Risk Management Strategy
The purpose of this document is to outline an overall approach to risk management that addresses the risks facing the University of Durham in pursuing its strategy and which will facilitate the effective recognition and management of such risks.
Corporate Governance principles for best practice have been outlined in the Cadbury and Hampel reports and more recently Turnbull. The reports have focused upon the benefits to an organisation of risk management and internal controls. Principle D.2 of the Combined Code states that the Financial Statements of an enterprise should disclose the existence of a process for identifying, evaluating and managing the risks faced by an organisation and that such a process is regularly reviewed for continuing relevance and effectiveness.
Risk management should be embedded within the daily operation of the University from strategy formulation through to business planning and processes. Through understanding risks, decision-makers will be better able to evaluate the impact of a particular decision or action on the achievement of the University's objectives.
Risk management strategy does not focus upon risk avoidance but on the identification and management of an acceptable level of risk.
2. Objectives of the Strategy
- To develop a risk map which will identify and rank all significant risks facing the University and so assist achievement of the University strategy through pro-active risk management.
- To rank all risks in terms of likelihood of occurrence and expected impact upon the University.
- To allocate clear roles, responsibilities and accountabilities for risk management.
- To facilitate compliance with best practice in corporate governance, ensuring that the appropriate disclosure statement can be issued within the annual Financial Statements. In addition, to enable the Financial Statements to include a summary of the process applied to reviewing the effectiveness of the system of internal control.
- To raise awareness of the principles and benefits involved in the risk management process and to obtain staff commitment to the principles of risk control.
3. Assessment and Review
This will involve consideration of all potential risks facing the University in pursuing its strategy with risks broken down into appropriate headings (e.g. computer security, staffing, student statistics, reputation etc.) and identified with the colleges, academic and service departments.
All risks should be clearly defined together with the controls that currently exist to manage them. Considering the adequacy of the present control system will avoid duplication of resources as several of the identified risks may already prove to be effectively controlled.
It is important that the internal systems and procedures in place are adequate to manage the identified risk. Where control weaknesses are identified, these should be noted so that the proposed action is taken to remedy such weaknesses.
The Internal Audit Section will undertake the identification of risks. Input will be obtained from the individual colleges, academic and service departments to ensure that all risks have been taken into account and that important risk and control issues have not been overlooked.
4. Risk Ranking
Risks will be categorised as strategic, financial or operational.
As not all risks represent equal significance to the University, each area shall be ranked high, medium or low in terms both of likely frequency and impact.
5. Action Plan
Once risks have been identified and quantified, the next step is to control and manage them. This will involve the consideration of cost-effective action, which will be judged against risk ranking, and the likelihood of occurrence. The proposed action to be taken will then be mapped against the specified risk together with an implementation date reflected by the perceived urgency and the named person designated as responsible for managing the risk.
6. Benefits of Risk Management
Provided the risk management approach is effectively planned and executed according to the specific culture of the University, the benefits of the risk process should encompass the following:
- Awareness of significant risks with priority ranking assisting the efficient planning of resources.
- Enhancement of focus for internal audit needs assessment and planning.
- Recognition of responsibility and accountability.
- An aid to strategic and business planning.
- Identification of new opportunities.
- Action plan for the effective management of significant risks.
7. Ongoing Review
It should be noted that in order to realise its full potential, the Risk Management process should be subject to periodic review. This will ensure that the risk matrix is updated to modify the perceived risks, recognising that new risks will arise whilst others will either disappear or become less significant in terms of priority.
Monitoring the effectiveness of the process is vital and the University should ensure that:
- Clear responsibility exists for the management of a particular risk area.
- Reporting arrangements are in place which will highlight changes in risk priority and any instances where risks are not being effectively managed.
- Procedures are in place, which will ensure the review of the effectiveness of the overall risk process.
- Methods are established for the appraisal of the performance of the risk management process and that suitable performance standards are implemented by which the process may be reviewed.
- University Risk Management Strategy (last modified: 6 December 2010)