Risk Management Policy
Originator name:
Ruth AndersonDepartment:
FinanceImplementation
date:
1 August 2013
Date of next review:
1 August 2016Related policies:
Health & Safety Policy, Equality & Diversity PolicyVersion History
Version
Author
Revisions Made
Date
1 R Anderson First Draft July 13
Approval History
Equality Analysis
Version
Reviewed by
Date
1 Jo McCarthy-Holland 11/07/13
Committee Sign Off
Version
Committee Name
Date of Sign Off
1 Executive Board 23/7/13
1 Audit Committee 25/7/13
1
Introduction
1.1
Purpose
This risk management policy forms part of the University’s internal control and corporate governance arrangements.
The internal control system encompasses a number of elements that together facilitate an effective and efficient operation, enabling the University to respond to a variety of operational, financial and commercial risks.
The policy sets out the University’s definition of risk and describes the purpose of risk management. It explains the University’s underlying approach to risk management and documents the roles and responsibilities of key parties.
1.2
Scope
This policy applies to Executive Board members; senior managers; members of Council and its Committees; and the University’s internal audit service.
1.3
Equality Analysis
The University is strongly committed to equality of opportunity and the promotion of diversity for the benefit of all members of the University community. Equality analysis is a tool which helps consider the effect of activities on different groups of people and to ensure that policies, decisions and services work well for everyone.
The policy itself is considered to have a broadly neutral impact for groups with protected characteristics under the Equality Act 2010.
Failure to manage risk effectively, where it relates to an activity involving a particular group / community, could lead to equality issues .Equality analysis is recognised as a useful tool in assessing risk.
1.4
Definitions
• Risk – anything that can impede or enhance an organisation’s ability to achieve its
objectives.
• Risk Management – the process, structure and culture put in place to identify, assess
and control the uncertainties which may impact on the organisation’s ability to achieve its objectives.
• Level 1 Risk Register – the University’s High Level Risk Register, reflecting the key
risks to the University’s strategic aims and objectives.
• Level 2 Risk Register – a risk register owned at individual Executive Board member
level reflecting the key strategic and operational risks within a Faculty or Support Area.
• Risk Appetite - the level of risk that an organisation is prepared to take to achieve its
strategic objectives.
1.5
Legislative / Regulatory Context
Under the terms of its Financial Memorandum with HEFCE, Council must take reasonable steps to ensure that there are sound arrangements for risk management, control and governance within the University.
1.6
Health & Safety Implications
N/A2
Policy
2.1
Principles
2.1.1 Effective risk management is essential to the continuation, growth and prosperity of the University in line with its strategic objectives.
It is not a process for avoiding risk. If used well, it will actively allow the University to take on activities with a higher level of risk because the risks have been identified, are understood and well managed and the residual risk is thereby lower.
2.1.2 The University adopts an open and receptive approach to the management of risk.
2.1.3 Risk management is intrinsic to the management of the University’s business and not simply a compliance issue.
2.1.4 Risk management requires a proactive rather than a reactive approach.
2.2
Procedures
2.2.1 Role of Council
Council has responsibility for overseeing risk management within the University as a whole. Its role is to:
• Set the tone and influence the culture of risk management within the University. • Determine the appropriate risk appetite or level of exposure for the University and
formally document this in a risk appetite statement that is reviewed, and where necessary updated, on at least a triennial basis.
• Approve major decisions which may affect the University’s risk profile or exposure e.g.
major capital investments, mergers and overseas partnerships.
2.2.2 Role of the Audit Committee
On behalf of Council, the Audit Committee is responsible for:
• Ensuring that appropriate arrangements are in place to ensure that risks are identified,
assessed and effectively managed.
• Monitoring the management of significant risks which could threaten the achievement
of the University’s strategic objectives.
• Ensuring that internal auditors have plans to review the adequacy and effectiveness of
risk management and provide an annual assessment of the University’s risk management arrangements.
Audit Committee will:-
• Report to Council on risk management and alert Council members to any emerging
issues.
• Prepare an annual report of its review of the effectiveness of the University’s risk
management, control and governance arrangements for consideration by Council and the President & Vice-Chancellor as Accounting Officer. In preparing its report, the Audit Committee will draw on information provided by the internal audit service, external audit and the Executive Board.
2.2.3 Role of the Executive Board
Key roles of the Executive Board are to:
• Implement policies approved by Council on risk management and internal control. • Own the University’s High Level Risk Register (Level 1 Risk Register), specifically:-
To identify and evaluate the significant risks faced by the University.
To agree ownership of risks.
To ensure that appropriate actions are taken to mitigate risks.
• Ensure that the High Level Risk Register remains effective by: Appraising the register formally on at least an annual basis
Ensuring that emerging risks are added as required and mitigating actions and risk indicators are monitored regularly and updated as appropriate
Reviewing the High Level Risk Register at all regular meetings of the Executive Board
• Develop strategies, policies and procedures to assist in the management of major
risks.
Individual members of the Executive Board are responsible for:-
• Encouraging good risk management practice within their area of responsibility,
ensuring that Faculty and Departmental risks are identified and assessed and that appropriate actions are taken to mitigate the risks. Specifically:-
Establishing and maintaining Level 2 Risk Registers in the same format as the High Level Risk Register for faculties and major support areas (including Corporate Services, Registrar’s Division and IT).
Establishing and maintaining risk registers, in the same format as the University’s High Level Risk Register, for projects of major strategic and/or operational importance
2.2.4 Role of Internal Audit
The Internal Audit Service adopts a risk-based approach to its work with the overall objective of evaluating and improving the effectiveness of the University's risk management, internal control and governance processes.
This involves conducting an annual review of the adequacy of the University's risk management arrangements and a programme of reviews based substantially on the University's assessment of high level risks.
3
Governance & Directory Requirements
3.1
Responsibility
The Chief Financial Officer has overall responsibility for this policy.
The Deputy Director, Corporate Finance, has responsibility for ensuring it is effectively implemented, progress monitored and that the policy is regularly reviewed.
3.2
Implementation / Communication Plan
Finance Department website. It will be communicated directly to members of the Executive Board, Faculty Managers and other Senior Managers responsible for Level 2 and/or Project Risk Registers.
3.3
Exceptions to this Policy
N/A3.4
Supporting documentation
Level 2 Risk Register Guidelines can be found on the Finance website in Resources, then Risk Management: