness, and make suggestions for improvement or development.
The Risk Steering Committee reviews the University's risk management arrangements annually in the summer and reports to Council. Faculties, Schools and Departments will need to undertake a similar exercise. This is the complete risk management 'cycle'. How the risk management arrangements at the University of Cambridge are undertaken can be seen via the Risk Management at Cambridge page.
