University of Nottingham - Risk Management Policy
- The Risk Management Policy is also available as a PDF document.
Risk is the possibility that events, outcomes or actions, both foreseen and unforeseen, adversely affect the University's ability to achieve its strategic objectives; it arises as much from the possibility that opportunities will not be realised as from the possibility that threats will materialise.
An ambitious organisation in a dynamic and uncertain environment will inevitably encounter an ever-changing array of risks, which, to succeed, it must understand and manage as a normal practice.
The University is committed to effective risk management by embedding it in many management processes, especially strategic and operational planning, and by an integrated risk management framework involving planned and systematic risk identification, assessment and mitigation activities.
Risk management entails both reducing the likelihood and impact of events that would have a negative consequence and increasing the likelihood of events that would have positive consequences.
This policy sets out the University's overall approach to risk management. For additional information, contact the Director of Planning and Management Information.
2 Risk Tolerance and Appetite
The University will seek to mitigate or avoid any risks that significantly threaten its position as a leading University, while seeking to capitalise on opportunities to enhance its position.
Where risks are unavoidable, we will put in place measures to reduce the impact of the event or circumstance to an acceptable level. The University will adopt a proportionate response, meaning that risks with a higher risk status attract more regular and intensive consideration and review.
The University may at times pursue objectives that contain an element of risk in anticipation of gaining strategic advantages. It may at times also accept an increased degree of overall risk.
3 Roles and Responsibilities
Ultimate responsibility for the system of risk management internal control lies with Council. Its Audit Committee provides a channel for formal reporting and appraisal.
Responsibility for establishing, operating and monitoring the system of risk management lies with the Vice Chancellor through the Management Board. This includes but is not limited to:
- Defining the University's risk policy and readiness to expose itself to risk, for strategic benefit;
- Assessment of the University's exposure to risk, especially in terms of its Mission and Plan;
- Regular review of the institutional Risk Register, which is owned by Management Board;
- Periodic review of the effectiveness of risk management processes;
- Annual reporting to Council.
The Director of the Planning and Management Information Division (PMID) of the Registrar's Department is responsible for implementing the University Risk Policy, including:
- Reviewing and developing the University's risk management framework;
- Monitoring the effectiveness of risk mitigation activities;
- Maintaining and distributing the Risk Register;
- Embedding risk management programmes;
- Encouraging and disseminating good practice and ensuring conformance to HEFCE guidance.
Senior academic and administrative staff are expected to be aware of the University's Risk Management Policy, familiarise themselves with the Risk Register, and contribute to the University's efforts to understand, assess, and manage its risks.
- They should help mitigate risks faced by the University and identify when and how Schools or Professional Services expose the University to additional risk.
- Staff responsible for risk mitigation programmes related to items in the Risk Register are expected to monitor the effectiveness of those programmes and notify the appropriate Management Board member of substantive changes in the overall risk status.
- All senior staff should encourage an awareness of institutional risks and risk management within their area of responsibility. They must not knowingly take on projects or commitments which expose the University to risk without consent of Management Board.
- Managers of major projects and all other ventures the University has a stake in are obligated to identify, report, and manage risks that may have consequences for the University.
All staff have some part to play in protecting the University from undue exposure to risk, whether reputational, financial, or in terms of its core activities of teaching and research, and are encouraged to be aware of the implications and potential consequences of their actions for the University. If you know of a risk in your area of work that is not already recognised and recorded, you need to share this information with your manager.
4 The Risk Management Process
The implementation and operation of risk management is a continuous process involving activities at all levels of the University and across academic and administrative functions. The main recurring activities at the University level are summarised here; for details of the relevant University procedures, contact the Director of the Planning and Management Information Division of the Registrar's Department. There may also be complementary processes and policies within Schools and Professional Services.
- Strategic risk identification and assessment takes place within strategic risk workshops involving senior staff. Workshops include detailed consideration of causes, consequences, the effectiveness of any mitigating activities in place, and a determination of whether additional measures are needed to reduce the likelihood or impact of the risk. Assessments are to be evidence based and where possible draw on informed expert views. Early warning mechanisms such as a specified level of the relevant key performance indicators are developed. For recognised risks to the University's strategic objectives, responsibility for risk monitoring and mitigation activities is allocated to a specified senior staff member, usually a member of Management Board. Major workshops take place at least annually and aim at broad representation of Schools, Professional Services, and Management Board. The strategic risk workshop results in updates of the University Risk Register.
- There is a biannual interim risk review; higher risk status items may be reviewed yet more frequently. Interim reviews are carried out by the Risk Management Working Group, comprising risk management network delegates, senior academics, and MB members. An autumn update provides a revised Register to coincide with the beginning of the annual planning cycle. A spring update takes place at the conclusion of the planning cycle.
- Management Board receives and reviews the updated Register on a regular basis and will revise, question, or confirm its content before providing updates to Council.
- Senior and mid-level staff manage the implementation of both routine and exceptional risk mitigation programmes on an ongoing basis. Risk mitigation plans will ideally be put in place and responsibility for their execution assigned to named individuals, and monitored by PMID.
- The Risk Register is provided as a recommended resource during strategic plan development and the annual planning cycle. Authors of plans, whether individuals or Committees, are expected to consult it as appropriate.
The scope of the policy is all University of Nottingham academic units, administrative functions, sites, and operations, including its campuses in the United Kingdom, China, and Malaysia.
Organisational units and projects that maintain their own policies and Risk Registers should ensure their local policy and practice are aligned to the University's.
This policy shall be:
- Published on the University's internal websites;
- Included with the University Risk Register;
- Brought to the attention of all senior academic and administrative staff;
- Included in the staff handbook, which is made available to all members of the University.
Current senior staff are responsible for bringing the Risk Policy to the attention of new members of staff as appropriate.
- Dr Thomas Loya
- Director, Planning and Management Information
- Registrar's Department
- Trent Building Room 107, University Park
- Nottingham, NG7 2AN
- +44 (0)115 951 3121
Last revised: January 2010