Risk Register Template
Risk Management Framework
Supporting this policy, Colleges and University Services will adhere to a consistent format when articulating and managing risk. Strategic, operational and project risk is managed using the University strategy, project and Governance/Risk/Compliance (GRC) tool, Portfolio and Project Management Anywhere (PPMA), which can be accessed using single sign-on at https://uofg.ppmanywhere.com/. A training guide on how to use this tool can be found at https://www.gla.ac.uk/myglasgow/ppm/ppma/ppmatraining/ and its use is further outlined in the appropriate Standard Operating Procedures. The framework within this document outlines:
- The template in Appendix A is the data used within PPMA for all risk registers
- Guidance in Appendix B on the methodology for scoring risks
- Guidance in Appendix C on how risk is rated and escalations
- Guidance in Appendix D on our appetite for risk
- Guidance in Appendix E on how risk is managed at CMG and PSG levels
- Guidance in Appendix F on how risk is managed at School, Research Institute and University Services functional levels
The number of risks in a register is not fixed; however, at board level and above, this should be limited to the key risks that will directly impact on the delivery of the University strategy or services.
As part of the risk review cycle outlined in section 4, the review should include the deletion of risks that are no longer applicable, the introduction of new risks and the amendment of current risks.
The Risk Management Policy and Framework will be subject to annual review at the Audit and Risk Committee. The Audit and Risk Committee will review the strategic risk register as well as evidence that the risk policy is being adhered to across the University.
The Audit and Risk Committee will review the effectiveness of the risk policy and risk management framework and may recommend an external review of the process.
The Head of Risk is responsible for ensuring that the risk management framework is being adhered to, and will escalate omissions or evidence of a lapse in risk management from operational risk registers to the Director of Strategy Implementation and Risk.
Appendix A: risk register PPMA field description
* denotes a mandatory field and the system will not save until this is completed
ID |
A unique identifier automatically generated by PPM |
Risk Register |
Automatically assigned within the PPMA structure |
Title* |
A very short title that makes it easy to understand what the risk is about. A precursor is automatically added to identify the risk register |
Risk owner* |
Who will be ultimately accountable for the management of this risk? This is not the person who will be responsible for completing the mitigating actions |
Root cause* |
What are the reasons this risk could occur? This is commonly written as “due to…” |
Risk description* |
How would you describe the risk? This is commonly written as “there is a risk that…” |
Risk impact* |
What would happen if the risk happened? This is commonly written as “this will result in…” |
Category* |
This is the strategic theme which the strategic category aligns with. Refer to Appendix C for a drop-down list of these categories |
Strategy |
How does this risk relate to our thematic and enabling strategies? Refer to Appendix C for a drop-down list of these strategies |
Business Objective |
Which of the 9 objectives from the 2025 Strategy does this risk relate to? Refer to Appendix C for a drop-down list of these objectives |
KPI |
If applicable, the risk should be attributed to one of the strategic Key Performance Indicators |
Movement* |
Since the last review, is this risk: WORSENING – the risk is becoming more likely, or the impact is bigger than you originally thought; STABLE – there is no change to the likelihood of the risk occurring or the impact it will have; IMPROVING – the risk is becoming less likely, or the impact is less than you originally thought |
Escalation groups/ committees* |
Using the escalation table in Appendix D, at what level in the University is this being managed? Level 1 – Audit and Risk Committee/Court; Level 2 – Senior Management Group; Level 3 – College Management Group, Professional Services Group or Committee. The governance site contains all Terms of Reference for committees, including escalation of risk |
Identified Date |
Date risk was agreed to go onto the risk register |
Last review date |
The date the risk was last reviewed |
Next review date |
A separate date for each mitigation action or when the control will be reviewed again |
Mitigation* |
How will we manage this risk? RESOLVE – can we completely remove all likelihood that this risk will happen or ensure that there will be no impact to the University? REDUCE – can we make it less likely that the risk will happen or, if it does, can we soften the impact to the University? ACCEPT – is there nothing we can do to reduce or resolve the likelihood and probability? TRANSFER – can we pass this to an external partner to resolve or reduce, such as a sub-contractor to manage on our behalf? |
Proximity* |
If the risk becomes a reality, how far in the future is that likely to happen? It is common to use this alongside the initial probability, e.g., there is a 75% chance of this happening in 6 months to 1 year. Options: Anytime; 1 to 3 months; 3 to 6 months; 6 months to 1 year; More than 1 year |
Initial impact* |
What was the impact when the risk was first identified? A score of 1 to 5. Refer to Appendix B for further details. This score does not change and is fixed after entry. |
Initial probability* |
What was the probability when the risk was first identified? This score does not change and is fixed after entry. A score of 1 to 5: 1 (very low) – 1% to 19% chance: “there is not much chance of this happening”; 2 (low) – 20% to 39% chance: “we don’t think this will happen”; 3 (medium) – 40% to 59% (or 50/50) chance: “we don’t know if this will happen”; 4 (high) – 60% to 79% chance: “we are reasonably sure this will happen”; 5 (almost certain) – 80% to 99% chance: “we are almost certain this will happen” |
Initial assessment* |
Initial impact * Initial probability. This is automatically calculated by PPMA. This score does not change and is fixed after entry |
Current impact* |
What is the impact at the time of review? A score of 1 to 5. Refer to Appendix B for further details |
Current probability* |
At the time of review, what is the likelihood that this risk will happen? A score of 1 to 5 as detailed above in the initial probability |
Current assessment* |
Current impact * Current probability. This is automatically calculated by PPMA |
Residual impact* |
If all actions were completed and controls are working, what would the impact score be? Refer to Appendix B for further details |
Residual probability* |
If all actions were completed and controls are working, what would the probability score be? A score of 1 to 5 as detailed above in the initial probability |
Residual assessment* |
Residual impact * Residual probability. This is automatically calculated by PPMA |
Mitigation ID |
A unique identifier automatically generated by PPM |
Mitigation control or action* |
Mitigations can take one of two forms. Action – this will be a task with a clear output or outcome and a clearly defined due date; common words for an action include deliver, produce, run or set up. Control – this will be an operational or business-as-usual mitigation, such as a monthly review at a committee or board; controls do not have a due date but need a date when they will be reviewed to ensure the mitigation is effective |
Mitigation description* |
A list of mitigations that will be undertaken to manage the risk. A separate line should be created for each mitigation so that the owner can be assigned |
Mitigation assigned to* |
A separate name who is responsible for each mitigation action or control |
Action or review date* |
A separate date for each mitigation action or when the control will be reviewed again |
Mitigation notes |
An update on the current effectiveness of the control or delivery of the action |
RAG |
What is the RAG (Red Amber Green) of the mitigation action or control? GREEN – the action or control is on track. AMBER – for management information only; the action or control may go off track. RED – for management intervention; the action or control is off track |
Action Status* |
Is this action or control started, in progress or complete? PPMA provides a list of open and closed actions together with completion dates |
Last updated |
An automated date and time as soon as the user presses save to update an action |
Updated by |
An automated field showing the username as soon as save is pressed to update an action |
Comments and attachments |
Freeform text to provide additional information or context. Where possible, comments should include the minutes from the last review of the risk. Attachments can be added to support actions. |
Appendix B: scoring methodology
Probability | 1 - Very Low Probability | 2 - Low Probability | 3 - Medium Probability | 4 - High Probability | 5 - Almost Certain |
| 1% to 19% chance of happening; there is not much likelihood this will happen | 20% to 39% chance of happening; we don't think this will happen | 40% to 59% chance of happening; we don't know if this will happen (50/50) | 60% to 79% chance of happening; we are reasonably sure this will happen | 80% to 99% chance of happening; we are almost certain this will happen |
Impact | 1 - Very Low Impact | 2 - Low Impact | 3 - Medium Impact | 4 - High Impact | 5 - Highest Impact |
Civic | Minor impact on Civic Engagement – very limited impact on civic and community partners. | Short-term impact on Civic Engagement – limited impact on civic and community partners; contained to specific area of the University’s civic engagement | Significant impact on Civic Engagement; significant impact on civic and community partners resulting in negative impact on institutional ability to meet civic engagement commitments. | Major impact on Civic Engagement; major impact on civic and community partners resulting in inability to meet significant institutional commitments and the delivery of the University’s Civic Mission and its Civic Strategy | Unsustainable impact on Civic Engagement involving a significant number of civic and community partners |
Data | High trust - can be used for strategic purposes; GDPR unlikely to be impacted | High to moderate trust - can be used for management purposes; GDPR could be impacted and requires further review | Moderate trust - can be used for more than one operational purpose; GDPR highly likely to be impacted and requires action | Moderate - Low trust - can be used for single operational purpose; GDPR will be an issue and an action plan is required | Low trust - data is not fit for purpose; GDPR requirements will not be met |
Estates | Disruption of up to 1 day to business-critical services/estate; disruption of up to 5 days to non-critical services/estate | Disruption up to 5 days to business critical services/estate; disruption of up to 10 days to non-critical services/estate | Total loss of up to 1 day to business critical services/estate; total loss of up to 5 days to non-critical services/estate | Total loss of up to 5 days to business critical services/estate; total loss of up to 10 days to non-critical services/estate | Total loss over 5 days to business critical services/estate; total loss over 10 days to non-critical services/estate |
External relations and reputation | Highly unlikely to cause adverse publicity | Unlikely to cause adverse publicity | Needs careful PR/Diverse local publicity | Diverse local and national publicity/limited damage to University brand | Adverse national and international publicity/sustained damage to University brand |
Finance | Financial loss of £500k-£1m or £100k-£500k per annum | Financial loss of £1-2m or £500k-£750k per annum. Opportunities would result in <£750k per annum cost saving or income generation | Financial loss of £3m-£5m or £750k-£1m per annum; minor changes to current procurement or current supplier contracts required. Opportunities would result in £750k-£1m per annum cost saving or income generation | Financial loss of £5-10m or £1m-£2m per annum; major changes to current procurement or current supplier contracts required. Opportunities would result in £1m-£2m per annum cost saving or income generation | Financial loss of >£10m or >£2m per annum; new procurement or new supplier contracts will be required. Opportunities would result in >£2m p.a. cost saving or income generation |
Health and Safety | Minimal impact to health/welfare | Workplace safety compromised; significant impact to health/welfare | Litigation due to unsafe workplace; major impact to health/welfare; lost time <7 days | Serious injury or harm; dangerous near miss; significant publicity and litigation as a result; lost time >7 days | Death or permanent disability; long term impact to service; major publicity and litigation |
Innovation | Minor impact on our Innovation Strategy | Would have a small impact on our ability to take advantage of commercialisation opportunities | Would have a major impact on the Innovation Strategy objectives. Opportunities may result in some commercialisation opportunities | Would have a significant impact on our ability to take advantage of commercialisation opportunities | Would result in us being unable to achieve our Innovation Strategy. Opportunities would result in significant commercialisation opportunities |
International | Minor impact on international activity which does not have widespread consequences for international strategy | Short-term impact on international activity; minor impact on recruitment, research, reputation and partnership activity – contained to small region | Significant impact on international activity; loss of significant income and detrimental to partnership activities, research and reputation in one region. | Major impact on international activity; major impact on a partnership activity, research, reputation and recruitment in key geographical region or several regions. | Unsustainable impact on international activity impacting several key regions. Would result in inability to achieve our International Strategy or meet institutional targets. |
Learning and teaching | Minor impact on teaching activity | Short-term impact on teaching activity | Significant impact on teaching activity; loss of a key academic course | Major impact on teaching activity; significant impact on a school | Unsustainable impact on teaching activity; significant impact on a College |
People and OD | Minimal impact to staff wellbeing. No visible impact to capacity and capability | An increase in wellbeing cases. Key roles are being impacted. Visible impact on service delivery and operations | Major impact to staff wellbeing. Short term loss of key roles. Significant impact to staff morale | Threat of staff industrial action. Long term loss of key roles. Significant impact to capacity and capability. Highest impact on service delivery and operations | Widespread and sustained industrial action. Long term impact to capacity and capability. Complete loss of service delivery and operations |
Research | Minor impact on research activity | Short-term impact on research activity | Significant impact on research activity | Major impact on research activity; significant impact on a school; short term damage to research funding | Unsustainable impact on research activity; significant impact on a College; irreparable damage to research funding |
Services | Disruption (< 1 day) disruption to business critical services; no noticeable disruption to non-critical services | Disruption between 1 and 5 days disruption to business critical services; disruption < 10 days to non-critical services | Loss < 1 day disruption to business critical services; no loss to non-critical services | Loss (between 1 and 5 days) disruption to business critical services; loss (< 10 days) to non-critical services | Loss > 5 days of service to business critical services; loss > 10 days to non-business critical services |
Student Experience | no noticeable impact on student experience | no impact to teaching; would lead to individual students raising concerns; no impact on NSS scores | minor disruption to teaching; would lead to a group of students raising concerns; low impact (1-2 years) on NSS scores | significant disruption to teaching; would lead to individual students raising a formal complaint or leaving the University; medium impact (2-3 years) on NSS scores | teaching stopped in one or more School; would lead to a group of students raising formal complaints or leaving the University; long term impact (more than 3 years) on NSS scores |
Student Recruitment | no noticeable impact on student recruitment | would lead to between 1% and 3% of student recruitment markets not being met | would lead to 4% to 7% of student recruitment targets not being met | would lead to between 7% and 10% of student recruitment targets not being met | would lead to more than 10% of student recruitment targets not being met |
Sustainability | Overall success in meeting targets and fulfilling actions; a small number of actions not achieved within expected timescale | Overall success in meeting targets and fulfilling actions; some targets missed and some actions not achieved within expected timescale | Mixed success in meeting targets and fulfilling actions; significant revision required to strategy and action plan | Some successes in implementing sustainability strategy but overall failure to achieve goals, resulting in negative publicity | General failure to achieve strategy resulting in widespread condemnation and reputational damage to University |
Technology/IT | Negligible impact on technology systems, infrastructure or architecture | Minor impact on technology systems, infrastructure or architecture with a known solution or a medium term workaround fix. There may be an impact on the delivery of the Technology Strategy. Opportunities would result in minor improvements to technology systems, infrastructure or architecture | Impact to technology systems, infrastructure or architecture that could be fixed with a short term workaround solution. Minimal impact on the delivery of the Technology Strategy. Opportunities would result in significant improvements to technology systems, infrastructure or architecture | Major impact on technology systems, infrastructure or architecture that would require immediate remediation. Key elements of the Technology Strategy would not be delivered. Opportunities would result in significant improvements to technology systems, infrastructure or architecture | Untenable impact on technology systems, infrastructure or architecture. Unable to achieve the delivery of the Technology Strategy. Opportunities would result in a transformational change to technology systems, infrastructure or architecture |
Transformation | Minor impact on the Transformation Strategy | Would result in a delay or increase to cost within business case tolerances to a Transformation project. | Would result in a delay or increase to cost outside of business case tolerances but highly likely to be approved. May result in minor inefficiencies to our processes or systems. Opportunities would have some impact to the Transformation Strategy. Would result in minor efficiency improvements to our processes or systems | Would result in a significant delay or increase to cost to a Transformation project. May result in major inefficiencies to our processes or systems. Opportunities would have a direct impact to the Transformation Strategy. | Would result in the complete halt to a Transformation project. The Transformation Strategy would not be able to meet stated goals. Would result in unacceptable inefficiencies to our processes or systems. Opportunities would exceed the current expected benefits from the Transformation Strategy. Would result in significant efficiency improvements to our processes or systems |
Project specific
Project – Finance and cost | Overspend of less than 1% of agreed budget | Overspend between 1% and 3% of agreed budget | Overspend between 3% and 5% of agreed budget; minor changes to current procurement or current supplier contracts required | Overspend between 5% and 10% of agreed budget; major changes to current procurement or current supplier contracts required. Additional Capital Application required | Overspend of greater than 10% of agreed budget; new procurement or new supplier contracts will be required. Additional Capital Application required |
Project – Resources | We have the capability but there may be an acceptable delay in freeing the resources to complete the work | We have the capability but there may be an unacceptable delay in freeing the resources to complete the work | We do not have the capability and would need to train current resources to complete the work within acceptable cost or time | We do not have the capability and would need to source externally or recruit to complete the work within acceptable cost or time | We do not have the capability and sourcing expertise is likely to increase cost or time to unacceptable levels |
Project – Scope and business case | Scope change or functionality/quality/business case impact barely noticeable. | Scope change or functionality/quality/business case impact noticeable but accepted by customer/end user | Scope change or functionality/quality/business case noticeable and would require a minor change | Scope change or functionality/quality/business case noticeable and would require a major change | Scope change or functionality/quality/business case would not be accepted by the customer/end user |
Project – Time and planning | Slippage of less than 2% of project lifecycle or less than 4 weeks. Has no impact on the implementation of business activities. | Slippage between 3% and 10% of project lifecycle or between 1- and 2-months slippage. Delay of up to two weeks for non-business critical activities and up to 2 days on business-critical activities. | Slippage between 10% and 15% of project lifecycle or between 2- and 3-months slippage. Delay of up to 4 weeks for non-business critical and up to 1-week delay to business-critical activities. | Slippage between 15% and 20% of project lifecycle or between 3- and 6-months slippage. Delay of up to 2 weeks for business-critical activities. | Slippage of greater than 20% of project lifecycle or more than 6 months slippage. Delay of greater than 2 weeks for business-critical activities. |
Appendix C: Escalation levels, ratings and strategic themes
Escalation level | Examples |
Level 0 | Court and Audit and Risk Committee |
Level 1 | Senior Management Group |
Level 2 | College Management Groups, Professional Services Group, Governance Groups (as described in the corporate governance structure (www.gla.ac.uk/governance)) |
Level 3 | School, University Services Leadership Teams (e.g. People and OD, Commercial Services or Finance) |
| 1 - Very Low Impact | 2 - Low Impact | 3 - Medium Impact | 4 - High Impact | 5 - Major Impact |
5 - Almost Certain | Medium | Medium | High | Major | Major |
4 - Very High Probability | Low | Medium | High | High | Major |
3 - Medium Probability | Low | Medium | Medium | High | High |
2 - Low Probability | Low | Low | Medium | Medium | High |
1 - Very Low Probability | Low | Low | Low | Low | Medium |
Low risk: Requires minimal attention. Updated at next review date |
Medium risk: Should be reviewed and updated monthly to ensure that mitigation is effective |
High risk: Effective mitigation plan signed off at appropriate level and updated monthly to ensure that mitigation is effective |
Major risk: Requires immediate attention. Effective mitigation plan signed off a level above or SMG/Audit and Risk Committee. Updated regularly to ensure that mitigation is effective |
Thematic strategies | Enabling strategies | Other |
Civic engagement; Innovation; Internationalisation; Learning and teaching; Research; Student experience; Sustainability | Data and cybersecurity; Estates; Finance; People and Organisational Development; Services; Student recruitment; Technology/IT; Transformation | Health & Safety; External Relations; Student recruitment; Project finance and cost; Project resources; Project scope and business case; Project time and planning |
Appendix D: risk appetite statements
Strategic theme | AVERSE | MINIMAL | CAUTIOUS | SEEKING |
| We will accept risk with a score of 1-4 | We will accept risk with a score of 5-9 | We will accept risk with a score of 10-16 | We will accept risk with a score of 20-25 |
Definition | Avoidance of risk and uncertainty is a key organisational objective | Preference for safe options that have a low degree of risk and may only have limited potential for reward | Willing to consider all potential options and choose the one most likely to result in successful delivery, while also providing an acceptable level of reward and value for money | Eager to be innovative and to choose options offering potentially higher rewards despite greater inherent risks |
Data | The University will not compromise on its statutory obligations to store, interrogate or dispose of data. There is no tolerance for information security risk causing loss or damage to University data | |||
Estates | EXISTING ESTATE | CAMPUS DEVELOPMENT | ||
The University will take all care of duties in the protection of the campus heritage and the fabric of our buildings | The University will actively seek new and innovative usage of space | |||
External Relations and reputation | The University will not compromise its reputation and values in the short or long term | |||
Finance | Financial risks and rewards are to be weighed against short and long term strategic and operational priorities | |||
Health and Safety | The University will not compromise any aspect of Health and Safety that puts any staff, student or member of the public at risk | |||
Innovation | The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets | |||
Learning and Teaching | The University recognises that, although quality and integrity of output is paramount, it seeks to maintain and to benefit from ongoing developments in the definition and delivery of academic outputs | The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets | ||
People and OD | The University will not compromise the wellbeing of its staff | The University recognises trade union collaboration and will avoid industrial action as much as possible | ||
Research | The University recognises that, although quality and integrity of output is paramount, it seeks to maintain and to benefit from ongoing developments in the definition and delivery of academic outputs | The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets | ||
Student experience | A positive and rewarding experience is of paramount importance to the University. A small level of risk is acceptable if it demonstrates providing a more enriched and innovative experience to the student | |||
Services | The University seeks innovation and improvement but will not accept higher risk in the operation of key services | |||
Sustainability | Threats | Opportunities | ||
The University has zero tolerance for any adverse impact on the environment | The University has a high tolerance for innovative and unique opportunities that actively contribute to our Sustainability Strategy and reduce our carbon footprint | |||
Technology | The University seeks innovation and improvement but will not accept higher risk in the operation of key systems | |||
Transformation | The University will actively seek opportunities for innovation and accept higher risk that would demonstrate excellence |
Appendix E: Level 2 Risk Standard Operating Procedure
Related policy |
Risk Management Policy and Framework v7.0 |
Managed by |
Finance Office |
Accountable person |
Jane Hoey, Head of Risk |
Approved by |
Audit and Risk Committee and sent to KPMG, internal auditors |
Date approved |
30th October 2024 |
Version |
1.0 |
Version notes |
First draft |
Scope
This SOP covers |
Strategic and operational risk at each of the College Management Groups (CMG) and the Professional Services Group (PSG) |
This SOP does not cover |
|
Related SOPs |
Level 3 Operational Risk Standing Operating Procedure |
Resources
Systems impacted |
Portfolio and Project Management Anywhere (PPMA) |
Forms/templates used |
PPMA has a specific form built into the application to record risks, controls and actions. |
Reporting |
There are 5 key reports available in PPMA
|
Additional guidance |
|
Procedure
Ref |
Procedure |
1 |
Risk identification
|
2 |
Risk Articulation
|
3 |
Risk mitigation
|
4 |
Risk Reporting
|
5 |
Risk Review
|
6 |
Risk escalation
|
Training
PPMA |
Risk training for project and strategic/operational risk is included in the PPMA Overview Course. Details of this can be found on the internal website www.gla.ac.uk/myglasgow/ppm |
Risk training |
Tailored risk training is available via Jane.Hoey@glasgow.ac.uk |
Risk register template in Microsoft Excel
Please note that there are some ongoing refinements to our risk appetite and impact statements that will be updated here in Q3 2022
Download a blank Excel risk register template
Last updated June 2022
Updated May 2022