HEFCE has defined risk as "the threat or possibility that an action or event will adversely or beneficially affect an organisation's ability to achieve its objectives" (HEFCE 01/24).
HEFCE defines risk management as "a process which provides assurance that:
- objectives are more likely to be achieved;
- damaging things will not happen or are less likely to happen; and
- beneficial things will be or are more likely to be achieved"
Risk management is not limited to the identification and mitigation of negative risks. It also concerns the recognition of opportunities that may involve some level of risk, but that also have the potential to lead to positive outcomes in support of the achievement of objectives.
At Cambridge risks can be seen to exist at different levels:
- Corporate or strategic level, i.e. those monitored by the Risk Steering Committee on behalf of the Council;
- School and non-School institution level;
- Faculty and/or Department level; and
- Project level.
A summary of the main stages in the risk management process follows. A more detailed overview of the risk management process is available on HEFCE's website, which provides risk management guidance specific to the Higher Education sector. For those drawing up a risk register for the first time, the risk prompt list may be particularly helpful.
There are a number of different approaches that might be taken to identify risks. Workshops and brainstorming sessions, drawing on past experience, examining core assumptions and considering internal and external factors are all relevant approaches. The key point is to ensure that risks relate to an objective or set of objectives. It can be helpful to use an "if ... then ..." prompt.
A specific risk owner should be identified for each risk. Ideally the risk owner will also be the owner of the related objective or a person with significant influence over the achievement of the objective. Ownership of risk makes it much more likely that a risk will be understood and monitored, and that appropriate controls are put in place.
Risk owners for those risks that affect the whole University tend to be Pro-Vice-Chancellors or a senior officer. At a School / Faculty / Departmental level the risk owner is likely to be the Head of School, Chair of the Faculty Board or Head of Department.
There are two main parameters for assessing risk:
– likelihood i.e. how likely is it to happen
– impact i.e. how significant might the consequences be
Each risk is assigned a score for each parameter. At Cambridge, the scoring is based on the 5x5 scoring matrix given below. Multiplying the values for impact and likelihood produces the risk score, of which there are two types: raw risk and residual risk. The raw risk score does not take into account any internal controls; the residual risk score does. Examples of internal controls at Cambridge include Statutes and Ordinances; financial planning parameters; policies and procedures; and contingency planning. More guidance on the scoring of impact and likelihood is available on the Documentation page.
Impact:
1 – Insignificant
2 – Minor
3 – Moderate
4 – Serious
5 – Very serious
Likelihood:
1 – Very low
2 – Low
3 – Medium
4 – High
5 – Very high
The overall score for residual risk can be graded from "low" to "very high" and assigned a traffic light to denote the level of monitoring required.
1 to 6 – Low (GREEN traffic light)
7 to 12 – Medium (GREEN or ORANGE traffic light)
13 to 20 – High (ORANGE or RED traffic light)
Over 20 – Very high (RED traffic light)
The traffic lights are defined as follows:
GREEN – The risk is under control and represents no immediate threat or impact.
ORANGE – The risk has the potential to move to red. It needs managing and close monitoring, but there is no immediate threat which would have a significant impact.
RED – The risk requires active management. It poses an immediate threat and its impact would be significant.
The overall level of risk or 'exposure' (i.e. the residual risk) that will be tolerated needs to be determined. This level may differ according to the risk in question. Once determined, risk thresholds provide triggers for action and changes in monitoring regimes. The Risk Steering Committee has set the current threshold for the University at 15/25, i.e. a residual score of 15 or more out of a maximum of 25, which covers the risks rated "High" and "Very high". These risks are closely monitored. If management consider the level of exposure to be unacceptable then further action may be required. This can include:
– Reducing the likelihood or impact of risk via the application of additional controls or the establishment of a contingency plan;
– Transferring risk to a third party such as an insurer;
– Accepting risk subject to regular monitoring;
– Eliminating risk such as withdrawing from a particular activity.
Having identified and assessed each risk, a register should be compiled and risks prioritised according to residual score. A template is available here comprising a tabular summary of risks in the Register and a more detailed risk analysis sheet.
The amount of information provided in the risk analysis sheet will need to be determined locally, but it is important to point out that a concise, focused analysis of one or two pages is preferable to one that is long and wordy (over 3 pages), which may obscure the key issues in unnecessary detail.
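The scoring, grading and threshold rules described above, written out as an added example (this is not part of the University's guidance or any template it provides): scores are validated against the 5x5 matrix, graded into the bands listed above, checked against the 15/25 threshold, and the register is ordered by residual score. The register entries are constructed sample data, and the `suspect_controls` check (a residual score should not exceed the raw score, since controls are meant to reduce likelihood or impact) is an assumption that the page does not state.

```python
"""Risk register scoring on the 5x5 matrix described above.

Added example, not part of the University's guidance or its templates.
Scales, bands and the 15/25 threshold follow the text; the register
entries are constructed sample data.
"""
from dataclasses import dataclass

IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Serious", 5: "Very serious"}
LIKELIHOOD = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}

# (lowest score, highest score, grade, admissible traffic lights)
BANDS = (
    (1, 6, "Low", ("GREEN",)),
    (7, 12, "Medium", ("GREEN", "ORANGE")),
    (13, 20, "High", ("ORANGE", "RED")),
    (21, 25, "Very high", ("RED",)),
)
THRESHOLD = 15  # Risk Steering Committee threshold of 15/25


def score(impact: int, likelihood: int) -> int:
    """Impact x likelihood, rejecting values that fall outside the 5x5 matrix."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError(f"impact and likelihood must be 1..5, got {impact} and {likelihood}")
    return impact * likelihood


def band(residual: int) -> tuple[str, tuple[str, ...]]:
    """Grade a residual score and return the traffic light(s) the guidance allows for it."""
    for low, high, grade, lights in BANDS:
        if low <= residual <= high:
            return grade, lights
    raise ValueError(f"{residual} is not a score on a 5x5 matrix")


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    owner: str
    raw_impact: int
    raw_likelihood: int
    residual_impact: int      # impact after existing internal controls
    residual_likelihood: int  # likelihood after existing internal controls

    @property
    def raw(self) -> int:
        return score(self.raw_impact, self.raw_likelihood)

    @property
    def residual(self) -> int:
        return score(self.residual_impact, self.residual_likelihood)

    @property
    def grade(self) -> str:
        return band(self.residual)[0]

    @property
    def closely_monitored(self) -> bool:
        return self.residual >= THRESHOLD


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register by residual score, highest exposure first."""
    return sorted(register, key=lambda r: r.residual, reverse=True)


def monitored(register: list[Risk]) -> list[Risk]:
    """Risks at or above the threshold, i.e. those that are closely monitored."""
    return [r for r in prioritise(register) if r.closely_monitored]


def suspect_controls(register: list[Risk]) -> list[Risk]:
    """Entries whose residual score exceeds their raw score.

    Assumption (not stated on the page): controls reduce likelihood or
    impact, so a residual score above the raw score points to a scoring error.
    """
    return [r for r in register if r.residual > r.raw]


# Constructed sample register; descriptions, owners and scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("R1", "Competition", "Pro-Vice-Chancellor", 4, 4, 4, 3),
    Risk("R2", "Loss of a major research funder", "Head of School", 5, 4, 5, 3),
    Risk("R3", "Delay to a departmental building project", "Head of Department", 2, 3, 2, 2),
    Risk("R4", "Loss of core IT systems", "Head of Department", 5, 5, 5, 5),
    Risk("R5", "Mis-scored entry", "Head of Department", 2, 2, 3, 2),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        grade, lights = band(r.residual)
        flag = " <- closely monitored" if r.closely_monitored else ""
        print(f"{r.ref} raw={r.raw:2d} residual={r.residual:2d} {grade:9s} {'/'.join(lights)}{flag}")
    for r in suspect_controls(SAMPLE_REGISTER):
        print(f"check {r.ref}: residual {r.residual} exceeds raw {r.raw}")
```

Note that the Medium and High bands each admit two traffic lights, so `band` returns the admissible lights rather than choosing one; the choice between GREEN and ORANGE (or ORANGE and RED) is a judgement for the risk owner, not something the score alone determines.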
The risk analysis sheet includes a section 'Risk Indicators'. The purpose of this section is to provide some early warning indicators that the likelihood or impact of a risk may be due to change. By way of an example the risk indicators for Risk#8 'Competition' on the University's Key Risk Register include:
– Drop in ranking in international and national league tables;
– Unsatisfactory performance in the three key national student surveys: the National Student Survey (NSS), the Postgraduate Research Experience Survey (PRES) and the Postgraduate Taught Experience Survey (PTES);
– Inability to recruit and retain high quality staff;
– Inability to maintain adequate levels of capital and recurrent funding;
– Fall in research income compared with UK and US competitors.
Once a Risk Register has been produced it is important to monitor risks, especially those with a "High" or "Very high" residual risk score. Reports should be produced on a regular basis and provided to the appropriate body responsible for overseeing risk management. For example, the Risk Steering Committee meets biannually to review the University's Key Risk Register and risk owners are asked to reassess and update their risks before each meeting. Schools have been asked to review their Registers termly. School Councils are responsible for undertaking a review of Faculty and/or Departmental Registers on an annual basis.