How To Write A Risk Management Policy For The University Of Kerry

Transcription

1 Risk Management Policy Originator name: Department: Implementation date: Ruth Anderson Finance 1 August 2013 Date of next review: 1 August 2016 Related policies: Health & Safety Policy, Equality & Diversity Policy Version History Version Author Revisions Made Date 1 R Anderson First Draft July 13 Approval History Equality Analysis Version Reviewed by Date 1 Jo McCarthy-Holland 11/07/13 Committee Sign Off Version Committee Name Date of Sign Off 1 Executive Board 23/7/13 1 Audit Committee 25/7/13 1 Council 25/7/13

2 1 Introduction 1.1 Purpose This risk management policy forms part of the University s internal control and corporate governance arrangements. The internal control system encompasses a number of elements that together facilitate an effective and efficient operation, enabling the University to respond to a variety of operational, financial and commercial risks. The policy sets out the University s definition of risk and describes the purpose of risk management. It explains the University s underlying approach to risk management and documents the roles and responsibilities of key parties. 1.2 Scope This policy applies to Executive Board members; senior managers; members of Council and its Committees; and the University s internal audit service. 1.3 Equality Analysis The University is strongly committed to equality of opportunity and the promotion of diversity for the benefit of all members of the University community. Equality analysis is a tool which helps consider the effect of activities on different groups of people and to ensure that policies, decisions and services work well for everyone. The policy itself is considered to have a broadly neutral impact for groups with protected characteristics under the Equality Act Failure to manage risk effectively, where it relates to an activity involving a particular group / community, could lead to equality issues.equality analysis is recognised as a useful tool in assessing risk. 1.4 Definitions Risk anything that can impede or enhance an organisation s ability to achieve its objectives. Risk Management the process, structure and culture put in place to identify, assess and control the uncertainties which may impact on the organisation s ability to achieve its objectives. Level 1 Risk Register the University s High Level Risk Register, reflecting the key risks to the University s strategic aims and objectives. Level 2 Risk Register a risk register owned at individual Executive Board member level reflecting the key strategic and operational risks within a Faculty or Support Area. Risk Appetite - the level of risk that an organisation is prepared to take to achieve its strategic objectives. 1.5 Legislative / Regulatory Context Under the terms of its Financial Memorandum with HEFCE, Council must take reasonable steps to ensure that there are sound arrangements for risk management, control and governance within the University. 1.6 Health & Safety Implications N/A 2

3 2 Policy 2.1 Principles Effective risk management is essential to the continuation, growth and prosperity of the University in line with its strategic objectives. It is not a process for avoiding risk. If used well, it will actively allow the University to take on activities with a higher level of risk because the risks have been identified, are understood and well managed and the residual risk is thereby lower The University adopts an open and receptive approach to the management of risk Risk management is intrinsic to the management of the University s business and not simply a compliance issue Risk management requires a proactive rather than a reactive approach. 2.2 Procedures Role of Council Council has responsibility for overseeing risk management within the University as a whole. Its role is to: Set the tone and influence the culture of risk management within the University. Determine the appropriate risk appetite or level of exposure for the University and formally document this in a risk appetite statement that is reviewed, and where necessary updated, on at least a triennial basis. Approve major decisions which may affect the University s risk profile or exposure e.g. major capital investments, mergers and overseas partnerships Role of the Audit Committee On behalf of Council, the Audit Committee is responsible for: Ensuring that appropriate arrangements are in place to ensure that risks are identified, assessed and effectively managed. Monitoring the management of significant risks which could threaten the achievement of the University s strategic objectives. Ensuring that internal auditors have plans to review the adequacy and effectiveness of risk management and provide an annual assessment of the University s risk management arrangements. Audit Committee will:- Report to Council on risk management and alert Council members to any emerging issues. Prepare an annual report of its review of the effectiveness of the University s risk management, control and governance arrangements for consideration by Council and the President & Vice-Chancellor as Accounting Officer. In preparing its report, the Audit Committee will draw on information provided by the internal audit service, external audit and the Executive Board. 3

4 2.2.3 Role of the Executive Board Key roles of the Executive Board are to: Implement policies approved by Council on risk management and internal control. Own the University s High Level Risk Register (Level 1 Risk Register), specifically:- To identify and evaluate the significant risks faced by the University. To agree ownership of risks. To ensure that appropriate actions are taken to mitigate risks. Ensure that the High Level Risk Register remains effective by: Appraising the register formally on at least an annual basis Ensuring that emerging risks are added as required and mitigating actions and risk indicators are monitored regularly and updated as appropriate Reviewing the High Level Risk Register at all regular meetings of the Executive Board Develop strategies, policies and procedures to assist in the management of major risks. Individual members of the Executive Board are responsible for:- Encouraging good risk management practice within their area of responsibility, ensuring that Faculty and Departmental risks are identified and assessed and that appropriate actions are taken to mitigate the risks. Specifically: Role of Internal Audit Establishing and maintaining Level 2 Risk Registers in the same format as the High Level Risk Register for faculties and major support areas (including Corporate Services, Registrar s Division and IT). Establishing and maintaining risk registers, in the same format as the University s High Level Risk Register, for projects of major strategic and/or operational importance The Internal Audit Service adopts a risk-based approach to its work with the overall objective of evaluating and improving the effectiveness of the University's risk management, internal control and governance processes. This involves conducting an annual review of the adequacy of the University's risk management arrangements and a programme of reviews based substantially on the University's assessment of high level risks. 3 Governance & Directory Requirements 3.1 Responsibility The Chief Financial Officer has overall responsibility for this policy. The Deputy Director, Corporate Finance, has responsibility for ensuring it is effectively implemented, progress monitored and that the policy is regularly reviewed. 3.2 Implementation / Communication Plan This policy will be communicated via the University s Corporate Policies website and the 4

5 Finance Department website. It will be communicated directly to members of the Executive Board, Faculty Managers and other Senior Managers responsible for Level 2 and/or Project Risk Registers. 3.3 Exceptions to this Policy N/A 3.4 Supporting documentation Level 2 Risk Register Guidelines can be found on the Finance website in Resources, then Risk Management: 5