
Risk Management Policy

| Rev | Date | Purpose of Issue/Description of Change | Date |
| --- | --- | --- | --- |
| 1 | June 2006 | Initial Issue | |
| 2 | November 2009 | Revised and updated | 6th November 2009 |
| 3 | September 2010 | Revised and updated | 1st September 2010 |
| 4 | June 2013 | Revised and updated | 24th June, 2013 |
| 5 | September 2015 | Revised and updated | |
| 6 | September 2017 | Revised and updated | |
| 7 | August 2018 | Substantial revision | |

| Policy Officer | Senior Responsible Officer | Approved By | Date |
| --- | --- | --- | --- |
| Head of Risk Assurance | Director of Finance | University Council | October 2015 |
| Head of Risk Assurance | Director of Finance | University Council | October 2017 |
| Head of Planning & Student Data | University Secretary | University Council | 28th September 2018 |


Bangor University – Risk Management Policy


1. Introduction

1.1. Risk in the context of Bangor University is “the threat or possibility that an action or event will adversely or beneficially affect the University’s ability to achieve its objectives.”

1.2. Risk management is the process that provides assurance that objectives are more likely to be achieved, damaging actions are avoided or minimised, and beneficial actions are optimised. The University recognises the need to adopt a systematic risk management approach to ensure that systems and processes effectively manage identified risks.

2. Policy Statement

2.1. Bangor University has adopted a risk based approach to internal control which is designed to provide reasonable assurance that it will achieve the corporate objectives and overall mission.

2.2. The University acknowledges that there are a number of risks inherent in its business, and is committed to managing those risks that pose a significant threat to the achievement of its strategic objectives.

2.3. The University recognises that in pursuit of its mission and objectives it may choose to accept varying levels of risk. It will do so subject always to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

2.4. Risk management will be embedded as an integral part of the University’s decision making and routine management, and will be incorporated within the strategic and operational planning processes at all levels across the University.

2.5. The benefits of this approach have been identified as:

i. Supports strategic and business planning
ii. Supports academic standards and continuous improvement of academic activities
iii. Protects the University’s reputation
iv. Supports optimal use of resources
v. Promotes continuous improvement
vi. Provides a focus for the internal audit programme
vii. Reduces unexpected events and shocks
viii. Reassures stakeholders and partners
ix. Minimises crisis management

3. Policy Context: Governance and Regulatory Requirements

3.1. Risk management is fundamental to good management practices and forms part of the corporate governance arrangements of the University. The University’s Council, Audit and Risk Committee and Executive need a mechanism through which they can gain assurance regarding the ability to meet the University’s objectives.


3.2. The Higher Education Code of Governance (Committee of University Chairs, December 2014) identifies a number of specific requirements in relation to the governing body’s responsibilities in respect of risk management:

i. (as a primary element of higher education governance) “The governing body ensures institutional sustainability by working with the Executive to set the institutional mission and strategy. In addition, it needs to be assured that appropriate steps are being taken to deliver them and that there are effective systems of control and risk management.”

ii. (in respect of regulatory requirements) “The governing body must receive assurance that the institution is meeting the conditions of funding as set by regulatory and funding bodies and other major institutional funders which include the requirements of the financial memoranda. These include the need to … have a sound system of risk management.”

iii. (in respect of Audit requirements) “The Audit Committee must … produce an annual report for the governing body, including: its opinion on the adequacy and effectiveness of the institution’s risk Management … arrangements”

iv. (in respect of academic risks) “Governing bodies will still wish to receive assurance that academic risks (such as those involving partnerships and collaboration, recruitment and retention, data provision, quality assurance and research integrity) are being effectively managed.”

3.3. The Higher Education Funding Council for Wales (HEFCW) identify a number of specific requirements in respect of risk management in their Financial Management Code and Audit Code of Practice (August 2017):

i. (in respect of planning on a sustainable basis) “Governing bodies must ensure that the institution has conducted a thorough risk assessment of adverse events that could give rise to sustainability concerns.”

ii. (in respect of effective risk management processes) “The institution must ensure that it has an effective policy of risk management.”

iii. (in respect of reporting significant events and failures) “The governing body must inform HEFCW, without delay, about major changes in strategy and/or risk profile”

iv. (in respect of internal audit arrangements) “…each institution must have an internal audit function … Internal audit terms of reference must make clear that its scope encompasses all the institution’s activities, the whole of its risk management (processes) … The internal audit annual report must provide an opinion on the adequacy and effectiveness of the institution’s arrangements for risk management.”

v. (in respect of audit committees in institutions) “The audit committee annual report must record the committee’s opinion on the adequacy and effectiveness of the institution’s arrangements for risk management”


4. Responsibility for Risk Management

4.1. The University Council is ultimately responsible for ensuring there is an effective process of risk management embedded at all levels of the University and covering all aspects of business and academic activity. The Council sets the tone and influences the culture of risk management at the highest level including determining the University’s ‘risk appetite’, emanating from the University’s strategic plan, and agreeing the University’s risk appetite statement (see appendix 1).

4.2. The Audit and Risk Committee have delegated responsibility for overseeing the University’s risk management processes and providing assurance to Council on the effectiveness of the internal control system and any emerging issues, through its annual report.

The Internal Auditors will develop a risk-based audit plan, in consultation with members of Executive and approved by the Audit and Risk Committee, so that audit assurance is focussed on the effectiveness of controls in place to manage the most significant risks. The Internal Auditors will provide an annual opinion to the Audit & Risk Committee on the adequacy and effectiveness of the University's risk management processes.

4.3. The Executive, chaired by the Vice Chancellor, is responsible for maintaining overall management oversight of risk management, ensuring that the University’s risk appetite is applied, and that there is an effective process of risk management in place.

Corporate risks will be owned by a member of the Executive who will ensure all corporate risks within their areas of responsibility are managed appropriately, and that all departmental risks linked to their corporate risks are being adequately managed. Executive members will ensure that relevant Task Groups or Management Groups have an oversight of risk management within their areas of responsibility. Where a risk cannot be managed by the relevant College or Professional Service it should be escalated to the Executive for further consideration.

4.4. The Risk Management Task Group, chaired by the University Secretary, is responsible for maintaining oversight of the implementation of the University’s risk management processes. The Terms of Reference for the Risk Management Task Group are attached at appendix 2.

4.5. Task Groups are responsible for reviewing corporate risks within their areas of responsibility and departmental risks linked to these corporate risks on a regular basis (at least annually, but with significant risks being reviewed more often as appropriate) by ensuring that the key risks are recorded and are being effectively managed.

4.6. Deans of College and Directors of Professional Services are responsible for identification, assessment and management of risk within their area of responsibility. Where a risk cannot be managed at this level it should be escalated to the Executive for further consideration.

4.7. Project Boards are responsible for overseeing that the assessment and management of risks within projects are in line with the project methodology set out in the Project Management Framework.


4.8. All staff with management responsibility will be expected to have an understanding of the nature of risk associated with their area of responsibility. Individual members of staff are responsible for ensuring individual risks are controlled and monitored, including the implementation of actions identified to strengthen controls, and where appropriate escalating any changes or concerns to their line manager.

4.9. The Head of Planning & Student Data is responsible for providing advice on the development and implementation of the risk management policy and processes, and facilitating implementation, together with maintaining the Corporate Risk Register. The Head of Planning & Student Data will ensure that quarterly risk reviews, risk controls and sources of assurance are examined and challenged where necessary, together with monitoring the implementation of mitigating actions. The Head of Planning & Student Data is responsible for reporting outcomes and issues arising from this work to the Risk Management Task Group.

The Head of Planning & Student Data is also responsible for performance management of the University Strategy and supporting strategies by monitoring strategic objectives and associated KPIs which are linked to the University’s risk register. The Head of Planning & Student Data will develop and maintain a set of KPIs to demonstrate performance of each area in respect of following the risk management framework.

5. Risk Management Framework

5.1. Risk management requires a planned and systematic approach to the identification, assessment and mitigation of the risks that could hinder the achievement of the University’s strategic objectives. The University’s approach allocates responsibility for risk management and establishes a framework within which risks are identified and evaluated so that an appropriate response can be determined and effected.

5.2. Risk management is undertaken as an integral part of strategic and operational management. Strategic and operational plans will include an assessment of the risks and mitigating actions associated with each objective, which will be reviewed regularly. Risks must be identified and assessed as part of the business case for all new schemes, investments and projects.

5.3. Risk registers form the basis for action plans designed to address weaknesses in controls identified and mitigate risks where this is considered to be necessary. The corporate risk register is concerned with the main risks to be managed by the University, and is informed by a ‘top-down’ review of international, national, and regional developments, competition, changing environment, resources and potential problems or opportunities, identified at all levels in the University. This is supported by a ‘bottom-up’ evaluation of departmental risk registers, through the linkage of departmental risks to corporate risks. The corporate risk register is maintained by the Head of Planning and Student Data, and overseen by the Executive; it is formally reviewed quarterly, but emerging risks are added as required. Departmental risk registers are maintained by Colleges and Professional Services, which are required to ensure that the risks associated with the delivery of their plans, objectives, and key business processes in their area are identified, managed and monitored. Risks should be controlled at a management level with the resources to underwrite the impact of the risk.


Where the degree of exposure increases beyond a management level’s ability/delegated authority, the risk should be escalated to the Executive who will consider whether the risk should be added to the University’s corporate risk register.

5.4. The University’s approach to the identification, evaluation and management of risk is consistent across all areas, and involves the following steps:

i. Risk identification:

a. Corporate risk register – key corporate risks that would prevent achievement of the University’s strategic objectives and the strategic priority (from the University’s strategic plan) to which they relate.

b. Departmental risk registers – risks associated with key business processes that would prevent achievement of the University’s strategic objectives and the corporate risk to which they relate.

ii. evaluating the severity of each risk using the risk scoring matrix (see appendix 3)
iii. identifying risk controls and mitigating actions
iv. moderation of the risk score in view of the identified risk controls
v. identifying assurances which demonstrate the effectiveness of controls
vi. assigning an owner to each risk, risk control and mitigating action, and (for corporate risks) associating the risk with a Task Group
vii. quarterly review of risk registers, and identification of any gaps in assurance or control
viii. quarterly reporting to, and monitoring by, the Risk Management Task Group, the Executive and the Audit & Risk Committee (see appendix 4)

5.5. The University uses an assurance framework based on a ‘three lines of defence’ model to determine the level of assurance that can be attributed to risk controls in order to assess their effectiveness. This approach considers the level of assurance provided by: departmental assurance, based on day-to-day activity; management oversight assurance; and independent assurance (see appendix 5).

5.6. The University uses the 4Risk software and a standard risk register format for its risk management processes. The software is configured and maintained by the Planning team within Corporate Services, who also provide user training and advice.

5.7. Training needs across all parties with responsibility for risk management (see section 4) will be considered on an annual basis as part of the annual review of risk management processes as per the schedule at appendix 4.

Appendix 1

Risk Appetite Statement

Risk appetite is the level of risk the University is prepared to tolerate or accept in the pursuit of the strategic objectives. The University’s approach is to minimise its exposure to reputational, compliance and financial risk, whilst accepting and encouraging an increased degree of risk in pursuit of its mission and objectives. It recognises that its appetite for risk varies according to the activity undertaken, and that its acceptance of risk is subject always to ensuring that potential benefits and risks are fully understood before developments are authorised, and that sensible measures to mitigate risk are established. The University’s appetite for risk across its activities is provided in the following statements, and is illustrated in the diagram below:

[Diagram: Risk Appetite – Risk Exposure by Strategic Objective. Scale from 1 (Unacceptable to take risks) to 4 (Higher willingness to take risks), plotted for: An Excellent Education and Student Experience; Enhancing Research Success; An International University for the Region; Welsh Language, Culture and Civic Engagement; People; Resources; Governance and Management; Brand and Marketing.]

Excellent Education and Student Experience – The University is committed to excellence in teaching and to providing the students with the best teaching and learning resources and personal support through the pursuit of academic and research excellence. It is recognised that this should involve an increased degree of risk in developing an excellent education and student experience, and the University is comfortable in accepting this risk subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

Enhancing Research Success – The University wishes to improve research performance relative to other institutions across the UK and deliver an environment where the research community has the best opportunity to thrive at all levels, supporting the existing areas of research strength which form the “pinnacles of research”, and nurturing new research areas across all disciplines. It is recognised that this will involve an increased degree of risk in developing research activities, and the University is comfortable in accepting this risk subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.


An International University for the Region – The University has the ambition to be a leading international higher education provider to give Bangor’s students the intercultural expertise demanded in the global economy. The University aims to enhance skills and knowledge by supporting the outward mobility of staff and students, recognising this as a valuable opportunity to broaden the experience of staff and students through international engagement. There is an acceptance that to achieve this there is a moderate level of risk to be taken, subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

Welsh Language and Civic Engagement – The University will build on its position as the leading provider of higher education through the medium of Welsh, supported by the University’s robust Welsh Language Scheme which gives energy and rigour to the academic provision and operational activities. The University has a responsibility to contribute more widely to the cultural wealth of the region, which will be embraced through significant investment in facilities and people to create an artistic programme of the highest quality. It is recognised that this will involve a moderate level of risk to achieve the aims and objectives, subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

People – The University recognises that people are a key resource and is committed to staff well-being and a fair and inclusive environment for staff, and therefore has a moderately low appetite for any deviation from the standards in these areas.

Resources – The financial strategy strikes a balance between generating surpluses and enabling significant infrastructure investment. A number of actions are in place to manage financial risk, and it is recognised that the appetite for risk varies according to the circumstances, but overall financial risk should be minimised.

Governance and Management – In order to adapt successfully to the rapidly changing HE environment it is important for the University to have a coherent strategy, be speedy in decision-making, nurture innovation and be committed to delivering continual improvement in governance and management arrangements. The University also places great importance on compliance, and has no appetite for any breaches in statute, regulation, professional standards, research ethics, bribery or fraud. The University therefore has a low appetite for risk in the conduct of any of its activities that puts its reputation in jeopardy, could lead to undue adverse publicity, or could lead to a loss of confidence by Welsh Government and funders of University activities.

Brand and Marketing – The University will develop a strong brand identity with effective communication, marketing and fundraising operations. It is important that the University builds an increasing level of trust and preserves a high reputation, but it is also recognised that there is a need to be innovative in marketing and to accept that a higher level of risk may be required, subject to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.

Appendix 2

Updated August 2018

RISK MANAGEMENT TASK GROUP

COMPOSITION AND TERMS OF REFERENCE

COMPOSITION:

University Secretary (Chair)
Director of Finance
Director of Student Services
Dean of the College of Human Sciences
Pro Vice Chancellor (Research & Impact)
Acting Director of Property and Campus Services
Director of Human Resources
Acting Director of IT Services
College Manager (Environmental Sciences & Engineering)
President of the Students’ Union
Head of Planning & Student Data (Secretary)

TERMS OF REFERENCE:

1. To oversee the effectiveness of the University’s Risk Management Policy and processes.
2. To review and challenge the University’s corporate and departmental risk registers and to identify any omissions or deficiencies in relation to risk identification, risk controls, mitigating actions, and assurances.
3. To consider reports on the timeliness and adequacy of quarterly risk reviews and completion of mitigating actions.
4. To submit recommendations for improvements to the University’s corporate and departmental risk registers to the relevant senior manager, Committee, or Task Group.
5. To receive periodic reports from senior managers, Committees or Task Groups on the risk management and control strategies for Institutional risks, including project risks.
6. To provide an annual report to the Audit and Risk Committee on the adequacy of the University’s risk management processes.
7. To report to the Executive via the Task Group’s minutes.
8. To provide a quarterly report to the Audit & Risk Committee.
9. The group will meet quarterly; additional meetings may be arranged if specific issues arise.

Appendix 3

Risk scoring methodology

Risks will be assessed on the likelihood of occurrence and the potential impact on the strategic aims and objectives of the University should they be realised.

A. Likelihood Evaluation Criteria: this table will help determine how likely it is that the University will be exposed to each specific risk, considering factors such as anticipated frequency of occurrence; the external environment (e.g. regulatory, economic, community expectations etc.); and history of previous events.

B. Impact Evaluation Criteria: this table defines the consequences or impact criteria, assessed against potential financial loss, reputation impact, safety, disruption etc.

C. Risk Ranking Matrix: this table ranks potential risks as Extreme, High, Moderate and Low, based on the evaluation criteria above.

A. Likelihood Evaluation Criteria

| Likelihood rating | Description |
| --- | --- |
| 1. Rare | Has not occurred before, but could occur at some time in the next 10 years. |
| 2. Unlikely | Do not expect it to happen but it is possible it may do so at some time in the next 4 - 10 years. |
| 3. Possible | Could be difficult to control due to external influences. May occur in the next 3 year period. |
| 4. Likely | Very difficult to control. Will probably occur more than once in the next 3 years. |
| 5. Almost Certain | Will occur this year. May occur at frequent intervals over the next 3 year period. |


B. Impact Evaluation Criteria: Some risks may only have an impact in one of the areas listed below whereas others may have an impact in a number of areas to differing degrees. When recording the impact the highest level within any one of the areas should be noted.

Impact Rating Description Possible Consequences/Examples

1: Negligible – Very little or no impact.

Objectives: No or insignificant impact on the University’s / College’s / Department’s / Subsidiary Company’s strategic objectives.

Financial: Little or no financial impact.

Regulatory/Legislation: No or limited regulatory consequence.

Reputation/Adverse Publicity: No or very limited adverse publicity – there is no impact on external parties or awareness of the problem.

Disruption: Minor service disruption of less than 1 day.

Health and Safety: No risk of injury. Health and Safety compliant.

2: Minor – Negative outcomes from risk or lost opportunities unlikely to have a permanent or significant effect on the University’s / College’s / Department’s / Subsidiary Company’s reputation or performance.

Objectives: Limited impact on the University’s / College’s / Department’s/ Subsidiary Company’s strategic objectives which can be addressed and managed quite quickly and with a small degree of effort.

Financial: Manageable within budget or contingency, contained within single financial year.

Regulatory/Legislation: Limited regulatory consequences – e.g. legal action with limited potential for decision against. Some limited regulatory changes expected.

Reputation/Adverse Publicity: Some external parties aware of problem, but impact is minimal. Minor local short term adverse publicity.

Disruption: Minor but noticeable service disruption of 1 or 2 days.

Health and Safety: Small risk of minor injury. Minor lapse in Health and Safety systems and procedures.


3: Moderate – Negative outcomes from risks or lost opportunities having a moderate to significant impact on the University’s / College’s / Department’s / Subsidiary Company’s reputation and / or performance. Such a risk can be managed relatively straightforwardly, without major impact, in the short to medium term.

Objectives: Adverse impact, of a moderate nature, on the University’s / College’s / Department’s/ Subsidiary Company’s strategic objectives which can be managed in the short term.

Financial: Manageable within budget or contingency, persists across multiple financial years.

Regulatory/Legislation: Limited regulatory consequences, i.e. modest recent changes or some changes anticipated. Any legal action probably settled out of court.

Reputation/Adverse Publicity: Local adverse publicity of the subject area for a short defined period. A number of external parties aware of problem.

Disruption: Disruption to a specific service of 1 – 4 weeks with longer term service delivery implications.

Health and Safety: Risk of injury, leading to loss of staff time. Appropriate systems in place but a breach of Health and Safety standards occurs as an isolated incident.

4: Major – Negative outcomes from risks or lost opportunities with a significant effect that will require major effort to manage and resolve in the medium term but do not threaten the existence of the University / College / Department / Subsidiary Company in the medium term.

Objectives: The achievement of the University’s/ College’s / Department’s/ Subsidiary Company’s strategic objectives will not be met in the medium term.

Financial: Significant impact on financial outturn, reserves or a technical breach of financial covenants.

Regulatory/Legislation: Significant changes to regulatory framework. Legal action against the University for major violation with limited potential for quick settlement.

Reputation/Adverse Publicity: Long and short term local reputational damage. Negative adverse publicity in national media.

Disruption: Immediate impact on majority of services or one specific service.

Health and Safety: Serious risk of injury. Appropriate systems in place but these are not always adhered to or implemented fully. HSE involvement.


5: Critical – Negative outcomes from risks or lost opportunities which if not resolved in the medium term will threaten the existence of the University / College / Department / Subsidiary Company.

Objectives: The achievement of the University’s/ College’s / Department’s/ Subsidiary Company’s strategic objectives will not be met.

Financial: Threat to the solvency of the University or a major breach of financial covenants.

Regulatory/Legislation: Major complex changes to regulatory framework. Major negative sanction by HEFCW. Multiple breaches of legislation and prosecution for breaches of statutory duty.

Reputation/Adverse Publicity: Long and short term reputational damage, third parties suffer loss. Adverse publicity in national (possibly international) media.

Disruption: Immediate impact on the University’s strategic mission. E.g: Loss of core systems, financial systems fail completely and cannot be recovered, major fire prevents substantial part of the university delivering courses, collapse in student applications.

Health and Safety: Potential to cause one or a number of fatalities/ serious life changing injury. Serious and/or systemic failure to address risks to health and safety.


C. Risk Ranking Matrix

Risk score = Likelihood × Impact (rows: likelihood; columns: impact).

| Likelihood \ Impact | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Critical |
| --- | --- | --- | --- | --- | --- |
| 5 Almost Certain | Low (5) | Medium (10) | High (15) | Extreme (20) | Extreme (25) |
| 4 Likely | Low (4) | Medium (8) | High (12) | High (16) | Extreme (20) |
| 3 Possible | Low (3) | Low (6) | Medium (9) | High (12) | High (15) |
| 2 Unlikely | Low (2) | Low (4) | Low (6) | Medium (8) | Medium (10) |
| 1 Rare | Low (1) | Low (2) | Low (3) | Low (4) | Low (5) |

Appendix 4

Appendix 5

The assurance framework is based on a ‘three lines of defence’ model, as outlined below.

1st line – Management of function/dept: i.e. the Colleges or Services that perform the day to day activity.
Examples include: performance data, risk registers, other management information and reports.
This type of assurance can lack independence and objectivity, but its value is that it comes from those who know the business, culture and day-to-day challenges.

2nd line – Corporate Oversight: i.e. separate from day to day activity but not independent of the management arrangements.
Examples include: the setting of boundaries by implementing policies, Task Group and Executive oversight of business processes and risks, and self-evaluation of performance.
Sources of second line assurance are considered more objective than first line assurance.

3rd line – Independent assurance: assurance provided from outside / independent of the University Management.
This relates to independent and more objective assurance, including internal audit, whose work is specifically designed to provide the Audit and Risk Committee with an independent and objective opinion on the framework of governance, risk management and control. Other sources of external assurance include external audit, HEFCW and Regulatory bodies.

For each source of assurance identified the effectiveness of the control it covers has been rated as follows:

| No Assurance given | Partial Assurance | Reasonable | Substantial |
| --- | --- | --- | --- |
| Poor or breakdown in control. | Significant breakdown in the application of controls. | Controls are applied but with some lapses. | Controls are applied continuously or with minor lapses. |