Corporate Risk Policy Statement and Procedures AR-RMD-CR01. Anglia Ruskin University Risk Management


Corporate Risk Policy Statement and Procedures AR-RMD-CR01

Executive Summary

This document is intended to assist Anglia Ruskin University, its subsidiaries and Joint Ventures in controlling business risks, sometimes referred to as Corporate Risk. As such, this document forms part of Anglia Ruskin's internal control and corporate governance arrangements.

This policy explains Anglia Ruskin's underlying approach to corporate risk management and documents the roles and responsibilities of the Board of Governors, Vice Chancellor's Group (VCG) and the Corporate Management Team (CMT). It also outlines key aspects of the risk management process, and identifies the main reporting procedures.

In carrying out their duties, all employees must have regard for the possible risks. Employees must recognise that such risk, if uncontrolled, can result in failure to meet Anglia Ruskin's objectives and cause a drain on resources that could better be directed to front line student provision.

This document must be implemented within every Faculty, Professional Service, and where the Board and senior management consider necessary, within Joint Ventures and Subsidiary Companies. Faculty Pro Vice Chancellors and Deans, and Heads/Directors of Professional Services have the responsibility and accountability for managing the risks within their areas of responsibility.

The policy is accompanied by guidance on carrying out effective corporate risk assessments, and the pro-forma to be used for such assessments.

Main Sections
1. Aims
2. General Principles
3. Legal Framework
4. Who has responsibility
5. How is the policy applied
6. Training
7. Communication
8. Monitoring & Review
9. Important Links
10. Related Policies and Procedures
11. Appendix A as Part of the System of Internal Control
12. Appendix B Corporate Risk Detailed Procedures
13.

1 Aims

The aims of this policy are primarily to support Anglia Ruskin's strategic objectives, but also to:
- Support Anglia Ruskin's risk management strategy
- Fully meet our legal and regulatory requirements with regard to risk management
- Have risk management systems and processes that are generally recognised within the sector as best practice
- Ensure every employee of Anglia Ruskin has regard for the management of risks in everyday work situations and decision making processes
- Where practicable reduce the likelihood and impact of risk events
- Reduce property and liability losses and claims
- Ensure that all staff are suitably trained to deal with the risk issues relevant to their position
- Provide suitable and sufficient information, instruction, training and supervision to all relevant staff
- Ensure effective liaison with external bodies where appropriate
- Create a culture within which risk management becomes embedded as a routine management discipline.

2 General principles

2.1 These are as set out in the Strategy

3 Legal & regulatory requirements

3.1 HEFCE's Accounts Direction for 2017-18 financial statements (http://www.hefce.ac.uk/pubs/year/2017/cl,272017/) requires Higher Education Institutions to ensure that they maintain a sound system of internal control and that the following key principles of effective risk management have been applied. Effective risk management:
- covers all risks including governance, management, quality, reputational and financial but is focused on the most important risks
- produces a balanced portfolio of risk exposure
- is based on a clearly articulated policy and approach
- requires regular monitoring and review, giving rise to action where appropriate
- needs to be managed by an identified individual and involve the demonstrable commitment of governors, academics and officers
- is integrated into normal business processes and aligned to the strategic objectives of the organisation.

Further regulatory and supporting guidance can be found in section 9 Important Links.

4 Who has responsibility

4.1 The Board of Governors is ultimately responsible for ensuring that effective systems are in place for the identification, evaluation and management of risk.

4.2 The Vice Chancellor is responsible for reporting to the Board, at each of its scheduled meetings, a summary of the university's top three risks.

4.3 The Vice Chancellor's Group is responsible for a termly review of the university's strategic (CMT) risk register, and reporting to the CMT the outcomes and recommendations following this review.

4.4 The Corporate Management Team has overall responsibility for the establishment, ongoing development, implementation, monitoring and review of corporate risk policies and procedures.

4.5 The Corporate Management Team has been delegated operational responsibility for planning and guiding the ongoing development, implementation, monitoring and review of corporate risk policies and procedures.

4.6 The Corporate Management Team is responsible for:
- Supporting, advising and implementing the policies approved by the Board of Governors
- Proposing termly a priority listing of key risks (CMT Risk Register) that require constant evaluation throughout the year. These are reviewed by members of the Audit and Compliance Committee and ratified by the Board of Governors

4.7 The Corporate Management Team is responsible for:
- Implementing policies on risk management and internal control
- Undertaking, at least termly, a risk identification exercise (see Appendices A and B)
- Identifying and evaluating the significant risks faced by Anglia Ruskin for consideration by the Board of Governors
- Providing adequate information in a timely manner to the Board of Governors, and its committees, on the status of risks and controls
- Undertaking an annual review of effectiveness of the system of internal control as an embedded part of the strategic planning process

4.8 The Board of Governors, acting primarily through the Audit & Compliance Committee, is responsible for:
- Overseeing risk management within Anglia Ruskin as a whole
- Adopting an open and receptive approach to solving risk problems
- Setting the tone and influencing the culture of risk management within Anglia Ruskin. This includes:
- Determining what types of risk are acceptable and which are not
- Setting the standards and expectations of staff with respect to conduct/probity
- Determining the appropriate level of exposure to risk for Anglia Ruskin
- Approving major decisions affecting Anglia Ruskin's risk profile or exposure
- Monitoring the management of significant risks to reduce the likelihood and significance of adverse risk events occurring
- Satisfying themselves that the less significant risks are being actively managed, with the appropriate controls in place and working effectively
- Annually reviewing Anglia Ruskin's approach to risk management and approving changes or improvements to key elements of its processes and procedures
- Evaluating the effectiveness of Anglia Ruskin's internal control process, based on information provided by the Corporate Management Team. For each significant risk identified, the Board will:
- Review the previous year and examine Anglia Ruskin's track record on risk management and internal control
- Consider the internal and external risk profile of the coming year and consider if current internal control arrangements are likely to be effective
- Consider the following aspects whilst making its decisions:

Control environment:
~ Anglia Ruskin's objectives and its financial and non-financial targets
~ Organisational structure and calibre of the senior management team
~ Culture, approach, and resources with respect to the management of risk
~ Delegation of authority
~ Public reporting

On-going identification and evaluation of significant risks
~ Timely identification and assessment of significant risks
~ Prioritisation of risks and the allocation of resources to address areas of high exposure

Information and communication
~ Quality and timeliness of information on significant risks
~ Time taken for control breakdowns to be recognised or new risks to be identified

Monitoring and corrective action
~ Ability of Anglia Ruskin to learn from its problems
~ Commitment and speed with which corrective actions are implemented

4.9 Faculty Pro Vice Chancellors and Deans and Heads/Directors of Professional Services are responsible for:
- On-going identification and evaluation of significant risks
  o Timely identification and assessment of significant risks
  o Prioritisation of risks and the allocation of resources to address areas of high exposure
  o Closely monitoring and reviewing risks and controls on a regular basis
  o Maintaining registers containing details of the most significant risks
  o Reporting on these risks in accordance with the agreed timetable (see procedures)
- Following the Project Compliance and Support Procedures in relation to new and ongoing projects including submission of detailed risk reviews of projects
- Ensuring that ethics approval is obtained where required.

4.10 is responsible for:
- Providing support to all staff required to carry out corporate risk assessments, if requested and appropriate
- Carrying out corporate risk assessment training, if requested and appropriate
- Monitoring the quality of individual assessments via a random sampling process
- Reviewing Faculty and Professional Service risk registers and collating information to enable the Corporate Management Team to produce a high level register representing the most significant risks facing Anglia Ruskin.
- Providing reports in accordance with the Board and Audit & Compliance Committee timetable to enable them to meet their regulatory responsibilities.

5 How is the policy applied

5.1 The procedures and guidance notes provide detailed instructions.

6 Training

6.1 Training for staff is set out in A guide to your employment, training and development. This includes Corporate Risk Awareness training, which is available online and can be arranged through, and Corporate Risk in the Decision Making Process which is delivered through workshops as required.

6.2 The Corporate Risk & Compliance Officer will attend Faculty and Professional Service senior management team meetings at least annually to ensure that senior management are kept fully apprised of the current strategy, policy and procedures.

6.3 Training for Board members is arranged separately.

7 Communication

7.1 Communication is achieved through a range of methods including:
- Anglia Ruskin's main website
- website http://my.anglia.ac.uk/sites/risk/default.aspx
- Reports to appropriate committees.

8 Monitoring and review

8.1 The effectiveness of the policy and procedures is monitored through:
- Performance indicators
- Internal Audit
- External Audit

8.2 The Head of will review this policy and the supporting procedures on an annual basis. Board approval will be sought to any significant changes to this policy.

9 Important links

9.1
- website http://my.anglia.ac.uk/sites/risk/default.aspx
- Higher education Code of Governance http://www.universitychairs.ac.uk/wpcontent/uploads/2015/02/code-final.pdf
- HEFCE's Accounts Direction to higher education institutions for 2014-15 http://www.hefce.ac.uk/pubs/year/2014/CL,252014/
- 'Risk management in higher education: a guide to good practice' (HEFCE 2005/11)
- 'A guide to good practice for higher education institutions' (HEFCE 01/28).
- Handbook for Members of Audit Committees in Higher Education Institutions http://www.hefce.ac.uk/pubs/hefce/2008/08_06/

10 Related policies & procedures

- Corporate Strategy
- Health & Safety Policy Statement (AR-RMD-HSMS01)
- Risk Assessment Policy (AR-RMD-HSMS22)
- Insurance Strategy and Policy (AR-RMD-INS -1)
- Insurance Claims Procedures (AR-RMD-INS-2)
- Fraud Prevention Policy
- Anti-Bribery Policy

Appendix A as Part of the System of Internal Control

The system of internal control incorporates risk management. This system encompasses a number of elements that together facilitate an effective and efficient operation, enabling Anglia Ruskin to respond to a variety of operational, financial, and commercial risks. These elements include:

1. Policies and procedures
Attached to significant risks are a series of policies that underpin the internal control process. The policies are set by the Board of Governors and implemented and communicated by managers to staff. Written procedures, where appropriate, support the policies.

2. Regular Reporting
Comprehensive and regular reporting is designed to monitor key risks and their controls. The Audit and Compliance Committee will receive regular updates on the monitoring of key risks.

3. Business Planning and Budgeting
The business planning and budgeting process is used to set objectives, agree action plans, and allocate resources. Progress towards meeting business plan objectives is monitored regularly.

4. High level risk framework (significant risks only)
This framework is compiled by Corporate Management Team and helps to facilitate the identification, assessment and ongoing monitoring of risks significant to Anglia Ruskin. The document is formally appraised quarterly, although emerging risks are added as required. Improvement actions and risk indicators are monitored regularly.

5. Faculty and Professional Service Risk Registers
These should be developed and used to ensure that significant risks in their Faculty or Professional Service are identified, assessed and monitored. The document is formally appraised within the annual strategic planning process, although emerging risks are added as required. Improvement actions and risk indicators are monitored termly by all Faculty Pro Vice Chancellors and Deans and Heads/Directors of Professional Services.

6. Joint Venture & Subsidiary Company Risk Registers
Where the Board and senior management consider appropriate based on the nature, complexity, and significance of the risks faced, Joint Ventures and Subsidiary Companies will develop and manage their own risk registers. These will be managed in the same way as Faculty & Professional Service registers, with the Executive Directors taking primary responsibility for the identification, assessment, monitoring and reporting of risks.

7. Audit & Compliance Committee (A&C)
The A&C Committee is required to report to the Board of Governors on internal controls and alert them to any emerging issues. In addition, the A&C Committee oversees internal audit and external audit.

8. Internal audit programme
Internal audit is an important element of the internal control process. Apart from its normal programme of work, internal audit is responsible for aspects of the annual review of the effectiveness of the internal control system within the organisation. Furthermore, Anglia Ruskin's risk registers will, to a great extent, inform the development of a risk based internal audit programme.

9. External audit
External audit provides feedback to the A&C Committee on the operation of the internal financial controls reviewed as part of the annual audit.

10. Third party reports
From time to time, the use of external consultants may be necessary in areas such as health and safety or human resources. The use of specialist third parties for consulting and reporting can increase the reliability of the internal control system.

Appendix B Corporate Risk Detailed Procedures

The Process

Risk management is part of every manager's day to day responsibilities. It is an integral part of strategic planning, business planning, projects, partnerships and operational management. For risk management to be effective it has to be a methodical continuous process. The risks associated with each strategic decision, policy or service delivery option, should be systematically identified, analysed, controlled and monitored.

Risk Identification

The Faculty Pro Vice Chancellor and Dean or Head of Professional Service should carry out a risk identification exercise to ensure that all potentially significant loss making situations have been identified. This will be based on the activities carried out within Anglia Ruskin, the Faculty or Professional Service. It will also include activities planned, as well as the activities of external bodies that may impact on Anglia Ruskin's objectives and operations.

In the same way that all activities should ultimately contribute to the attainment of Anglia Ruskin's strategic objectives, the risks identified should by definition have an impact on the achievement of these goals.

The method or tools used for risk identification may vary according to circumstances. A selection of different tools and techniques can be found on the website: http://my.anglia.ac.uk/sites/risk/default.aspx

The Faculty Pro Vice Chancellor and Dean or Head of Professional Service will draw up a schedule of risks (risk register). In determining this schedule they will take into account perceived likelihood of the corporate risk levels, and the impact of these risks on Anglia Ruskin. The full risk register is available at: http://my.anglia.ac.uk/sites/risk/default.aspx

Particular care should be taken when describing the risks on the schedule, as this will facilitate the identification of appropriate control measures.

Risk
This should be a brief description of the risk. Most descriptions will start with phrases such as poor, lack of, failure, breach and so on, e.g. Poor staff retention.

Cause
These will be the underlying causes that give rise to the risk. In the above example these might be unattractive benefits package, uncompetitive pay, lack of promotional prospects, etc.

Impact
These are the consequences of the risk occurring. The Assessment Criteria (see below) may provide some clues as to where the main impacts might be, e.g., staff injuries, damage to reputation, financial loss. Where possible these should be quantified.

Risk Analysis

Using the Risk Assessment Criteria on the following pages, individual Faculty/Professional Service risk assessments should be carried out for each risk identified, looking at the impact that the risk could cause for Anglia Ruskin, the Faculty or Professional Service and the likelihood of the risk occurring. These criteria are not exhaustive, but should be used as a guide. The impact and likelihood scores can then be plotted on the Risk Matrix to establish an overall risk score.

The risk owner must then decide, taking due account of any existing controls, whether the level of risk exposure is acceptable. If it is not, a strategy must be adopted to manage the risk. There are fundamentally five options:
- Tolerate - accept the current level of risk exposure
- Treat - implement actions/controls to reduce the risk to an acceptable level.
- Transfer - consider options, including insurance and other contractual arrangements, as a means of transferring all or part of the risk to another party.
- Terminate - cease the activity that gives rise to the risk
- Take an opportunity - risk management should not always be seen in a negative context. There are many instances where the risks of not pursuing a particular activity outweigh the risks of doing so.

Risks with scores exceeding the Tolerance level, which is currently set at 19 (based on the Assessment Criteria scores), will be the subject of a review by the Corporate Management Team to establish whether they are considered acceptable to the organisation. In order to provide greater assurance as to the effectiveness of controls for these most significant risk exposures, as part of the CMT's review they may additionally request from Pro Vice Chancellors and Deans/Heads of Professional Services action plans to reduce the risks to a more acceptable level.

Risk Control

Risk Control is the process of implementing actions which are designed to reduce the likelihood of the risk event taking place, or lessen the impact of the consequences if it does occur. New controls/mitigations will normally result in procedural changes, may give rise to additional costs, and sometimes can produce new risks. These factors will need to be considered, and a compromise achieved to ensure that the balance between risks and controls is appropriate.

Controls usually fall into the following categories:
- Detective: These controls by definition operate after the event. They show when an unfavourable outcome has occurred, so that remedial action can be taken. Examples include: stock and asset checks, exception reports.
- Directive: These are rules, instructions, policies etc., which are designed to ensure that a desirable outcome is achieved. Examples include: staff code of conduct,
- Preventative: These are actions taken to reduce the likelihood of an undesirable outcome, and are the most common type of control. Examples include: the use of passwords, the separation of duties.
- Corrective: These are controls that provide the route to recovery after an undesirable event. These might include: insurance; contingency plans.

Details of the controls, both existing and proposed, should be recorded on the risk register, with timescales/dates for implementation clearly indicated.

Methods of Assurance/ Early Warning Indicators Performance/ Early Warning Indicators

As part of the risk monitoring process it is important to identify triggers which might alert you to the risk occurring, deteriorating or improving, so that early actions can be taken to address these changes, and manage the risk exposure. The triggers might include a range of key management information, such as budget forecasts, complaint data, accident reports, human resource data, and so on.

Furthermore, it is important to ensure that management are satisfied that the measures taken to control risks are effective. This assurance can be achieved by a range of methods including regular reviews, sample testing, etc. These should also be recorded on the register.

Risk Registers

Once completed, an electronic copy of the Risk Register should be forwarded to Risk Management, where it will be collated with all the other Faculty/Professional Service registers to produce a Corporate Risk Register for the whole organisation. In the case of new or existing projects these should undergo the separate assessment procedures detailed by the Project Compliance Unit (PCU).

Monitoring

The risk management process does not finish with the implementation of controls and actions. These will need to be constantly monitored to ensure that they remain appropriate and effective. The risks should also remain under constant review and reappraisal, to take account of the ever changing risk environment.

Review of risks

As a minimum, risks that fall within the categories "Major" and "Fundamental" should be reviewed termly; those that are within the bands "Moderate" and "Significant" should be reviewed six monthly, and "Minor" risks should be reviewed at least annually.

Reporting

Faculties/Professional Services should arrange their own internal reporting arrangements to ensure that all risks, controls and actions are properly monitored, and any new risks are identified, assessed, and documented. Additionally, as part of the reporting process, the most up to date versions of the Faculty/Professional Service/Joint Venture/Subsidiary Company registers should be submitted to termly. The exact reporting dates will be determined by the Board reporting cycle, and Faculties/Professional Services will be notified of these well in advance.

The overall process can be summarised as follows:

Corporate Risk Registers Reporting Process (flowchart; steps listed by party)

Faculty/Professional Service/Joint Venture/Subsidiary
- Review Strategic Objectives, Business Plans & Operations
- Risks Identified, Assessed, Evaluated & Strategy agreed to Manage
- Significant Risks Documented and Recorded in Risk Registers
- Risks Monitored & Regularly Reviewed
- Faculty/Professional Service/Joint Venture/Subsidiary Risk Registers updated and submitted to RM termly

Vice Chancellor's Group & Vice Chancellor
- VCG review RM report, and report their recommendations to the CMT
- Vice Chancellor reports to the Board at each of its scheduled meetings, a summary of the university's top three risks

Corporate Management Team
- CMT Review VCG recommendations Strategy, Business Plans, Operations & Faculty & Support Service Risks
- Risks Assessed, Evaluated & Strategy agreed to Manage
- Significant Risks Documented and Recorded in CMT Risk Register
- Risks Monitored & Regularly Reviewed
- CMT Risk Register updated

RM
- RM check, review, and collate information. Top risks and recommended changes reported to VCG
- RM submit CMT Risk Register & selected subordinate risk registers to Audit & Compliance Committee in accordance with reporting timetable

Audit & Compliance Committee
- Updated CMT Register and selected subordinate risk registers reviewed by the Audit & Compliance Committee at each meeting

Board of Governors
- Board receives and reviews VC's summary of top three risks
- Board reviews CMT Risk Register at least annually


Risk Assessment Criteria 2017-18

Risk Impact

Score 5 - High
- Health & Safety: Multiple fatalities and/or injury of students, staff, board members and/or general public
- Service Delivery: Disaster - severe, prolonged impact on service affecting whole organisation
- Staffing & Culture: Severe impact on employee motivation leading to dissatisfaction and industrial unrest University-wide
- Legal & Regulatory Compliance: Major breach leading to suspension or discontinuance of business or outsourcing/privatisation of core services and/or functions
- Reputation: Very substantial adverse media comment at National level with long-term impact such as resignation of key senior staff and/or HEFCE enquiry.
- Financial: Over 10m, or recurring annual losses of 5m over 3 or more years
- Time*: Delay jeopardises the viability of a major project
- Quality*: Major project outcomes effectively unusable

Score 4 - Medium High
- Health & Safety: Individual fatalities and/or serious injuries
- Service Delivery: Serious disruption to service delivery from one or more faculties/professional services
- Staffing & Culture: Significant impact on employee motivation resulting in poor quality service delivery at faculty/professional service level
- Legal & Regulatory Compliance: Serious breach causing intervention, sanctions, and legal action.
- Reputation: Serious short-term damage to reputation, with adverse media comment at regional level
- Financial: 5m to 10m
- Time*: Failure to meet key deadlines in relation to the academic year or strategic plan
- Quality*: Failure to meet the needs of a large proportion of stakeholders

Score 3 - Medium
- Health & Safety: Moderate number of injuries, not life threatening
- Service Delivery: Significant impact on service delivery at faculty/professional service level
- Staffing & Culture: Moderate impact on employees' motivation at single faculty/professional service level
- Legal & Regulatory Compliance: Significant breach leading to reprimand or sanctions, legal action
- Reputation: Significant, adverse local media comment/public perception - short term impact
- Financial: Between 1m and 5m
- Time*: Delay affects key stakeholders - loss of confidence in the project
- Quality*: Significant elements of scope or functionality will be unavailable

Score 2 - Medium Low
- Health & Safety: Minor injuries affecting relatively small numbers of individuals
- Service Delivery: Moderate impact on customer service at faculty/professional service level
- Staffing & Culture: Affects motivation of small groups of employees.
- Legal & Regulatory Compliance: Moderate impact leading to warning, threat of sanctions
- Reputation: Minor, local adverse media comment/public perception
- Financial: Between 500k and 1m
- Time*: Slight slippage against key milestones or published targets
- Quality*: Failure to include "nice to have" elements

Score 1 - Low
- Health & Safety: Affects very small number of individuals, only superficial injuries
- Service Delivery: Minor impact on customer service e.g. small number of complaints at faculty/professional service level
- Staffing & Culture: Impact limited to individuals at faculty/professional service level
- Legal & Regulatory Compliance: Minor impact only, no reprimand, sanction, or legal action
- Reputation: Damage very localised, does not result in adverse media comment
- Financial: Up to 500k
- Time*: Slight slippage against internal targets
- Quality*: Slight reduction in quality/scope with no overall impact

Risk Likelihood

Score 5 - High - Likely: The risk is likely to happen within the next 3 months or is occurring at the present
Score 4 - Med High - Probable: The risk could probably occur within the next 3-12 months
Score 3 - Med - Possible: The risk could possibly occur at least once every 1 to 3 years
Score 2 - Med Low - Remote: The risk is remote and may do so within the next 3 to 10 years
Score 1 - Low - Improbable: The risk is extremely unlikely to occur, but may do so in at least 10 years' time

Risk Matrix and Responses

Rows are Impact/Severity (5 to 1), columns are Likelihood (1 to 5). A risk tolerance line is marked on the matrix.

Impact/Severity    Likelihood
                   1    2    3    4    5
5                  15   19   22   24   25
4                  10   14   18   21   23
3                  6    9    13   17   20
2                  3    5    8    12   16
1                  1    2    4    7    11

Fundamental (23-25): Unacceptable level of risk exposure which requires immediate corrective action to be taken
Major (15-22): Unacceptable level of risk exposure that requires constant active monitoring, and measures to be put in place to reduce risk exposure.
Significant (10-14): Acceptable level of risk exposure subject to regular active monitoring measures
Moderate (4-9): Acceptable level of risk exposure subject to regular passive monitoring measures
Minor (1-3): Acceptable level of risk exposure subject to periodic passive monitoring measures