Risk Management Policy and Procedures.


Risk Management Policy and Procedures

Rev | Date | Purpose of Issue/Description of Change | Date
1 | June 2006 | Initial Issue |
2 | November 2009 | Revised and updated | 6th November 2009
3 | September 2010 | Revised and updated | 1st September 2010
4 | June 2013 | Revised and updated | 24th June 2013
5 | September 2015 | Revised and updated | 28th September 2015
6 | September 2017 | Revised and updated |

Policy Officer | Senior Responsible Officer | Approved By | Date
Margaret Jones | Director of Finance | University Council | 9th October 2015
Margaret Jones | Director of Finance | University Council | October 2017

1. Introduction

The University acknowledges that there are a number of risks inherent in its business, and is committed to managing those risks that pose a significant threat to the achievement of its strategic objectives and financial health. The University aims to use risk management to identify risk, and the actions to mitigate it, to inform and improve its decision-making.

2. Policy Statement

Bangor University has adopted a risk-based approach to internal control which is designed to provide reasonable assurance that it will achieve the corporate objectives and overall mission. The University recognises that in pursuit of its mission and objectives it may choose to accept varying levels of risk. It will do so subject always to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

Risk management is fundamental to good management practices and forms part of the corporate governance arrangements. It is an integral part of the University's decision making and routine management, and will be incorporated within the strategic and operational planning processes at all levels across the University.

The Council, the Audit and Risk Committee and the Executive need a mechanism through which they can gain assurance regarding the ability to meet the University's objectives, and the risk-based approach to internal control described in the procedure that follows provides a basis for the provision of assurance regarding the achievement of the University's objectives.

The University will maintain a regularly reviewed strategic risk register. Similarly, all Colleges and Departments will maintain, and regularly review, their operational risk registers. The University will regularly review and monitor the implementation and effectiveness of the risk management process.

3. What is Risk?

RISK can be defined as the threat or probability that an action or event will adversely or beneficially affect an organisation's ability to achieve its objectives [1]. In simple terms risk is "Uncertainty of Outcome", either from pursuing a future positive opportunity, or an existing negative threat in trying to achieve a current objective.

RISK MANAGEMENT may be defined as the planned and systematic approach within the University to identify, assess and mitigate the impact of these uncertainties which may impact on the achievement of the University's aims, objectives and opportunities.

[1] HEFCE, Risk Management: A Guide to Good Practice for Higher Education Institutions, 01/28, May 2001.

4. Approach to Risk Management

The approach to risk management, set out in this Policy and Procedures, has been approved by the Risk Management Task Group, the Audit and Risk Committee and the University Council. The approach allocates responsibility for risk management and establishes a framework within which risks are identified and evaluated so that an appropriate response can be determined and effected.

Risk management needs to allow for the effective assessment and exploitation of opportunities while also identifying what will prevent the University from achieving its objectives, and ensuring it has in place procedures to minimise, or manage, those risks. Risk management therefore involves a planned and systematic approach to the identification, assessment and mitigation of the risks that could hinder the achievement of strategic objectives.

The University's risk management process involves the following main steps:

- identifying the key strategic risks that would prevent achievement of objectives
- assigning responsibility for co-ordinating the management of risk
- evaluating the significance of each risk
- articulating the Council's risk appetite
- identifying suitable responses to each risk
- ensuring the internal control system helps manage the risks
- developing the assurance mechanism to the Vice-Chancellor and the Chair of Council
- regular review.

To coordinate the risk management process, the approach combines oversight by the Risk Management Task Group, the Audit & Risk Committee and the Executive. Members of the Executive are responsible for ensuring that relevant Task Groups within their individual areas take responsibility for the management of specific risks. It is the responsibility of the Task Groups to prepare a Risk Schedule that identifies how specific risks are managed. The Risk Register forms the basis for action plans designed to address weaknesses in controls identified and to mitigate risks where this is considered to be necessary. Where there is no relevant Task Group identified, members of the Executive should ensure that an appropriate individual or group carries out the same task for their spheres of responsibility.

5. Key Principles

The following key principles outline the University's approach to risk management:

- The risk appetite of the University will emanate from the Strategic Plan, which is considered and approved by the Council.
- The Audit and Risk Committee will be responsible for providing the Annual Assurance to Council on the adequacy of risk management. The Audit and Risk Committee will receive quarterly reports and an annual report via the Risk Management Task Group.
- The Executive and its Task Groups will ensure that the necessary steps are taken to actively manage the major risks facing the University, and it will regularly receive the institutional Risk Register and monitor the management of the key risks.

- A Strategic Risk Register, built around the key strategic risk areas (as identified by the objectives of the Strategic Plan), will be created and maintained and will be subject to at least quarterly review by risk owners and the Risk Management Task Group (which will report to the Executive).
- Heads of College and Central Service Departments are responsible for the management of all risks within their areas of control, including ensuring appropriate systems are created to identify, assess, manage and review risks in line with the University Risk Management process.
- Each College and Central Service Department will be required to create, maintain and quarterly review its own Risk Register, using the University's risk management software.
- New initiatives and projects will undergo a risk assessment, and where appropriate a risk register for the project will be generated.
- Reporting and escalation of risks will be carried out when risks cannot be managed within the College or Central Service, in accordance with the procedure outlined under point 6 below.
- The Internal Audit function will consider annually the risk management process at a University and College / Departmental level.

6. Risk Management Responsibilities

Role of the University Council

The University Council is responsible for ensuring there is an effective system of internal control, of which risk management is a key area. The Council sets the tone and influences the culture of risk management at the highest level, including determining the risk appetite (the extent to which the University is risk taking or risk averse as a whole) and setting the University's risk tolerance line.

Role of the Audit and Risk Committee

The Council has a standing Audit and Risk Committee which has delegated responsibility for overseeing risk and risk management and providing advice to Council on the effectiveness of the internal control system and any emerging issues. The Terms of Reference of the Committee are set out in Ordinance XVI.

Role of the Executive

The Executive is responsible to Council for ensuring that the University's risk appetite is applied and that there is an effective process of risk assessment, management, evaluation and review in place. This is both to support the achievement of the University's strategy and to ensure that risks connected to core operations are appropriately managed. The Executive also provides direction and guidance to all relevant managers and officers in the institution.

Members of the Executive (the risk owners of strategic risks) will ensure all risks are managed appropriately within their relevant areas of responsibility, and that actions on risks affecting multiple areas of responsibility are co-ordinated. This includes tasking the relevant Task Group or Management Group with oversight of risk management within their spheres of responsibility. Where risks cannot be managed within a specific College or Department, the Executive will need to provide direction as to the University's approach to responding to the risk.

Role of Task Groups, Sub Groups of Senate, and College Boards

Task Groups are responsible for reviewing the specific risks within their area of concern on a regular basis (at least annually, with significant risks being reviewed more often as appropriate) by ensuring that the key risks are recorded and are being effectively managed. Following each review they report to the Risk Management Task Group with a risk schedule that identifies how specific risks are managed and what assurances have been gained.

Role of Internal Audit

The Internal Auditors will develop a risk-based audit plan, in consultation with members of the Executive and approved by the Audit and Risk Committee, so that audit assurance is focussed on the effectiveness of controls in place to manage the most significant risks. Internal Audit is also responsible for providing an annual opinion on the adequacy and effectiveness of the University's corporate governance, risk management and internal control based on the risk-based audit plan.

Role of the Risk Management Task Group

The Risk Management Task Group:

- Establishes, reviews and oversees the effectiveness of the University's Risk Management processes, including the effective implementation and operation of the Quarterly Review and Reporting Cycle (see Appendix 1).
- Reviews and amends the Strategic Risk Register when appropriate.
- Identifies any omissions or significant deficiencies in the management or controls of strategic risks and submits recommendations for improvements to the senior manager, the monitoring management group/committee and/or the Executive.
- Receives regular reports from senior managers / lead officers, committees and Task Groups on the risk management and control strategies for both strategic and operational risks.
- Provides a quarterly report for the Audit and Risk Committee on the adequacy of the overall risk management system.
- Reports quarterly to the Executive.

The Risk Management Task Group should meet at least quarterly to review and approve the updated Strategic Risk Register.

Role of Heads of College and Central Departments

Heads of College and Central Departments are responsible for actions to manage all risks within their areas and are responsible for implementing appropriate procedures to manage and monitor these risks, and for ensuring that all changes in key risks are reflected in the College / Departmental level risk register. Where a risk cannot be managed at this level it should be escalated to the appropriate member of the Executive for guidance.

Role of Project Boards

Project Boards are responsible for overseeing that the assessment and management of risks within projects are in line with the project methodology set out in the Project Management Framework.

Role of Risk Assurance Section

Advising on the development and implementation of the risk management policy and procedures and facilitating implementation, together with maintaining the Strategic Risk Register. Risk reviews will be examined by Risk Assurance to challenge risk controls and sources of assurance, together with monitoring the implementation of action plans.

Role of Individual Members of Staff

Individual members of staff within a College or Department are responsible for ensuring individual risks are controlled and monitored, including the implementation of actions identified to strengthen controls, and where appropriate escalating any changes or concerns to their line manager.

7. Evaluating Risks

Risks will be assessed on the likelihood of occurrence and the potential impact on the strategic aims and objectives of the University should they be realised. This provides a hierarchical assessment of the risks as illustrated in Appendix 2. This methodology helps to prioritise the response to risk, to determine which risks the University needs to manage and which are less critical.

8. Assessing Risk Appetite

The level of risk that is acceptable, the University's Risk Appetite, will be advised and determined by the Council who, in turn, are advised by the Audit and Risk Committee and the Executive. Risk appetite may vary on a case by case basis depending on the perceived benefits of the issue being considered.

9. Risk Registers

The University's Strategic Risk Register and College and Central Service Department Registers will be held and updated using the University's risk management software.

Approved by the Risk Management Task Group, 6th November 2009
Amended and approved by the Risk Management Task Group, 1st September 2010
Amended and approved by the Risk Management Task Group, 24th June 2013
Reviewed, amended and approved by the Risk Management Task Group, 11th September 2015
Reviewed, amended and approved by the Risk Management Task Group/Executive, June 2017

APPENDIX 1: Risk Management Cycle and Assessment Process

Risk Management is a process that affects all areas of planning, decision making and operations, and because circumstances change an important part of managing risk is regular review. The key stages in the risk management process are set out below and form a continuous cycle, with stage 6 feeding back into stage 1:

1. Identify risks
2. Evaluate the risks
3. Assess risk appetite
4. Identify suitable risk responses
5. Gain assurance on the effectiveness
6. Monitor and review

The University's risk assessment process is operated at three different levels covering strategic, project and operational risk. The underlying principles and framework of risk assessment are the same at all levels.

1. Identifying Risks

Risk is grouped according to the strategic area that it relates to:

- Strategic Priority 1: An Excellent Education and Student Experience
- Strategic Priority 2: Enhancing Research Success
- Strategic Priority 3: An International University for the Region
- Strategic Priority 4: Welsh Language and Civic Engagement
- Strategic Enablers: People; Resources; Governance and Management; Brand and Marketing; Sustainability

Owner and Lead Officer

The Owner has overall responsibility for the management and reporting of the risk. The Lead Officer has operational responsibility for the risk, ensuring that mitigating actions (controls) are in place and ensuring that they are operating effectively.

2. Evaluate Risks

Having identified the key risks, an assessment of the likelihood of the event occurring and the potential impact on the University's objectives should the risk be realised needs to be considered. The University has adopted standard criteria for scoring risks (see Appendix 2).

Impact: This indicates the seriousness of the risk materialising, and is scored on a scale of 1-5:
1. Negligible
2. Minor
3. Moderate
4. Major
5. Critical

Likelihood: This represents the likelihood of the risk happening, and is scored on a scale of 1-5:
1. Rare
2. Unlikely
3. Possible
4. Likely
5. Almost Certain

Risk Score: This is the product of the impact score multiplied by the likelihood score. The score is calculated twice: once to represent the initial estimation of the severity of the risk, i.e. the gross (inherent) score before controls are assessed, and a second time to calculate the residual risk score once the effect of the controls on the impact and likelihood has been assessed.

3. Assess Risk Appetite

The level of residual risk that is acceptable, the risk appetite, has been determined by Council, who are advised by the Audit and Risk Committee and the Executive, and is set out in the Risk Appetite Statement (see Appendix 3).

4. Identify suitable risk response

Controls: These are actions that are intended to manage risk by reducing its impact, its likelihood of occurrence, or both. They should be genuine, practicable and realistic, and help achieve the objectives set.

A control is an activity that prevents or detects errors to mitigate risk, and there are different types of controls to help manage risks, e.g.:

- Directive controls, such as setting corporate policies, departmental policy/procedure, setting budgets etc.
- Preventive controls, such as training on applicable policies, department policy/procedures, review and approval processes, and authorisation controls etc.
- Detective controls, for example bank reconciliations, review of payroll reports, monitoring actual results against those planned, review of operational performance/KPIs etc.

5. Gain assurance on the effectiveness

Assurances are derived from a number of different sources to confirm that risk management systems and processes are appropriately identifying and managing risks. For example:

- Performance reports to the Executive via Task Groups outlining achievement against key performance and strategic objectives
- Compliance with Regulatory Standards
- Assurance from internal and external audit reports
- Annual review

The assurance framework has been based on a three lines of defence model, as outlined below. All three lines have a specific role to play in the internal control environment.

1st line
Source: The Colleges/Schools and Departments that perform the day to day activity.
Examples include: Performance data, risk registers, other management information and reports.
This type of assurance can lack independence and objectivity, but its value is that it comes from those who know the business, culture and day-to-day challenges.

2nd line
Source: Oversight; this is separate from day to day activity but is not independent of the management arrangements.
Examples include: The setting of boundaries by implementing policies; Task Group and Executive oversight of business processes and risks; self-evaluation of performance.
Sources of second line assurance are considered more objective than first line assurance.

3rd line
Source: Independent assurance.
Examples include: Assurance provided from outside / independent of the University Management.
This relates to independent and more objective assurance, including internal audit, whose work is specifically designed to provide the Audit and Risk Committee with an independent and objective opinion on the framework of governance, risk management and control. Other sources of external assurance include external audit, HEFCW and Regulatory bodies.

For each source of assurance identified, the effectiveness of the control it covers has been rated as follows:

No Assurance given: Poor or breakdown in control.
Partial Assurance: Significant breakdown in the application of controls.
Reasonable: Controls are applied but with some lapses.
Substantial: Controls are applied continuously or with minor lapses.

6. Monitor, Review and Reporting Cycle

The relevant risk owner will, on at least a quarterly basis, fully review and, where necessary, update the risks within their sphere of responsibility. The Risk Management Task Group will, on receiving the updated Strategic Risk Register:

- Review the previous quarter and examine the University's track record on risk management and internal control relating to risks.
- Consider the internal and external risk profile of the coming quarter and consider if current internal control arrangements are likely to be effective.
- Assess and review the control environment for each significant risk. This will include:
  o The University's objectives and its financial and non-financial targets
  o Organisational structure and effectiveness of the Executive
  o Culture, approach and resources with respect to the management of risk
  o Delegation of authority
  o Public reporting
- Ensure that there is a process for the on-going identification and evaluation of significant risks. This will include:
  o Timely identification and assessment of significant risks
  o Prioritisation of risks and the allocation of resources to address areas of high exposure
  o Assessment of the University's Risk Register, reports by senior managers to the relevant Task Groups / committees, and assessment of Colleges' and Central Departments' risk registers
  o Receipt and assessment of sources of assurance
- Consider the effectiveness of information and communication on risk management. This will include:
  o Quality and timeliness of information on significant risks
  o The time it takes for control breakdowns to be recognised or new risks to be identified
- Monitor and take corrective action. This will include:
  o Ability of the University to learn from its problems
  o Commitment and speed with which corrective actions are implemented

Reporting Cycle

A quarterly review of the Strategic Risk Register and of College and Central Service Department Risk Registers by risk owners will take place. There will be quarterly reporting to the Risk Management Task Group and onwards to the Executive, and also quarterly reports to the Audit and Risk Committee. The Audit and Risk Committee will receive the Risk Management Annual Report and a full Strategic Risk Register for review at the September meeting.

Appendix 2: Risk management scoring methodology

Likelihood Rating: Evaluation Criteria. This table will help determine how likely it is that the University will be exposed to each specific risk, considering factors such as:
o Anticipated frequency of occurrence
o The external environment (e.g. regulatory, economic, community expectations etc.)
o History of previous events

Impact Rating: Evaluation Criteria. This table defines the consequences or impact criteria, assessed against potential financial loss, reputation impact, safety, disruption etc.

Risk Ranking Matrix. This table ranks potential risks as Extreme, High, Moderate and Low.

Review. Having identified and prioritised the risk, this table gives a guide to determine the level of review required to monitor the assessed risks.

Guidance to support the assessment of impact and likelihood

Guidance to support the assessment of impact

Some risks may only have an impact in one of the areas listed below, whereas others may have an impact in a number of areas to differing degrees. When recording the impact, the highest level within any one of the areas should be noted.

Impact Rating 1: Negligible
Description: Very little or no impact.
Possible Consequences/Examples:
- Objectives: No or insignificant impact on the University's / College's / Department's / Subsidiary Company's strategic objectives.
- Financial: Financial impact is less than 1% of total income/budget in any one financial year.
- Regulatory/Legislation: No or limited regulatory consequence.
- Reputation/Adverse Publicity: No or very limited adverse publicity; there is no impact on external parties or awareness of the problem.
- Disruption: Minor service disruption of less than 1 day.
- Health and Safety: No risk of injury. Health and Safety compliant.

Impact Rating 2: Minor
Description: Negative outcomes from risk or lost opportunities unlikely to have a permanent or significant effect on the University's / College's / Department's / Subsidiary Company's reputation or performance.
Possible Consequences/Examples:
- Objectives: Limited impact on the University's / College's / Department's / Subsidiary Company's strategic objectives which can be addressed and managed quite quickly and with a small degree of effort.
- Financial: Financial impact is less than 2% of total income / budget in any one financial year.
- Regulatory/Legislation: Limited regulatory consequences, e.g. legal action with limited potential for decision against. Some limited regulatory changes expected.
- Reputation/Adverse Publicity: Some external parties aware of problem, but impact is minimal. Minor local short term adverse publicity.
- Disruption: Minor but noticeable service disruption of 1 or 2 days.
- Health and Safety: Small risk of minor injury. Minor lapse in Health and Safety systems and procedures.

Impact Rating 3: Moderate
Description: Negative outcomes from risks or lost opportunities having a moderate to significant impact on the University's / College's / Department's / Subsidiary Company's reputation and/or performance. Such a risk can be managed relatively straightforwardly, without major impact, in the short to medium term.
Possible Consequences/Examples:
- Objectives: Adverse impact, of a moderate nature, on the University's / College's / Department's / Subsidiary Company's strategic objectives which can be managed in the short term.
- Financial: Financial impact up to 3% of total income/budget in any one financial year.
- Regulatory/Legislation: Limited regulatory consequences, i.e. modest recent changes or some changes anticipated. Any legal action probably settled out of court.
- Reputation/Adverse Publicity: Local adverse publicity of the subject area for a short defined period. A number of external parties aware of problem.
- Disruption: Disruption to a specific service of 1-4 weeks with longer term service delivery implications.
- Health and Safety: Risk of injury, leading to loss of staff time. Appropriate systems in place but a breach of Health and Safety standards occurs as an isolated incident.

Impact Rating 4: Major
Description: Negative outcomes from risks or lost opportunities with a significant effect that will require major effort to manage and resolve in the medium term but do not threaten the existence of the University / College / Department / Subsidiary Company in the medium term.
Possible Consequences/Examples:
- Objectives: The achievement of the University's / College's / Department's / Subsidiary Company's strategic objectives will not be met in the medium term.
- Financial: Financial loss up to 4% of total income / budget in any one financial year. Major savings programme required to break even in the medium term.
- Regulatory/Legislation: Significant changes to regulatory framework. Legal action against the University for major violation with limited potential for quick settlement.
- Reputation/Adverse Publicity: Long and short term local reputational damage. Negative adverse publicity in national media.
- Disruption: Immediate impact on the majority of services or on one specific service.
- Health and Safety: Serious risk of injury. Appropriate systems in place but these are not always adhered to or implemented fully. HSE involvement.

Impact Rating 5: Critical
Description: Negative outcomes from risks or lost opportunities which, if not resolved in the medium term, will threaten the existence of the University / College / Department / Subsidiary Company.
Possible Consequences/Examples:
- Objectives: The achievement of the University's / College's / Department's / Subsidiary Company's strategic objectives will not be met.
- Financial: Financial loss (or loss of potential financial surplus) over 4% of total income / budget for consecutive years.
- Regulatory/Legislation: Major complex changes to regulatory framework. Major negative sanction by HEFCW. Multiple breaches of legislation and prosecution for breaches of statutory duty.
- Reputation/Adverse Publicity: Long and short term reputational damage; third parties suffer loss. Adverse publicity in national (possibly international) media.
- Disruption: Immediate impact on the University's strategic mission, e.g. loss of core systems, financial systems fail completely and cannot be recovered, major fire prevents a substantial part of the University delivering courses, collapse in student applications.
- Health and Safety: Potential to cause one or a number of fatalities / serious life changing injury. Serious and/or systemic failure to address risks to health and safety.

Guidance to support the assessment of likelihood

Likelihood Rating | Description
1. Rare | Has not occurred before, but could occur at some time in the next 10 years.
2. Unlikely | Do not expect it to happen, but it is possible it may do so at some time in the next 5-10 years.
3. Possible | Could be difficult to control due to external influences. May occur in the next 3 year period.
4. Likely | Very difficult to control. Will probably occur more than once in the next 3 years.
5. Almost Certain | Will occur this year. May occur at frequent intervals over the next 3 year period.

Risk Scores | Overall Risk Rating | Review
20-25 | Extreme | Top level of risk; should be constantly monitored and reviewed monthly. Possibly escalate to the Executive/Strategic Risk Register if required.
15-16 | High | High level of risk; should be constantly monitored and reviewed quarterly. Possibly escalate to a higher level if required.
5-14 | Medium | Medium level of risk; should be monitored and reviewed every 6 months.
0-6 | Low | Low level of risk; should not require much attention but should be reviewed at least annually.

RISK RANKING MATRIX

Rows give Likelihood (1-5), columns give Impact (1-5); each cell shows the overall rating with the risk score (Likelihood x Impact) in brackets.

Likelihood          Impact 1        Impact 2        Impact 3        Impact 4        Impact 5
                    Negligible      Minor           Moderate        Major           Critical
5 Almost Certain    Low (5)         Medium (10)     High (15)       Extreme (20)    Extreme (25)
4 Likely            Low (4)         Medium (8)      Medium (12)     High (16)       Extreme (20)
3 Possible          Low (3)         Low (6)         Medium (9)      Medium (12)     High (15)
2 Unlikely          Low (2)         Low (4)         Low (6)         Medium (8)      Medium (10)
1 Rare              Low (1)         Low (2)         Low (3)         Low (4)         Low (5)

Appendix 3 Risk Appetite Statement

Risk appetite is the level of risk the University is prepared to tolerate or accept in the pursuit of its strategic objectives. The University's approach is to minimise its exposure to reputational, compliance and financial risk, whilst accepting and encouraging an increased degree of risk in pursuit of its mission and objectives. It recognises that its appetite for risk varies according to the activity undertaken, and that its acceptance of risk is subject always to ensuring that potential benefits and risks are fully understood before developments are authorised, and that sensible measures to mitigate risk are established. The University's appetite for risk across its activities is provided in the following statements, and is illustrated in the diagram below:

[Diagram: Risk Exposure by Strategic Objective. Risk appetite is shown on a scale of 1 (Unacceptable) to 4 (Higher willingness to take risks) for each of: An Excellent Education and Student Experience; Enhancing Research Success; An International University for the Region; Welsh Language, Culture and Civic Engagement; People; Resources; Governance and Management; Brand and Marketing.]

Excellent Education and Student Experience - The University is committed to excellence in teaching and to providing students with the best teaching and learning resources and personal support through the pursuit of academic and research excellence. It is recognised that this should involve an increased degree of risk in developing an excellent education and student experience, and the University is comfortable in accepting this risk subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

Enhancing Research Success - The University wishes to improve research performance relative to other institutions across the UK and deliver an environment where the research community has the best opportunity to thrive at all levels, supporting the existing areas of research strength which form the pinnacles of research, and nurturing new research areas across all disciplines. It is recognised that this will involve an increased degree of risk in developing research activities, and the University is comfortable in accepting this risk subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

An International University for the Region - The University has the ambition to be a leading international higher education provider, giving Bangor's students the intercultural expertise demanded in the global economy. The University aims to enhance skills and knowledge by supporting the outward mobility of staff and students, recognising this as a valuable opportunity to broaden the experience of staff and students through international engagement. There is an acceptance that to achieve this there is a moderate level of risk to be taken, subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

Welsh Language and Civic Engagement - The University will build on its position as the leading provider of higher education through the medium of Welsh, supported by the University's robust Welsh Language Scheme which gives energy and rigour to the academic provision and operational activities. The University has a responsibility to contribute more widely to the cultural wealth of the region, which will be embraced through significant investment in facilities and people to create an artistic programme of the highest quality. It is recognised that this will involve a moderate level of risk to achieve the aims and objectives, subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

People - The University recognises that people are a key resource and is committed to staff well-being and a fair and inclusive environment for staff, and therefore has a moderately low appetite for any deviation from the standards in these areas.

Resources - The financial strategy strikes a balance between generating surpluses and enabling significant infrastructure investment. A number of actions are in place to manage financial risk, and it is recognised that the appetite for risk varies according to the circumstances, but overall financial risk should be minimised.

Governance and Management - In order to adapt successfully to the rapidly changing HE environment it is important to the University to have a coherent strategy, be speedy in decision-making, nurture innovation and be committed to delivering continual improvement in governance and management arrangements. The University also places great importance on compliance, and has no appetite for any breaches of statute, regulation, professional standards, research ethics, bribery or fraud. The University therefore has a low appetite for risk in the conduct of any of its activities that puts its reputation in jeopardy, could lead to undue adverse publicity, or could lead to a loss of confidence by the Welsh Government and funders of University activities.

Brand and Marketing - The University will develop a strong brand identity with effective communication, marketing and fundraising operations. It is important that the University builds an increasing level of trust and preserves a high reputation, but it is also recognised that there is a need to be innovative in marketing and to accept that a higher level of risk may be required, subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.