RISK MANAGEMENT POLICY November 2019
The latest version of this document is always to be found at:
http://policies.docstore.port.ac.uk/policy-042.pdf
DOCUMENT TITLE: Risk Management Policy November 2019
DOCUMENT AUTHOR AND DEPARTMENT: Adrian Parry, Executive Director of Corporate Governance
RESPONSIBLE PERSON AND DEPARTMENT: Adrian Parry, Executive Director of Corporate Governance
APPROVING BODY: Board of Governors
DATE OF APPROVAL: 9 October 2019, Min 11
REVIEW DATE: October 2020
EDITION NO.: 11
ID CODE: 42
DATE OF EFFECT: November 2019
EITHER
For public access online (internet)? Tick as appropriate
OR
For staff access only (intranet)? Tick as appropriate
Yes No
For public access on request copy to be mailed Tick as appropriate
Password protected Tick as appropriate
Yes No
Yes No
External queries relating to the document to be referred in the first instance to the
Corporate Governance team at [email protected].
If you need this document in an alternative format, please email [email protected].
Contents
Summary
1. What is the Purpose of this Policy?
2. What is Risk Management?
3. Who is Responsible for Risk Management?
4. How is Risk Managed?
5. Risk Management and Operational Planning
6. Risk Management and Projects
7. Operational and Strategic Risks
8. Risk Management and Investment Proposals
9. Training
10. Review of this Policy
Appendix A: Risk Register Template
Appendix B: Methodology for Scoring Risks
Appendix C: Residual Risk Map
SUMMARY
What is this Procedure about?
This Policy sets out the University’s approach to risk management and the mechanisms it employs to identify, analyse and manage risk. It provides guidance on responsibilities for risk management and information on how risk registers are to be compiled.
Who is this Procedure for?
All staff should familiarise themselves with this Policy. The Human Resources Department also offers regular training events to further enable staff to familiarise themselves with its requirements.
How does the University check this Procedure is followed?
The corporate risk register is regularly submitted for scrutiny and discussion by governors and by the University Executive Board. The internal audit service will also periodically review the effectiveness of the Policy and its implementation.
Who should I contact if I have any queries about this Procedure?
Please contact Adrian Parry, Executive Director of Corporate Governance on 023 9284 3195 or at [email protected].
Risk Management Policy – 2019/2020
1. WHAT IS THE PURPOSE OF THIS POLICY?
1.1 The University recognises that the management of risk is an important component of good management practice and has an open and receptive approach to identifying, discussing and addressing risks.
1.2 The University accepts that risk can never be totally eliminated. The purpose of the University’s Risk Management Policy is to support the development of a consistent approach to determining, analysing and managing risk to ensure that all reasonable steps are taken to mitigate risk and that the level of risk accepted is balanced against the expected reward.
1.3 The Office for Students' (OfS) Terms and Conditions of Funding require the University to have effective arrangements for providing assurance to the Board of Governors that the University has a robust and comprehensive system of risk management, control and corporate governance. This Policy helps to ensure that the University complies with this requirement.
2. WHAT IS RISK MANAGEMENT?
2.1 Risk can be defined as the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives.
2.2 Risk management can be defined as a process which provides assurance that objectives are more likely to be achieved; damaging things will not happen or are less likely to happen; and beneficial things will be or are more likely to be achieved.
3. WHO IS RESPONSIBLE FOR RISK MANAGEMENT?
3.1 The Vice-Chancellor has ultimate responsibility for risk management and has delegated the day-to-day management of this responsibility to the Director of Corporate Governance.
3.2 The University Executive Board (UEB) is responsible for identifying, evaluating and monitoring the key risks faced by the University and for scrutinising the actions taken to manage these key risks. UEB will formally review all key risks before their submission to governors.
3.3 The Audit and Quality Committee is responsible for the oversight of risk management and for advising the Board of Governors upon the effectiveness of the University’s risk management processes. It provides a formal opinion on the effectiveness and upon the reliance that may be placed on the University’s risk management systems via its annual report to the Board of Governors.
3.4 The Board of Governors is responsible for determining the appropriate level of risk exposure for the University, monitoring the management of key risks, and for gaining assurance that risks identified are being actively managed with appropriate controls in place that are working effectively.
3.5 The internal audit service is responsible for auditing the effectiveness of the University’s risk management processes. The internal audit service develops an annual internal audit plan that is guided by the risk profile of the University and the implications of this risk profile for the University’s business processes.
3.6 Notwithstanding the responsibilities outlined above, all managers have responsibility for risk management within their own areas of accountability and have a duty to inform their respective UEB member where exposure to risk is of a material nature. If the UEB member considers that the risk will impede the delivery of strategic objectives and is therefore of strategic significance to the University (see paragraph 16) then they will ensure that the new risk or, if it is material, the increased exposure to risk, is reported to UEB. The UEB member will determine whether this should take the form of a specific written or verbal report to UEB or, if the issue is less urgent, should be reported as part of the next iteration of the corporate risk register. Guidance on this matter is available from the Executive Director of Corporate Governance.
4. HOW IS RISK MANAGED?
4.1 The University seeks to identify, assess and effectively manage all risks. The aim of risk management is to be proactive in supporting the achievement of the University’s agreed objectives and not simply to avoid risk.
4.2 The University maintains a corporate risk register. This records identified key risks and, for each key risk, will include coverage of its associated risk scores, controls and actions. Each key risk will be aligned with the strategic objectives outlined in the University’s strategic plan.
4.3 The University uses the:
• template in Appendix A as the framework for establishing its corporate risk register
• methodology in Appendix B for measuring and scoring its strategic risks
• matrix in Appendix C as the framework for determining a map of its strategic residual risks.
4.4 The number of key risks to be recorded in the corporate risk register is not rigidly defined. However, it records only those risks that are likely to impede the delivery of strategic objectives and are therefore of strategic significance to the University.
4.5 UEB and the Audit and Quality Committee review the corporate risk register on a three-monthly basis and the Board of Governors reviews it on a six-monthly basis. This process may involve the introduction of new risks, the amendment of existing risks and the deletion of risks that are no longer deemed applicable.
4.6 It is the responsibility of the Director of Corporate Governance to ensure that the corporate risk register is regularly updated and submitted in accordance with designated timescales for review by UEB, the Audit and Quality Committee and the Board of Governors. If considered necessary by the Director of Corporate Governance to ensure that the corporate risk register maintains its currency, then she or he will, in discussion with the relevant risk owner(s), update and amend the register between these review points. She or he will ensure that any such amendments are highlighted to the audience of the previous and next iteration.
5. RISK MANAGEMENT AND OPERATIONAL PLANNING
The University’s planning processes set the annual objectives and targets that are necessary for the delivery of the strategic plan and allocate resources for their achievement. Risk management is integrated within this process and is embedded within the planning returns that are submitted annually by faculty and professional service areas. Risks identified in planning returns will be scrutinised by the Director of Corporate Governance and monitoring reports will be submitted to UEB to inform its consideration of the corporate risk register.
6. RISK MANAGEMENT AND PROJECTS
Major projects each require a separate risk register, which shall be monitored by the relevant project board (or equivalent). Where the risks associated with a major project are likely to impact upon the strategic objectives of the University, this will be reported through the project board's designated escalation route (ie either to the Strategic Technology Projects Board or via the UEB-project sponsor directly to UEB).
7. OPERATIONAL AND STRATEGIC RISKS
Individual risk registers at faculty or professional service level or at project level will be operational in nature and will focus on local risks. A high risk score given to a risk cited within a local or project risk register is context specific and will not necessarily translate to the same level of risk within the University’s corporate risk register.
8. RISK MANAGEMENT AND INVESTMENT PROPOSALS
All investments carry opportunity costs for the University and an assessment of the relative risks versus the relative rewards of investment proposals may be useful in some circumstances. The following matrix may help to guide such assessments:
| | Perceived high reward | Perceived low reward |
| Perceived high risk | Pursue with caution | Avoid |
| Perceived low risk | Prioritise | Safe |
9. TRAINING
UEB has agreed that training in risk management should be available to all staff but is mandatory for:
• staff with management roles or responsibility for strategic and operational planning, or
• those staff who are designated to attend by their line managers.
The training will be organised and delivered by the Human Resources Department and the Office of the Executive Director of Corporate Governance via the University’s staff development programme.
10. REVIEW OF THIS POLICY
The OfS's Terms and Conditions of Funding require that systems of internal control should be reviewed at least annually. This policy forms part of the University’s systems of internal control and shall be reviewed and approved annually by the Board of Governors. This requirement shall usually be addressed at the first meeting of the Board of Governors held in each academic year.
Appendix A
RISK REGISTER TEMPLATE
Risk registers should use the following template. Guidance on the content of each column of the template is provided on the following page.
RISK 1: RISK TO STUDENT RECRUITMENT
RISK OWNER(S): Overall oversight: Pro Vice-Chancellor Education and Student Experience (with support from the Chief Operating Officer)
LINKS TO UNIVERSITY STRATEGY
Failure to address risks in this area may jeopardise achievement of the following strategic objectives:
• recognising and sustaining our strengths in undergraduate education and growing our provision in the areas of postgraduate, part-time, CPD and flexible modes of study
• building on our financial strength and increasing the contribution to income that comes from research and commercial activities
• raising expectations and creating ladders of opportunity for people in our region to take part in higher education
• creating a network of strategic global partnerships to support internationalisation
• using our financial strength in support of our strategic ambitions for maximum impact and sustainability.
INHERENT RISK
Failure to recruit to student number targets (undergraduate, postgraduate, part-time and full-time)
INHERENT RISK SCORE
Likelihood = 3, Impact = 4, TOTAL = 12
CURRENT CONTROLS
• Strong management of the recruitment process
• Strong marketing campaign
• Keep tariffs under review
• Responsive curriculum
• Strong liaison with commissioning bodies (e.g. NHS and Probation Service)
TARGET DATE
Ongoing
RESIDUAL RISK
• Turbulence in recruitment following removal of the SNC
• Changes in government/UKVI policies
• Changes in commissioning body policies
• Variability in recruitment between different subject areas and courses
• Part-time market continues to contract
• Decline in postgraduate taught/postgraduate research markets
• Greater competition to recruit postgraduate taught/postgraduate research students
RESIDUAL RISK SCORE
Likelihood = 2, Impact = 4, TOTAL = 8
ADDITIONAL CONTROLS
• Targeted marketing campaigns
• Development of tactical USPs to enhance recruitment
• Diversification of markets
• Creation of new partnerships to facilitate progression
MONITORING AND ACTIONS
• KPI report to Board
• UEB monitoring
• Curriculum Committee
GUIDANCE ON THE CONTENT OF COLUMN HEADINGS
| Column Heading | Description |
| Risk | This should identify the risk |
| Risk Owners | This should identify the owners of the risk |
| Links to University Strategy | This should identify the objectives within the strategic plan that may be jeopardised if the risk is not addressed |
| Inherent Risk | This should describe the risk before any additional controls are applied. Most risks will already have some controls in place as a consequence of previous University practice or funding council requirements for example. |
| Inherent Risk Score | The impact and likelihood of the risk occurring should be scored using the criteria provided in Appendix B. The two scores should then be multiplied to determine the inherent risk score. This will produce a score of 1–25 and will determine whether the inherent risk is red, amber or green (see the matrix in Appendix B). |
| Current Controls | State here the controls that are currently in place to manage or to mitigate the risk. The control should reduce the likelihood that a risk will occur and/or the impact were it to occur. The time, effort and expense of managing the controls should not outweigh potential benefits. |
| Target Date | Identify any key dates for the delivery of the controls cited in the previous column. |
| Residual Risk | This should describe the risk that remains after any controls have been applied. |
| Residual Risk Score | The impact and likelihood of the risk occurring should be scored again, this time to reflect the level of the risk with the stated controls in place. The score will determine whether the residual risk is red, amber or green. (This score should not be higher than the inherent risk score.) |
| Additional Controls | If the residual risk score is amber or red then additional controls should be identified to reduce the residual risk further. |
| Monitoring and Actions | This should identify any ongoing monitoring activities or scrutiny by relevant boards and committees that the University undertakes as part of its ‘business as usual’ activities to mitigate risk in that area of activities. |
Appendix B
METHODOLOGY FOR SCORING RISKS
The term ‘likelihood’ refers to the probability that a risk will occur. The score for the likelihood of the risk occurring is determined by using the following for guidance:
| Score | Likelihood of the Risk |
| 1 | Highly unlikely to occur (< 20% probability) |
| 2 | Unlikely to occur (20% to <40% probability) |
| 3 | Likely to occur (40% to <60% probability) |
| 4 | Very likely to occur (60% to <80% probability) |
| 5 | Extremely likely to occur (>80% probability) |
The term ‘impact’ refers to the consequences for the University if the risk were to occur. The score for the impact if the risk occurs is determined by using the following scale for guidance:
| Score | Impact of the Risk |
| 1 | Implications would have a very low impact and can be managed locally, or via minor revision of planned outcomes, or with little effect upon delivery timescales. |
| 2 | Implications would have a low impact and can be managed within any contingency funding set, or would detract slightly from the quality of outcomes, or would delay elements of the activity without impacting on the overall timescale for delivery. |
| 3 | Implications would have a medium impact and would exhaust or exceed any contingency funding set, or would detract from the quality of outcomes but not detract from the overall purpose of the activity, or lead to slightly extended timescales that would not materially affect desired outcomes. |
| 4 | Implications would have a high impact and could not be met within approved budgets, or would significantly detract from the quality of outcomes and reduce the viability of the activity, or lead to greatly extended timescales with outcomes later than required to obtain maximum benefit. |
| 5 | Implications would be critical and increased costs would negate the benefits of the activity, or the quality of outcomes would be reduced to such an extent that the benefits of the activity would be negated, or extended timescales mean that outcomes are too late and negate the benefits of the activity. |
The overall risk score is calculated on the following basis:
Likelihood × Impact = Overall Risk Score
So, for example, if the likelihood of the risk occurring is 3 and the impact of risk occurring is 3 then the overall risk score is 9.
The overall risk score is then applied to the following matrix to determine whether the risk should be categorised as green, amber or red:
| Likelihood / Impact | 1 Very low impact | 2 Low impact | 3 Medium impact | 4 High impact | 5 Critical impact |
| 1. Highly unlikely to occur | 1 | 2 | 3 | 4 | 5 |
| 2. Unlikely to occur | 2 | 4 | 6 | 8 | 10 |
| 3. Likely to occur | 3 | 6 | 9 | 12 | 15 |
| 4. Very likely to occur | 4 | 8 | 12 | 16 | 20 |
| 5. Extremely likely to occur | 5 | 10 | 15 | 20 | 25 |
Risks that are categorised as amber or red will require the implementation of additional controls unless subject to the Board of Governors’ agreement and acceptance.
The University’s objective for risk management is to optimise its control of risk. This involves ensuring that the most cost-effective controls are in place for each risk and that a cost-benefit analysis of the controls is considered. This may mean that certain risks have a high residual score because the cost of reducing the risk still further may be higher than the potential cost incurred if the risk actually happened.
There will be occasions when there are factors outside of the University’s control which limit the control measures that can be implemented to manage a risk. Examples might include government policies on student funding or student visa controls. In such cases, it should be recognised that it may not be possible to significantly reduce the level of residual risk to the University.
Appendix C
RESIDUAL RISK MAP
Plotting residual risks onto a risk map provides a summary of residual risk scores and helps the University to maintain an overview of its entire portfolio of risk. This also helps to ensure that account is taken of the dependencies that exist between risks (for instance, a decline in student recruitment will impact upon financial health) and plotting related risks within a risk map can help to ensure that account has been taken of these dependencies.
An example of a residual risk map is outlined below:
| Likelihood score / Impact score | 1 | 2 | 3 | 4 | 5 |
| 1 | 1 | 2 | 3: Failure to meet external quality standards; Failure to meet external Returns and Investment standards | 4: Poor financial strategy and management; Failure to provide fit for purpose buildings/infrastructure | 5 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 5 | 5 | 10 | 15 | 20 | 25 |
Risks plotted in the row for likelihood score 2:
• Failure to meet research and innovation targets
• Loss of significant estate or IT facility
• Fail to attract/retain high calibre staff
• Failure to recruit to budgeted target
• Reduction in league table position
• Failure to provide sufficient places in halls/accommodation
• Fail to develop workforce in line with University needs
The residual risk map is accompanied by charts that provide:
• a summary of changes to residual risk status over the previous 12 months
• a summary of the reasons for any changes in residual risk status since the previous iteration of the risk register was considered.
Examples of these summaries are outlined below:
SUMMARY OF CHANGES IN RESIDUAL RISK STATUS
| RISK No | INHERENT RISK DESCRIPTION | STARTING POINT AS AT JULY 2017 | RESIDUAL RISK SCORE AS AT SEPTEMBER 2018 | RESIDUAL RISK SCORE AS AT FEBRUARY 2018 | RESIDUAL RISK SCORE AS AT MAY 2018 |
| 1 | Failure to meet Home/EU student number targets (including under or over recruitment) | 8 | 4 | NO CHANGE | 8 |
| 2 | Failure to optimise REF rating (new risk introduced in February 2017) | N/A | N/A | 3 | 6 |
REASONS FOR CHANGES IN RESIDUAL RISK STATUS AS AT MAY 2018
| RISK No | INHERENT RISK DESCRIPTION | REASONS FOR CHANGE IN RISK STATUS |
| 1 | Failure to meet Home/EU student number targets (including under or over recruitment) | Adjusted upwards to reflect the University’s current Home/EU full-time undergraduate recruitment position, the increasingly competitive student recruitment market and the availability of alternative routes such as apprenticeships |
| 2 | Failure to optimise REF rating (new risk introduced in February 2017) | Adjusted upwards to reflect ambiguity over intentions and criteria for assessment in the next Research Excellence Framework |
ADDITION OF NEW RISKS
| RISK No | RISK DESCRIPTION | RESIDUAL RISK SCORE AS AT MAY 2018 |
| 3 | Partnership arrangements are insufficiently developed and supported to ensure that recruitment is optimised | 6 |
| 4 | Loss of reputation through association with strategic partners who are inappropriate or fall into disrepute | 4 |
CONTACT US
University of Portsmouth
T +44 (0)23 9284 3195
W port.ac.uk
A Directorate University House Winston Churchill Avenue Portsmouth PO1 2UP United Kingdom