The Risk Management Guide - City, University of London

Annex 3
Risk Management Guide
A higher education institution (HEI) can face a multitude of risks. Risk is
inescapable, and it is relevant to ask not only ‘what is the risk of doing X?’ but
also ‘what is the risk if we don’t?’
This guide provides a brief overview of the risk management process at City
University London. The guide offers a number of ideas and poses questions
which should be considered when updating, renewing or starting a new risk
register.
Towards the end of this guide there are a number of snapshots of the
documentation used at City to capture strategic risks. In addition to this, the
Governance and Risk responsibility structure is also identified.
1. What is Risk?
Risk concerns both opportunities and threats. An HEI may experience risks that
are a threat to current activities, but at the same time being overly cautious
may prevent opportunities being taken. By considering the actions and decisions
that are taken by City we can start to determine how factors may be preventing
us from meeting our key objectives.
Positive risk management should help City University London to:
• Have increased confidence in achieving its desired outcomes
• Effectively constrain threats to acceptable levels
• Take informed decisions about exploiting opportunities
‘Risk identification is partly about trying to eliminate the number of unknowns’
(CUC & the Leadership Foundation, 2009: Getting to Grips with Risk). An
institution must be mindful that there are some risks that it has yet to
consider and, in some cases, may not even know about. The list of risks that are
identified should be comprehensive, consistent and complete; however, risks can
arise at any point of a project lifecycle and these should also be considered.
2. Who should own your risk?
The Vice Chancellor is responsible for the management of the University,
including all the risks to the University. To assist the Vice Chancellor with this
challenge, there are Strategic Risk Owners identified from the University’s
delegated responsibility framework and their areas of individual authority. This
alignment with the delegations framework ensures that the risk owner has the
authority to fulfil their responsibilities. Each level of owner has a particular set of
responsibilities:
• Strategic Risk Owners – responsible for management and control of all
aspects of their risks, including the implementation of measures taken in
respect of each risk (whether these risks are within one particular activity
or at the strategic or strategic sub-risk level, school and portfolio level or
programme level including business processes, operational services and
projects).
• Risk Owner – responsible for management and control of all aspects of
their risks whether strategic sub-risk, school or portfolio risk, operational
risks and programme and project level risks.
• Action Owners – a delegated role responsible for taking actions in relation
to a specific risk and for keeping the risk owner apprised of the situation.
3. What do we mean by controlling the risks?
Controls are actions or strategies that have been put in place to help to reduce,
or mitigate, the risk, both in terms of likelihood of occurrence and severity of
outcome. Remember that an institution does not want to be so risk-averse that
opportunities are not taken. However, the controls should help an institution
avoid exposed decisions leading to financial loss.
4. What is the level of risk?
It is important for us to prioritise risk so that the University can focus on the most
important issues. At City University London we assess risk by considering the
likelihood of a risk occurring and the impact that this would have on the
University. Impacts may be cost, time, management attention, loss of reputation
and loss of market share. The University also considers the risk once actions
have been taken. This is known as ‘net risk’ or ‘post-control risk.’ By considering
where the risk was before the actions were in place (‘pre-control risk’) we are
able to determine the effectiveness of the controls we are putting in place.
5. Future management of the risk
It may be appropriate that once controls have been put in place the risk is
deemed tolerable and therefore no further action may need to be taken. In this
case, the risk may even be taken off the risk register as an expired risk. It is
not appropriate, however, to forget that this risk may escalate at a later date.
If the risk is intolerable it is essential to consider further actions to reduce the risk.
It is good practice to consider the consequence of the action but also to delegate
the responsibility to an appropriate staff member with an intended completion
date for the task. In some cases an action may be on-going and it is worth
considering the action becoming a control at a later date.
6. Risk Map
Once post-control risks have been assessed for the impact and likelihood they
can be plotted on a risk map. The map at City University London operates on a
‘traffic light’ system whereby the risks sitting in the red section of the map (i.e.,
above the University’s tolerance line) are the areas of most concern. It is the
risks above the tolerance line that have been identified as being those with the
biggest threat to the business of the University and will be the primary concern of
Council.
7. Risk reporting
Risk reporting is the key aspect of the risk management process. The Senior
Team of the University are reliant on the information with which they are
provided. It is essential to provide the right level of detail for the smooth running
of the risk management process. At City, high level risks (those above the
tolerance line) are reported to Council. Those below the tolerance line at the
strategic level are monitored by the risk owners and discussed at ExCo. School
and portfolio risks are dealt with within the structure of each particular school or
portfolio. Where these operational risks become a greater risk to the University
they are escalated up to the strategic risk register for consideration at a
University-wide level.
8. School Risks
Operational risks at School and Portfolio level are considered as part of the
Planning Round. The risks associated with achieving the school plans are
considered by the Strategy and Planning Unit and aggregated up so that areas of
risk common across the University can be identified. Schools and portfolios will
also have their own risks not common with others. An example of this is the
fulfilment of the NHS contract in the School of Community and Health Sciences.
9. Project Risks
Risks at the project level are managed by the Projects Team in IPCS. Much of
the detail of risk management is held within the Prince2 project management
environment.
10. Annual Review
The risk register is reviewed biannually at all levels. As part of the review the
controls, actions and risk significance are reconsidered. Any changes will be
documented and where appropriate, risks that have escalated above the
tolerance line will be reported to Council.
As part of the annual review Audit and Risk Committee will consider the
University’s risk appetite and advise Council to move the tolerance line if
required. The risk policy will also be monitored annually and can be changed if
necessary. These exercises all form part of reporting to HEFCE in the Annual
Monitoring Statement.
11. Description of controls
Controls are put in place to alleviate, or mitigate, the chances of a risk occurring.
Generally, higher priority risks will have more controls in place to try to reduce the
likelihood of a risk occurring. However, some risks are external to the University
and the level of controls may be limited as action by the University may not
reduce the risk.
It is important to consider the consequence of implementing controls. Controls
should help to reduce the risk, not merely be put in place to give the appearance
that action is being taken. Action should reduce the risk or at least maintain the level of the
risk. Controls can expire if they are no longer relevant in the consideration of a
risk. This can occur when the University strategy is updated or policy changes
are implemented.
12. Risk Register: A brief overview
The main body of work associated with Risk Management at City University London is focussed on the Risk Register. The Register
identifies the major risks for the University and links them to the Strategic Plan. This ensures that we consider all risks in achieving the
plan. Figures 1 and 2 show the two parts of the Risk Register. Figure 1 shows the tabular Risk Register which is used as a quick guide to
the risk. Figure 2 is the risk analysis sheet which provides the detail of the actions the University has in place already, further actions that
the University intends to put in place, and the key indicators to measure the level of the risk.

Columns of the tabular risk register:
• Link to the Strategic Plan: the Corporate (KPI) and Operational Performance Indicators (Op) identified to achieve the Strategic Plan
• Risk Description: substantial risks to achieving the Strategic Plan
• Pre Control Risk: Impact (1-5), Likelihood (1-5) and Significance (risk colour in accordance with University's risk appetite)
• Controls: controls in place to constrain the risk
• Post Control Risk: Impact (1-5), Likelihood (1-5) and Significance (risk colour in accordance with University's risk appetite)
• Risk toleration: if the post control risk is deemed intolerable identify further actions required stating responsibility, timescale and cost
• Risk Owner: person responsible for ensuring risk management
• Current Status: Closed, Reducing, Increasing, Imminent or No Change

Example entry:
• Link to the Strategic Plan: 1 Quality of Education
  KPI - Student experience
  KPI - Governance & Compliance
  Op - Student recommendations
  Op - Retention rates
  Op - Programme introductions/amendments/withdrawals
  Op - Employer engagement in curriculum devt
  Op - Results of external programme audits
  Op - Timely completion of institutional reviews
• Risk Description: Programme Development
• Pre Control Risk: Impact 4, Likelihood 4, Significance 16
• Controls: 1.1 Controls
• Post Control Risk: Impact 4, Likelihood 2, Significance 8
• Risk toleration: 1.1 Actions
• Risk Owner: DVC Education
• Current Status: Review Summer 2009

Figure 1: Part of the tabular risk register
1.1 Programme Development
Controls in Place:
• Strengthened marketing intelligence in programme approval
• COO focus on marketing, brand and publicity management
• Address key development areas through Planning Round at ExCo
• Staff development unit created offering improvement of teaching and learning supported by Schools and enhancement strategies
• Annual/Periodic reviews of course viability to BoS and APPSC
• Annual review of courses with professional accreditation
• First year student survey to assess student experience
• Action plans in response to NSS
• Institutional audit discussed at ExCo and scaled up through audit liaison committees in Schools.
Further Actions required:
Action:
• Effective co-ordination of University and School based market research
• Review University’s UG offerings including core curriculum
• Review University’s graduate offerings
• Regular poll of alumni about courses from 2010
• All students to receive core curriculum by 2010
• Module feedback approach to gain consistent student feedback
• 2nd yr & PG survey assessing wider scope than NSS
• INTO initiative to improve PG entry flows and quality
• Business related education review feeding into UG Review
• Associate Deans (L&T) role defined and strengthened
• Timetabling review
• ADS established as a development unit
Responsibility / Target Date: Marketing; ?; DVCE/Head of ADU; Report in June 09; Achieved; 2010/11; 2010; 2010; 2008/09; 2009; June 09; Summer 09
Monitoring/Early warning mechanisms/KPIs:
KPI – Student experience
• % agree response on NSS (3rd yr UG only). NSS results by School and League Table results
Figure 2: Detailed risk analysis
13. Risk Appetite/Risk Map
It is important for the University to assess the level of risk it is willing to accept. When monitoring it is essential to keep the University’s
Council informed of the high level risks. In order to do this, the Audit and Risk Committee recommend a risk tolerance on an annual basis.
Any risk which is deemed to fall above the tolerance line, in this case into the red area of the risk map, must be approved and sanctions put
in place by Council, ExCo and the Projects Board. A full risk map can be viewed as part of the Risk Management documentation and
would usually identify where each of the risks are plotted on the map, and potentially where they have moved from as part of the
monitoring.
Net Risk Assessment (risk after considering controls in place) over the next 5 years or life of the project

Impact Criteria (5 year Impact or over life of the project):
5 Catastrophic: University forced to cease business; Loss of a substantial part of University/School; Financial net impact >20% turnover; Multiple major injuries or deaths
4 Major: Financial net impact of 6-20% of turnover; Substantial regulatory consequences; Major negative sanction by Hefce; Major international adverse publicity; Death of an individual or several major injuries
3 Serious: Financial net impact of 3-5% of turnover; Addressable regulatory consequences; Adverse publicity in national papers; Major injury
2 Moderate: Financial net impact of 1-2% of turnover; No regulatory consequences; Adverse publicity locally or in THES; Minor injury
1 Minor: Financial net impact of less than 1% of turnover; No other significant impacts

Likelihood within 5 years or life of project:
1 Rare: 0 - 5%, Extremely unlikely or virtually impossible
2 Possible: 6-20%, Low but not impossible
3 Likely: 21-50%, Fairly likely to occur
4 Very likely: 51-80%, More likely to occur than not
5 Almost certain: >80%, Almost certainly will occur

Your assessment of probability should depend on factors such as past history, current
circumstances and the nature of controls in place

City University Risk Tolerance Line: Any risks which fall above this line will need
Council/ExCo/Project Board approval and sanction

£m of turnover (2005/6):
                        1%     3%     6%     20%
University              1.4    4.1    8.2    27.4
Social Science          0.1    0.3    0.6    1.9
IHS                     0.3    1.0    1.9    6.4
Law                     0.1    0.3    0.5    1.8
Informatics             0.1    0.2    0.5    1.6
Engineering             0.1    0.4    0.8    2.7
Cass                    0.4    1.1    2.2    7.3
Arts                    0.1    0.3    0.5    1.8
Projects (% of cost)    1%     3%     6%     20%
14. Governance and Risk responsibilities
All members of staff have a duty to be aware of the day to day risks within the University and to be aware of the risks operating within their
School or Portfolio. At the strategic level risks are owned by members of the Senior Management Team. There is currently a list of fifteen
strategic risks which are deemed to be of vital importance to the running of the University. These risks can be found within the Strategic
Risk Register.
[Figure: organisation chart, City University Governance and Risk Responsibilities (from July 2009)]
Roles shown: Council Members of the University; Acting VC; Deputy Vice Chancellor; DVC Education; DVC Research and International; PVC, Director of City Law School; PVC, Director of School of Community and Health Sciences; Conjoint Dean, School of Social Science and Arts; Conjoint Dean, School of Informatics and SEMS; Dean of Cass Business School; Chief Operating Officer; University Secretary.
People named: Julius Weinberg; David Bolton; Dinos Arcoumanis; Susan Nash; Christina Slade; Ken Grattan; Mary Watts; Richard Gillingwater; Henrietta Royle; Frank Toop; John Tibble; Kevin Gibbons.
Areas of responsibility listed: Governance of the University; Management; University Planning; Learning and Development Centre; Education; Research; International Relationships; City Law School; School of Community and Health Sciences; School of Social Science; School of Arts; School of Informatics; School of Engineering and Mathematical Science; Cass Business School; Governance; Finance; Internal Audit; Human Resources; Commercial office; Academic Development Unit; Information Services; Dean of Students; Marketing; Dean of Validations; Development and Alumni Relations; Services for Students; Property and Facilities.