Risk Management Framework and Policy v6.0 (2022)
What is this policy about?
This policy sets out the University’s approach to risk management and the framework to identify, assess, address and monitor risk
Who should follow this policy?
All staff should be aware of this policy; it is the responsibility of each College, School and service to ensure that there is a nominated administrator who is fully conversant in the policy and how risk is managed.
How does the University check this policy is followed?
This policy is a key part of the Audit and Risk Committee annual review. The next review and sign off of the policy and framework at Audit and Risk Committee is August 2022. The Strategic Risk Register is regularly reviewed and discussed at the Senior Management Group.
Who should I contact with any queries about this policy?
Please contact Craig.Chapman-Smith@glasgow.ac.uk
Last refreshed 01/05/22
Purpose
The University is accountable to a wide audience including funding bodies, students, staff, the public and the University Court. Risk management supports our strategic planning and prioritisation and strengthens our ability to be agile when responding to challenges or seizing opportunities.
The purpose of the risk management policy and framework is to:
- definition of risk, roles and responsibilities and the encompassing governance structure
- a consistent set of tools required to adopt good practice in the identification, assessment, mitigation and monitoring of risk. It is intended to cover risk at a strategic and operational level as well as support the delivery of change through our project management framework
Risk management definition
Risk is defined as the threat or possibility that an action, event or set of circumstances will adversely or beneficially affect an organisation’s ability to achieve its objectives. Risk management is defined as the planned and systematic approach to identifying, assessing, addressing and managing risk.
Roles and responsibilities
- The Principal will be accountable for reporting to Court, via the Audit and Risk Committee, a summary of the University’s risk management process and the outcome of the risk management monitoring activities
- The University Risk Management Policy and Framework and reporting will be delegated to the Executive Director of Finance. The Executive Director of Finance will ensure the managing processes are robust and demonstrate assurance to the Audit and Risk Committee
- The University Director of Risk, reporting to the Director of Finance will be responsible for the day-to-day management of risk across the University
- The University Director of Risk will support the management of risk across all Colleges, Schools, Research Institutes, University Services and major programmes/projects as well as collate and analyse risk across the whole University. The Director of Risk will also manage the Strategic Risk Register, providing assurance on the effectiveness of mitigations, horizon scanning insights on emerging risk and act as the escalation conduit from operational and project risk assessments
- The Senior Management Group, Professional Services Group and College Management Groups (CMG) will review risks monthly. The results of these reviews will be collated and fed into the strategic risk review, where risks identified are either common to all operational units or where they have been identified as having potentially broader implications
- The risks identified within the Strategic Risk Register are determined by the University’s Strategic Framework. Each risk is assigned to a member of the Senior Management Group. The role of risk owner is to take responsibility for ensuring that suitable management strategies are in place for dealing with each identified risk
- The Chief Operating Officer & Secretary will be responsible for risk management within University Services. Executive Directors of Service will be accountable for the management of risk within each service. Each Executive Director of Service will delegate the administering of risk management activities within their service to a nominated Risk Manager
- The Heads of College and College Management Groups will be responsible for risk management activities within their Colleges. The College Heads of Finance will be responsible for administering the Colleges’ risk management activities
- Heads of Schools will be responsible for the risk management activities within their School. School risk registers will be managed locally and returned to CMG on a monthly or, as a minimum, quarterly basis as part of the School Return (SPR)
Strategic, project and operational risk
The University’s annual operating planning process sets the objectives and targets necessary to achieve the delivery of our strategic ambitions. Risk management is embedded within this process and risk is managed at the following levels:
- Court review annually
- Audit and Risk Committee review bi-annually
- Senior Management Group and Sub Committees review monthly with an annual full review
- College Management Group and Professional Services Group review monthly with an annual full review
- Boards and Committees reviewed at each meeting
- Schools and University Services reviewed monthly with an annual full review
Major projects and working groups require a separate risk register which will be monitored by the relevant project board (or equivalent). Escalation for projects and working groups will vary in Colleges and University Services and the Terms of Reference for each board should define the escalation process. In general, tactical and project risk is managed at the following levels:
- Senior Management Group review monthly with an annual full review
- Project Boards or Professional Services Group review at each meeting with an annual review
- University Services Executive Directors of Service (if applicable) review monthly
- Programme and Project Boards or Working Groups Governance review at each meeting
Health and Safety risk
Identification, assessment and mitigation of health and safety risk is managed by the Director of Health, Safety and Wellbeing. These risks will not be managed as part of the University Risk Management Policy and Framework. Please refer to www.gla.ac.uk/myglasgow/health for further details and policy.
Cybersecurity risk
Identification, assessment and mitigation of a cybersecurity threat is managed by the Chief Information Security Officer. These risks include but are not limited to: enter once details from Mark. These risks will not be managed as part of the University Risk Management Policy and Framework unless escalated, via the Professional Services Group to the Senior Management Group. At this point, it will be recorded and managed on the Strategic Risk Register under this framework. Please note that, as of May 2022, the website for cybersecurity risk is still in development. This document shall be updated as soon as this becomes available.
Risk escalation
Guidance in appendix D outlines the various levels in the University where risk is managed. Should a major risk (as defined by the scoring matrix in appendix D) be considered too great for the current level of management, it should be escalated to the next level. This will be clearly marked in the risk register as detailed in appendix A.
Risk appetite
The University recognises that its risk appetite is continually changing as it responds to internal and external changes. At any one time, the University may be willing to accept additional risk in one area while reducing in another. As part of the annual SMG risk review, the risk appetite will be checked against current strategic and operational needs.
The University’s approach is to minimise exposure to Health & Safety, reputation, legal and staff wellbeing. The University will accept some risk in service delivery and operations as well as technology if there is a return on innovation and improvement to key systems and services. The University will accept a higher academic and financial risk exposure if it can be demonstrated that there will be a clear return and positive impact to its strategic ambitions. Appendix E provides risk appetite statements for each category of risk.
Embedding risk
Risk should not be viewed as a standalone piece of work or a regulatory requirement; it should be seen as a tool to support the delivery of our operations and strategic ambition as well as a core source of data for decision making:
- Linking risk to strategy. Risk shall be categorized in line with the thematic and enabling strategies. The exception to this will be health and safety and reputational risk. The full list of thematic and enabling strategies can be found in appendix D.
- Linking risk to governance. Our governance structure is fully explained on the site, www.gla.ac.uk/governance Each governance body has a Terms of Reference including risk management and escalation processes. Each governance body responsible for a thematic or enabling strategy shall review the appropriate risks on the Strategic Risk Register
- Linking risk to investment. The investment portfolio is managed by the Investment Committee. As all investments capture the associated thematic or enabling strategy, the annual reports to Audit and Risk Committee and Court will demonstrate how investments >£500k are contributing to the mitigation of the Strategic Risk Register. Business cases should outline key investment risks. www.gla.ac.uk/myglasgow/governance/corporategovernance/financialgovernance/investmentcommittee
- Linking risk to performance. At Strategic Risk Register level only, risks shall be linked to University Key Performance Indicators (KPIs) as an additional measure in reviewing strategic delivery
Risk Management Group
Nominated Risk Managers in College and University Services will meet quarterly to review the master risk register. This is the aggregation of all registers and held by the University Director of Risk for analysis including trends.
The master risk register will be manually collated quarterly for strategic, operational risks and major programmes. Insights will be shared at Committee, College Management, Professional Services Group and Boards as well as summarised monthly for Senior Management Group as part of the Strategic Risk Register review.
The Terms of Reference for the Risk Management Group can be found at www.gla.ac.uk/risk/riskmanagementgroup
Risk Management Framework
Supporting this policy, Colleges and University Services will adhere to a consistent format when articulating and managing risk.
The University uses:
- The template in Appendix A as the data capture for all risk registers
- Guidance in Appendix B on the methodology for scoring risks
- Guidance in Appendix C on how risk is rated and escalation
- Guidance in Appendix D on our appetite for risk
The number of risks in a register is not fixed, however, at board level and above, this should be limited to the key risks that will directly impact on the delivery of the University strategy or services.
As part of the risk review cycle outlined in section 4, the review should include the deletion of risks that are no longer applicable, the introduction of new risks and the amendment of current risks.
The Risk Management Policy and Framework will be subject to annual review at the Audit and Risk Committee. The Audit and Risk Committee will review the strategic risk register as well as evidence that the risk policy is being adhered to across the University.
The Audit and Risk Committee will review the effectiveness of the risk policy and risk management framework and may recommend an external review of the process.
It is the responsibility of the Director of Risk to ensure that the risk management framework is being adhered to and will escalate to the Director of Finance omissions or evidence of a lapse in risk management from operational risk registers.
Appendix A: risk register data description
Ref |
A unique identifier. This can be anything that makes sense to the risk register owner but should be sequential |
Title |
A very short title that makes it easy to understand what the risk is about |
Date raised |
What date was this initially added to the log. This will help with the ageing profile of the register |
Risk owner |
Who will be ultimately accountable for the management of this risk? This is not the person who will be responsible for completing the mitigating actions |
Root cause |
What are the reasons this risk could occur? This is commonly written as “due to…” |
Risk description |
How would you describe the risk? This is commonly written as “there is a risk that…” |
Risk impact |
What would happen if the risk happened? This is commonly written as “this will result in…” |
Strategy |
How does this risk relate to our thematic and enabling strategies? Refer to appendices C for a drop-down list of these strategies |
Movement |
Since the last review, is this risk: RISING – the risk is becoming more likely, or the impact is bigger than you originally thought STABLE – there is no change to the likelihood of the risk occurring or the impact it will have IMPROVING – the risk is becoming less likely, or the impact is less than you originally thought |
Mitigation |
How will we manage this risk? RESOLVE – can we completely remove all likelihood that this risk will not happen or that there will be no impact to the University? REDUCE – can we make it less likely that the risk will happen or, if it does, we can soften the impact to the University? ACCEPT – is there nothing we can do to reduce or resolve the likelihood and probability? TRANSFER – can we pass this to an external partner to resolved or reduce such as a sub-contractor to manage on our behalf? |
Proximity |
If the risk becomes a reality, how far in the future is that likely to happen? It is common to use this alongside the initial probability, e.g., there is a 75% chance of this happening in 6 months to 1 year Anytime 1 to 3 months 3 to 6 months 6 months to 1 year More than 1 year |
Initial impact |
A score of 1 to 5. Refer to appendices B for further details |
Initial probability |
If all actions were completed and controls are working, what would the probability score be? A score of 1 to 5: 1 (very Low) - 1% to 19% chance. “there is not much chance of this happening” 2 (low) - 20% to 39% chance. “we don’t think this will happen” 3 (medium) - 40% to 59% (or 50/50) chance. “we don’t know if this will happen” 4 (high) – 60% to 79% chance. “we are reasonably sure this will happen” 5 (almost certain) – 80% to 99% chance. “we are almost certain this will happen” |
Initial assessment |
Initial impact * Initial probability |
Mitigation control or action |
Mitigations can take one of two forms: Action – this will be a task with a clear output or outcome with a clearly defined due date. Common words for an action include deliver, produce, run or set up Control – this will be an operational or business as usual mitigation such as monthly review at a committee or board. Controls do not have a due date but need to have a date when it will be reviewed to ensure the mitigation is effective |
Mitigation description |
A list of mitigations that will be undertaken to manage the risk. A separate line should be created for each mitigation so that the owner can be assigned |
Mitigation owner |
A separate name who is responsible for each mitigation action or control |
Action or review date |
A separate date for each mitigation action or when the control will be reviewed again |
Residual impact |
If all actions were completed and controls are working, what would the impact score be? Refer to appendices B for further details |
Residual probability |
If all actions were completed and controls are working, what would the probability score be? A score of 1 to 5: 1 (very Low) - 1% to 19% chance. “there is not much chance of this happening” 2 (low) - 20% to 39% chance. “we don’t think this will happen” 3 (medium) - 40% to 59% (or 50/50) chance. “we don’t know if this will happen” 4 (high) – 60% to 79% chance. “we are reasonably sure this will happen” 5 (almost certain) – 80% to 99% chance. “we are almost certain this will happen” |
Residual assessment |
Residual impact * Residual probability |
Escalation level |
Using the escalation table in appendix D, what level in the University is this being managed? Levels 1 to 3 are fixed, however, levels 4 to 7 can be changed to suit the audience of the risk register: Level 1 – Audit and Risk Committee/Court Level 2 – Senior Management Group Level 3 – College Management Group, Professional Services Group or Committee The governance site contains all Terms of Reference for committees including escalation of risk |
Status |
Is this risk still open? |
Last review |
What was the last date that this risk was updated? |
Notes |
Freeform text to provide additional information or context |
Appendix B: scoring methodology
Probability |
1 - Very Low Probability |
2 - Low Probability |
3 - Medium Probability |
4 - High Probability |
5 - Almost Certain |
|
1% to 19% chance of happening; there is not much likelihood this will happen |
20% to 39% chance of happening; we don't think this will happen |
40% to 59% chance of happening; we don't know if this will happen |
60% to 79% chance of happening; we are reasonably sure this will happen |
80% to 99% chance of happening; we are almost certain this will happen |
Impact |
1 - Very Low Impact |
2 - Low Impact |
3 - Medium Impact |
4 - High Impact |
5 – Highest Impact |
Civic |
|
|
|
|
|
Data |
High trust - can be used for strategic purposes; GDPR unlikely to be impacted |
High to moderate trust - can be used for management purposes; GDPR could be impacted and requires further review |
Moderate trust - can be used for more than one operational purpose; GDPR highly likely to be impacted and requires action |
Moderate - Low trust - can be used for single operational purpose; GDPR will be an issue and an action plan is required |
Low trust - data is not fit for purpose; GDPR requirements will be not be met |
Estates |
Negligible environmental impact managed within operating budgets. Nil or minor localised impacts to, ecosystems, water resources or air. Impact does not require specific management of rehabilitation. Dust/Noise nuisance release |
Environmental damage, requiring up to £100k to study or correct. Minor impact to ecosystems, water resources or air. Damage is recoverable through short-term (less than 1 year) management and rehabilitation. On site release contained by organisation. |
Temporary but localised effect on ecosystems, water resources or air. Rectification required over medium-term (1-5 years). Requiring £100k-£500k to study or correct.. On site release contained by organisation. |
Major temporary effect on ecosystems, water resources or air. Requiring £500k-£1million to study or correct. Major temporary Rectification difficult but may be possible in the long term (5 years or longer). Release affecting minimal off-site area requiring external assistance (SFRS/RPS etc.) |
Major permanent effect on ecosystems, water resources or air requiring £1million+ to study or correct. Rectification difficult and unlikely to result in recovery. Toxic release affecting off-site with detrimental effect requiring external assistance. |
External relations and reputation |
Highly unlikely to cause adverse publicity |
Unlikely to cause adverse publicity |
Needs careful PR |
Diverse local publicity/limited damage to University brand |
Adverse national publicity/ongoing damage to University brand |
Finance |
Financial loss of £500k-£1m or more than £100k p.a. |
Financial loss of £1-2m or more than £500k p.a.
Opportunities would result in less than £750k p.a cost saving or income generation |
Financial loss of £3-5m or more than £750k p.a.; minor changes to current procurement or current supplier contracts required
Opportunities would result in more than £750k p.a cost saving or income generation |
Financial loss of £5-10m or more than £1m p.a.; major changes to current procurement or current supplier contracts required
Opportunities would result in more than £1m p.a cost saving or income generation |
Financial loss of >£10m or more than £2m p.a.; new procurement or new supplier contracts will be required
Opportunities would result in more than £2m p.a cost saving or income generation |
Health and Safety |
Minimal impact to health/welfare |
Workplace safety compromised; significant impact to health/welfare |
Litigation due to unsafe workplace; major impact to health/welfare; lost time <7 days |
Serious injury or harm; dangerous near miss; significant publicity and litigation as a result; lost time >7 days |
Death or permanent disability; long term impact to service; major publicity and litigation |
Innovation |
Minor impact on our Innovation Strategy |
Would have a small impact on our ability to take advantage of commercialisation opportunities |
Would have a major impact on the Innovation Strategy objectives
Opportunities may result in some commercialisation opportunities |
Would have a significant impact on our ability to take advantage of commercialisation opportunities |
Would result in us unable to achieve our Innovation Strategy
Opportunities would result in significant commercialisation opportunities |
International |
|
|
|
|
|
Learning and teaching |
Minor impact on teaching activity |
Short-term impact on teaching activity |
Significant impact on teaching activity; loss of a key academic course; |
Major impact on teaching activity; significant impact on a school |
Unsustainable impact on teaching activity; significant impact on a College |
People and OD |
Minimal impact to staff wellbeing. No visible impact to capacity and capability |
An increase in wellbeing cases. Key roles are being impacted. Visible impact on service delivery and operations |
Major impact to staff wellbeing. Short term loss of key roles. Significant impact to staff morale |
Threat of staff industrial action. Long term loss of key roles. Significant impact to capacity and capability. Highest impact on service delivery and operations |
Widespread and sustained industrial action. Long term impact to capacity and capability. Complete loss of service delivery and operations |
Research |
Minor impact on research activity |
Short-term impact on research activity |
Significant impact on research activity |
Major impact on research activity; significant impact on a school; short term damage to research funding |
Unsustainable impact on research activity; significant impact on a College; irreparable damage to research funding |
Services |
Disruption (< 1 day) disruption to business critical services; no noticeable disruption to non-critical services |
Disruption between 1 and 5 days disruption to business critical services; disruption < 10 days to non-critical services |
Loss < 1 day disruption to business critical services; no loss to non-critical services |
Loss (between 1 and 5 days) disruption to business critical services; loss (< 10 days) to non-critical services |
Loss > 5 days of service to business critical services; loss > 10 days to non-business critical services |
Student Experience |
no noticeable impact on student experience |
no impact to teaching; would lead to individual students raising concerns; no impact on NSS scores |
minor disruption to teaching; would lead to a group of students raising concerns; low impact (1-2) years on NSS scores |
significant disruption to teaching; would lead to individual students raising a formal complaint or leaving the University; medium impact (2-3 years) on NSS scores |
teaching stopped in one or more School; would lead to a group of students raising formal complaints or leaving the University; long term impact (more than 3 years) on NSS scores |
Student Recruitment |
no noticeable impact on student recruitment |
would lead to 1% and 3% of student recruitment markets not being met |
would lead to 4% to 7% of student recruitment targets not being met |
would lead to between 7% and 10% of student recruitment targets not being met |
would lead to more than 10% of student recruitment targets not being met |
Sustainability |
No impact from a legal or reputational perspective |
No legal impact but negligible reputational damage or discord within community |
Could result in: Minor fines or legal suits Manageable reputational damage Some discord within community Negligible impact on staff and student recruitment and retention Opportunities may have an indirect positive impact on our Sustainability Strategy |
Could result in: Major fines or legal suits Reputational damage requiring careful PR Noticeable discord within community Some negative impact on staff and student recruitment and retention Opportunities may have a direct positive impact on our Sustainability Strategy |
Would definitely result in: Major fines or legal suits Significant reputational damage Serious discord within community Significant negative impact on staff and student recruitment and retention Opportunities will definitely have a direct positive impact on our Sustainability Strategy |
Technology/ IT |
Negligible impact on technology systems, infrastructure or architecture |
MInor impact on technology systems, infrastructure or architecture with a known solution or a medium term workaround fix. There may be an impact on the delivery of the Technology Strategy
Opportunities would result in minor improvements to technology systems, infrastructure or architecture |
Impact to technology systems, infrastructure or architecture that could be fixed with a short term workaround solution. Minimal impact on the delivery of the Technology Strategy
Opportunities would result in significant improvements to technology systems, infrastructure or architecture |
Major impact on technology systems, infrastructure or architecture that would require immediate remediation. Key elements of the Technology Strategy would not be delivered.
Opportunities would result in significant improvements to technology systems, infrastructure or architecture |
Untenable impact on technology systems, infrastructure or architecture. Unable to achieve the delivery of the Technology Strategy
Opportunities would result in a transformational change to technology systems, infrastructure or architecture |
Transformation |
Minor impact on the Transformation Strategy |
Would result in a delay or increase to cost within business case tolerances to a Transformation project. |
Would result in a delay or increase to cost outside of business case tolerances but highly likely to be approved. May result in minor inefficiencies to our processes or systems
Opportunities would have some impact to the Transformation Strategy. Would result in minor efficiency improvements to our processes or systems |
Would result in a significant delay or increase to cost to a Transformation project. May result in major inefficiencies to our processes or systems.
Opportunities would have a direct impact to the Transformation Strategy. |
Would result in the complete halt to a Transformation project. The Transformation Strategy would not be able to meet stated goals. Would result in unacceptable inefficiencies to our processes or systems
Opportunities would exceed the current expected benefits from the Transformation Strategy. Would result in significant efficiency improvements to our processes or systems |
Project – Finance and cost |
Overspend of less than 1% of agreed budget |
Overspend between 1% and 3% of agreed budget |
Overspend between 3% and 5% of agreed budget; minor changes to current procurement or current supplier contracts required |
Overspend between 5% and 10% of agreed budget; major changes to current procurement or current supplier contracts required. Additional Capital Application required |
Overspend of greater than 10% of agreed budget; new procurement or new supplier contracts will be required. Additional Capital Application required |
Project - Resources |
|
|
|
|
|
Project – Scope and business case |
Scope change or functionality/quality/ business case impact barely noticeable. |
Scope change or functionality/quality/business case impact noticeable but accepted by customer/end user |
Scope change or functionality/quality/ business case noticeable and would require a minor change |
Scope change or functionality/quality/business case noticeable and would require a major change |
Scope change or functionality/quality/business case would not be accepted by the customer/end user |
Project – Time and planning |
Slippage of less than 2% of project lifecycle or less than 4 weeks. Has no impact of the implementation of business activities. |
Slippage between 3% and 10% of project lifecycle or between 1- and 2-months slippage. Delay of up to two weeks for non-business critical activities and up to 2 days on business-critical activities. |
Slippage between 10% and 15% of project lifecycle or between 2- and 3-months slippage. Delay of up to 4 weeks for non-business critical and up to 1-week delay to business-critical activities. |
Slippage between 15% and 20% of project lifecycle or between 3- and 6-months slippage. Delay of up to 2 weeks for business-critical activities. |
Slippage of greater than 20% of project lifecycle or more than 6 months slippage Delay of greater than 2 weeks for business-critical activities. |
Appendix C: escalation, categories and ratings
Escalation level |
Examples |
Level 1 (fixed) |
Court and Audit and Risk Committee |
Level 2 (fixed) |
Senior Management Group |
Level 3 (fixed) |
College Management Groups, Professional Services Group, Governance Groups (as described in the corporate governance structure (www.gla.ac.uk/governance) |
Level 4 (mandatory) |
School, University Services Leadership Teams (e.g. People and OD, Commercial Services or Finance) |
Level 5 (optional) |
Teams or Programme Boards |
Level 6 (optional) |
Sub teams or Project Boards |
Level 7 (optional) |
Projects |
1 - Very Low Impact |
2 - Low Impact |
3 - Medium Impact |
4 – High impact |
5 – Major impact |
|
5 - Almost Certain |
Medium |
Medium |
High |
Major |
Major |
4 - Very High Probability |
Low |
Medium |
High |
High |
Major |
3 - Medium Probability |
Low |
Medium |
Medium |
High |
High |
2 - Low Probability |
Low |
Low |
Medium |
Medium |
High |
1 - Very Low Probability |
Low |
Low |
Low |
Low |
Medium |
Low risk: Requires minimal attention. Updated at next review date |
Medium risk: Should be reviewed and updated monthly to ensure that mitigation is effective |
High risk: Effective mitigation plan signed off at appropriate level and updated monthly to ensure that mitigation is effective |
Major risk: Requires immediate attention. Effective mitigation plan signed off a level above or SMG/Audit and Risk Committee. Updated regularly to ensure that mitigation is effective |
Thematic strategies |
Enabling strategies |
Other |
Civic engagement Innovation Internationalisation Learning and teaching Research Student experience Sustainability |
Data and cybersecurity Estates Finance People and Organisational Development Services Student recruitment Technology/IT Transformation |
Health & Safety External Relations Student recruitment Project finance and cost Project resources Project scope and business case Project time and planning |
Appendix C: Impact Statements
Impact | 1 - Very Low Impact | 2 - Low Impact | 3 - Medium Impact | 4 - High Impact | 5 – Highest Impact |
Civic | Minor impact on Civic Engagement – very limited impact on civic and community partners. | Short-term impact on Civic Engagement – limited impact on civic and community partners; contained to specific area of the University’s civic engagement | Significant impact on Civic Engagement; significant impact on civic and community partners resulting in negative impact on institutional ability to meet civic engagement commitments. | Major impact on Civic Engagement; major impact on civic and community partners resulting in inability to meet significant institutional commitments and the delivery of the University’s Civic Mission and its Civic Strategy | Unsustainable impact on Civic Engagement involving a significant number of civic and community partners |
Data | High trust - can be used for strategic purposes; GDPR unlikely to be impacted | High to moderate trust - can be used for management purposes; GDPR could be impacted and requires further review | Moderate trust - can be used for more than one operational purpose; GDPR highly likely to be impacted and requires action | Moderate - Low trust - can be used for single operational purpose; GDPR will be an issue and an action plan is required | Low trust - data is not fit for purpose; GDPR requirements will be not be met |
Estates | Disruption of up to 1 day to business-critical services/estate; disruption of up to 5 days to non-critical services/estate; | Disruption up to 5 days to business critical services/estate; disruption of up to 10 days to non-critical services/estate; | Total loss of up to 1 day to business critical services/estate; total loss of up to 5 days to non-critical services/estate; | Total loss of up to 5 days to business critical services/estate; total loss of up to 10 days to non-critical services/estate; | Total loss over 5 days to business critical services/estate; total loss over 10 days to non-critical services/estate; |
Infrastructure (heating/power/water) loss affecting a section of a building. | Infrastructure (heating/power/water) loss affecting entire building. | Infrastructure (heating/power/water) loss affecting up to half of campus area. | Infrastructure (heating/power/water) loss affecting up to three-quarters of campus area. | Infrastructure (heating/power/water) loss affecting more than three-quarters of campus area. | |
External relations and reputation | Highly unlikely to cause adverse publicity | Unlikely to cause adverse publicity | Needs careful PR/Diverse local publicity | Diverse local and national publicity/limited damage to University brand | Adverse national and international publicity/sustained damage to University brand |
Finance | Financial loss of £500k-£1m or £100k-£500k per annum | Financial loss of £1-2m or £500k-£750k per annum | Financial loss of £3m-£5m or £750k-£1m per annum; | Financial loss of £5-10m or £1m-£2m per annum; | Financial loss of >£10m or >£2m per annum; |
minor changes to current procurement or current supplier contracts required | major changes to current procurement or current supplier contracts required | new procurement or new supplier contracts will be required | |||
Opportunities would result in <£750k per annum cost saving or income generation | Opportunities would result in £750k-£1m per annum cost saving or income generation | Opportunities would result in £1m-£2m per annum cost saving or income generation | Opportunities would result in >£2m p.a cost saving or income generation | ||
Health and Safety | Minimal impact to health/welfare | Workplace safety compromised; significant impact to health/welfare | Litigation due to unsafe workplace; major impact to health/welfare; lost time <7 days | Serious injury or harm; dangerous near miss; significant publicity and litigation as a result; lost time >7 days | Death or permanent disability; long term impact to service; major publicity and litigation |
Innovation | Minor impact on our Innovation Strategy | Would have a small impact on our ability to take advantage of commercialisation opportunities | Would have a major impact on the Innovation Strategy objectives | Would have a significant impact on our ability to take advantage of commercialisation opportunities | Would result in us unable to achieve our Innovation Strategy |
Opportunities may result in some commercialisation opportunities | Opportunities would result in significant commercialisation opportunities | ||||
International | Minor impact on international activity which does not have widespread consequences for international strategy | Short-term impact on international activity; minor impact on recruitment, research, reputation and partnership activity – contained to small region | Significant impact on international activity; loss of significant income and detrimental to partnership activities, research and reputation in one region. | Major impact on international activity; major impact on a partnership activity, research, reputation and recruitment in key geographical region or several regions. | Unsustainable impact on international activity impacting several key regions. |
Would result in inability to achieve our International Strategy or meet institutional targets. | |||||
Learning and teaching | Minor impact on teaching activity | Short-term impact on teaching activity | Significant impact on teaching activity; loss of a key academic course; | Major impact on teaching activity; significant impact on a school | Unsustainable impact on teaching activity; significant impact on a College |
People and OD | Minimal impact to staff wellbeing. No visible impact to capacity and capability | An increase in wellbeing cases. Key roles are being impacted. Visible impact on service delivery and operations | Major impact to staff wellbeing. Short term loss of key roles. Significant impact to staff morale | Threat of staff industrial action. Long term loss of key roles. Significant impact to capacity and capability. Highest impact on service delivery and operations | Widespread and sustained industrial action. Long term impact to capacity and capability. Complete loss of service delivery and operations |
Research | Minor impact on research activity | Short-term impact on research activity | Significant impact on research activity | Major impact on research activity; significant impact on a school; short term damage to research funding | Unsustainable impact on research activity; significant impact on a College; irreparable damage to research funding |
Services | Disruption (< 1 day) disruption to business critical services; no noticeable disruption to non-critical services | Disruption between 1 and 5 days disruption to business critical services; disruption < 10 days to non-critical services | Loss < 1 day disruption to business critical services; no loss to non-critical services | Loss (between 1 and 5 days) disruption to business critical services; loss (< 10 days) to non-critical services | Loss > 5 days of service to business critical services; loss > 10 days to non-business critical services |
Student Experience | no noticeable impact on student experience | no impact to teaching; would lead to individual students raising concerns; no impact on NSS scores | minor disruption to teaching; would lead to a group of students raising concerns; low impact (1-2) years on NSS scores | significant disruption to teaching; would lead to individual students raising a formal complaint or leaving the University; medium impact (2-3 years) on NSS scores | teaching stopped in one or more School; would lead to a group of students raising formal complaints or leaving the University; long term impact (more than 3 years) on NSS scores |
Student Recruitment | no noticeable impact on student recruitment | would lead to 1% and 3% of student recruitment markets not being met | would lead to 4% to 7% of student recruitment targets not being met | would lead to between 7% and 10% of student recruitment targets not being met | would lead to more than 10% of student recruitment targets not being met |
Sustainability | Overall success in meeting targets and fulfilling actions; a small number of actions not achieved within expected timescale | Overall success in meeting targets and fulfilling actions; some targets missed and some actions not achieved within expected timescale | Mixed success in meeting targets and fulfilling actions; significant revision required to strategy and action plan | Some successes in implementing sustainability strategy but overall failure to achieve goals, resulting in negative publicity | General failure to achieve strategy resulting in widespread condemnation and reputational damage to University |
Technology/ IT | Negligible impact on technology systems, infrastructure or architecture | MInor impact on technology systems, infrastructure or architecture with a known solution or a medium term workaround fix. There may be an impact on the delivery of the Technology Strategy | Impact to technology systems, infrastructure or architecture that could be fixed with a short term workaround solution. Minimal impact on the delivery of the Technology Strategy | Major impact on technology systems, infrastructure or architecture that would require immediate remediation. Key elements of the Technology Strategy would not be delivered. | Untenable impact on technology systems, infrastructure or architecture. Unable to achieve the delivery of the Technology Strategy |
Opportunities would result in minor improvements to technology systems, infrastructure or architecture | Opportunities would result in significant improvements to technology systems, infrastructure or architecture | Opportunities would result in significant improvements to technology systems, infrastructure or architecture | Opportunities would result in a transformational change to technology systems, infrastructure or architecture | ||
Transformation | Minor impact on the Transformation Strategy | Would result in a delay or increase to cost within business case tolerances to a Transformation project. | Would result in a delay or increase to cost outside of business case tolerances but highly likely to be approved. May result in minor inefficiencies to our processes or systems | Would result in a significant delay or increase to cost to a Transformation project. May result in major inefficiencies to our processes or systems. | Would result in the complete halt to a Transformation project. The Transformation Strategy would not be able to meet stated goals. Would result in unacceptable inefficiencies to our processes or systems |
Opportunities would have some impact to the Transformation Strategy. Would result in minor efficiency improvements to our processes or systems | Opportunities would have a direct impact to the Transformation Strategy. | Opportunities would exceed the current expected benefits from the Transformation Strategy. Would result in significant efficiency improvements to our processes or systems | |||
PROJECT SPECIFIC RISKS | |||||
Project – Finance and cost | Overspend of less than 1% of agreed budget | Overspend between 1% and 3% of agreed budget | Overspend between 3% and 5% of agreed budget; minor changes to current procurement or current supplier contracts required | Overspend between 5% and 10% of agreed budget; major changes to current procurement or current supplier contracts required. Additional Capital Application required | Overspend of greater than 10% of agreed budget; new procurement or new supplier contracts will be required. Additional Capital Application required |
Project - Resources | We have the capability but there may be an acceptable delay in freeing the resources to complete the work | We have the capability but there may be an unacceptable delay in freeing the resources to complete the work | We do not have the capability and would need to train current resources to complete the work within acceptable cost or time | We do not have the capability and would need to source externally or recruit to complete the work within acceptable cost or time | We not have the capability and sourcing expertise is likely to be increase cost or time to unacceptable levels |
Project – Scope and business case | Scope change or functionality/quality/ business case impact barely noticeable. | Scope change or functionality/quality/business case impact noticeable but accepted by customer/end user | Scope change or functionality/quality/ business case noticeable and would require a minor change | Scope change or functionality/quality/business case noticeable and would require a major change | Scope change or functionality/quality/business case would not be accepted by the customer/end user |
Project – Time and planning | Slippage of less than 2% of project lifecycle or less than 4 weeks. Has no impact of the implementation of business activities. | Slippage between 3% and 10% of project lifecycle or between 1- and 2-months slippage. Delay of up to two weeks for non-business critical activities and up to 2 days on business-critical activities. | Slippage between 10% and 15% of project lifecycle or between 2- and 3-months slippage. Delay of up to 4 weeks for non-business critical and up to 1-week delay to business-critical activities. | Slippage between 15% and 20% of project lifecycle or between 3- and 6-months slippage. Delay of up to 2 weeks for business-critical activities. | Slippage of greater than 20% of project lifecycle or more than 6 months slippage |
Delay of greater than 2 weeks for business-critical activities. |
Appendix D: risk appetite statements
Strategic theme | AVERSE | MINIMAL | CAUTIOUS | SEEKING |
We will accept risk with a score of 1 -4 | We will accept risk with a score of 5 - 9 | We will accept risk with a score of 10 – 16 | We will accept risk with a score of 20-25 | |
Definition | Avoidance of risk and uncertainty is a key organisational objective | Preference for safe options that have a low degree of risk and may only have limited potential for reward | Willing to consider all potential options and choose the one most likely to result in successful delivery, while also providing an acceptable level of reward and value for money | Eager to be innovative and to choose options offering potentially higher rewards despite greater inherent risks |
Data | The University will not compromise on its statutory obligations to store, interrogate or dispose of data. There is no tolerance for information security risk causing loss or damage to University data | |||
Estates | EXISITING ESTATE | CAMPUS DEVELOPMENT | ||
The University will take all care of duties in the protection of the campus heritage and the fabric of our buildings | The University will actively seek new and innovative usage of space | |||
External Relations and reputation | The University will not compromise its reputation and values in the short or long term | |||
Finance | Financial risks and rewards are to be weighed against short and long term strategic and operational priorities | |||
Health and Safety | The University will not compromise any aspect of Health and Safety that puts any staff, student or member of the public at risk | |||
Innovation | The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets | |||
Learning and Teaching | The University recognises that, although quality and integrity of output is paramount, it seeks to maintain and to benefit from ongoing developments in the definition and delivery of academic outputs | The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets | ||
People and OD | The University will not compromise the wellbeing of its staff | The University recognises trade union collaboration and will avoid industrial action as much as possible | ||
Research | The University recognises that, although quality and integrity of output is paramount, it seeks to maintain and to benefit from ongoing developments in the definition and delivery of academic outputs | The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets | ||
Student experience | A positive and rewarding experience is of paramount importance to the University. A small level of risk is acceptable if it demonstrates providing a more enriched and innovative experience to the student | |||
Services | The University seeks innovation and improvement but will not accept higher risk in the operation of key services | |||
Sustainability | Threats | Opportunities | ||
The University has zero tolerance for any adverse impact on the environment | The University has a high tolerance for innovative and unique opportunities that actively contribute to our Sustainability Strategy and reduces our carbon footprint | |||
Technology | The University seeks innovation and improvement but will not accept higher risk in the operation of key systems | |||
Transformation | The University's will actively seek opportunities for innovation and accept higher risk that would demonstrate excellence |
Download the Risk Management Policy and Framework in PDF
Note that this document is frequently updated in terms of impact and appetite statements as we mature our strategies.
Last updated June 2022