Secretariat
Risk Management Policy
The Council first approved the Risk Management Policy in June 2002; it explains the University's underlying approach to risk management. It gives key aspects of the risk management process, and identifies the main reporting procedures. The policy is reviewed and amended, if appropriate, on an annual basis by the Risk Steering Committee.
Purpose
1. This risk management policy (the policy) forms part of the University's internal control and governance arrangements.
2. The policy explains the University's underlying approach to risk management. It gives key aspects of the risk management process, and identifies the main reporting procedures.
3. It describes the process the Council will use to evaluate the effectiveness of the University's internal control procedures.
Approach to risk management
4. The following key principles outline the University's approach to risk management:
- As the principal executive and policy-making body of the University the Council are responsible for risk management
- The Council are responsible for maintaining a sound system of internal control that supports the achievement of policies, aims and objectives, while safeguarding the public and other funds and assets for which it is responsible, in accordance with the Statutes and Ordinances and the Financial Memorandum with HEFCE.
- There should be an open and receptive approach to solving risk problems
- The Risk Steering Committee advises the Council on risk management
- The University makes conservative and prudent recognition and disclosure of the financial and non-financial implications of risks
- Councils of Schools and Heads of Departments are responsible for encouraging and implementing good risk management practice within Schools and Departments
- Early warning mechanisms will be put in place and monitored to alert the University so that remedial action can be taken to manage any potential hazards
Role of the Council
5. The Council has a significant role to play in the management of risk. Its role is to:
- Set the tone and influence the culture of risk management within the University. This includes:
  - determining whether the University is 'risk taking' or 'risk averse' as a whole or on any relevant individual issue
  - determining what types of risk are acceptable and which are not
  - setting the standards and expectations of staff with respect to conduct and probity
- Determine the appropriate risk appetite or level of exposure for the University
- Determine the University's risk prioritisation protocol
- Approve major decisions affecting the institution's risk profile or exposure
- Monitor the management of fundamental risks
- Satisfy itself that the less fundamental risks are being actively managed, with the appropriate controls in place and effective
- Review annually the University's approach to risk management and approve changes or improvements to key elements of its processes and procedures
Role of Heads of Institutions
6. Key roles of Heads of Institutions are to:
- Implement policies on risk management and internal control.
- Identify and evaluate the fundamental risks faced by the University for consideration by the RSC.
- Provide adequate information in a timely manner to the RSC on the status of risks and controls.
- Assist the RSC to undertake an annual review of risk management and the effectiveness of the system of internal control.
Embedding risk management as part of the system of internal control
7. The system of internal control incorporates risk management. It encompasses a number of elements that together facilitate an effective and efficient operation, enabling the University to respond to a variety of risks. These elements include:
Policies and procedures.
Attached to fundamental risks are a series of policies that underpin the internal control process. The policies are set by Council. Written procedures support the policies where appropriate.
Business planning and budgeting.
The business planning and budgeting process is used to set objectives, agree action plans, and allocate resources. Progress towards meeting business plan objectives is monitored regularly.
High level risk framework (fundamental risks only).
This framework is compiled by the Risk Steering Committee and helps to identify, assess, and monitor risks significant to the University. The risk register is revised formally annually but emerging risks are added as required, and improvement actions and risk indicators are monitored regularly.
School and Department risk frameworks.
Councils of Schools and Heads of Department develop and use this framework to ensure that risks in Schools and Departments are identified, assessed and monitored. The risk register is revised formally annually but emerging risks are added as required, and improvement actions and risk indicators are monitored regularly.
Audit Committee.
The Audit Committee reports to Council on internal controls and alerts Council to any emerging issues. In addition, the Audit Committee oversees internal audit, external audit and management as required in its review of internal controls. The Audit Committee should provide advice to the Council on the effectiveness of the RSC on the internal control system, including the University's system for the management of risk.
Internal audit programme.
Internal audit is responsible for aspects of the annual review of the effectiveness of the internal control system within the University. The internal audit strategy will be developed around the University's objectives and use the assessment of the fundamental risks. The work programme should include an assessment of the effectiveness of the risk management process.
External audit.
External audit informs the Audit Committee on the operation of the internal financial controls reviewed as part of the annual audit.
Third party reports.
From time to time, the use of external consultants may be appropriate in areas such as health and safety, and human resources. The use of specialist third parties for consulting and reporting can increase the reliability of the internal control system.
Council's annual review of effectiveness
8. The Council, advised by the RSC, will undertake an annual review to consider:
- whether risk management continues to be linked to the achievement of the University's objectives;
- the appropriate risk appetite or level of exposure for the University as a whole;
- whether risk review procedures cover fundamental reputational, governance, staff, research, teaching, operational, compliance, student experience, estates, financial and other risks to achieving the University's objectives;
- whether risk assessment and risk-based internal control are embedded in ongoing operations and form part of its culture;
- changes in the nature and extent of fundamental risks and the University's ability to respond to changes in its internal and external environment since the last assessment;
- the scope and quality of management's on-going process of monitoring the system of internal control including such elements as the effectiveness of internal audit and other assurance functions;
- the extent and frequency of reports on internal control to Council and whether this is sufficient for Council to build up a cumulative assessment of the state of control and effectiveness of risk management;
- the incidence of any fundamental control failings or weaknesses identified at any point within the year and the impact that they have had or could have on financial results;
- the effectiveness of the University's public reporting processes;
- the effectiveness of the overall approach and policy to risk management and whether changes or improvements to processes and procedures are necessary.
