In developing and implementing its approach to risk management, the University follows best practice in the management of risk. The University is mindful of international standards on risk management (specifically ISO Guide 73:2009 and ISO 31000:2009); guidance from HEFCE; guidance from the Committee of University Chairs; and other relevant sector bodies.
The University is required to implement adequate arrangements to promote effective risk management, control and governance, under the terms of the Memorandum of Assurance and Accountability between HEFCE and Higher Education Institutions (HEFCE2014/12). The Audit Code of Practice, Annex A to the Memorandum, requires Audit Committees of Higher Education institutions to produce an annual report to their governing body, giving the Committee’s opinion on the adequacy and effectiveness of the institution’s system of risk management.
HEFCE's annual Accounts Direction requires HEIs to publish a Statement of Internal Control and Risk Management as part of their audited financial statements. This statement must include an account of the risk management arrangements in place, and set out how risk assessment and internal control is embedded in the organisation's operations. The Accounts Direction also sets out HEFCE’s requirements for risk management. HEFCE notes that effective risk management should:
cover all risks – including those of governance, management, quality, reputation and finance – but focuses on the most important risks
- produce a balanced portfolio of risk exposure
- be based on a clearly articulated policy and approach
- require regular monitoring and review, giving rise to action where appropriate
- be managed by an identified individual and involve the demonstrable commitment of governors, academics and officers
- be integrated into normal business processes and aligned with the strategic objectives of the organisation.
The University’s risk management framework is designed to ensure that the University is able to comply with applicable risk management standards and regulatory requirements.