Programme aims
At its core, the programme is about making compliance simpler, clearer and more effective.
Instead of departments dealing with multiple overlapping requests and disconnected processes, we will coordinate our efforts to ensure we effectively manage risks in essential areas including:
- Counter-fraud
- Cyber security
- Health and safety
- HR compliance
- Export controls and sanctions
- Conflicts of interest
- Business continuity and resilience
- Information compliance
The aim is to reduce duplication, improve visibility of risks and create a more consistent standard across the University.
Why the programme is needed
In 2025, the University’s auditors highlighted serious concerns in areas including cyber security and fire safety. These issues were seen as emblematic of wider weaknesses in risk, compliance and assurance across the organisation.
It found that there were inconsistent controls for managing these risks, and that these controls were not applied consistently. It also found that audit actions were not implemented quickly enough, and that risk, compliance and assurance activity is fragmented and burdensome.
Without urgent action, we will not be able to protect our people or our systems from harm. The University is also at risk of regulatory action and reputational risk. This in turn threatens our long-term ability to deliver our academic mission.
In response, the University’s senior leadership has called for faster action, clearer accountability and a more joined-up approach to managing risk. The focus has now shifted from reacting to problems to building stronger long-term systems and standards across the institution.
What will the programme involve?
A major part of the first phase of the programme focuses on mandatory training and clearer reporting.
Mandatory training courses — including cyber security, harassment prevention, anti-bribery and health and safety — are being tracked through new dashboards that show compliance levels across departments and divisions.
These dashboards are designed to give leaders better data, improve oversight and make it easier to identify gaps or areas needing attention. Dashboards are already in place for departments, and additional dashboards will be added for divisions and key governance committees.
Cyber security and fire safety are the two biggest immediate priorities. The University has committed significant new funding to improve cyber resilience, recruit specialist staff and introduce stronger controls and monitoring. In fire safety, rapid progress has been made to complete fire risk assessments, improve governance and begin long-term remediation work across University buildings.
The programme is also driving cultural change, with clear ownership of risks, faster delivery of actions and less tolerance for non-compliance. Senior leaders, divisions and departments are all expected to play a more active role in maintaining standards and reducing risk.
What happens next?
This is a long-term programme of change that will take several years. However, there are two essential activities that will take place in Trinity term and the Long Vacation 2026:
1) Annual assurance exercise
At present, departments are asked to report on risks in a variety of ways – including a financial assurance return during the Long Vacation. We are changing this from August 2026, when departments will also be asked a series of additional questions as part of the financial assurance exercise.
The exercise will now ask about a range of additional risks, and how departments are mitigating them. By carrying out this exercise in a joined-up way, we will get a much better, collective understanding of our risks, which we can then work together to manage.
Detailed guidance will be provided by the Finance and Assurance teams to support colleagues adjusting to this change.
2) Mandatory training
There is a range of training that all staff must take part in on an annual basis – to ensure they understand and respond to key risks.
Currently, completion rates of key training courses are very inconsistent across the organisation and we do not have enough oversight of who has completed them. This exposes the University to unacceptable risks.
In response, the programme team will work to increase the uptake of key training courses. As well as encouraging individuals to take personal responsibility for completing the training, it will also develop and improve reporting dashboards, and add additional reports so that divisions, committees and the University as a whole can get clarity on where training has been undertaken.
These dashboards will be shared with local teams, so that they follow up with those who have not completed their training to increase completion rates.
Management and oversight
The programme is sponsored by the Director of Assurance, Lukasz Bohdan, and the interim Programme Lead is Kate Vickers.
The team’s focus is on taking the action that is needed in a coordinated way that reduces unnecessary burdens on colleagues across the University and simplifies processes wherever possible.
The Programme is currently putting together a proposal for additional resource to support implementation from 2026/27 – with targeted support for divisions.
The programme is aligned to the ambitions of the Professional Services Programme. It focuses on streamlining processes, reducing burden, focusing on priorities and clarifying priorities.
The Programme team will work closely with the Assurance Shared Leadership Group to align its activities with wider service improvements, and engage with colleagues across the University to shape its approach.
More information
More information will follow as the programme develops. If you have any questions at this stage, please contact compliance@admin.ox.ac.uk.