Risk Management Strategy
Risk is a part of everyday life, and successful organisations identify and manage their risks effectively. High quality risk management is a positive process which supports and enhances business management.
The University recognises that it has a responsibility to manage internal and external risks as a key component of good corporate governance and is committed to embedding risk management in all of its activities, to help achieve the University’s strategic and operational objectives.
The Risk Management Strategy outlines Queen Margaret University’s approach to risk and details the Risk Appetite Framework to be applied. It helps to ensure that risks are properly identified and then either eliminated or reduced to an acceptable level. This approach is adopted to protect the University and ensure risks are managed effectively and appropriately. The strategy also aims to emphasise the opportunities afforded by positive risk management, which is important to support the successful delivery of the University’s Strategy from 2020. To ensure that the focus is on a meaningful, high quality output, the University’s risk management process has been kept as straightforward as possible.
Risks, mitigating actions and their impact are captured in the Corporate Risk Register, which is reviewed and updated by the Senior Leadership Team on a regular and frequent basis.
Good organisational risk management will lead to organisational resilience. Resilience means being able to thrive in an uncertain environment; it means being able to withstand shocks; and it means coming through uncertainty in a stronger position.
Objectives
The principal objectives of this strategy are:
- To embed risk management within the University’s operations and processes as a valuable and positive business management tool, helping the University to identify and evaluate opportunities as well as threats
- To assist the University’s resilience, and its ability to thrive in an uncertain environment
- To raise awareness of the principles and benefits of the risk management process and to obtain staff commitment to the principles and practices of risk control.
Institutional risk appetite
The University accepts that it must take some risks in order to achieve its goals, and to realise expected benefits. The University is committed to ensuring that risks taken will be controlled and managed, and exposure will be kept to an acceptable level.
The University acknowledges that the level of exposure carried by different activities will vary, and its threshold for accepting varying levels of risk will change depending on the risk area under consideration, the specific objectives involved, the subsequent activities undertaken, and the projected benefits.
The University is clear that it will reject or closely manage any activity that has the potential to cause significant financial or reputation harm to the institution, most notably where these might endanger the University’s ongoing viability, its ability to achieve its key strategic goals, or its ability to meet its regulatory and/or legal obligations.
The University defines Risk Appetite based on the following categories:
Avoid | No appetite. Not prepared to accept any level of risk. |
Averse | Prepared to accept only low levels of risk, with a preference for very safe or prudent options, even if these carry potential for only very limited return. |
Moderate | A tendency to accept low or moderate levels of risk in order to achieve objectives. A more ambitious outlook, albeit still relatively prudent. |
Open | Willing to consider all options/actions/activities to achieve objectives, even where there are elevated levels of associated risk. |
High | Eager to pursue original, creative, pioneering options/activities to achieve objectives, and to accept substantial risks in order to achieve successful outcomes and significant rewards. |
Based on these categories, the University’s institutional baseline Risk Appetite is defined as “moderate” to “open”. This means that, while maintaining a level of prudence, the University is generally willing to consider all options, and will accept moderate levels of risk in the pursuit of its objectives, albeit with a preference for options or activities that limit exposure, even if the rewards are likely to be similarly limited.
While a general appetite of moderate to open is in place, it is recognised that risk appetite will vary according to the objectives pursued and the linked activities undertaken. For example, the University would give consideration to activities which carry elevated levels of risk where it can be shown that the anticipated outcomes are realistically achievable, and likely to deliver enhanced benefits. Acceptance of risk, irrespective of risk appetite, should always take account of the likely benefits an activity will deliver.
Risk areas and associated appetite
At strategic level, risk appetite is applied to the University’s identified risk areas as follows:
Strategic risk area | Avoid | Averse | Moderate | Open | High |
Teaching quality | | X | | | |
Programme development | | | X | | |
Transformative and internationally recognised research | | | | X | |
Enterprise and innovation | | | | X | |
Seek out partnership and collaboration | | | | X | |
Financial security | | X | | | |
Environmental and social responsibility | | | X | | |
Reputation | | X | | | |
Compliance | X | | | | |
People and Culture | | X | | | |
Major change activities | | | X | | |
Rationale for risk appetite
1. Teaching quality (Averse)
As it is essential that high standards of teaching quality are maintained, we should not be open to any risk regarding academic standards. We should, though, look to evolve the way we deliver our teaching, taking a creative approach whilst maintaining quality. Therefore, the overall risk appetite in this area is averse.
2. Programme development (Moderate)
We should be willing to accept a moderate level of risk in programme development to allow for innovation and exploration of new markets.
3. Transformative and internationally recognised research (Open)
We should be open to accepting an elevated level of risk where we are exploring transformative and internationally recognised research. Our capacity for financial investment using internal funds is limited, so the balance of this financial risk should sit more with partners. However, we should ensure that staff time is made available to explore opportunities.
4. Enterprise and innovation (Open)
Similar to above, although capacity for financial investment will be limited, we should be open to exploring opportunities at a relatively elevated level of risk, and ensure that staff time is made available to do this.
5. Seek out partnership and collaboration (Open)
Partnerships and collaborations are important for the overall University portfolio, profile and cultural development. A key aspect of them, though, is to deliver a net contribution to the University’s finances. Given this, the risk appetite in this area should be set at open. All partnerships will be risk assessed, but we should be willing to accept elevated levels of associated risk where potential financial benefits are significant.
6. Financial security (Averse)
Although we should be open to exploring innovative developments, partnerships and investment, we should be prudent when it comes to our overall financial security. This will require a careful consideration of the balance of risk and reward when considering activities that require significant investment, along with consideration of the appropriate level of “risk capital” which can be made available.
7. Environmental and social responsibility (Moderate)
We should have a high appetite for innovative practices in this area but this will have to be moderated by ensuring that innovations will result in key positive deliverables and will not be financially prohibitive.
8. Reputation (Averse)
Our reputation is key to attracting students and staff and creating partnerships.
Although we can build this reputation through developments where we are accepting of an elevated level of risk, our base position on reputation should be averse to risk.
9. Compliance (Avoid)
We should not be prepared to accept any level of risk on compliance. This covers our legal obligations, where failure to comply can have financial and reputational consequences and/or risk our ability to operate as a University.
10. People and Culture (Averse)
We need to maintain a culture that allows us to fulfil our purpose to create a better society through education, research and innovation, and by providing a supportive and creative learning environment in which students and staff thrive. This includes provision of an excellent student experience, and well supported staff.
We should adopt a relatively low risk strategy in this area but be open to creative thought around ways to improve the student and staff experience.
11. Major change activities (Moderate)
In order to thrive and evolve we will have to consider major change activities (such as the Innovation Park and Commercial Zone). This will have to be tempered, though, by careful management of operational, cultural, reputational and financial risk.
Roles and responsibilities
1. Court
The Court sets the overall risk appetite for the University. It is responsible for ensuring that a system of risk management, evaluation and review is established, including control and accountability. It formally reviews the Corporate Risk Register and Risk Management Strategy once a year.
2. Audit and Risk Committee
The Audit and Risk Committee is responsible for assessing the adequacy and effectiveness of risk management control and governance arrangements and for reporting its conclusions to Court. It formally reviews the Corporate Risk Register and Risk Management Strategy twice a year.
3. Senior Leadership Team
The Senior Leadership Team is responsible for ensuring that the University’s risk management, evaluation and review process is effectively applied, taking into account the University’s risk appetite. This is both to support the achievement of the University’s strategy and to ensure that risks connected to core University operations are appropriately managed. The primary tools for this are the Risk Management Strategy and the Corporate Risk Register.
Senior Leadership Team meetings will have a specific agenda item on risk at least every quarter. It is the responsibility of Senior Leadership Team members to identify and raise new risks under this item or flag up existing risks where there is a concern that they may be moving into a higher category.
If possible, an assessment (or re-assessment) of the new or increased risk should be undertaken in advance of the Senior Leadership Team meeting, using evaluation tools in the Risk Management Strategy, to allow discussion and agreement of the risk categorisation. Where a risk is particularly high profile, or difficult to assess, it will be considered further by SLT, Audit and Risk Committee or Court if required.
In addition, the Senior Leadership Team will undertake a fuller review of the Corporate Risk Register on a quarterly basis. This will involve a review and re-assessment of the categorisation of risks; progress on mitigating actions; and monitoring of residual risk.
4. Schools and departments
Schools and departments must ensure that risk is managed effectively in line with the University’s Risk Management Strategy and is reviewed and reported appropriately. Risks should be recorded in the school/department risk register, which should form part of the operational plan.
Schools and departments should formally review all arrangements for risk management affecting their activity each quarter, with updates more frequently if circumstances change. New or increased risks should be flagged to the Senior Leadership Team for possible inclusion in the Corporate Risk Register as required.
Project risks should be managed effectively in line with the University’s Risk Management Strategy. Where material, project risks should be recorded in the school/department risk register.
5. Individuals
All staff are responsible for ensuring that consideration of risk is part of the normal operation of the University. They should undertake their job within risk management guidelines, including compliance with all control measures that have been identified. Each individual member of staff has a responsibility for bringing any new or increased risk to the attention of their head of department or division.
6. Internal audit
Internal audit provides comments on the adequacy of the process in place to identify risk and the effectiveness of the control measures in place. It makes recommendations to management. Recommendations, along with planned management actions, are presented to and monitored by the Audit and Risk Committee.
Identifying risk
As indicated above, the responsibility for identifying risk sits with staff at all levels of the University.
When identifying risk, consideration should be given both to threats to which the University has to react and to risks associated with active decisions being considered by the University. The University’s Risk Management Strategy should be used to evaluate an identified risk and consider whether escalation is required. The process for the escalation of risk is also set out below.
Escalation
The escalation process follows the roles and responsibilities set out above and is summarised below.
1. Individual
Consider if identified risk should be escalated to school/department level.
2. School/department
Consider risk for inclusion in school/department risk register and whether the risk should be escalated to Senior Leadership Team.
3. Senior Leadership Team
Consider risk for inclusion in Corporate Risk Register and whether it requires to be highlighted to the Audit and Risk Committee for specific discussion.
4. Audit and Risk Committee
Consider risks in the Corporate Risk Register and whether any need to be discussed at Court level, taking account of the advice of Senior Leadership Team.
5. Court
Consider risks identified for discussion and other risks identified as part of its work.
Evaluation
Not all risks faced by the University will be of the same magnitude or significance. In addition, the University does not have the resources to manage every single risk it faces. A key purpose of the evaluation stage is to filter out the risks that need to be managed from the risks that simply need to be monitored.
Each risk is assessed for the likelihood it will happen and the impact if it does happen, using the 4x4 evaluation matrix below.
Likelihood (rows) / Impact (columns) | Minor | Measurable | Serious | Major |
Very likely | 4 | 8 | 12 | 16 |
Probable | 3 | 6 | 9 | 12 |
Possible | 2 | 4 | 6 | 8 |
Unlikely | 1 | 2 | 3 | 4 |
Risk Criteria to support evaluation of Impact and Likelihood are provided below. Please note, these guidelines are intended to aid the process of judging the potential impact/severity of a risk. They are not intended to be comprehensive or exact. In many cases the assessment of risk may require aggregating impacts of different types, and also the possible cumulative effect of different risks happening at the same time.
When assessing impact, in many cases, the highest rated score from multiple impacts will be used. For example, a risk may have a measurable financial impact but a major reputational impact. In such a case the impact assessment would be major. The overall assessment will, in all cases, require an element of judgement by management.
Impact rating | Score | Financial | Reputation | Operations | Staff | Students |
Major | 4 | More than 5% of turnover | Extensive and negative coverage by national media. Government intervention. | Major operational disruption. Services unavailable for a significant period of time. | Major impact on staff morale. Significant level of dissatisfaction and demotivation. Staff may leave as a result. | Major disruption. Exams cancelled. Work not assessed. Graduation delays. |
Serious | 3 | 3% - 5% of turnover | Picked up by local media. Possible league table impact or Government queries. | Requires concerted management attention. Disruption and potential short delays. | Widespread cause for concern. Moderate level of dissatisfaction and demotivation. | |
Measurable | 2 | 1% - 3% of turnover | Evident to some external sources with localised impact. | May require management intervention. Local disruption likely with escalation possible if not tackled. | Cause for concern in specific areas of the University with associated dissatisfaction and demotivation. | Cause for concern in specific areas of the University with associated disruption to classes/studies. |
Minor | 1 | Less than 1% of turnover | May be evident to those close to the area of interest or within the University. | Minor operational impact. | Some cause for concern for staff. No lasting impact. | Some cause for concern. Minor disruption. No lasting impact on studies. |
Likelihood rating | Score | Likelihood probability guide | Likelihood frequency guide |
Very likely | 4 | More than 75% chance of occurrence. | Will happen within the next year. Regular occurrence is likely. |
Probable | 3 | 40% - 75% chance of occurrence. | Likely to happen over the next 1-2 years. |
Possible | 2 | 10% - 40% chance of occurrence. | Could happen within the next 3 or more years. |
Unlikely | 1 | Less than 10% chance of occurrence. | Has happened rarely/never before. |
Addressing the risk
In broad terms risk can be addressed using one of the four methods below:
- Tolerate: Accept the risk, either because it is insignificant or additional actions would not be beneficial.
- Treat: Take cost effective actions to reduce either the likelihood of the risk happening, the impact, or both.
- Transfer: Let someone else take the risk (e.g. by insurance or passing responsibility for the risk to a contractor); however, some level of risk is likely to be retained by the University.
- Terminate: Agree that the risk is too high and do not proceed with the project or cease the current activity.
Where a risk is to be treated or transferred it is likely that this will be captured in the Corporate Risk Register. Each risk identified should have a ‘risk owner’. The risk owner should be responsible for co-ordinating any activity required to manage the risk, and for monitoring the situation to see if the level of risk changes.
Monitoring and review
The Corporate Risk Register measures inherent risk if no action is taken and residual risk following mitigating actions. Residual risk is also assessed at each review and any change recorded.
Actions are split into existing actions and actions for further control. If actions for further control are required to manage a risk it is for the risk owner to propose what action is appropriate, and to ensure that these are taken. Where possible, actions for further control should be SMART (specific, measurable, achievable, realistic and timely). If it is clear that an action for further control will continue in the long term it should be moved into existing actions.
As noted above, the Corporate Risk Register is monitored and reviewed on a quarterly basis by the Senior Leadership Team, twice a year by the Audit and Risk Committee and once a year by Court.
Business Continuity Planning
Some risks could impact on the ability of the business to continue operating during times of change or disruption. These risks will feed into the business continuity planning processes. Consideration will be given to having specific business continuity plans in place should these risks happen.
Certain risks emerge which could mean major disruption to our business, senior management teams, employees or accommodation. These risks will be dealt with as part of the University’s business continuity planning process.