Council is responsible, under Statutes and Regulations, for the advancement of the University’s objects, for its administration, and for the management of its finances and property. It will receive regular reports on strategic risks, and will seek assurances over risk management and controls from individuals identified as accountable for risks. It will make an active contribution to management by challenging accountable individuals. It will define and keep under review the University’s risk appetite.
Council delegates to the General Purposes Committee (‘GPC’) responsibility to keep under review procedures for identifying and managing risks across the University’s activities. In discharging these responsibilities GPC will also advise Council on any recommendations to amend this Policy. GPC is also the forum in which matters relating to risk that cannot be adequately resolved elsewhere are determined. In order to discharge its responsibility for procedures for identifying risks across the University’s activities, GPC will review and update regularly the University’s strategic risk register. GPC will consider the strategic risks identified by the academic and service divisions, the major Committees of Council, and other bodies, as appropriate. These divisional and Committee risk registers will have been informed by the risk registers of departments, faculties and other academic and service units of the University. In order to discharge its responsibility for managing risks, GPC will review risk management reports relating to each of the key risks on the University’s Strategic Risk Register.
The Vice-Chancellor is accountable to HEFCE for discharging the University’s responsibilities for effective risk management, as set out in the annual Accounts Direction to Higher Education Institutions.
The Audit and Scrutiny Committee provides an annual opinion to Council on the adequacy and effectiveness of the University’s arrangements for risk management.
The internal auditors undertake audit work sufficient to allow them to provide an annual opinion to the Audit and Scrutiny Committee on the adequacy and effectiveness of the University’s arrangements for risk management.
The Risk Advisory Group is responsible for advising GPC on the University’s risk management process, being the procedures, guidance and training provided to staff to facilitate the embedding of risk management into the culture of the University.
The Registrar is responsible for:
a. ensuring that this Policy is implemented and maintained;
b. providing appropriate levels of explanatory guidance and training to support this Policy;
c. defining and implementing procedures for the reporting and escalation of risk to GPC, Council and other University bodies as required;
d. raising awareness of this Policy and its objectives, standards and statements amongst staff and all others to whom it is relevant.
Heads of Division, Heads of Department, Faculty Board Chairs and Heads of University Services (ASUC and UAS) are responsible for:
a. ensuring that this Policy is implemented and followed in their respective divisions, departments, faculties and sections (as appropriate);
b. ensuring that staff within these areas are made aware of this Policy, associated explanatory guidance, and any requirements that the Policy places upon them or their activities.
The Boards of Directors of wholly-owned subsidiary companies of the University are deemed to have responsibilities equivalent to Heads of Division as set out above unless alternate arrangements have been agreed and approved by GPC.
Every member of staff is responsible for familiarising themselves with this Policy, in particular any aspects that have a direct bearing upon the role that they perform for the University.
 Statute VI: https://governance.admin.ox.ac.uk/legislation/statute-vi-council
Part 3 of Council Regulation 15, 2002.
 (link currently unavailable)