

Risk can be defined as "the threat or possibility that an action or event will adversely or beneficially affect an organisation's ability to achieve its objectives" (HEFCE 01/24). Risk management is the process of identifying and analysing risk, and controlling the level of exposure to any given risk.

Under HEFCE's definition (HEFCE 21/2012), effective risk management:

  • covers all risks – including governance, management, quality, reputational and financial – but is focused on the most important risks;
  • produces a balanced portfolio of risk exposure;
  • is based on a clearly articulated policy and approach;
  • requires regular monitoring and review giving rise to action where appropriate;
  • needs to be managed by an identified individual and involve the demonstrable commitment of governors, academics and officers;
  • is integrated into normal business processes and aligned to the strategic objectives of the organisation.


Identifying risks and introducing internal controls to mitigate them supports effective strategic and business planning, avoids excessive risk-taking and improves an institution's ability to respond quickly and effectively to opportunities and threats in the internal and external environment. Risk management is central to the achievement of objectives, whether at strategic, operational or project level.

Compliance and reporting

Under the terms of the Financial Memorandum between HEFCE and the Higher Education Institutions (HEIs) it funds, HEIs must ensure that there are appropriate arrangements in place to promote effective risk management, control and governance (HEFCE 2010/19); this is a condition of the HEFCE grant.

The Audit Code of Practice, also part of the Financial Memorandum, sets out minimum reporting requirements. HEI Audit Committees must produce an annual report to their governing body, including an opinion on the adequacy and effectiveness of the system of risk management, control and governance (HEFCE 2010/19).

HEFCE's annual Accounts Direction also requires HEIs to issue a Statement of Internal Control as part of their audited financial statements. This statement must include an account of the risk management arrangements in place and how risk assessment and internal control are embedded in the organisation's operations.

In the event of an emergency...

Even under the most robust risk management practices, emergencies cannot always be prevented. The University's Emergency Management Plan operates at an institution-wide level and can be invoked directly in response to a major or widespread incident or as the result of a local management team asking for help in responding to an emergency. The Emergency Management Plan and other guidance can be found on the Emergency planning pages.

Further information

The following web sites provide more detailed risk management information: