Risk Management Framework and Policy v7.0 (2024)

What is this policy about?

This policy sets out the University’s approach to risk management and the framework used to identify, assess, address and monitor risk.

Who should follow this policy?

All staff should be aware of this policy; it is the responsibility of each College, School and service to ensure that there is a nominated administrator who is fully conversant in the policy and how risk is managed.

How does the University check this policy is followed?

This policy is a key part of the Audit and Risk Committee annual review. The Strategic Risk Register is regularly reviewed and discussed at the Senior Management Group.

Who should I contact with any queries about this policy?

Please contact Craig.Chapman-Smith@glasgow.ac.uk or Jane.Hoey@glasgow.ac.uk 

Last refreshed 09/12/24

Purpose

The University is accountable to a wide audience including funding bodies, students, staff, the public and the University Court.  Risk management supports our strategic planning and prioritisation and strengthens our ability to be agile when responding to challenges or seizing opportunities.

The purpose of the risk management policy and framework is to provide:

  • a definition of risk, roles and responsibilities and the encompassing governance structure.
  • a consistent set of tools required to adopt good practice in the identification, assessment, mitigation and monitoring of risk. It is intended to cover risk at a strategic and operational level as well as support the delivery of change through our project management framework.

Risk management definition

Risk is defined as the threat or possibility that an action, event or set of circumstances will adversely or beneficially affect an organisation’s ability to achieve its objectives.   Risk management is defined as the planned and systematic approach to identifying, assessing, addressing and managing risk.

Roles and responsibilities

  • Court retains responsibility for the review of the effectiveness of risk management systems of control, independently from the Audit and Risk Committee, and will review the content of the Strategic Risk Register (SRR) annually.
  • The Audit and Risk Committee will keep under review the adequacy and effectiveness of the University’s risk management arrangements and shall consider:
    • The scope and effectiveness of the systems established by management to identify, assess, manage, and monitor financial and non-financial risks. This will include regular review by the Committee of the SRR, and attendance by a member or members of the Committee at University-level risk workshops.
    • Where applicable, internal audit and management’s assessments and reports on the effectiveness of the systems for risk management.
    • The oversight and governance arrangements for risk areas, which it will review on an annual basis.
  • The Principal will be accountable for reporting to Court, via the Audit and Risk Committee, a summary of the University’s risk management process and the outcome of the risk management monitoring activities.
  • The University Risk Management Policy and Framework and risk reporting will be delegated to the Executive Director of Finance. The Executive Director of Finance will ensure the management processes are robust and demonstrate assurance to the Audit and Risk Committee.
  • The Director of Strategy Implementation and Risk, reporting to the Executive Director of Finance, will manage the SRR, providing assurance on the effectiveness of mitigations and horizon scanning insights on emerging risk, and will act as the escalation conduit from operational and project risk assessments.
  • The risks identified within the SRR are determined by the University’s Strategic Framework. Each risk is assigned to a member of the Senior Management Group (SMG). The role of the risk owner is to take responsibility for ensuring that suitable management strategies are in place for dealing with each identified risk.
  • The Head of Risk, reporting to the Director of Strategy Implementation and Risk, will be responsible for the day-to-day management of all other financial and non-financial risk across the University and will lead on College/University Services risk registers as well as support the management of risk across Schools, Research Institutes, University Services functions and major programmes/projects.
  • The Heads of College and College Management Groups (CMG) will be responsible for risk management activities within their Colleges. The Colleges and University Services Heads of Finance will be responsible for administering the Colleges’ risk management activities, supported by the Head of Risk. Please refer to appendix E for the Level 2 Risk Standard Operating Procedure.
  • The University Chief Operating Officer & Secretary and Professional Services Group (PSG) will be responsible for risk management within University Services.
  • Heads of Schools will be responsible for the risk management activities within their School. School risk registers will be managed locally and returned to CMG on an agreed schedule or as part of the School Return (SPR). This is supported by the Head of Risk.  Please refer to appendix F for the Level 3 Risk Standard Operating Procedure.
  • Executive Directors of Service will be accountable for the management of risk within each service. Each Executive Director of Service will delegate the administering of risk management activities within their service to a nominated Local Risk Manager.  Please refer to appendix F for the Level 3 Risk Standard Operating Procedure.

Strategic, operational and project risk

The University’s annual operating planning process sets the objectives and targets necessary to achieve the delivery of our strategic ambitions.  Risk management is embedded within this process and risk is managed at the following levels:

  • Court review annually.
  • Audit and Risk Committee review bi-annually.
  • Senior Management Group (SMG) review monthly with an annual full review (referred to as the level 1 risk register).
  • Committees and Sub-committees review bi-annually and prior to discussion at the SMG.
  • College Management Group and Professional Services Group will agree a review schedule with an annual full review (referred to as level 2 risk registers).
  • Schools, Research Institutes and University Services leadership teams will agree a review schedule with annual full reviews (referred to as level 3 risk registers).

Major projects and working groups require a separate risk register which will be monitored by the relevant project board (or equivalent).  Escalation for projects and working groups will vary in Colleges and University Services and the Terms of Reference for each board should define the escalation process.  In general, tactical and project risk is managed at the following levels:

  • Programme and Project Boards or Professional Services Group review at each meeting with an annual review.
  • University Services Executive Directors of Service (if applicable) review monthly.
  • Programme and Project Boards or Working Groups review at each meeting.

University Safety and Resilience risk

Identification, assessment and mitigation of health and safety risk is managed by the Director of Health, Safety and Resilience.  These risks will not be managed as part of the University Risk Management Policy and Framework.  Please refer to www.gla.ac.uk/myglasgow/health for further details and policy.

Cybersecurity risk

Identification, assessment and mitigation of a cybersecurity threat is managed by the Chief Information Security Officer.  These risks include but are not limited to: the threat from ransomware; state-sponsored activity (theft or disruptive activity); the risk of theft of data (particularly research data); and release of data through human error.  These risks will not be managed as part of the University Risk Management Policy and Framework unless escalated, via the Professional Services Group, to the Senior Management Group.  At this point, the risk will be recorded and managed on the Strategic Risk Register under this framework.  The website for cybersecurity risk can be reached at IT information security.

Risk escalation

Guidance in appendices E and F (Standard Operating Procedures) outlines the various levels in the University where risk is managed.  Should a major risk (as defined by the scoring matrix in appendix B) be considered too great for the current level of management, it should be escalated to the next level.  This will be clearly marked in the risk register as detailed in appendix A.

Risk appetite

The University recognises that its risk appetite is continually changing as it responds to internal and external changes.  At any one time, the University may be willing to accept additional risk in one area while reducing in another.  As part of the annual SMG risk review, the risk appetite will be checked against current strategic and operational needs. 

The University’s approach is to minimise its exposure to health and safety, reputational, legal and staff wellbeing risk.  The University will accept some risk in service delivery and operations, as well as in technology, if there is a return on innovation and improvement to key systems and services.  The University will accept a higher academic and financial risk exposure if it can be demonstrated that there will be a clear return and positive impact on its strategic ambitions.  Appendix D provides risk appetite statements for each category of risk.

Embedding risk

Risk should not be viewed as a standalone piece of work or a regulatory requirement; it should be seen as a tool to support the delivery of our operations and strategic ambition as well as a core source of data for decision making:

  • Linking risk to strategy. Risk shall be categorised in line with the thematic and enabling strategies.  The exceptions to this will be health and safety and reputational risk.  The full list of thematic and enabling strategies can be found in appendix D.
  • Linking risk to governance.  Our governance structure is fully explained on the site www.gla.ac.uk/governance.  Each governance body has a Terms of Reference including risk management and escalation processes.  Each governance body responsible for a thematic or enabling strategy shall review the appropriate risks on the Strategic Risk Register.
  • Linking risk to investment.  The investment portfolio is managed by the Investment Committee.  As all investments capture the associated thematic or enabling strategy, the annual reports to Audit and Risk Committee and Court will demonstrate how investments >£500k are contributing to the mitigation of the Strategic Risk Register.  Business cases should outline key investment risks.  See www.gla.ac.uk/myglasgow/governance/corporategovernance/financialgovernance/investmentcommittee
  • Linking risk to performance. At Strategic Risk Register level only, risks shall be linked to University Key Performance Indicators (KPIs) as an additional measure in reviewing strategic delivery.
  • Key Risk Indicators (KRIs) will be developed as our risk maturity develops.
  • Linking risk to culture. Embedding a risk culture will continue to be developed.  This is built upon the Institute of Risk Management guidance:  https://www.theirm.org/what-we-say/thought-leadership/risk-culture

Risk Management Group

Nominated Risk Managers in Colleges and University Services will meet quarterly to review the master risk register.  This is the aggregation of all registers and is held by the University Head of Risk for analysis, including trends.  It is maintained in the risk management software platform detailed in section 12, Risk Management Framework.

The master risk register will be manually collated quarterly for strategic, operational risks and major programmes.  Insights will be shared at Committee, College Management, Professional Services Group and Boards as well as summarised monthly for Senior Management Group as part of the Strategic Risk Register review.

The Terms of Reference for the Risk Management Group can be found at www.gla.ac.uk/risk/riskmanagementgroup

Publication and communication of risk

A webpage has been created for University staff which provides further information related to this policy and framework at www.gla.ac.uk/risk; this includes links to the Terms of Reference for the RMG, templates, exemplars and training materials, as well as the extract from the annual Financial Statement on Principal Risks and Uncertainties.

Risk mitigations may contain sensitive information which is for internal use only and therefore not on the website.

Risk Management Framework

Supporting this policy, Colleges and University Services will adhere to a consistent format when articulating and managing risk.  Strategic, operational and project risk is managed using the University strategy, project and Governance/Risk/Compliance (GRC) tool, Portfolio and Project Management Anywhere (PPMA), which can be accessed using single sign-on at https://uofg.ppmanywhere.com/.  A training guide on how to use this tool can be found at https://www.gla.ac.uk/myglasgow/ppm/ppma/ppmatraining/ and is further outlined in the appropriate Standard Operating Procedures.  The framework within this document outlines:

  • The template in Appendix A, which is the data used within PPMA for all risk registers
  • Guidance in Appendix B on the methodology for scoring risks
  • Guidance in Appendix C on how risk is rated and escalations
  • Guidance in Appendix D on our appetite for risk
  • Guidance in Appendix E on how risk is managed at CMG and PSG levels
  • Guidance in Appendix F on how risk is managed at School, Research Institute and University Services functional levels

The number of risks in a register is not fixed; however, at board level and above, it should be limited to the key risks that will directly impact on the delivery of the University strategy or services.

As part of the risk review cycle outlined in section 4, the review should include the deletion of risks that are no longer applicable, the introduction of new risks and the amendment of current risks.

The Risk Management Policy and Framework will be subject to annual review at the Audit and Risk Committee.  The Audit and Risk Committee will review the strategic risk register as well as evidence that the risk policy is being adhered to across the University.

The Audit and Risk Committee will review the effectiveness of the risk policy and risk management framework and may recommend an external review of the process.

It is the responsibility of the Head of Risk to ensure that the risk management framework is being adhered to, and to escalate to the Director of Strategy Implementation and Risk any omissions or evidence of a lapse in risk management in operational risk registers.

Appendix A: risk register PPMA field description

* denotes a mandatory field; the system will not save until this is completed

ID

A unique identifier automatically generated by PPMA

Risk Register

Automatically assigned within the PPMA structure

Title*

A very short title that makes it easy to understand what the risk is about.  A prefix is automatically added to identify the risk register

Risk owner*

Who will be ultimately accountable for the management of this risk?  This is not the person who will be responsible for completing the mitigating actions

Root cause*

What are the reasons this risk could occur?  This is commonly written as “due to…”

Risk description*

How would you describe the risk?  This is commonly written as “there is a risk that…”

Risk impact*

What would happen if the risk happened?  This is commonly written as “this will result in…”

Category*

This is the strategic theme which the risk aligns with. Refer to appendix C for a drop-down list of these categories

Strategy

How does this risk relate to our thematic and enabling strategies?  Refer to appendix C for a drop-down list of these strategies

Business Objective

Which of the 9 objectives from the 2025 Strategy does this risk relate to?  Refer to appendix C for a drop-down list of these objectives

KPI

If applicable, the risk should be attributed to one of the strategic Key Performance Indicators

Movement*

Since the last review, is this risk:

WORSENING – the risk is becoming more likely, or the impact is bigger than you originally thought

STABLE – there is no change to the likelihood of the risk occurring or the impact it will have

IMPROVING – the risk is becoming less likely, or the impact is less than you originally thought

Escalation groups/ committees*

Using the escalation table in appendix D, at what level in the University is this being managed? 

Level 1 – Audit and Risk Committee/Court

Level 2 – Senior Management Group

Level 3 – College Management Group, Professional Services Group or Committee

The governance site contains all Terms of Reference for committees including escalation of risk

Identified Date

Date risk was agreed to go onto the risk register

Last review date

The date the risk was last reviewed

Next review date

A separate date for each mitigation action or when the control will be reviewed again

Mitigation*

How will we manage this risk? 

RESOLVE – can we completely remove the likelihood that this risk will happen, or remove any impact to the University?

REDUCE – can we make it less likely that the risk will happen or, if it does, soften the impact to the University?

ACCEPT – is there nothing we can do to reduce or resolve the likelihood or the impact?

TRANSFER – can we pass this to an external partner, such as a sub-contractor, to resolve or reduce the risk on our behalf?

Proximity*

If the risk becomes a reality, how far in the future is that likely to happen?  It is common to use this alongside the initial probability, e.g., there is a 75% chance of this happening in 6 months to 1 year

Anytime

1 to 3 months

3 to 6 months

6 months to 1 year

More than 1 year

Initial impact*

What was the impact when the risk was first identified?  A score of 1 to 5.  Refer to appendix B for further details.  This score does not change and is fixed after entry.

Initial probability*

What was the likelihood that this risk would happen when it was first identified?  A score of 1 to 5.  This score does not change and is fixed after entry:

1 (very low) - 1% to 19% chance.  “there is not much chance of this happening”

2 (low) - 20% to 39% chance.  “we don’t think this will happen”

3 (medium) - 40% to 59% (or 50/50) chance.  “we don’t know if this will happen”

4 (high) – 60% to 79% chance.  “we are reasonably sure this will happen”

5 (almost certain) – 80% to 99% chance.  “we are almost certain this will happen”

Initial assessment*

Initial impact * Initial probability.  This is automatically calculated by PPMA.  This score does not change and is fixed after entry

Current impact*

What is the impact at the time of review?  A score of 1 to 5.  Refer to appendix B for further details

Current probability*

At the time of review, what is the likelihood that this risk will happen?  A score of 1 to 5 as detailed above in the initial probability

Current assessment*

Current impact * Current probability.  This is automatically calculated by PPMA

Residual impact*

If all actions were completed and controls are working, what would the impact score be?  A score of 1 to 5.  Refer to appendix B for further details

Residual probability*

If all actions were completed and controls are working, what would the probability score be?  A score of 1 to 5 as detailed above in the initial probability

Residual assessment*

Residual impact * Residual probability.  This is automatically calculated by PPMA

Mitigation ID

A unique identifier automatically generated by PPMA

Mitigation control or action*

Mitigations can take one of two forms:

Action – this will be a task with a clear output or outcome with a clearly defined due date.  Common words for an action include deliver, produce, run or set up

Control – this will be an operational or business as usual mitigation such as monthly review at a committee or board.  Controls do not have a due date but need to have a date when it will be reviewed to ensure the mitigation is effective

Mitigation description*

A list of mitigations that will be undertaken to manage the risk.  A separate line should be created for each mitigation so that the owner can be assigned

Mitigation assigned to*

A separate name who is responsible for each mitigation action or control

Action or review date*

A separate date for each mitigation action or when the control will be reviewed again

Mitigation notes

An update on the current effectiveness of the control or delivery of the action

RAG

What is the RAG (Red, Amber, Green) status of the mitigation action or control?

GREEN – the action or control is on track

AMBER – for management information only; the action or control may go off track

RED – for management intervention; the action or control is off track

Action Status*

Is this action or control started, in progress or complete? PPMA provides a list of open and closed actions together with completion dates

Last updated

An automated date and time as soon as the user presses save to update an action

Updated by

An automated field showing the username as soon as save is pressed to update an action

Comments and attachments

Freeform text to provide additional information or context. Where possible, comments should include the minutes from the last review of the risk.  Attachments can be added to support actions.

Appendix B: scoring methodology

Probability

1 - Very Low Probability: 1% to 19% chance of happening; there is not much likelihood this will happen

2 - Low Probability: 20% to 39% chance of happening; we don't think this will happen

3 - Medium Probability: 40% to 59% chance of happening; we don't know if this will happen (50/50)

4 - High Probability: 60% to 79% chance of happening; we are reasonably sure this will happen

5 - Almost Certain: 80% to 99% chance of happening; we are almost certain this will happen

Impact

Each category below describes the impact at each score from 1 (Very Low Impact) to 5 (Highest Impact); where a category also records opportunities, the opportunity description is given alongside the corresponding score.

1 - Very Low Impact

2 - Low Impact

3 - Medium Impact

4 - High Impact

5 - Highest Impact

Civic

1 - Minor impact on Civic Engagement; very limited impact on civic and community partners.

2 - Short-term impact on Civic Engagement; limited impact on civic and community partners, contained to a specific area of the University’s civic engagement.

3 - Significant impact on Civic Engagement; significant impact on civic and community partners resulting in negative impact on institutional ability to meet civic engagement commitments.

4 - Major impact on Civic Engagement; major impact on civic and community partners resulting in inability to meet significant institutional commitments and the delivery of the University’s Civic Mission and its Civic Strategy.

5 - Unsustainable impact on Civic Engagement involving a significant number of civic and community partners.

Data

1 - High trust: can be used for strategic purposes; GDPR unlikely to be impacted

2 - High to moderate trust: can be used for management purposes; GDPR could be impacted and requires further review

3 - Moderate trust: can be used for more than one operational purpose; GDPR highly likely to be impacted and requires action

4 - Moderate to low trust: can be used for a single operational purpose; GDPR will be an issue and an action plan is required

5 - Low trust: data is not fit for purpose; GDPR requirements will not be met

Estates

1 - Disruption of up to 1 day to business-critical services/estate; disruption of up to 5 days to non-critical services/estate; infrastructure (heating/power/water) loss affecting a section of a building.

2 - Disruption of up to 5 days to business-critical services/estate; disruption of up to 10 days to non-critical services/estate; infrastructure (heating/power/water) loss affecting an entire building.

3 - Total loss of up to 1 day to business-critical services/estate; total loss of up to 5 days to non-critical services/estate; infrastructure (heating/power/water) loss affecting up to half of the campus area.

4 - Total loss of up to 5 days to business-critical services/estate; total loss of up to 10 days to non-critical services/estate; infrastructure (heating/power/water) loss affecting up to three-quarters of the campus area.

5 - Total loss of over 5 days to business-critical services/estate; total loss of over 10 days to non-critical services/estate; infrastructure (heating/power/water) loss affecting more than three-quarters of the campus area.

External relations and reputation

1 - Highly unlikely to cause adverse publicity

2 - Unlikely to cause adverse publicity

3 - Needs careful PR/diverse local publicity

4 - Diverse local and national publicity/limited damage to University brand

5 - Adverse national and international publicity/sustained damage to University brand

Finance

1 - Financial loss of £500k-£1m or £100k-£500k per annum.

2 - Financial loss of £1-2m or £500k-£750k per annum.  Opportunities would result in <£750k per annum cost saving or income generation.

3 - Financial loss of £3m-£5m or £750k-£1m per annum; minor changes to current procurement or current supplier contracts required.  Opportunities would result in £750k-£1m per annum cost saving or income generation.

4 - Financial loss of £5-10m or £1m-£2m per annum; major changes to current procurement or current supplier contracts required.  Opportunities would result in £1m-£2m per annum cost saving or income generation.

5 - Financial loss of >£10m or >£2m per annum; new procurement or new supplier contracts will be required.  Opportunities would result in >£2m per annum cost saving or income generation.

Health and Safety

1 - Minimal impact to health/welfare

2 - Workplace safety compromised; significant impact to health/welfare

3 - Litigation due to unsafe workplace; major impact to health/welfare; lost time <7 days

4 - Serious injury or harm; dangerous near miss; significant publicity and litigation as a result; lost time >7 days

5 - Death or permanent disability; long term impact to service; major publicity and litigation

Innovation

1 - Minor impact on our Innovation Strategy.

2 - Would have a small impact on our ability to take advantage of commercialisation opportunities.

3 - Would have a major impact on the Innovation Strategy objectives.  Opportunities may result in some commercialisation opportunities.

4 - Would have a significant impact on our ability to take advantage of commercialisation opportunities.

5 - Would result in us being unable to achieve our Innovation Strategy.  Opportunities would result in significant commercialisation opportunities.

International

1 - Minor impact on international activity which does not have widespread consequences for the International Strategy.

2 - Short-term impact on international activity; minor impact on recruitment, research, reputation and partnership activity, contained to a small region.

3 - Significant impact on international activity; loss of significant income and detrimental to partnership activities, research and reputation in one region.

4 - Major impact on international activity; major impact on partnership activity, research, reputation and recruitment in a key geographical region or several regions.

5 - Unsustainable impact on international activity impacting several key regions.  Would result in inability to achieve our International Strategy or meet institutional targets.

Learning and teaching

1 - Minor impact on teaching activity

2 - Short-term impact on teaching activity

3 - Significant impact on teaching activity; loss of a key academic course

4 - Major impact on teaching activity; significant impact on a School

5 - Unsustainable impact on teaching activity; significant impact on a College

People and OD

1 - Minimal impact to staff wellbeing.  No visible impact to capacity and capability

2 - An increase in wellbeing cases.  Key roles are being impacted.  Visible impact on service delivery and operations

3 - Major impact to staff wellbeing.  Short term loss of key roles.  Significant impact to staff morale

4 - Threat of staff industrial action.  Long term loss of key roles.  Significant impact to capacity and capability.  Highest impact on service delivery and operations

5 - Widespread and sustained industrial action.  Long term impact to capacity and capability.  Complete loss of service delivery and operations

Research

1 - Minor impact on research activity

2 - Short-term impact on research activity

3 - Significant impact on research activity

4 - Major impact on research activity; significant impact on a School; short term damage to research funding

5 - Unsustainable impact on research activity; significant impact on a College; irreparable damage to research funding

Services

1 - Disruption of less than 1 day to business critical services; no noticeable disruption to non-critical services

2 - Disruption of between 1 and 5 days to business critical services; disruption of less than 10 days to non-critical services

3 - Loss of less than 1 day to business critical services; no loss to non-critical services

4 - Loss of between 1 and 5 days to business critical services; loss of less than 10 days to non-critical services

5 - Loss of over 5 days of service to business critical services; loss of over 10 days to non-critical services

Student Experience

1 - No noticeable impact on student experience

2 - No impact to teaching; would lead to individual students raising concerns; no impact on NSS scores

3 - Minor disruption to teaching; would lead to a group of students raising concerns; low impact (1-2 years) on NSS scores

4 - Significant disruption to teaching; would lead to individual students raising a formal complaint or leaving the University; medium impact (2-3 years) on NSS scores

5 - Teaching stopped in one or more Schools; would lead to a group of students raising formal complaints or leaving the University; long term impact (more than 3 years) on NSS scores

Student Recruitment

1 - No noticeable impact on student recruitment

2 - Would lead to between 1% and 3% of student recruitment targets not being met

3 - Would lead to between 4% and 7% of student recruitment targets not being met

4 - Would lead to between 7% and 10% of student recruitment targets not being met

5 - Would lead to more than 10% of student recruitment targets not being met

Sustainability

1 - Overall success in meeting targets and fulfilling actions; a small number of actions not achieved within the expected timescale

2 - Overall success in meeting targets and fulfilling actions; some targets missed and some actions not achieved within the expected timescale

3 - Mixed success in meeting targets and fulfilling actions; significant revision required to strategy and action plan

4 - Some successes in implementing the sustainability strategy but overall failure to achieve goals, resulting in negative publicity

5 - General failure to achieve the strategy, resulting in widespread condemnation and reputational damage to the University

Technology/ IT

1 - Negligible impact on technology systems, infrastructure or architecture.

2 - Minor impact on technology systems, infrastructure or architecture with a known solution or a medium term workaround fix.  There may be an impact on the delivery of the Technology Strategy.  Opportunities would result in minor improvements to technology systems, infrastructure or architecture.

3 - Impact to technology systems, infrastructure or architecture that could be fixed with a short term workaround solution.  Minimal impact on the delivery of the Technology Strategy.  Opportunities would result in significant improvements to technology systems, infrastructure or architecture.

4 - Major impact on technology systems, infrastructure or architecture that would require immediate remediation.  Key elements of the Technology Strategy would not be delivered.  Opportunities would result in significant improvements to technology systems, infrastructure or architecture.

5 - Untenable impact on technology systems, infrastructure or architecture.  Unable to achieve the delivery of the Technology Strategy.  Opportunities would result in a transformational change to technology systems, infrastructure or architecture.

Transformation

Minor impact on the Transformation Strategy

Would result in a delay or increase to cost within business case tolerances to a Transformation project.

Would result in a delay or increase to cost outside of business case tolerances but highly likely to be approved.  May result in minor inefficiencies to our processes or systems

Opportunities would have some impact to the Transformation Strategy. Would result in minor efficiency improvements to our processes or systems

Would result in a significant delay or increase to cost to a Transformation project.  May result in major inefficiencies to our processes or systems.

Opportunities would have a direct impact to the Transformation Strategy. 

Would result in the complete halt to a Transformation project.  The Transformation Strategy would not be able to meet stated goals.  Would result in unacceptable inefficiencies to our processes or systems

Opportunities would exceed the current expected benefits from the Transformation Strategy.  Would result in significant efficiency improvements to our processes or systems

Project specific

Project – Finance and cost

Overspend of less than 1% of agreed budget

Overspend between 1% and 3% of agreed budget

Overspend between 3% and 5% of agreed budget; minor changes to current procurement or current supplier contracts required

Overspend between 5% and 10% of agreed budget; major changes to current procurement or current supplier contracts required.  Additional Capital Application required

Overspend of greater than 10% of agreed budget; new procurement or new supplier contracts will be required.  Additional Capital Application required

Project - Resources

We have the capability but there may be an acceptable delay in freeing the resources to complete the work

We have the capability but there may be an unacceptable delay in freeing the resources to complete the work

We do not have the capability and would need to train current resources to complete the work within acceptable cost or time

We do not have the capability and would need to source externally or recruit to complete the work within acceptable cost or time

We do not have the capability and sourcing expertise is likely to increase cost or time to unacceptable levels

Project – Scope and business case

Scope change or functionality/quality/business case impact barely noticeable.

Scope change or functionality/quality/business case impact noticeable but accepted by customer/end user

Scope change or functionality/quality/business case noticeable and would require a minor change

Scope change or functionality/quality/business case noticeable and would require a major change

Scope change or functionality/quality/business case would not be accepted by the customer/end user

Project – Time and planning

Slippage of less than 2% of project lifecycle or less than 4 weeks.  Has no impact on the implementation of business activities.

Slippage between 3% and 10% of project lifecycle or between 1 and 2 months' slippage.  Delay of up to two weeks for non-business-critical activities and up to 2 days for business-critical activities.

Slippage between 10% and 15% of project lifecycle or between 2 and 3 months' slippage.  Delay of up to 4 weeks for non-business-critical activities and up to 1 week for business-critical activities.

Slippage between 15% and 20% of project lifecycle or between 3 and 6 months' slippage.  Delay of up to 2 weeks for business-critical activities.

Slippage of greater than 20% of project lifecycle or more than 6 months' slippage.  Delay of greater than 2 weeks for business-critical activities.

Appendix C: Escalation levels, ratings and strategic themes

| Escalation level | Examples |
|---|---|
| Level 0 | Court and Audit and Risk Committee |
| Level 1 | Senior Management Group |
| Level 2 | College Management Groups, Professional Services Group, Governance Groups (as described in the corporate governance structure, www.gla.ac.uk/governance) |
| Level 3 | School, University Services Leadership Teams (e.g. People and OD, Commercial Services or Finance) |


Risk rating matrix (probability against impact):

| Probability | 1 - Very Low Impact | 2 - Low Impact | 3 - Medium Impact | 4 - High Impact | 5 - Major Impact |
|---|---|---|---|---|---|
| 5 - Almost Certain | Medium | Medium | High | Major | Major |
| 4 - Very High Probability | Low | Medium | High | High | Major |
| 3 - Medium Probability | Low | Medium | Medium | High | High |
| 2 - Low Probability | Low | Low | Medium | Medium | High |
| 1 - Very Low Probability | Low | Low | Low | Low | Medium |

Low risk:

Requires minimal attention.  Updated at next review date

Medium risk:

Should be reviewed and updated monthly to ensure that mitigation is effective

High risk:

Effective mitigation plan signed off at appropriate level and updated monthly to ensure that mitigation is effective

Major risk:

Requires immediate attention.  Effective mitigation plan signed off at a level above or by SMG/Audit and Risk Committee.  Updated regularly to ensure that mitigation is effective

 

Thematic strategies

  • Civic engagement
  • Innovation
  • Internationalisation
  • Learning and teaching
  • Research
  • Student experience
  • Sustainability

Enabling strategies

  • Data and cybersecurity
  • Estates
  • Finance
  • People and Organisational Development
  • Services
  • Student recruitment
  • Technology/IT
  • Transformation

Other

  • Health & Safety
  • External Relations
  • Student recruitment
  • Project finance and cost
  • Project resources
  • Project scope and business case
  • Project time and planning


Appendix D: risk appetite statements

| Strategic theme | AVERSE | MINIMAL | CAUTIOUS | SEEKING |
|---|---|---|---|---|
| Score range | We will accept risk with a score of 1-4 | We will accept risk with a score of 5-9 | We will accept risk with a score of 10-16 | We will accept risk with a score of 20-25 |
| Definition | Avoidance of risk and uncertainty is a key organisational objective | Preference for safe options that have a low degree of risk and may only have limited potential for reward | Willing to consider all potential options and choose the one most likely to result in successful delivery, while also providing an acceptable level of reward and value for money | Eager to be innovative and to choose options offering potentially higher rewards despite greater inherent risks |

Appetite statements by strategic theme:

  • Data: The University will not compromise on its statutory obligations to store, interrogate or dispose of data.  There is no tolerance for information security risk causing loss or damage to University data.
  • Estates (existing estate): The University will take all care of duties in the protection of the campus heritage and the fabric of our buildings.
  • Estates (campus development): The University will actively seek new and innovative usage of space.
  • External Relations and reputation: The University will not compromise its reputation and values in the short or long term.
  • Finance: Financial risks and rewards are to be weighed against short and long term strategic and operational priorities.
  • Health and Safety: The University will not compromise any aspect of Health and Safety that puts any staff, student or member of the public at risk.
  • Innovation: The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets.
  • Learning and Teaching: The University recognises that, although quality and integrity of output is paramount, it seeks to maintain and to benefit from ongoing developments in the definition and delivery of academic outputs.  The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets.
  • People and OD: The University will not compromise the wellbeing of its staff.  The University recognises trade union collaboration and will avoid industrial action as much as possible.
  • Research: The University recognises that, although quality and integrity of output is paramount, it seeks to maintain and to benefit from ongoing developments in the definition and delivery of academic outputs.  The University's appetite for Academic and Technical innovation is that it should be competitive at the earliest opportunity to maintain its standing in local and global markets.
  • Student experience: A positive and rewarding experience is of paramount importance to the University.  A small level of risk is acceptable if it demonstrates providing a more enriched and innovative experience to the student.
  • Services: The University seeks innovation and improvement but will not accept higher risk in the operation of key services.
  • Sustainability (threats): The University has zero tolerance for any adverse impact on the environment.
  • Sustainability (opportunities): The University has a high tolerance for innovative and unique opportunities that actively contribute to our Sustainability Strategy and reduce our carbon footprint.
  • Technology: The University seeks innovation and improvement but will not accept higher risk in the operation of key systems.
  • Transformation: The University will actively seek opportunities for innovation and accept higher risk that would demonstrate excellence.

Appendix E: Level 2 Risk Standard Operating Procedure

Related policy

Risk Management Policy and Framework v7.0

Managed by

Finance Office

Accountable person

Jane Hoey, Head of Risk

Approved by

Audit and Risk Committee and sent to KPMG, internal auditors

Date approved

30th October 2024

Version

1.0

Version notes

First draft

Scope

This SOP covers

Strategic and operational risk at each of the College Management Groups (CMG) and the Professional Services Group (PSG)

This SOP does not cover

  1. Strategic and operational risk at Schools, Research Institutes or any Professional Services department
  2. Project and programme risk management
  3. Health and Resilience risk management
  4. Cybersecurity risk management

Related SOPs

Level 3 Operational Risk Standard Operating Procedure

Resources

Systems impacted

Portfolio and Project Management Anywhere (PPMA)

Forms/templates used

PPMA has a specific form built into the application to record risks, controls and actions.

Reporting

There are 5 key reports available in PPMA

  1. Risk On A Page (no updates)
  2. Risk On A Page (portrait)
  3. Risk On A Page (landscape)
  4. Risk Summary Report (single register)
  5. Risk Summary Report (multiple registers)

Additional guidance

  • QuickRef Guide to project risk

Procedure

Ref 1: Risk identification

  1. New risks will be raised at the CMG via the Head of Finance and Head of Risk.
  2. Proposed escalated risk from Level 3 registers will be presented by the Head of Finance and Head of Risk to College Management Group.
  3. A Risk Owner will be identified. The Risk Owner must be a member of the CMG or PSG

Ref 2: Risk Articulation

  1. All risks will be entered into the strategic risk module of PPMA as defined in the Risk Management Policy and Framework v7.0
  2. Agreement to wording and scoring will be noted in the “notes” section of the risk form on PPMA.

Ref 3: Risk mitigation

  1. The Risk Owner will identify all controls and actions required to mitigate the risk or exploit the opportunity.
  2. Actions can be assigned to non-members of CMG or PSG.
  3. All actions must have a completion date and not a review date
  4. Controls will identify the next review date instead of a completion date
  5. The Risk Owner will update the “notes” section of each control and action with the latest progress or effectiveness of controls

Ref 4: Risk Reporting

  1. PPMA provides reports detailed in section 2.
  2. For each risk, controls and mitigating actions are identified. If actions are open, PPMA provides tracking in respect of completion dates, and this should be monitored. The report to use is Risk On A Page (portrait), which provides a summary of the risk, controls and open/closed actions.
  3. It is recommended that each L2 risk report is reviewed monthly by the Head of Finance to ensure that the risk, controls and actions remain accurate.
  4. A review of open actions should be undertaken to ensure completion dates remain on target. If the date is revised the rationale for moving the date should be provided to the Head of Finance.

Ref 5: Risk Review

  1. A forward schedule of risk reviews will be agreed by the CMG or PSG based on the cycle from the Strategic Risk Register (SRR) managed by the Senior Management Group (SMG)
  2. CMG or PSG members will provide guidance and comments to the Risk Owner.
  3. All progress against actions identified during risk mitigation will be noted in PPMA and reviewed with the aging analysis on PPMA reporting.

Ref 6: Risk escalation

  1. If a risk is increasing/decreasing, or a new risk is identified, this should be escalated to the Head of Finance and discussed at CMG. Once discussed and agreed, PPMA should be updated.
  2. Risk escalation is a live process and does not have to wait until there is a CMG/PSG meeting. The guidance is: do not wait; if you identify a new or increasing risk, contact your Head of Finance as soon as possible.
  3. Escalations of risks to SMG will be made by the University Secretary/Chief Operating Officer or Head of College. SMG will meet weekly and will include any critical escalations as well as the monthly risk review with the Director of Strategy and Risk.

Training

PPMA

Risk training for project and strategic/operational risk is included in the PPMA Overview Course.  Details of this can be found on the internal website www.gla.ac.uk/myglasgow/ppm

Risk training

Tailored risk training is available via Jane.Hoey@glasgow.ac.uk

Appendix F: Level 3 Risk Standard Operating Procedure

Related policy

Risk Management Policy and Framework v7.0

Managed by

Finance Office

Accountable person

Jane Hoey, Head of Risk

Approved by

Audit and Risk Committee and sent to KPMG, internal auditors

Date approved

30th October 2024

Version

1.0

Version notes

First draft

Scope

This SOP covers

Strategic and Operational risks for each of the Schools and Professional Departments within Professional Services Group (PSG).

This SOP does not cover

  1. Strategic and Operational risks at College Management Groups (CMG), the Professional Services Group (PSG) or Research Institutes.
  2. Project and programme risk management.
  3. Health and Resilience risk management.
  4. Cybersecurity risk management.

Related SOPs

Level 2 Operational Risk Standard Operating Procedure.

Resources

Systems impacted

Portfolio and Project Management Anywhere (PPMA).

Forms/templates used

PPMA has a specific form built into the application to record risks, controls and actions.

Reporting

There are 5 key reports available in PPMA

  1. Risk On A Page (no updates)
  2. Risk On A Page (portrait)
  3. Risk On A Page (landscape)
  4. Risk Summary Report (single register)
  5. Risk Summary Report (multiple registers)

Additional guidance

QuickRef Guide to project risk.

Procedure

Ref 1: Risk identification

  1. New risks or escalated risks will be raised by the School risk owner via the Head of Finance and Head of Risk.
  2. Proposed escalated or new risks from Level 3 registers will be presented by the Head of Finance and Head of Risk to the College Management Group.
  3. A Risk Owner will be identified. The Risk Owner must be a member of the School or Professional Department within PSG.

Ref 2: Risk Articulation

  1. All risks will be entered into the strategic risk module of PPMA as defined in the Risk Management Policy and Framework v7.0.
  2. Agreement to wording and scoring will be noted in the “notes” section of the risk form on PPMA.

Ref 3: Risk mitigation

  1. The Risk Owner will identify all controls and actions required to mitigate the risk or exploit the opportunity.
  2. Actions can be assigned to non-members of the School or PSG Department.
  3. All actions must have a completion date and not a review date
  4. Controls will identify the next review date instead of a completion date.
  5. The Risk Owner will update the “notes” section of each control and action with the latest progress or effectiveness of controls.

Ref 4: Risk Reporting

  1. PPMA provides reports detailed in section 2.
  2. For each risk, controls and mitigating actions are identified. If actions are open, PPMA provides tracking in respect of completion dates, and this should be monitored. The report to use is Risk On A Page (portrait), which provides a summary of the risk, controls and open/closed actions.
  3. It is recommended that each L3 risk report is reviewed monthly by the Head of Finance to ensure that the risk, controls and actions remain accurate.
  4. A review of open actions should be undertaken to ensure completion dates remain on target. If the date is revised the rationale for moving the date should be provided to the Head of Finance

Ref 5: Risk Review

  1. A forward schedule of risk reviews will be agreed by the CMG or PSG based on the cycle from the Strategic Risk Register (SRR) managed by the Senior Management Group (SMG). This will be provided to each School so they can consider each of the risks being reviewed and feed escalations/new risks to CMG.
  2. The timing of Schools/Professional Departments risk reviews should be in advance of CMG or PSG meetings.
  3. CMG and PSG members will provide guidance and comments to the School Risk Owner.
  4. All progress against actions identified during risk mitigation will be noted in PPMA and reviewed with the aging analysis on PPMA reporting.

Ref 6: Risk escalation

  1. If a risk is increasing/decreasing, or a new risk is identified, this should be escalated to the Head of Finance. Once discussed and agreed, it should be raised at CMG and PPMA updated.
  2. Risk escalation is a live process and does not have to wait until there is a CMG/PSG meeting. The guidance is: do not wait; if you identify a new or increasing risk, contact your Head of Finance as soon as possible.
  3. Escalations of risks to CMG/PSG will be made by CMG/PSG members. CMG will meet monthly and will include any escalations with the Head of Risk.

Training

PPMA

Risk training for project and strategic/operational risk is included in the PPMA Overview Course.  Details of this can be found on the internal website www.gla.ac.uk/myglasgow/ppm

Risk training

Tailored risk training is available via Jane.Hoey@glasgow.ac.uk


Note that this document is frequently updated in terms of impact and appetite statements as we mature our strategies.

Last updated December 2024.