- This risk management policy (the policy) forms part of the University's internal control and governance arrangements.
- The policy explains the University's underlying approach to risk management. It gives key aspects of the risk management process, and identifies the main reporting procedures.
- It describes the process the Council uses to evaluate the effectiveness of the University's internal control procedures.
Approach to risk management
The following key principles outline the University's approach to risk management:
- As the principal executive and policy-making body of the University, the Council is responsible for risk management.
- The Council is responsible for maintaining a sound system of internal control that supports the achievement of policies, aims and objectives while safeguarding the public and other funds and assets for which it is responsible in accordance with the Statutes and Ordinances and the Financial Memorandum with HEFCE.
- There should be an open and receptive approach to mitigating risk.
- The Risk Steering Committee advises the Council on risk management.
- The University makes conservative and prudent recognition and disclosure of the financial and non-financial implications of risks.
- Councils of Schools and Heads of Departments are responsible for encouraging and implementing good risk management practice within Schools and Departments.
- Heads of Non-School Institutions and University services are responsible for encouraging and implementing good risk management practice within their areas of responsibility.
- Early warning mechanisms will be put in place and monitored to alert the University so that remedial action can be taken to manage any potential hazards.
Role of the Council
The Council has a significant role to play in the management of risk. Its role is to:
- Set the tone and influence the culture of risk management within the University. This includes:
  - determining whether the University is 'risk taking' or 'risk averse' as a whole or on any relevant individual issue;
  - determining which risks are acceptable and which are not; and
  - setting the standards and expectations of staff with respect to conduct and probity.
- Determine the appropriate risk appetite or level of exposure for the University.
- Determine the University's risk prioritization protocol.
- Approve major decisions affecting the institution's risk profile or exposure.
- Monitor the management of fundamental risks.
- Satisfy itself that the less fundamental risks are being actively managed with appropriate and effective controls in place.
- Review annually the University's approach to risk management and approve changes or improvements to key elements of its processes and procedures.
Role of the Risk Steering Committee (RSC)
(Terms of Reference first approved by Council on 10 June 2002 and confirmed annually to 2010–11; approved thereafter for three years to 31 December 2014).
The RSC is an operational committee set up by the Council to oversee the risk management process of the University. The RSC reports to the Council. The RSC:
- Oversees the Risk Management process of the University as a whole, on behalf of Council.
- Recommends an appropriate risk appetite or level of exposure for the University.
- Ensures compliance with HEFCE guidelines.
- Identifies and quantifies fundamental risks affecting the University, and ensures that arrangements are in place to manage those risks.
- At least annually, reviews fundamental risks and their controls and reports to Council.
- Informs the Audit Committee on risks and controls that should be included in the Audit needs assessment, ensuring the integration of Internal Audit into risk management.
- Oversees arrangements for emergency and continuity management on behalf of the Council to include maintaining the University's policy and receiving the annual report summarizing the results of a programme of annual reviews of local emergency action plans and the outcome of associated exercises to test them.
- Helps embed a risk management culture into major decision-making through risk education, high level controls and procedures.
- Considers major decisions affecting the University's risk profile or exposure.
- Recommends to Council a suitable risk management policy for the University.
The RSC will in addition bring reports as necessary to the General Board, Audit Committee, the Planning and Resources Committee and the Finance Committee, and other central committees.
The RSC was established in the first instance to 31 December 2003 and, up to 2010–11, its term has been extended seven times by 12 months each time. In November 2011, it was agreed by Council that its term be extended by three years to 31 December 2014.
Role of Heads of Institutions
Key roles of Heads of Institutions are to:
- Implement policies on risk management and internal control.
- Identify and evaluate the fundamental risks faced by the institution and therefore the University for consideration by the RSC, as and when necessary.
- Provide adequate information in a timely manner to the RSC, when required, on the status of risks and controls.
- Assist the RSC and internal auditors to undertake an annual review of risk management and the effectiveness of the system of internal control, where appropriate.
Embedding risk management as part of the system of internal control
The system of internal control incorporates risk management. It encompasses a number of elements that together facilitate an effective and efficient operation, enabling the University to respond to a variety of risks. These elements include:
Policies and procedures.
Attached to fundamental risks are a series of policies that underpin the internal control process. The policies are set by Council. Written procedures support the policies where appropriate.
Business planning and budgeting.
The business planning and budgeting process is used to set objectives, agree action plans, and allocate resources. Progress towards meeting business plan objectives is monitored regularly. Risk management is built into this process.
High level risk framework (fundamental risks only).
This framework is compiled by the Risk Steering Committee and helps to identify, assess, and monitor risks significant to the University. The risk register is revised formally annually but emerging risks are added as required, and improvement actions and risk indicators are monitored regularly.
School, Department, and major Non-School Institution risk frameworks.
Councils of Schools, Heads of Departments and major Non-School Institutions develop and use this framework to ensure that risks in Schools, Departments and major Non-School Institutions are identified, assessed and monitored. Each School and major Non-School Institution has its own risk register. The central risk register is revised formally annually, taking account of School and major Non-School Institution registers, to ensure emerging risks are added as required, and improvement actions and risk indicators are monitored regularly.
Audit Committee.
The Audit Committee reports to Council on internal controls and alerts Council to any emerging issues. In addition, the Audit Committee oversees internal audit, external audit and management as required in its review of internal controls. The Audit Committee should provide advice to the Council on the effectiveness of the RSC on the internal control system, including the University's system for the management of risk.
Internal audit programme.
Internal audit is responsible for aspects of the annual review of the effectiveness of the internal control system within the University. The internal audit strategy will be developed around the University's objectives and use the assessment of the fundamental risks. The work programme should include an assessment of the effectiveness of the risk management process.
External audit.
External audit informs the Audit Committee on the operation of the internal financial controls reviewed as part of the annual audit.
Third party reports.
From time to time, the use of external consultants may be appropriate in areas such as health and safety, and human resources. The use of specialist third parties for consulting and reporting can increase the reliability of the internal control system.
Council's annual review of effectiveness
The Council, advised by the RSC, will undertake an annual review to consider:
- whether risk management continues to be linked to the achievement of the University's objectives;
- the appropriate risk appetite or level of exposure for the University as a whole;
- whether risk review procedures cover fundamental reputational, governance, staff, research, teaching, operational, compliance, student experience, estates, financial and other risks to achieving the University's objectives;
- whether risk assessment and risk-based internal control are embedded in ongoing operations and form part of its culture;
- changes in the nature and extent of fundamental risks and the University's ability to respond to changes in its internal and external environment since the last assessment;
- the scope and quality of management's ongoing process of monitoring the system of internal control, including such elements as the effectiveness of internal audit and other assurance functions;
- the extent and frequency of reports on internal control to Council and whether this is sufficient for Council to build up a cumulative assessment of the state of control and effectiveness of risk management;
- the incidence of any fundamental control failings or weaknesses identified at any point within the year and the impact that they have had or could have on financial results;
- the effectiveness of the University's public reporting processes;
- the effectiveness of the overall approach and policy to risk management and whether changes or improvements to processes and procedures are necessary.