Risk Management Policy

Transcription

1 Risk Management Policy Effective from 4 July 2015 Version Number: 2.1 Author: Director of Planning Planning Directorate

2 Document Control Information Status and reason for development Revised updating the previous policy to reflect the 2014 CUC Higher Education Code of Governance. There are no fundamental changes to the underlying policy requirements. Revision History Author Summary of changes Version Authorised & Date John Forshaw John Forshaw Updated to reflect change in University Committee structure Incorporated internal governance and committee structures, national guidance and risk process updates V2.1 Audit & Risk Committee: 02/06/15 John Forshaw Approved original version V1.0 Council V2.0 Council: 03/07/14 Audit Committee:18/06/14 Exec:06/05/14 Ops Board:30/04/14 Policy Management and Responsibilities Owner: Vice Chancellor is the Policy Owner and has delegated day to day management and communication of the policy to the Director of Planning. Others with See Roles & Responsibilities within Appendix 6. responsibilities (please specify): Have you completed consultation / formal Please specify date completed and brief outcome, or N/A assessment with the following advisory teams Equality Analysis (E&D, HR) Legal implications (LPG) Information Governance (LPG) Student facing procedures (QEO) Consultation Staff Trades Unions via HR Students via USSU Any relevant external bodies (please specify) N/A N/A N/A Specify date/outcomes of any relevant consultations or N/A Authorised by: Audit & Risk Committee Date authorised: 02 June 2015 Effective from: 4 July 2015 Review due: 1 July 2018 Document location: University Policy & Procedure Pages Document dissemination and communications plan: This policy is available via the University website. Briefings and associated training will be provided by the Planning Directorate to Colleges, Schools and Professional Services as part of embedding risk management within the operational and performance management cycle. Page 2 of 15

3 1.0 Purpose 1.1 The CUC Higher Education Code of Governance states that the governing body ensures institutional sustainability by working with the Executive to set the institutional mission and strategy. In addition, it needs to be assured that appropriate steps are being taken to deliver them and that there are effective systems of control and risk management. Responsibilities include: Decisions that might have significant reputational or financial implications and seeking assurance that these undergo a rigorous process of due diligence. Academic risks such as those involving partnerships and collaboration, recruitment and retention, data provision, quality assurance, and research integrity. 1.2 The Code also requires that the Audit Committee has the financial expertise and the time to examine risk management control and governance under delegation from the governing body. It cannot confine itself to financial matters, and its role extends to all areas of institutional activity. The Audit committee must produce an annual report for the governing body, including: its opinion on the adequacy and effectiveness of the institution's risk management, control and governance arrangements. 1.3 Risk management informs strategic development through the identification and treatment of risk so that strategic objectives are more likely to be achieved, damaging events are avoided or minimised and opportunities are maximised. Good risk management increases the probability of success, and reduces the probability of failure and uncertainty of achieving the University s objectives. 1.4 The purpose of the risk management policy is to explain the University's underlying approach to risk management and to document the roles and responsibilities of Council and its sub-committees, the senior management team and other key parties. It also outlines key aspects of the risk management process, and identifies the main reporting procedures. 2.0 Scope 2.1 Risk can be defined as the threat or possibility that an action or event will adversely or beneficially affect an organisation s ability to achieve its objectives 1. Accordingly risks include both threats and opportunities. 2.2 Risk Management involves the planned and systematic approach to the identification, evaluation and control of risk. It is concerned with evaluating the measures an organisation has in place already to manage identified risks and then suggesting actions that the organisation should take to control these risks more effectively. For threats, the outcome of risk management is the reduced likelihood (probability) of a risk occurring or limiting the consequences (impact) should the risk occur by implementing appropriate methods of control (risk mitigations). The opposite is the case for opportunities. 2.3 This risk management policy forms part of the University's internal control and corporate governance arrangements. It explains the institution s underlying approach to risk management, documents the roles and responsibilities of Council, senior management, and other key parties. It also outlines key aspects of the risk management process, and identifies the main reporting procedures. It applies to institutional, School, Professional Services Directorates, subsidiary companies, and project risk management: At an institutional level: risks can affect either positively or negatively the University's ability to operate as a business and/or deliver its long term strategic aims and objectives as outlined in the University s Strategic Plan. 1 HEFCE 01/28 Risk management A guide to good practice for higher education institutions Page 3 of 15

4 At an operational level (Schools, Professional Services Directorates and Subsidiary Companies): risks can affect the successful delivery of operational plans and hence achievement of academic and financial priorities as contained in the University s key sub-strategies. At a project level: risks can affect the successful delivery of the project s stated benefits by impacting the cost, time and/or quality of outputs. 3.0 Policy Statements Underlying approach to risk management 3.1 The following key principles outline the institution s approach to risk management and internal control: Council has responsibility for overseeing risk management within the institution as a whole; An open and receptive approach to solving risk problems is adopted by Council; The Vice-Chancellor and the University Management Team supports, advises and implements policies approved by Council; The institution makes conservative and prudent recognition and disclosure of the financial and non-financial implications of risks; Deans, Heads of School and Directors of Professional Services are responsible for encouraging good risk management practice within their areas; and The University s significant risks will be identified and closely monitored on a regular basis. Risk appetite The University has a responsible approach to risk management, seeking to recognise and manage its exposure to risks. In pursuit of achieving its strategic aims and academic mission the University will, therefore, accept a degree of risk, commensurate with the potential reward within defined tolerances for risk appetite agreed by Council for key areas: Corporate and operational risk appetite: the University s general approach is to minimise its exposure, classified as minimalist (see Appendix 1), with respect to its core business and values specifically: Adherence to the values stated in the University s Strategic Plan ; Prioritisation of the health and safety of staff, students and visitors to the University; Ensuring business continuity that is, the continued operation of University systems and processes that support the ongoing delivery of critical business operations; Maintenance of the quality of academic provision; and Compliance with statutory requirements. Project risk appetite: in pursuing its distinctive mission and goals the University s project risk appetite is classified as open. The University is committed to seizing the opportunities provided by the imagination and enthusiasm of its staff, the co-operation of partners and its support for innovation. It will do so, subject always to ensuring that the opportunities are consistent with its mission, that the potential benefits (reward and value for money) and risks are fully understood before developments are authorised, and that appropriate measures to mitigate risk are established. Strategic risk appetite: the University s strategic risk appetite is classified as cautious. The University is driven to pursue its distinctive mission and goals, through seizing developed and presented opportunities, but it also has to protect its core business and values. 3.3 The classifications of risk appetite can be found at Appendix 1. 2 Defined as the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time. The Orange Book: Management of Risk Principles and Concepts, HM Treasury, October 2004 Page 4 of 15

5 Risk identification, assessment and management 3.4 Risk management is undertaken as an integral part of strategic and operational management: Strategic and operational plans will include an assessment of the risks and mitigating actions associated with each objective; these will be reviewed regularly by the local management teams with the most significant risks being reported to and reviewed by the University as part of the quarterly review cycle; Risks must be identified and assessed as part of the business case for all new schemes, investments and projects; once approved risks must be reviewed regularly by the project board or similar governance committee. 3.5 The Planning Directorate will maintain the University Risk Register. Each School and Professional Services Directorate will maintain its own local risk register. 3.6 For each risk the details identified in Appendix 2 will be recorded and monitored in a risk register. The register will be maintained by a nominated risk champion within each area with the authority and responsibility to collate the component risks on behalf of the Dean / Head of School / Director of Professional Service and ensure procedures are in place to enable effective capture of new risks on a timely basis. The risk champion will liaise with relevant staff and use appropriate methods defined by the Planning Directorate as the custodian of the University Risk Register. 3.7 Risks will be assessed using a 5x5 scale for the likelihood and impact of each risk before and after mitigating actions according to the criteria shown in Appendices 3 and 4 respectively. The overall risk score will be assessed using the probability impact matrix shown in Appendix 5. These criteria are incorporated in to risk register templates available from the Planning Directorate. 3.8 The main options available to the University in dealing with the risks facing it are to: Terminate avoid the risk (e.g. terminating a risky activity); Transfer transfer the risk to a third party if cost-effective (e.g. by contracting out); Treat retain and control the risk; Tolerate exposure to the risk is tolerable without any further action. 3.9 Risks should be controlled at a management level with the resources to underwrite the impact of the risk. Such resources may include the holding of a financial or time contingency as a means of mitigating the impact should the risk occur. Where the degree of exposure increases beyond a management level s ability/delegated authority, the risk should be escalated. Appendix 5 identifies the risk scores which would require a risk to be escalated to the University Executive. Of these the top 10 will be escalated to Council.Risk governance 3.9 The University Management Team, Audit and Risk Committee and Council have key roles to play in the overall risk management framework. The specific responsibilities of the different groups are shown in Appendix 6. This also shows the frequency with which these groups review risks. Scrutiny and assurance by Council and Audit and Risk Committee 3.10 Annually the Audit and Risk Committee will, based upon their quarterly assessment of the risk register, provide the Council with an opinion on whether the University has had an effective and mature risk management process in place for the preceding year. It should consider: Leadership: do senior management and the Executive support and promote risk management? Risk Strategy and Policies: Is there a clear risk strategy and risk policies? People: Are staff equipped and supported to manage risk well? Page 5 of 15

6 Partnerships & Resources: Are there effective arrangements for managing risks with partners and are there appropriate supporting resources? Processes: Do the University s processes incorporate effective risk management? Risk Handling: Are risks handled well? Outcomes: Does risk management contribute to achieving outcomes? 3.11 Based on these reports the Council, advised by the Audit and Risk Committee and the External Auditors, must satisfy itself that key risks have been identified and are being managed in accordance with the University s policy as well as whether any revisions to the policy should be implemented. It should consider: Whether risk management continues to be linked to the achievement of the University's objectives; The appropriate risk appetite or level of exposure for the University as a whole; Whether risk review procedures cover fundamental reputation, governance, staff, research, teaching, operational, compliance, student experience, estates, financial and other risks to achieving the University's objectives; Whether risk assessment and risk-based internal control are embedded in ongoing operations and form part of its culture; Changes in the nature and extent of fundamental risks and the University's ability to respond to changes in its internal and external environment since the last assessment; The extent and frequency of reports on internal control to Council and whether this is sufficient for Council to build up a cumulative assessment of the state of control and effectiveness of risk management; The incidence of any fundamental control failings or weaknesses identified at any point within the year and the impact that they have had or could have on financial results or the institutions reputation; The effectiveness of the overall approach, compliance and policy to risk management and whether changes or improvements to processes and procedures are necessary. 4.0 Related Documentation CUC Higher Education Code of Governance, 2014 HEFCE 01/28 Risk management A guide to good practice for higher education institutions Risk Register template (Excel spreadsheet) 5.0 Appendices Appendix 1 Classification of risk appetite Appendix 2 Components of the Risk Register Appendix 3 Risk Probability Criteria Appendix 4 Risk Impact Criteria (Threat / [Opportunity]) Appendix 5 - Probability Impact Matrix (and Risk Scores) Appendix 6 - Risk Governance Page 6 of 15

7 APPENDIX 1 Classification of risk appetite Classification Description Averse Avoidance of risk and uncertainty is a key organisational objective Minimalist Cautious Open Hungry Preference for ultra-safe business delivery options that have a low degree of inherent risk and only have a potential for limited reward Preference for safe delivery options that have a low degree of residual risk and may only have limited potential for reward Willing to consider all potential delivery options and choose the one that is most likely to result in successful delivery while also providing an acceptable level of reward (and value for money etc.) Eager to be innovative and to choose options offering potentially higher business rewards, despite greater inherent risk Page 7 of 15

8 APPENDIX 2 Components of the Risk Register Field Id Category Risk Description Owner Probability (pre mitigation) Impact (pre mitigation) Gross Risk Level Description Unique identifier for the risk The type of risk e.g. financial, operational A short description of the uncertain event and the consequences should it materialise The senior member of the team with responsibility for managing the risk The likelihood of the risk happening before any additional action (control) is taken (see Appendix 3) The effect of the consequences should the risk occur before any additional action (control) is taken (see Appendix 4) The initial rating of the risk without any additional controls based on the Gross Risk Score Gross Risk Score Probability x impact score pre mitigation (see Appendix 5) Proximity Risk Causes Mitigating Actions Probability (post mitigation) Impact (post mitigation) Net Risk Level The earliest the risk is likely to occur The events or circumstances which may trigger the risk The current or intended actions with target completion dates to reduce the probability and/ or impact of the risk The likelihood of the risk happening after the identified mitigating actions have been implemented (see Appendix 3) The effect of the consequences should the risk occur after the identified mitigating actions have been implemented (see Appendix 4) The rating of the risk after the mitigating actions based on the Gross Risk Score Net Risk Score Probability x impact score post mitigation (see Appendix 5) Status Response Category Escalation level Open / Closed / New Terminate / Transfer / Treat / Tolerate The level to which the risk is escalated (including Executive and Council) Page 8 of 15

9 APPENDIX 3 Risk Probability Criteria Scale Description Criteria Very High Highly Likely >75% 3 out of 4 or more frequently High Probable 51-75% 1 in 2 chance (50-50) to 3 out of 4 Medium Possible 26-50% 1 in 4 chance to 1 in 2 (50-50) Low Remote 6-25% 1 in 20 chance to 1 in 4 Very Low Very Remote <5% 1 in 20 chance or less frequent Page 9 of 15

10 APPENDIX 4 Risk Impact Criteria (Threat / [Opportunity]) 3 Scale Very High Description Catastrophic Strategy and Policy Prevents successful achievement of several strategic priorities resulting in strategy needing to be revised. High Major Prevents successful achievement of one strategic priority resulting in parts of strategy needing to be revised. Financial Impact on budget or additional expenditure / [income]: Capital > 5M Revenue > 1m recurrent Impact on budget or additional expenditure / [income]: Capital 1M - 5m Revenue 0.5m - 1m recurrent Operational Performance / Business Continuity Loss of major customer / contract / partnership / bid. Inability to deliver core service resulting in stopping delivery of programmes. Interruption of critical services > 24 hours. Loss of mid-sized customer / contract / partnership / bid. Inability to deliver core service resulting in noticeable loss of performance affecting ability to deliver programmes. Interruption of critical services > 12 hours. Criteria Student Experience Severe impact affecting large numbers of students which will have a significant affect on University level NSS scores and/or retention. High impact affecting large number of students which will have a significant affect on overall School level NSS scores and/or retention. Reputation Severe level of criticism / [praise] in national press. Permanent impact on student recruitment; irreparable damage to relationships with funding bodies and significant partners. > 12 months to restore level of credibility. University criticised / [praised] in national press. Long term impact on student recruitment, relationship with funding bodies or partners. Recoverable within 6 months. Legal / Regulatory Compliance / Governance / Health & Safety Major legislative breach resulting in suspension of business. Multiple major irreversible injuries or deaths of staff, students or members of public. Serious legislative breach resulting in intervention, sanctions and legal action. Major irreversible injury or death of staff, student or member of public. Programme / Projects (Time / Benefits) 4 > 12 months Failure to deliver more than one of the major benefits 6 to 12 months Failure to deliver one of the major benefits 3 Descriptors relate mostly to threats unless specifically included in [ ] for opportunities; otherwise, for opportunities the descriptors should be interpreted as preventing the stated threat (e.g. bring project forward by x weeks) 4 Relates primarily to significant projects or change programmes Page 10 of 15

11 Scale Description Strategy and Policy Medium Moderate Restricts ability to achieve one or more strategic priorities requiring some modification to parts of strategy. Low Minor Impacts on some aspects of one or more strategic priority but not significant enough to require modifying the strategy. Financial Impact on budget or additional expenditure / [income]: Capital 0.5m - 1m Revenue 100k - 500k recurrent Impact on budget or additional expenditure / [income]: Capital 100k - 500k Revenue 25k - 100k Operational Performance / Business Continuity Loss of minor customer / contract / partnership / bid. Moderate disruption to some services resulting in temporary loss of performance affecting some programmes. Interruption of critical services > 6 hours. Unhappy customer / partner. Loss of potential new customer / contract / bid. Manageable disruption to some services resulting in no loss of performance but requiring additional staff and interim working arrangements. Criteria Student Experience Moderate impact affecting local programme area which will have a material impact on the programme level NSS scores and/or retention. Minor impact affecting several programmes / large group of students but which is unlikely to have a material impact on NSS scores or retention. Reputation University criticised / [praised] in local press. Medium term impact on student recruitment, relationship with funding bodies or partners. Recoverable within 1 month. Programme / discipline area criticised / [praised] in local press. Short term disruption to student recruitment, relationships with funding bodies or partners. Recoverable within 1 week. Legal / Regulatory Compliance / Governance / Health & Safety Significant legislative breach resulting in investigation. Major reversible injury to staff, student or member of public. Not life threatening. Moderate impact leading to warning. Some minor reversible injuries. Programme / Projects (Time / Benefits) 4 1 to 6 months Significant reduction in more than one benefit 1 to 4 weeks Significant reduction in one of the benefits Interruption of critical services > 3 hours. Page 11 of 15

12 Scale Very Low Description Insignificant Strategy and Policy Impacts on minor part of one strategic priority but not significant enough to require modifying the strategy. Financial Impact on budget or additional expenditure / [income]: Capital < 100k Revenue < 25k recurrent Operational Performance / Business Continuity Disruption to potential customer / contract / bid. Manageable disruption to minor services resulting in no obvious loss of performance. Interruption of critical services > 1 hour. Criteria Student Experience Minor impact affecting single programme but which is unlikely to have a material impact on NSS scores or retention. Reputation Negligible criticism / [praise] in specialist local press. Negligible impact on student recruitment, relationship with funding bodies or partners. Fully recoverable within 1 day. Legal / Regulatory Compliance / Governance / Health & Safety Minor impact. No reprimand, sanction or legal action. Some superficial injuries. Programme / Projects (Time / Benefits) 4 < 1 week Minor reduction in one of the benefits Page 12 of 15

13 PROBABILITY University of Salford Risk Management Policy V2.1 APPENDIX 5 - Probability Impact Matrix (and Risk Scores) [Opportunities] [Critical] [High] [Medium] [Low] Low Medium High Critical Threats Very High High Medium Low Very Low [Very High] [High] [Medium] [Low] [Very Low] Very Low Low Medium High Very High IMPACT / [OPPORTUNITIES] IMPACT / THREATS Notes Area to top right of bold line indicates those risks with a net risk score of 9 or more and which should be escalated to Executive Of those, the top 10 risks should be escalated to Council Page 13 of 15

14 APPENDIX 6 - Risk Governance Body / Role Responsibilities Review of Risks Council Audit and Risk Committee Vice- Chancellor Overall responsibility for risk management within the University, specifically: Endorses the University s Risk Management Policy; Determines the institutional risk appetite; Provides a strategic focus to the management of risk, ensuring that the identification of risk is integrated and aligned to the key strategic objectives; Endorses major decisions affecting the University s risk profile or exposure; Satisfies itself that less significant risks are being effectively managed and controlled; Annually reviews the University s approach to risk management and approve changes or improvements to its process. On behalf of Council, keeps under review the integrity and effectiveness of the University s risk management framework, alerting Council to any emerging issues. Produces an annual report for Council on the adequacy and effectiveness of the institution's risk management, control and governance arrangements in advance of Council approving the audited financial statements. The Vice-Chancellor has delegated responsibility from Council for implementing the Risk Management Policy, specifically: Review the most significant risks (approx. top 10) Frequency: quarterly Review the most significant risks (approx. top 10) Frequency: each meeting Reviews the full risk register annually 5 As required To implement the policies on risk management and internal control. To identify, evaluate and control risks within the Institution, including emerging risks, and allocate responsibility for the control mechanisms. To ensure that the procedures are embedded within the day-to-day management of the University. To ensure that there is ownership of risk management and internal controls throughout the University. To ensure that there is adequate training and resources to ensure that the policy can be implemented. To report to the Council on significant and emerging risks during the year. To ensure that the process of day-to-day risk management is adequately documented, including disaster recovery plans. To oversee regular reviews of the University's approach to risk management and its effectiveness. 5 The annual review of the full risk register is to provide assurances of the breadth of risks covered and to mitigate any surprises if there is escalation of a known risk to the top 10. Page 14 of 15

15 University Management Team (UMT) Supports the Vice-Chancellor in discharging his/her responsibility for the implementation of the Policy. Responsible for escalating risks to Council as appropriate. Review the most significant risks (approx. top 10) Frequency: approximately 6 times a year prior to submission to Council and Audit and Risk Committee Sub-strategy owners Schools; Professional Services Risk Champion Planning Directorate External Assurance Providers Responsible for identifying, managing and reporting the strategic risks associated with University objectives specific to their portfolios. Management of the risks is to be undertaken in consultation with the relevant Deans, Heads of Schools and Directors of Professional Services impacted by the risks. The substrategy owners also provide a level of functional oversight for the operational risks in the business areas that impact on their portfolios. The Deans / Heads of School and Directors of Professional Services are responsible for identifying, managing and reporting the strategic and operational risks specific to their areas. Risk reporting of the most significant risks will take place as an integral part of the quarterly performance review cycle. Nominated individual within each School / Professional Service with the authority and responsibility to maintain the area s risk register on behalf of the Dean / Head of School / Director and ensure procedures are in place to enable effective capture of new risks on a timely basis. The risk champion will liaise with relevant staff and use appropriate methods defined by the Planning Directorate as the custodian of the University Risk Register. To lead on the management and governance of the corporate risk management strategy, including the development of associated policy and procedure, and the monitoring of its implementation. Custodian of the University Risk Register. Facilitate a moderation meeting as a minimum annually to review all local risk registers to ensure that they are being maintained to the expected quality and share good practice. Internal Audit; External Audit: Provide independent challenge, audit of key controls, and formal reporting on assurance including the effectiveness of the Risk Management Policy. Regulatory Bodies: Provide assurance in relation to specific areas of interest, often backed up by a specific audit (e.g. the appropriate use of specific sources of funding) Review the full risk register annually prior to submission to Audit and Risk Committee 5 As required School/PS Executive (or equivalent) to review their risk register and agree any items to be escalated Frequency: quarterly (minimum) As required and specifically in advance of each quarterly review Review risks as required and specifically in advance of each submission to the University Management Team, Audit and Risk Committee and Council As required Page 15 of 15