Risk is defined as ‘the effect of uncertainty on objectives’. This may also be expressed as a deviation from expected outcomes, either positive (opportunity) or negative (threat).
Risk management is defined as ‘co-ordinated activities to direct and control an organisation with regard to risk’.
Risk appetite is defined as ‘the amount of risk that an organisation is willing to pursue or retain’.
A risk management framework is defined as ‘a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation’. A risk management framework would be expected to include policy, objectives, mandate and commitment to manage risk; together with plans, accountabilities, resources, processes and activities for risk management.
These definitions are specified in international standards ISO Guide 73:2009 and reflected in ISO 31000:2009.
The University’s objectives for risk management are:
In developing and implementing its approach to risk management, the University follows best practice in the management of risk. The University is mindful of international standards on risk management (specifically ISO Guide 73:2009 and ISO 31000:2009); guidance from HEFCE; guidance from the Committee of University Chairs; and other relevant sector bodies.
The University is required to implement adequate arrangements to promote effective risk management, control and governance, under the terms of the Memorandum of Assurance and Accountability between HEFCE and Higher Education Institutions (HEFCE2014/12). The Audit Code of Practice, Annex A to the Memorandum, requires Audit Committees of Higher Education institutions to produce an annual report to their governing body, giving the Committee’s opinion on the adequacy and effectiveness of the institution’s system of risk management.
HEFCE's annual Accounts Direction requires HEIs to publish a Statement of Internal Control and Risk Management as part of their audited financial statements. This statement must include an account of the risk management arrangements in place, and set out how risk assessment and internal control are embedded in the organisation's operations. The Accounts Direction also sets out HEFCE’s requirements for risk management. HEFCE notes that effective risk management should:
cover all risks – including those of governance, management, quality, reputation and finance – but focus on the most important risks
The University’s risk management framework is designed to ensure that the University is able to comply with applicable risk management standards and regulatory requirements.
Lukasz Bohdan, Director of Assurance
Tel: (01865 2) 70285
Sophie Hockley, Senior Policy Officer (Risk and Compliance)
Tel: (01865 2) 70298