1.1 The Higher Education Funding Council for England (HEFCE) published the following definition of risk:
‘the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives’ [Circular 2001/28, ‘Risk Management’].
For the purposes of this Risk Management Strategy, risks are considered as occurrences or opportunities that would impact on the delivery of the University’s core business, the quality of its outputs, the achievement of its strategic goals or the excellence of its reputation. Risks can be as diverse as the threat of a global flu pandemic and a missed opportunity to enhance an existing business practice.
1.2 Risk management is variously defined as:
“a process which provides assurance that: objectives are more likely to be achieved; damaging things will not happen or are less likely to happen; beneficial things will be or are more likely to be achieved.” (HEFCE)
“Risk Management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.
The focus of good risk management is the identification and treatment of these risks. Its objective is to add value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.
Risk management should be a continuous and developing process which runs throughout the organisation’s strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future.” (Institute of Risk Management, IRM Risk Standard, 2002)
2. Institutional attitude to risk and principles of risk management
2.1 The University of Bath encourages enterprise and innovation. Whilst it is robust in its approach to risk management, it is not inherently a ‘risk averse’ organisation. The University has achieved considerable success since it received its Royal Charter in 1966 and is prepared to invest and innovate in order to enhance its current standing as one of the UK’s leading universities.
2.2 The University’s objective is to be ‘risk aware’, by ensuring that risk management is an integral part of its planning and review processes, including the evaluation of new development opportunities. Effective risk management will enhance:
- the likelihood of the University delivering its objectives;
- the University’s reputation;
- its financial sustainability;
- its planning and decision-making activities;
- its leadership, management and governance;
- its core business;
- its ability to innovate.
2.3 The approach adopted to risk management is proportionate, proactive and transparent. In order to ensure a proportionate response, the University has embedded risk management processes into the University’s planning and decision-making framework. In order to ensure a proactive response, deans and directors/heads of professional services are required to consider risk management plans alongside the development of their strategic plans. In order to ensure transparency, risk management is conducted in an open, blame-free culture which encourages all risks to be highlighted and addressed. There is also a systematic approach to reporting and reviewing risk management, involving senior managers and members of the governing body.
2.4 The University’s approach to risk management follows the private sector corporate governance principles and practice outlined in the Financial Reporting Council’s UK Corporate Governance Code (2016) and the Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014) to the extent that:
(C2) Council (“the Board”) is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. Council maintains sound risk management systems.
(C2.1) Council receives regular reports on the key risks facing the University, considers an annual report on risk management, and approves an updated Risk Register and Risk Management Plan for the forthcoming year. The Corporate Governance section of the Financial Statements describes the University’s risk management processes.
(C2.2) Council considers a range of sustainability metrics in the Annual Sustainability Assurance Report and confirms that, on the basis of these metrics, the University remains sustainable. This was part of a voluntary return that Council made annually to the HEFCE until 2017.
(C2.3) Audit Committee, on behalf of Council, monitors the University’s risk management and internal control systems, and Internal Audit periodically audits their effectiveness. Most recently, the effectiveness of the risk management processes was considered by the independent review of Council’s effectiveness in 2018 (the Halpin Report).
Council ensures the design and implementation of the University’s risk management systems identify the risks facing the University and enable Council to make a robust assessment of the principal risks.
Council determines the nature and extent of the principal risks faced and those risks that the University is willing to take in achieving its strategic objectives (risk appetite).
Council agrees how the principal risks should be managed or mitigated to reduce the likelihood of their incidence or their impact.
Council, via the Audit Committee and periodic effectiveness reviews, monitors and reviews the University’s risk management systems, and satisfies itself they are functioning effectively.
3. Roles and responsibilities
3.1 Council is responsible for agreeing the University’s key risks, approving the framework for risk assessment and management, monitoring risk management activities, and for the continuous process of calibrating the institution’s risk appetite. Council has a key role in the management of strategic risk. In accordance with the Office for Students’ Terms and conditions of funding for higher education institutions (March 2018), Council has responsibility for ensuring that the University “has a robust and comprehensive system of risk management, control and corporate governance. This should include the prevention and detection of corruption, fraud, bribery and irregularities.”
3.2 The President and Vice-Chancellor is responsible for maintaining and promoting the operational efficiency of the University’s financial management, strategic management and risk management processes. The President and Vice-Chancellor is the University’s Accountable Officer. Under the Office for Students’ Terms and conditions of funding for higher education institutions (March 2018): “The accountable officer is personally responsible to the governing body for ensuring compliance with the terms and conditions of funding for providing the OfS with clear assurances to this effect.” This includes responsibility for ensuring that funding is being used for the purposes for which it was given and that the University has a robust and comprehensive system of risk management.
3.3 The Deputy Vice-Chancellor and Provost is responsible for academic planning and, hence, is the owner of the risks associated with student recruitment and admissions. The Vice-President (Implementation) is responsible for space management and has line management responsibility for Computing Services. Hence, the Vice-President (Implementation) is the owner of the risks associated with the capacity and fitness for purpose of the physical and IT infrastructure. The Pro-Vice-Chancellors are responsible for the delivery of relevant academic objectives and, hence, are the owners of the risks associated with the delivery of those objectives. In identifying these overall responsibilities under the Risk Management Strategy, the University recognises that risk management in these domains is delivered through a range of senior managers.
3.4 Executive Committee is responsible for advising the President and Vice-Chancellor on the assessment of risk, the development of the risk management action plan and the implementation of the risk management action plan. Executive Committee is also responsible for submitting regular progress reports and an annual report on risk management to the University Council.
3.5 Audit Committee is responsible for reviewing the effectiveness of the risk management, control and governance arrangements, and in particular for reviewing the external auditors’ management letter, the internal auditors’ annual report and management responses.
3.6 Deans, Directors of Professional Services and Heads of Department are responsible for the assessment and management of operational and project risk within their faculty, service or department. Project management/control groups are responsible for escalating any risks that cannot be managed within a project to the University Planning Team. Deans, Directors of Professional Services and Heads of Department are also responsible for horizon scanning activities to provide early warning of strategic risk, escalating risk that cannot be managed at faculty/departmental level to the University Planning Team and for identifying operational risk associated with the business processes of other departments.
3.7 The University Planning Team is responsible for co-ordinating operation-wide planning, risk management and resource allocation activities. The University Planning Team is also responsible for risks escalated from faculty/professional service/departmental level and for risks escalated by project management/control groups.
3.8 The Office of Policy and Planning is responsible for the implementation and development of the University’s risk management activities and for the publication of the University’s Risk Register and Risk Management Plan.
4. Identifying risks
4.1 The University Strategy 2016-21 articulates our Vision, Mission and business objectives. The University’s approach to risk management is objective-driven and its Risk Management Strategy outlines the framework of systematic processes that the institution has put in place to identify, evaluate, manage and review the risks associated with the delivery of its Strategy. The University Strategy is approved by Council, the University’s governing body.
4.2 Risks are identified through various self-assessment exercises. Strategic and operational risks are identified through the University’s planning process, whilst most project risks are identified by individual project management teams. The planning process provides a bottom-up, operations-wide assessment of operational and project risk. The University’s Risk Register provides a top-down strategic assessment of risk, and incorporates the strategic risks identified during the annual planning process. Executive Committee is responsible for undertaking the strategic assessment of risk; deans, heads of academic departments and directors/heads of professional services are responsible for undertaking the assessment of risk in the department for which they are responsible.
4.3 The University’s planning process provides a systematic approach to integrating strategic planning, financial planning, environment scanning, performance review, risk management and resource allocation. Faculties and key departments are asked to update risk management plans as part of their planning submissions. The Office of Policy and Planning is then responsible for ensuring that the operational and strategic risks identified at departmental level are incorporated into the University’s Risk Register as appropriate.
4.4 The University’s Risk Register contains 8 sub-categories of risk associated with the delivery of the University’s objectives:
- student recruitment and access;
- student experience;
- physical infrastructure (estate);
- physical infrastructure (IT);
- financial capacity.
All departmental risk registers and risk management plans are also required to relate back to the delivery of the University’s strategic goals.
4.5 The University’s Risk Register is updated for each meeting of Council. Faculty Risk Management Action Plans are considered regularly by Faculty Executive Committees, and reviewed by the University Planning Team on an annual basis (see paragraph 3.7 above).
5. Evaluating risks
5.1 Once risks have been identified at institutional or departmental level, they are evaluated in terms of the likelihood of their occurrence (on a scale of 1-5) and the level of impact that they would have if they did occur (on a scale of 1-5). When multiplied together, these give a numerical value for the ‘gross’ risk. The University’s Risk Register publishes the gross risk and the ‘net’ risk for the most significant risk elements. The net risk, or residual risk, refers to the numerical assessment once the likelihood and impact values are adjusted to take account of any mitigation actions already in place.
5.2 As outlined in 6.1 below, the University recognises that there are some risk elements that it will have to tolerate, even if these have the highest net risk values. There are a number of reasons why the University may be unable to manage the risk: the risk may arise from funding decisions outwith the University’s control, or potential solutions may be unaffordable. For this reason, the University does not have a numeric net risk threshold, preferring to consider each risk element in its own specific context. Executive Committee will monitor all risks and report regularly to Council on risk mitigation actions, changes in net risk and emerging and contingent risks.
6. Addressing risks
6.1 Having identified risks, the University deploys four methods for addressing risk:
- tolerate the risk – where the resource required to address a risk is disproportionate to the beneficial impact, or there is no action that the University could take to lessen the likelihood or impact of the risk, it may accept the risk, whilst monitoring the situation regularly;
- transfer the risk – where the University seeks, through insurance or a third-party agreement, to transfer some share of the risk to an external organisation;
- treat the risk – where the University puts in place mitigation actions to contain the risk to an acceptable level;
- terminate the risk – where the University decides not to pursue an activity or an opportunity because the ‘net risk’ to its core business, quality of output, attainment of its strategic goals or reputation is too high.
6.2 Where the University opts to treat the risk, an individual/committee/department is designated to take responsibility for implementing agreed mitigation activities to a specified timescale. Progress at departmental level is monitored by the University Planning Team. Progress at institutional level is monitored by the Executive Committee and Council. Officers responsible for strategic risks are also required to report to Audit Committee at appropriate intervals.
7. Review and reporting arrangements
7.1 Faculty and key departmental risk registers and management plans are reviewed annually by the University Planning Team. This review of operational and project risk at departmental level informs the re-evaluation of the likelihood and impact of risk elements in the University’s Risk Register.
7.2 The Office of Policy and Planning is responsible for preparing regular risk management progress reports for Executive Committee. Following consideration of the progress reports, Executive Committee forwards the documentation to the next meeting of Council. The intention is for all risk elements to be reviewed by the Executive Committee before each meeting of Council.
7.3 Executive Committee and Council receive an annual report on Risk Management. The Office of Policy and Planning is responsible for preparing the report. The University’s Risk Register is reviewed annually in order to reflect issues emerging from the planning process. Risks can be added or withdrawn if the perceived changes in the risks are significant enough.
7.4 Council receives information on institutional performance in the form of key performance indicators designed to evaluate progress against the University’s strategic goals.
7.5 As required by the HEFCE Audit Code of Practice, the Audit Committee reports an annual opinion to Council (and subsequently to the HEFCE) on the adequacy and effectiveness of the University’s arrangements for risk management, control and governance. It does this by reviewing the external auditors’ management letter, the reports written by the Internal Audit Department and other information including management responses. The University’s Risk Register is used to help inform the schedule of activities of the Internal Audit Department.
8. Related documentation
- University Strategy 2016-21
- University Risk Register and Risk Management Plan
- Emergency Management Plan
- Business Continuity Plans
- The UK Corporate Governance Code (2016), Financial Reporting Council
- Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014), Financial Reporting Council
Approved by Council July 2018.