abcdef Risk Management Programme Risk management is about identifying potential risks and managing ways to prevent them

Transcription

1 abcdef Risk Management Programme Risk management is about identifying potential risks and managing ways to prevent them 1

2 Introduction Organisations have always faced and dealt with risks, or obstacles, that might affect what they do and the way they work, but these risks haven t always been recorded or analysed to help manage the obstacles and make improvements. So the University has put together a formal Risk Management Programme that can be understood and used by all members of staff. All higher education institutions are required, by the Higher Education Funding Council for England, to operate a risk management programme. This booklet explains the various aspects of the University s Programme, and summarises the policies and procedures it has in place to manage its risks. [The full list of the University s policies and procedures is set out at the back of this booklet.] Risk management is a process that affects every area of the University and needs to be integrated into everything the University does and by all members of staff. What is Risk Management? The first step in looking at risk management is to understand what risk means. Risks can be described as the possible obstacles (actions/events) that might stop the University, and/or its divisions, achieving their objectives. Examples of risks might be: Objective To attract and retain world-class academic staff To maintain and improve RAE rating To manage the installation of a new IT system Risk Academic profile not sufficient to attract staff Departure of key staff External supplier of IT equipment ceases trading Therefore, risk management is a simple and systematic process used to: identify risks (obstacles) that might stop objectives being achieved assess the risks to see how likely or severe they will be if they do occur, and manage the risks to reduce: o either the likelihood of the risks occurring o or the severity of the risks if they do occur As well as being a systematic process, risk management is also a cyclical process because, just as objectives develop and change over time, so the risks that might prevent those objectives being achieved will also change, as illustrated overleaf. 2

3 Determine Objectives Review Effectiveness Knowledge about identifying and dealing with risks are part of decision-making and ti Identify Risks Manage Risks Assess Risks The risk management cycle Benefits of Risk Management As can be seen from the illustration above, one of the key benefits of risk management is that it can be used to support and improve the University s, and divisions, existing decision-making and reporting processes. Additionally, risk management also helps everyone to: make better use of all its resources, including financial resources increase focus on what needs to be done (and avoided) to achieve everyone s objectives provide better quality services secure the well-being of staff, students and users of the University s services and facilities protect its reputation But risk management is not just about managing risks or obstacles; equally importantly, it s about managing opportunities and the risk of not taking those opportunities to help achieve objectives. 3

4 Risk Management in Practice Risk Registers These are used as the simple formal framework to list and analyse, in detail, the risks that might prevent the University and/or its divisions achieving their objectives, and the information needed to do this includes: a description of the risks and the objectives that may be affected by that risk the person who implements the actions to manage the risks a list of the actions that are currently being used to manage the risks an assessment of: o the likeliness of the risk occurring o how severely the risk would affect the division and/or the University if it did occur (its impact) To help build a picture of all the risks in the division, it is useful to mark them on a matrix as illustrated below. High Medium Risks 4 High Risks 1 Critical Risks Impact Medium Low Low Risks 2 Low Risks Medium Risks 1 Low Risks High Risks Medium Risks Low Medium High Likelihood Having analysed the risks, the most important aspect of risk management is to decide what further action may be needed to further reduce either the likelihood or the severity of the risk. For example, if a risk is thought to be low, it may only need to be monitored without taking any further action to manage it. However, if a risk is thought to be high, or critical, a lot more work will be needed to manage it. Each division maintains its own local risk register, which is updated at least once a year. The information provided in the register helps divisions to make decisions about how to manage their risks with their available resources. 4

5 In addition to the divisional risk registers, there is also a strategic risk register. This identifies and analyses the key risks faced by the whole organisation and is reviewed and updated every six months by the Risk Management Steering Group and is reported to the University Council. Early Warning Indicators The likelihood or severity of a risk occurring can change over time, eg the nature of the risk may change and/or the actions in place to manage it may not be working properly. Therefore, details of practical monitoring arrangements are also listed on risk registers to provide an early warning indicator to Heads of divisions that further action to manage the risk is needed. If an early warning indicator is triggered, it is reported to the Risk Management Steering Group by the Head of the division. This is because the Group has to report to the Vice-Chancellor when: there is a greater likelihood that a risk is going to occur and that further action is being taken to manage the risk Risk Appraisals for Projects All projects have risks, whether the project is launching a new course/programme, or bidding for research funds, or changing IT systems. The risks that might prevent the project being successful could be: the timetable is too tight there may not be enough skilled staff to carry out the project the costs of the project may escalate To help divisions identify the potential risks to the project and put in place practical actions to prevent the risks occurring, a risk appraisal is prepared by the group responsible for the project and submitted to the Risk Management Steering Group. This is because the Group needs to report to the Vice-Chancellor and the Audit Committee that the project is being well managed. Annual Statement on Risk Management Activities The University must report to HEFCE each year to show that it is managing the risks that might prevent it achieving its objectives. Each year all Heads of divisions prepare a short report when they are updating their business plans to confirm: that their divisions have identified potential risks and have put in place practical actions to manage the risks their staff are aware of the division s objectives, risks and actions to manage the risks 5

6 Responsibility for Risk Management Everyone in the University is responsible for managing risks. However, the role they play differs from person to person and depends on their level of responsibility within the University. All members of staff manage risks within their own job and undertake their role within the University s risk management policies and procedures. Heads of divisions are responsible for ensuring that risks within their divisions are managed. They compile their local risk register, with input from their staff, and update it at least annually for report to the Risk Management Steering Group. They inform the Risk Management Steering Group about: What risks may prevent them achieving their objectives? Which of the risks presents the most concern? What are the options for managing these risks? When, and how, can these options be put in place? How are risks, and actions taken to manage them, monitored? How will the division respond to new risks? The Risk Management Co-ordinator provides support and advice to staff, and the Risk Management Steering Group, on all aspects of the University s Risk Management Programme. The Risk Management Steering Group is responsible for: implementing the Risk Management Programme; reviewing the divisional risk registers; and updating the strategic risk register, which identifies and analyses the key risks faced by the whole organisation. The Group is chaired by the Director of Administration and reports to the Vice- Chancellor. It meets at least once per term and is responsible for providing accurate and timely information to the Audit Committee about how risks are being managed in the divisions and the University. The Audit Committee reviews and monitors the work of the Risk Management Steering Group. It must make an annual report to the University Council about how risks are being managed. The University Council is responsible for making sure that the University has an effective Risk Management Programme. 6

7 Policies and Procedures of the University s Risk Management Programme Risk Management Policy Statement in the Ordinances Risk Register Pro Forma / Guidance Notes Reporting Early Warning Indicators Risk-based Appraisal of Change and Development Activities or Projects Requirements for the Annual Statement on Risk Management Activities for the Corporate Planning Statement Copies of the Policies and Procedures have been circulated to all Heads of divisions. They are also available from Rosalind Sector, the Risk Management Co-ordinator (ext. 816), or can be downloaded from the University s website (from 3 January 26). 7