1. Definitions
1.1 The Higher Education Funding Council for England (HEFCE) published the following definition of risk:
‘the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives’ [Circular 2001/28, ‘Risk Management’].
For the purposes of this Risk Management Strategy, risks are considered as occurrences or opportunities that would impact on the delivery of the University’s core business, the quality of its outputs, the achievement of its strategic goals or the excellence of its reputation. Risks can be as diverse as the threat of a global flu pandemic, a ransomware attack and a missed opportunity to enhance an existing business practice.
1.2 Risk management is variously defined as:
“a process which provides assurance that: objectives are more likely to be achieved; damaging things will not happen or are less likely to happen; beneficial things will be or are more likely to be achieved.” (HEFCE)
“Risk Management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.
The focus of good risk management is the identification and treatment of these risks. Its objective is to add value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.
Risk management should be a continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future.” (Institute of Risk Management, IRM Risk Standard, 2002)
“Organisations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.
Managing risk is iterative and assists organisations in setting strategy, achieving objectives and making informed decisions.
Managing risk is part of governance and leadership and is fundamental to how the organisation is managed at all levels. It contributes to the improvement of management systems.
Managing risk is part of all activities associated with an organisation and includes interaction with stakeholders.
Managing risk considers the external and internal context of the organisation, including human behaviour and cultural factors.” (ISO 31000, 2018)
2. Institutional attitude to risk and principles of risk management
2.1 The University of Bath encourages enterprise and innovation. Whilst it is robust in its approach to risk management, it is not inherently a ‘risk averse’ organisation. The University has achieved considerable success since it received its Royal Charter in 1966 and is prepared to invest and innovate in order to enhance its current standing as one of the UK’s leading universities.
2.2 The University’s objective is to be ‘risk aware’, by ensuring that risk management is an integral part of its governance, planning, management and review processes, including the evaluation of new development opportunities. Effective risk management will enhance:
- the likelihood of the University delivering its objectives;
- the University’s reputation;
- its financial sustainability;
- its planning and decision-making activities;
- its leadership, management and governance;
- its core business;
- its ability to innovate.
2.3 The approach adopted to risk management is proportionate, proactive and transparent. In order to ensure a proportionate response, the University has embedded risk management processes into the University’s planning and decision-making framework. In order to ensure a proactive response, deans and directors/heads of professional services are required to consider risk management plans alongside the development of their strategic plans. In order to ensure transparency, risk management is conducted in an open, blame-free culture which encourages all risks to be highlighted and addressed. There is also a systematic approach to reporting and reviewing risk management, involving senior managers and members of the governing body.
2.3.1 Risk appetite
Our risk appetite can be considered as the level of risk that we are prepared to accept in order to deliver our strategic objectives. Our risk appetite varies with the nature of the activity being undertaken. In general, the University’s appetite for risk in relation to any aspect of compliance is low, whilst in relation to its performance its appetite may range from low to moderate in order to prioritise the allocation of limited resources. The University has a higher appetite for risk in relation to investments to secure its future sustainability; nevertheless, decisions to invest are taken in the context of understanding the potential benefits and risks, and acting to mitigate the risks as far as possible.
2.4 The University’s approach to risk management follows the private sector corporate governance principles and practice outlined in the Financial Reporting Council’s UK Corporate Governance Code (2018) and the Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014) to the extent that:
Council (“the Board”) is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. Council maintains sound risk management systems.
Council receives regular reports on the key risks facing the University, considers an annual report on risk management, and approves an updated Risk Register and Risk Management Plan for the forthcoming year. The Corporate Governance section of the Financial Statements describes the University’s risk management processes.
Audit and Risk Assurance Committee, on behalf of Council, monitors the University’s risk management and internal control systems, and Internal Audit periodically audits their effectiveness. Most recently, the effectiveness of the risk management processes was considered by the independent review of Council’s effectiveness in 2018 (the Halpin Report).
Council ensures the design and implementation of the University’s risk management systems identify the risks facing the University and enable Council to make a robust assessment of the principal risks.
Council determines the nature and extent of the principal risks faced and those risks that the University is willing to take in achieving its strategic objectives (risk appetite).
Council agrees how the principal risks should be managed or mitigated to reduce the likelihood of their incidence or their impact.
Council, via the Audit and Risk Assurance Committee and periodic effectiveness reviews, monitors and reviews the University’s risk management systems, and satisfies itself they are functioning effectively.
2.5 The University’s approach to risk management follows ISO 31000 to the extent that:
- Council and University Executive Board ensure that risk management is integrated into all organisational decision-making;
- Council publishes a statement of the University’s approach to risk management in the form of this Risk Management Strategy;
- Council has oversight of the risks identified to the delivery of the University’s strategic objectives, the analysis of these risks and the proposals for managing these risks;
- Council receives regular reports on risk management from the University Executive Board.
3. Roles and responsibilities
3.1 Council is responsible for agreeing the University’s key risks, approving the framework for risk assessment and management, monitoring risk management activities, and for the continuous process of calibrating the institution’s risk appetite. Council has a key role in the management of strategic risk. In accordance with the Office for Students’ Terms and conditions of funding for higher education institutions (March 2018), Council has responsibility for ensuring that the University “has a robust and comprehensive system of risk management, control and corporate governance. This should include the prevention and detection of corruption, fraud, bribery and irregularities”.
3.2 The Vice-Chancellor and President is responsible for maintaining and promoting the operational efficiency of the University’s financial management, strategic management and risk management processes. The Vice-Chancellor and President is the University’s Accountable Officer. Under the Office for Students’ Terms and conditions of funding for higher education institutions (March 2018): “The accountable officer is personally responsible to the governing body for ensuring compliance with the terms and conditions of funding and for providing the OfS with clear assurances to this effect.” This includes responsibility for ensuring that funding is being used for the purposes for which it was given and that the University has a robust and comprehensive system of risk management.
3.3 The Deputy Vice-Chancellor is responsible for academic planning and, hence, is the owner of the risks associated with the financial sustainability of the University’s academic portfolio. The Chief Operating Officer has line management responsibility for DDAT, Campus Infrastructure and Human Resources and, hence, is the owner of the risks associated with the capacity and fitness for purpose of the University’s physical and IT infrastructure, and the capacity and capability of its workforce. The Pro-Vice-Chancellors and Vice-Presidents are responsible for the delivery of relevant strategic objectives and, hence, are the owners of the risks associated with the delivery of those objectives. In identifying these overall responsibilities under the Risk Management Strategy, the University recognises that risk management in these domains is delivered through a range of senior managers.
3.4 University Executive Board is responsible for advising the Vice-Chancellor on the assessment of risk and on the development and implementation of the risk management action plan. Executive Board is responsible for submitting regular progress reports on risk management to the University Council, via the Audit and Risk Assurance Committee, and for co-ordinating operation-wide planning, risk management and resource allocation activities. It is responsible for risks escalated from faculty/professional service/departmental level and for risks escalated by project management/control groups.
3.5 Audit and Risk Assurance Committee (ARAC) is responsible for reviewing the effectiveness of the risk management, control and governance arrangements, and in particular for reviewing the external auditors’ management letter, the internal auditors’ annual report and management responses. ARAC considers a report on operational and strategic risk management from UEB at each of its meetings.
3.6 Deans, Directors of Professional Services and Heads of Department are responsible for the assessment and management of operational and project risk within their functional lead area, faculty, service or department. Project management/control groups are responsible for escalating any risks that cannot be managed within a project to the Executive Board. Deans, Directors of Professional Services and Heads of Department are also responsible for horizon scanning activities to provide early warning of strategic risk, escalating risk that cannot be managed at faculty/departmental level to the Executive Board and for identifying operational risk associated with the business processes of other departments.
3.7 The Strategic Projects Office is responsible for the development and implementation of a Project Assurance Framework to support the management of the risks associated with the University’s portfolio of projects, particularly its strategic projects.
3.8 The Department of Risk, Resilience and Compliance is responsible for the development of the University’s risk management activities and for the maintenance of the University’s Risk Register and Risk Management Plan. The Department is also responsible for drafting KPI/risk reports by strategic pillar for consideration by Council.
3.9 The Organisational Resilience and Business Continuity Standing Group is responsible for identifying business continuity risks to inform the review of the Operational Risk Register.
4. Identifying risks
4.1 The University Strategy 2021-26 articulates our Vision, Mission and strategic objectives. The University’s approach to risk management is objective-driven and its Risk Management Strategy outlines the framework of systematic processes that the institution has put in place to identify, evaluate, manage and review the risks associated with the delivery of its Strategy. The University Strategy is approved by Council, the University’s governing body.
4.2 Risks are identified through various self-assessment exercises. Strategic and operational risks are identified through the University’s planning process and management activities, whilst most project risks are identified by individual project management teams, supported by the expertise of the Strategic Projects Office. The planning process provides a bottom-up, operations-wide assessment of operational and project risk. The University’s Strategic Risk Register provides a top-down strategic assessment of risk, and incorporates the strategic risks identified during the planning process. Executive Board is responsible for undertaking the strategic assessment of risk; deans and heads of academic departments, and directors and heads of professional services, are responsible for undertaking the assessment of risk in the department for which they are responsible.
4.3 The University’s planning process provides a systematic approach to integrating strategic planning, financial planning, environment scanning, performance review, risk management and resource allocation. Faculties and key departments are asked to update risk management plans as part of their planning submissions. The Department of Risk, Resilience and Compliance is then responsible for ensuring that the operational and strategic risks identified at departmental level are incorporated into the University’s Strategic Risk Register or Operational Risk Register as appropriate.
4.4 The University’s Strategic Risk Register contains 9 sub-categories of risk associated with the delivery of the University’s objectives:
- research;
- teaching;
- student recruitment and access;
- student experience;
- physical infrastructure (estate);
- physical infrastructure (IT);
- people;
- financial capacity.
In addition, there is a super-ordinate reputational risk.
4.5 The gross and net risks associated with each sub-category of risk, and with the super-ordinate reputational risk, are reviewed before each meeting of ARAC and any changes are recommended to Council via ARAC. Faculty Risk Management Action Plans are considered regularly by Faculty Executive Committees and reviewed by the planning team on an annual basis (see paragraph 7.1 below).
5. Evaluating risks
5.1 Having identified risks at institutional or departmental level, they are evaluated in terms of the likelihood of their occurrence (on a scale of 1-5) and the level of impact that they would have if they did occur (on a scale of 1-5). When multiplied together, these give a numerical value for the ‘gross’ risk. The University’s Risk Register publishes the gross risk and the ‘net’ risk for the most significant risk elements. The net risk, or residual risk, refers to the numerical assessment once the likelihood and impact values are adjusted to take account of any mitigation actions already in place. Risk descriptors are in place to support the calibration of these risk assessments.
5.2 As outlined in 6.1 below, the University recognises that there are some risk elements that it will have to tolerate, even if these have the highest net risk values. There are a number of reasons why the University may be unable to manage the risk: the risk may arise from funding decisions outwith the University’s control, or potential solutions may be unaffordable. For this reason, the University does not have a numeric net risk threshold, preferring to consider each risk element in its own specific context. Executive Board will monitor all risks and report regularly to Council on risk mitigation actions, changes in net risk and emerging and contingent risks.
6. Addressing risks
6.1 Having identified risks, the University deploys four methods for addressing risk:
- tolerate the risk – where the resource required to address a risk is disproportionate to the beneficial impact, or there is no action that the University could take to lessen the likelihood or impact of the risk, the University may accept the risk whilst monitoring the situation regularly;
- transfer the risk – where the University seeks, through insurance or a third-party agreement, to transfer some share of the risk to an external organisation;
- treat the risk – where the University puts in place mitigation actions to contain the risk to an acceptable level;
- terminate the risk – where the University decides not to pursue an activity or an opportunity because the ‘net risk’ to its core business, quality of output, attainment of its strategic goals or reputation is too high.
6.2 Where the University opts to treat the risk, an individual/committee/department is designated to take responsibility for implementing agreed mitigation activities to a specified timescale. Progress is monitored by the Executive Board and ARAC. Officers responsible for strategic risks are also required to report to ARAC at appropriate intervals.
7. Review and reporting arrangements
7.1 Faculty and key departmental risk registers and management plans are reviewed annually by the University Planning Team. This review of operational and project risk at departmental level informs the re-evaluation of the likelihood and impact of risk elements in the University’s Risk Register.
7.2 The Department of Risk, Resilience and Compliance is responsible for preparing regular risk management progress reports for Executive Board. Following consideration of the progress reports, Executive Board forwards the documentation to the next meeting of ARAC. The intention is for all risk elements to be reviewed by the Executive Board before each meeting of ARAC.
7.3 Executive Board, ARAC and Council receive regular progress reports on Risk Management. The Department of Risk, Resilience and Compliance is responsible for preparing the report. The University’s Strategic Risk Register is reviewed annually in order to reflect issues emerging from the planning process and to approve the Risk Management Plan for the following academic session. Strategic risks are reviewed when a new University Strategy is produced. Risks can be added or withdrawn at this time if the perceived changes in the risks are significant enough. The Operational Risk Register is reviewed at each meeting of UEB.
7.4 Council receives information on institutional performance in the form of key performance indicators designed to evaluate progress against the University’s strategic goals. A detailed report on the KPIs and risk associated with each specific strategic pillar is received annually by Council.
7.5 As required by the Office for Students, the Audit and Risk Assurance Committee reports an annual opinion to Council (and subsequently to the Office for Students) on the adequacy and effectiveness of the University’s arrangements for risk management, control and governance. It does this by reviewing the external auditors’ management letter, the reports written by the Internal Audit Department and other information including management responses. The University’s Strategic Risk Register is used to help inform the schedule of activities of the Internal Audit Department.
8. Related documentation
- University Strategy 2021-26
- University Risk Register and Risk Management Plan
- Emergency Management Plan
- Financial Regulations
- Business Continuity Plans
- The UK Corporate Governance Code, Financial Reporting Council
- Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014) Financial Reporting Council
- A Risk Management Standard (IRM, 2002)
- ISO 31000: 2018 Risk Management
Approved by Council July 2022.