University of Greenwich Risk Management Guide Revised October 2017

Transcription

1 University of Greenwich Risk Management Guide Revised October 2017 Purpose of the Guide 1. This document supplements the Risk Management Policy of the University of Greenwich. It explains why risk management is an important element of the University s governance arrangements, and how the various committees, management groups and individuals in the University who have risk management responsibilities under the Policy should carry these out. 2. Risk Management is not the same as risk assessments in terms of the health and safety of staff, students and visitors. Guidance on health and safety risks can be found via the University s website here. Why we need to manage risk 3. Taking risk is an essential part of the business of the University. Understanding and reacting appropriately to the risks involved in all the University s operations, both academic and supporting activities, is an essential part of the planning process. Risk cannot always be eliminated, but it can be managed to reduce any adverse impact ( mitigation ). Risk management is therefore a management tool to enable us as far as possible to quantify, prioritise and contain risk at all levels of the University s operation. It is a means to make informed decisions as to the acceptability of a course of action in the light of those risks. 4. The University is required to comply with the UK Corporate Governance Code on good governance. One of the major issues within these codes is adoption of a riskbased approach to management and the embedding of this approach within the University s usual processes. 5. HEFCE s Guide for Members of Governing Bodies in the UK (published February 2009, ref. 2009/02) on Governance Code of Practice and General Principles states that The institution s governing body shall adopt a Statement of Primary Responsibilities which should include provisions relating to ensuring the establishment and monitoring of systems of control and accountability, including financial and operational controls and risk. 6. Risk Management serves a number of purposes: It documents to HEFCE, NHS, the Teaching Agency and other funding sources that we are carrying out our obligations to operate a risk management programme, as required by HEFCE. It helps us to take better-informed decisions about opportunities, and to constructively address new patterns of risk (Risk management in higher education: a guide to good practice, prepared for HEFCE by PricewaterhouseCoopers: February 2005/11) 1

2 It informs our actions and decisions in achieving the University s objectives, set out in the Strategic Plan and indicated by the Key Performance Indicators approved by Court. It demonstrates a responsible and professional approach to business planning, and the monitoring of performance against plans. Responsibilities 7. The Court will: Through Audit Committee monitor the management of significant risks to ensure that appropriate controls are in place identify any strategic risks that require inclusion or updating in the Institutional Risk Register approve major decisions taking into account the University s risk profile or exposure satisfy itself that less significant risks are being actively managed, and that appropriate controls are in place and working effectively to ensure the implementation of policies approved by the Court satisfy itself that appropriate risk management arrangements are in place as part of Major Capital Investment Projects through appropriate reports and documentation review the University s approach to risk management and approve changes where necessary to key elements of its processes and procedures receive and consider updates to the Institutional Risk Register. 8. The Vice-Chancellor s Office will: ensure the implementation of the risk management policy receive recommendations from Faculties and Directorates twice annual review of the Institutional Risk Register to enable it to evaluate the significant risks faced by the University for consideration by Court receive advice from the Court on the need for inclusion or amendment of strategic risks in the Institutional Risk Register ensure that adequate information is provided for the Court and its Committees, as appropriate, on the status of risks and controls ensure that an annual report is provided to the Court on the effectiveness of the system of internal controls 2

3 ensure that local risk registers are reviewed regularly. 9. Pro Vice-Chancellors and Directors of Professional Services will implement policies on risk management identify and evaluate at least twice annually, in spring and autumn, the significant risks faced by each senior manager s area of responsibility, based on the institutional risks identified in the Institutional Risk Register and, in the case of Faculties, on the content and objectives of the FMRD develop and maintain a local Risk Register and submit the Register at least twice annually to the Risk Manager for review and for consolidation in the Institutional Risk Register, either by escalation of risks to or de-escalation of risks from the IRR, or by adjustment of the assessment of risks already present on the IRR. 10. The Risk Manager, on behalf of the University Secretary, will: Develop and maintain the Institutional Risk Register for consideration by Faculties and DIrectorates and by Vice Chancellor s Office for submission to the Audit Committee Ensure that information on policies and processes in relation to risk is provided to Faculties and Directorates to enable them adequately to assess risk in their areas of operation in order that an accurate and up-to-date local Risk Register is maintained Ensure that strategic risks identified by Court and senior management review are included in the Risk Register and are up to date Ensure that Faculties and Directorates Risk Registers are mapped to the Institutional Risk Register Monitor key risks and report to Vice Chancellor s Office as necessary Submit annually a report on Risk Management to the Audit Committee identifying the status of risks and controls. 11. All staff of the University have a responsibility to be aware of, and understand, the risk framework, the policies on risk and how these apply to their own roles and responsibilities. In particular, senior staff need to understand and manage the risks relating to their activities and the impact on the University s key strategic risks. Recording of Risks 12. Faculties and Offices will have access to the institutional risk register via the University website and regular updates will be generated after consideration by the relevant Faculty and Office management groups. 3

4 13. The format of the local risk register will mirror that of the Institutional Risk Register and will be used both to inform and to enable comparison with the institutional assessment of risk. This will embed within the existing cycle of institutional planning a consistent basis for the measurement, control, monitoring, follow-up and reporting of risk across the University. 14. Alongside the preparation of the Faculty Monitoring and Reporting Document (FMRD), prepared annually by Faculties, Faculties and Directorates are required to provide to the Risk Manager twice yearly, in spring and autumn, a summary and assessment of the risks identified locally, in the same format as the institutional risk register. These summaries form the basis of the local risk register. 15. Risk management is a continuous process. Faculties and Directorates need to take account of the risks identified at an institutional level, and the controls required to mitigate the risks, in determining their local risk analysis; the high-level (institutional) risk register in turn is informed by the perceptions of risk identified at local levels. The process is both cyclical and continuing, and enables the University to take a dynamic and evolving approach to the management of its risks. 16. The key objectives of the framework and policy are to ensure a consistent basis for the measurement, control, monitoring, follow-up and reporting of risk across the whole institution that is based on the University s appetite for risk, not those of individuals. 17. Spreadsheets will be used to record the University s risks, controls and actions across all areas of the institution. 18. The University s risk register will be held at two levels: a) Institutional Risk Register up to a maximum of 15 key risks linked directly to the University s Strategic Plan and Key Performance Indicators and underpinning strategies articulated in the operating statement submitted annually to HEFCE. In order to ensure completeness and consistency, the seven categories as identified by HEFCE as most pertinent to HEIs are used as a basis for evaluating the scope of institutional risk. These are: Reputation Student experience Staffing Estate and Facilities Financial Issues Organisational Issues Information and IT b) Local Risk Register risks identified at Faculty and Directorate level, arising both from the Faculty / Directorate operating experience and from assessment of the impact of institutional risks in a local context. 4

5 19. Both the Institutional and Local Risk Registers will include the following fields: - Risk description - Risk owner - Cause and effects of risk - Inherent risk score (inherent impact and likelihood assessment) - Relevant KPI - Existing mitigation / controls - Assurance / evidence for control (how do we know the control is being implemented?) - Assurance level (high, medium, low) - Residual risk score (residual impact and likelihood assessment). - Planned action - Progress on action Measurement of Risk 20. The process for risk assessment will be the same at each level: the impact and likelihood for each risk, before and after controls, will be considered and a 1 to 5 scoring mechanism used to give a position on a 5 X 5 matrix. This will result in scores ranging from 1 to 25, with 25 being the highest score. In order to ensure consistent application across the University, criteria for the impact and likelihood scores should be in accordance with the following guidelines: 21. Size of Risk Impact Descriptor Impact Guide 1 Insignificant No impact 2 Minor Financial loss up to 1,500,000 (Faculties/Directorates: less than 5% of budget) No regulatory consequence No impact outside local system Minor reversible injury Internal adverse publicity 3 Moderate Financial loss up to 3,000,000 (Faculties/Directorates: up to 10% of budget) Limited regulatory consequence Impact on other processes or products Major reversible injury Local adverse publicity 4 Major Financial loss up to 15,000,000 (Faculties/Directorates: up to 20% of budget) Significant regulatory consequence Impact on many other processes or products Irreversible injury or death 5

6 National adverse publicity HEFCE interest 5 Catastrophic Financial loss above 15,000,000 (Faculties/Directorates: more than 20% of budget) Substantial regulatory consequence Impact at strategic level Irreversible multiple injury or death International adverse publicity HEFCE intervention Closure of business 22. Size of Risk Likelihood Descriptor Likelihood Guide 1 Rare 5% likely to happen or hasn't happened within the last 5 years 2 Unlikely 20% likely to happen or has happened once or twice in the last 5 years 3 Possible 50% likely to happen or has happened once or twice within the last 24 months 4 Likely 75% likely to happen or has happened at least once or twice in the last 12 months 5 Almost certain 99% likely to happen or has happened on a regular basis over the last 12 months Risk Before and After Controls 23. In order to assess the effectiveness of controls, risk will first be scored before considering the operation of the University s controls this is termed the Inherent Risk Score. For each risk, the controls in place will then be identified and assessed and the risk score generally reduced to arrive at the Residual Risk Score. 24. The control should either reduce the likelihood that a risk will occur or the impact of that risk were it to occur. Residual risk is what is left after considering controls. Where the score after controls is still at an unacceptably high level, additional actions may be required in order to reduce the risk level further. 25. The University s objective is to optimise its controls, i.e. to ensure the most costeffective controls are in place for each risk and the cost versus the benefit of the control is considered. This may mean that certain risks have a high residual score because the cost of reducing the risk still further may be higher than the potential cost if the risk actually happens the level of residual risk will however need to be considered for compliance with this policy. Monitoring and Review of Risks 6

7 26. Risk registers will be kept up to date via a review by management to indicate they have considered changes in the risk profile within their area of responsibility. The Vice-Chancellor s Office will review the institutional risks usually on a termly basis, Audit Committee will review the register up to three times a year on behalf of the Court and the Court will review the risk register at least once per annum. The update may take the form of new risks, changes to or additional controls, and changes to risk scores. Key triggers for significant changes to risk registers may be new regulations, implementation of new projects, high staff turnover, changes in the external environment, risk events, and Internal Audit reviews. 27. Using the framework above, a consistent methodology for measuring and scoring risks will be applied throughout the University. The risk appetite what is an acceptable level of risk for the University can be read against the following scores: A residual risk score of 6 or less is considered acceptable to the institution and will require no further action other than to ensure the relevant controls are operating effectively. Managers should however review the controls for low risk areas carefully to ensure there is not over control. These risks appear green in the traffic light system used in the institutional risk register. A residual risk score of 7 to 14 will require the implementation of additional controls unless subject to VCO agreement and acceptance. These risks appear amber in the traffic light system used in the institutional risk register. A residual risk score of 15 or more will require the implementation of additional controls unless subject to Court agreement and acceptance. These risks appear red in the traffic light system used in the institutional risk register. Where the residual impact of risk is considered major (impact score of 4) or the likelihood is considered almost certain (likelihood score of 5), these will be submitted to VCO for review and acceptance. These risks appear amber or red in the traffic light system used in the institutional risk register. Where the impact of risk is considered catastrophic (impact score of 5), these will be submitted to Court for review and acceptance. These risks appear red in the traffic light system used in the institutional risk register. Faculty and Directorate actions For local risk registers, residual risk scores appearing amber according to the criteria given above should be actively considered at regular Faculty/Directorate management meetings. For local residual risk scores appearing red, the PVC / Director of Professional Service should confer with his/her line manager before referring the risk to the University Risk Manager for updating the institutional risk register. 28. The table below shows the range of risk scores: 7

8 Impact Red Amber Green Likelihood Reporting of Risks 29. Court will each year approve the Institutional Risk Register, risk appetite and reporting protocols as part of the annual planning process. This will entail confirmation of the financial thresholds used to gauge the severity of impact on the University as detailed above. 30. Court will also be required to review and sign off residual risk scores appearing in the red area on the risk matrix above. 31. In order to provide Court with the necessary assurance, VCO will review and sign off the residual risk scores appearing in the red and amber areas on the risk matrix above before submission to the Court. 32. Faculties and Directorates will, at least twice annually, consider local updates to inform the Institutional Risk Register compiled by and in conjunction with the Risk Manager. The results of this review will be passed to VCO for consideration and recommendation to Audit Committee. 33. Internal Audit, via the Audit Committee, will provide Court with independent assurance on the adequacy and effectiveness of the risk management process. Project Management 34. An integral part of the University s project methodology is that all significant new projects require a risk register to be prepared at the outset of the project. A template for making project risk assessments is provided on the University s website. 35. At the beginning of the project, the focus is on identifying the key risks and what controls should be put in place to mitigate these risks. As the controls have not yet been implemented, it is the Inherent Risk Score that is the primary focus as this is effectively the residual risk to the University. As the project progresses and controls are implemented, the residual risk score should fall. Sources of assurance that mitigating actions are being implemented should be documented. PVCs / Directors of Professional Service, in conjunction with the Project Manager, are responsible for reporting on the start and progress of major projects which may have an impact on the Institutional Risk Register. 8

9 36. Industry guidelines will determine the assessment of risk in estates-based projects. Academic projects are also subject to quality assurance review procedures. Project managers are expected to make an assessment of risk throughout the lifetime of a project in the light of generally accepted good practice, and to report to and advise Senior Management appropriately. 37. Major new projects change the University s risk profile and it is important that Court is able to approve and accept these projects before implementation or any significant investment / outlay has been made. The criterion that has been established is as follows: An inherent risk score of 20 or more will require Court agreement and acceptance. 38. The use of an inherent risk score of 20 reflects the fact that risks are being looked at before controls. Any residual risk scores that are scored at 15 or greater at the time the project is implemented would require Court approval through the normal process of referring all red risks to Court. Definitions 39. Some important definitions used in the Risk Management Policy and Guide are: i. Risk: the threat or probability that an action or event will adversely or beneficially affect an organisation s ability to achieve its objectives (HEFCE, A Guide to Good Practice for Higher Education Institutions, 01/28 May 2001) ii. iii. iv. Risk Management: All activities performed by the University to identify, assess and control the uncertainties which may impact on the University s ability to achieve its aims, objectives and opportunities. Risk appetite: the range of exposure that is judged tolerable for the organisation. Mitigation: Actions that are taken, or which could be taken, to address risks faced either by reducing the likelihood that they will occur, or by managing their impact if they do occur. v. Inherent risk: the risk of something happening before any controls or safeguards are applied to mitigate the risk. vi. vii. Sources of Assurance: ways (preferably external) in which the controls on a risk are confirmed as actually taking place and being effective. Residual risk: the level of risk remaining after the application of controls and other safeguards to mitigate the risk. Oct 2017: Risk Manager Next review date Autumn