Posted on 12-Feb-2018


Risk Management Framework

Guidance Notes

1. Background

Risk Management forms part of the University’s internal control (management) arrangements. This document outlines the University’s approach to risk evaluation and subsequent management. The University follows recognised practice in how it approaches risk as outlined within the Combined Code (1999), and both “The Orange Book. Management of Risk – Principles and Concepts” and “Thinking about Risk. Managing your risk appetite: A practitioners Guide” published by the HM Treasury.

The University aims to take a pragmatic approach to risk management which ensures that its processes are fit for purpose, integrated with the planning and management of the University and proportionate to the administrative burden.

Whilst emphasis is placed on the management of risk it is important to note that the failure to realise a genuine opportunity is equally a risk to the University and should be managed/monitored through the same processes and procedures.

This most recent iteration of the Risk Management policy was developed in the autumn of 2015 and was launched alongside the 2016/17 planning process.

2. Principles

The management of risk is key to ensuring the University successfully achieves its desired goals whilst protecting the interests of its stakeholders. Risk is uncertainty of outcome, and good risk management allows the University to:

- have increased confidence in achieving its desired outcomes;
- effectively constrain threats to acceptable levels; and
- take informed decisions about exploiting opportunities.

Good risk management also allows stakeholders to have increased confidence in the organisation’s corporate governance and ability to deliver.[1]

In developing the new framework the following principles have been applied:

- that risk management should be integral to the University’s planning (at all levels);
- that equal focus should be placed on what’s happening in the external environment and how this might impact on the University achieving its objectives, as that currently afforded to the internal environment (relating to core operations or projects);
- that a single framework be applicable for the whole University, that is able to span all risk levels/types of risk;
- that a more thematic approach be taken to risk management, with risks grouped according to potential impact areas as well as source;
- that risks are managed by those in a position to manage the risk and reported to those for whom knowledge of how that risk is being managed is relevant;
- that a more dynamic approach be taken to how the University manages risk;
- that an increased focus be placed on how assurance is sought/received in relation to risks and their subsequent handling;
- that ownership and accountability for the management of risk is essential to an effective risk management process;
- that both the approach to, and the management of, a risk be proportionate to the impact of that risk (should it materialise).

[1] The Orange Book. Management of Risk – Principles and Concepts. October 2004 (HM Treasury).

3. Risk Appetite

Risk appetite is defined as:

“The amount of risk that the University is prepared to accept, tolerate, or be exposed to at any point in time.”

The University’s overall statement of risk appetite is appended to this guidance as Annex One. It should be recognised that whilst the University as a whole has a defined risk appetite, different functions/activities might be more or less hungry for risk, and that, managed properly, this can be entirely appropriate to the organisation delivering its wider objectives.

Should you want any further guidance on risk appetite, i.e. how much of what sort of risk you are prepared to take, then do please refer to the HM Treasury guide “Thinking about risk – managing your risk appetite: A practitioners guide” (November 2006).

4. Risk Approach

For each type of risk the overall approach is to:

- Identify risks which pose threats to fulfilment of strategic and/or operational goals. Risks may relate to our People, our Finances, our Reputation, or the Operational Delivery of the University’s functions;
- Evaluate the possibility and impact of a risk materialising (the “risk assessment”) which is used to prioritise risks;
- Reflect on how the risk is best addressed - tolerated, treated, transferred, terminated or taken (if an opportunity);
- Consider those actions/controls already in place to manage the risk and assess whether they are sufficient;
- aim to Reduce the risk through establishing further mitigating actions/countermeasures which might affect the impact or the possibility of the risk occurring;
- Assess the residual risk rating, i.e. that rating which might be possible to achieve if all the mitigating actions/countermeasures are achieved and are successful;
- Monitor the risk (to ensure that early warning signs are detected in order to put contingency arrangements in operation) by identifying the most appropriate assurance mechanisms to oversee that risk and, if currently insufficient, introduce additional mechanisms;
- Review once a risk has been managed/passed to learn lessons and feed back into the process of managing subsequent risks.

5. Risk Scoring

The University’s exposure to each opportunity/threat is a combination of the likelihood of a risk materialising, and, if it were to materialise, the impact it would have on the University. By definition any assessment of likelihood and/or impact is going to be a largely subjective exercise; however, steps have been taken to bring objectivity to ensure consistency of both approach and assessment.

Particular focus has been placed on the calibration of the scoring mechanisms to help individuals accurately assess the potential impact of a risk (with descriptors being provided from a number of perspectives should that risk materialise):

- Time (taken to resolve)
- Cost
- Reputational impact
- Management Effort
- Outputs (impact on goals, be that local or institutional)

Both likelihood and impact are scored on a scale of 1-5. Definitions for each are included in Figure 1 below. Likelihood ranges from Rare (1) to Almost Certain (5) and Impact from Insignificant (1) to Catastrophic (5).

Figure One. Risk Scoring Matrix

Overall score = Likelihood x Impact (rows are likelihood, columns are impact):

                                          IMPACT
                           1              2        3          4        5
                           Insignificant  Minor    Moderate   Major    Catastrophic
LIKELIHOOD
5 Almost Certain (>90%)    5              10       15         20       25
4 Likely (50-90%)          4              8        12         16       20
3 Possible (30-50%)        3              6        9          12       15
2 Unlikely (10-30%)        2              4        6          8        10
1 Rare (<10%)              1              2        3          4        5

Likelihood descriptors:
5 Almost Certain (>90%): Event is expected to occur in most circumstances
4 Likely (50-90%): Event will probably occur in most circumstances
3 Possible (30-50%): Event should occur at some time
2 Unlikely (10-30%): Event could occur at some time
1 Rare (<10%): Event could occur only in exceptional circumstances

Impact descriptors, by perspective (1 Insignificant to 5 Catastrophic):

Time (taken to resolve)
1: Resolution would be achieved through normal activity
2: Resolution would require input from Head of School or Director
3: Resolution would require the mobilisation of a dedicated project team (VCEG approved)
4: Resolution would require direction from Council
5: Resolution would require external intervention

Cost
1: under £50k
2: £0.05m to £0.5m
3: £0.5m to £5m
4: £5m to £50m
5: over £50m

Reputation
1: Little or no external publicity/reputational risk
2: Adverse external impact or reputational risk issues unlikely
3: Some adverse but short-lived external impact or reputational impact likely
4: Substantial but short-lived adverse external publicity/impact unavoidable
5: Sustained, ongoing, adverse, highly critical publicity/impact likely

Management Effort
1: An event, the impact of which can be absorbed through normal activity
2: An event, the consequences of which can be absorbed but management effort is required to minimise impact
3: A significant event which can be managed under normal circumstances
4: A critical event which with proper management can be endured
5: A disaster with potential to lead to collapse of University

Outputs
1: Negligible impact on Dept/Function or common goals
2: Impacts only on School/Directorate rather than University's common goals
3: Impacts but not radically on some goals/strategic plan objectives
4: Major impact on current or ongoing goals and strategic plan objectives
5: Fundamental impact on current and/or ongoing goals/strategic plan objectives

6. Completing the Risk Register Template

The Risk Register template is appended to this guidance as Annex Two. The template can broadly be subdivided into two sections:

a) an articulation and assessment of the risk itself; and

b) a consideration of specifically where assurance will be sought in relation to that risk.

Working left to right across the template:

a) Articulation/Assessment of Risk

Ref.

To aid with collation/reporting we are asking that all risks be allocated a unique working reference. This should be done locally and follow the convention of a short abbreviation relating to the School/Directorate followed by a number, e.g. for Planning, Governance & Compliance, the first risk on the register might be PGC/1, or for the third risk on the Education and Social Work register: ESW/3.

Risk Date

This should be the date on which a risk is formally escalated to the School/PS Directorate Risk Register. We will be tracking/monitoring risks over time, so understanding when they were first identified and formally captured (and indeed when they are removed from the register) is beneficial in helping understand whether mitigating actions/countermeasures are having the desired effect to the timescales necessary.

Statement of Risk

Capturing the risk accurately is essential in helping to identify the best way to evaluate (and subsequently address) that risk. Risks should be assessed and prioritised in relation to objectives, be that at a local or institutional level. In stating risks, care should be taken to avoid stating impacts which may arise as being the risks themselves, and to avoid stating risks which do not impact on objectives; equally care should be taken to avoid defining risks with statements which are simply the converse of the objective. A statement of risk should encompass the cause of the impact, and the impact to the objective which might arise. Examples[2] of well written statements of risk are provided below in Figure Two.

Figure Two. Drafting of Statement of Risk

Primary Goal Impacted

One of the main enhancements of the “new” Risk Management Framework will be to organise risks,

irrespective of where they were initially identified, according to the goals of the University that they

might affect. This will align more closely with the revised approach being taken to planning for

2016/17 onwards. As well as helping us group “like” risks and agree thematic ways of managing

these risks, it will enable us to report risks to the appropriate governance mechanic for that area of

the University’s activity e.g. risks relating to the achievement of our Research goals should be

received/reviewed by the Research & Knowledge Exchange Committee (or sub-committee thereof)

alongside discussions of what we are doing to achieve those goals.

2 From “The Orange Book: Management of Risk – Principles and Concepts (October 2004)

The goals of the University (as defined within Making the Future: 2013-18) are broadly grouped as:

- Research and knowledge exchange – delivering high quality research of lasting academic value and with impact that benefits and enriches society;
- Teaching, learning and the student experience – increasing the number of students getting an Outstanding Sussex experience;
- Our Falmer campus – creating a high-quality physical environment at Falmer to attract the best students and staff where they will be able to enjoy their study and work;
- External engagement – building more and stronger partnerships with external organisations, institutions and individuals locally, nationally and internationally;
- Economic and social impact – strengthening the economic and social impact of the University on the wider region;
- Professional services – supporting academic excellence and the student experience with excellent value professional services delivered by high-quality people working with the best facilities and partners;
- Sustainable operating – securing the platform for the University’s sustainable future.

Risk Type

Many schemes exist to characterise risk types. Given the breadth of risks the University is exposed to, a simple four “type” scheme has been adopted:

a) Financial

b) Reputational

c) Operational

d) People-related

It is often the case that a single risk might be described as being of more than one type. Where this is the case the dominant “type” should be recorded. What is most important is that the risk has been recorded and is being appropriately managed, rather than how it has been categorised.

Recording the “type” of risk encourages the University to take a broader, more balanced approach to its consideration of risk, and not place unintended emphasis (or the converse) on particular type areas.

The risk “type” is also important when it comes to producing your Risk Heat Map (see Section 7).

Current Controls

These are variously called the current controls, countermeasures or mitigating actions – those things that the University is already doing to manage down the potential risk. The scoring of the risk (above) will have taken into account those activities/measures already in place.

Most of these controls will be preventative, i.e. they are designed to limit the possibility of an undesirable outcome being realised. An example of this might be the introduction of a certain procedure/policy to ensure that something runs smoothly, or a specific intervention designed to address the risk materialising. The more important it is that an undesirable outcome should not arise, the more important it becomes to implement appropriate preventative/mitigating action.

Other types of control include:

a) corrective controls - those designed to correct undesirable outcomes, e.g. insurance;

b) directive controls - those designed to ensure that a particular outcome is achieved, e.g. requiring certain training to be completed before someone can undertake a particular task; and

c) detective controls – designed to identify occasions of undesirable outcomes having been realised, an example of which might be a Post Implementation Review within a project to detect lessons learned for application to future work.

All types of control are appropriate; what is most important is that the control put in place is proportional to the risk. It is normally sufficient to limit controls to give a reasonable assurance of confining likely loss within the defined risk appetite of the University. Every control action has an associated cost (be that financial, time etc.) which needs to be considered when deciding whether it is required.

Owner

This should be the person ultimately responsible/accountable for the management of the risk. For genuinely strategic risks (those with impact rating 4 or 5 to the University – see section on Risk Rating) this would normally be a member of VCEG. For those rating 3-4 it might be a Head of School or Professional Services director, and for lesser risks (1-2) then it would be appropriate for these to be “owned” by a local manager or Head of Function/Department.

Given the complexity of the University it is recognised that, where risks might be identified/managed in multiple places, e.g. Health & Safety, then it is possible for local registers to have local owners and the institution as a whole to have an overall lead person.

Updater

It is recognised that it won’t always be the risk owner that updates and maintains the risk register for the School, PS Directorate or University. Where this is the case it would help the Planning team if a separate person were identified to be the “go-to” person when we need information on the risk or how it is being managed.

Current Rating

An assessment of the current Likelihood and Impact of the risk using the methodology outlined in Section 5 – Risk Scoring.

Overall Rating

This box will auto-populate on your template and is a function of the information inputted into the previous cells relating to Impact and Likelihood. The overall gross risk score will range from 1-25:

1-5    Acceptable
6-10   Action necessary
11-15  Action essential
16-25  Action critical

n.b. the risk scoring matrix has been calibrated to the overall goals of the University, rather than local strategies/goals, so it is unlikely (though not impossible) that a local register, at either School or PSD level, would contain a risk with an overall rating in excess of 15.

Change

When managing risk it is essential to monitor whether a risk is growing or diminishing over time. This change might be a function of either the external environment in which we are operating, or the relative importance of an outcome changing over time. It could also represent the impact of the various controls/actions that might have been undertaken to manage the risk.

The template contains four options (chosen from the dropdown list) including NEW to highlight when a risk is new to the register.

Previous Rating/Overall Rating

This information should be transposed from the last update made to the Register. If a new risk has been added then these columns would not be applicable and should be left blank. The difference between the previous rating and that of the current assessment constitutes the “change” referred to previously within the template.

Planned Mitigating Actions

The template thus far has captured the risk and those actions/controls already in place to manage/ameliorate that risk. Any further actions necessary (but not already underway), which would reduce the University’s exposure to that risk, should be included in this section. The reason these actions are not already underway might be an issue of timing or resource. The various types of action that might be considered to mitigate a risk are the same as those described under the “controls” section previously.

Commentary

Anything else that would help the reader of the Register better understand the risk. It might be used to capture activity or developments between this version of the register and the previous, or where something has happened in the wider environment that might have led to a change in the scoring of a risk.

Residual Risk

A residual risk score is calculated in the same way (likelihood and impact) as the gross score. It defines the level of risk to which the University might reasonably be exposed once the various countermeasures/actions (both current and planned) have been put in place and are reducing the impact/likelihood of that risk. This might not be the lowest possible exposure as (as has been stated previously) all actions require some form of resource, and the University will take a response regarding which actions to implement proportionate to the potential impact of the risk.

The aim should be that sufficient control/action is in place to manage a risk down to acceptable levels (Overall Rating: 1-5). If a risk is assessed to have a residual rating greater than 10 then it is likely that insufficient countermeasures/mitigating actions are in place (or are planned).
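As an added worked example (my code, not the University's guidance or its register template), the following Python applies the Figure One scoring matrix from Section 5, the Overall Rating bands, the Owner guidance and the Residual Risk check above to a small constructed register. The handling of the exact cost thresholds and of an impact rating of 4 in the owner guidance (which the text assigns to both VCEG and Heads of School) are my assumptions; the sample risks and their scores are constructed for illustration.

```python
"""Added worked example (not part of the University's guidance or template):
applies the Figure One scoring matrix, the Overall Rating bands, the Owner
guidance and the Residual Risk check to a small constructed risk register."""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare (<10%)", 2: "Unlikely (10-30%)", 3: "Possible (30-50%)",
              4: "Likely (50-90%)", 5: "Almost Certain (>90%)"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major",
          5: "Catastrophic"}

# Overall Rating bands (Section 6): overall score = likelihood x impact, 1-25
BANDS = ((1, 5, "Acceptable"), (6, 10, "Action necessary"),
         (11, 15, "Action essential"), (16, 25, "Action critical"))


def score(likelihood: int, impact: int) -> int:
    """The Figure One matrix cell for a likelihood/impact pair (1-5 each)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be on the 1-5 scale")
    return likelihood * impact


def band(overall: int) -> str:
    """Map an overall score to its Overall Rating band."""
    for low, high, label in BANDS:
        if low <= overall <= high:
            return label
    raise ValueError(f"score {overall} is outside the 1-25 range")


def impact_from_cost(cost_gbp: float) -> int:
    """Impact level from the Cost row of Figure One.
    Assumption (mine, not the guidance's): each band's upper limit is exclusive,
    so exactly GBP 50k falls into Minor rather than Insignificant."""
    for level, upper in ((1, 50_000), (2, 500_000), (3, 5_000_000), (4, 50_000_000)):
        if cost_gbp < upper:
            return level
    return 5


def owner_level(impact: int) -> str:
    """Owner guidance from the 'Owner' field. The guidance overlaps at impact 4
    (VCEG for 4-5, Head of School/Director for 3-4); this takes the stricter
    reading and assigns 4 to VCEG (my assumption)."""
    if impact >= 4:
        return "VCEG member"
    if impact == 3:
        return "Head of School or PS Director"
    return "Local manager or Head of Function/Department"


@dataclass
class Risk:
    ref: str                  # e.g. PGC/1 (School/Directorate abbreviation + number)
    statement: str
    likelihood: int           # current likelihood, 1-5
    impact: int               # current impact, 1-5
    residual_likelihood: int  # expected once current and planned actions succeed
    residual_impact: int


def assess(risk: Risk) -> dict:
    """Gross and residual ratings plus the checks the guidance asks for."""
    gross = score(risk.likelihood, risk.impact)
    residual = score(risk.residual_likelihood, risk.residual_impact)
    return {
        "ref": risk.ref,
        "gross": gross,
        "gross_band": band(gross),
        "residual": residual,
        "residual_band": band(residual),
        "owner_level": owner_level(risk.impact),
        # Residual Risk: a residual rating above 10 suggests insufficient
        # countermeasures/mitigating actions are in place or planned.
        "mitigation_likely_insufficient": residual > 10,
        # The stated aim is to manage a risk down to the Acceptable band (1-5).
        "at_acceptable_level": residual <= 5,
    }


# Constructed sample register (illustrative values, not real University risks)
SAMPLE_REGISTER = [
    Risk("PGC/1", "Planning data unavailable during the planning round", 3, 3, 2, 2),
    Risk("ESW/3", "Loss of a major external funding stream", 4, 4, 3, 4),
]


def assess_register(register=SAMPLE_REGISTER) -> list:
    return [assess(r) for r in register]


if __name__ == "__main__":
    for row in assess_register():
        print(row)
```

Run as a script it prints one assessment per sample risk: PGC/1 scores 9 (Action necessary) with a residual of 4 (Acceptable), while ESW/3 scores 16 (Action critical) with a residual of 12, which the Residual Risk rule flags as likely under-mitigated.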

c) Assurance

The University has chosen to adopt the “Three Lines of Defence” approach to how it receives assurance on risk. The approach helps clarify roles, responsibilities and accountabilities towards the effective governance of risk management and assurance.

1st Line – Schools/PS Directorates
- involved in day-to-day risk management
- follow a risk process
- apply internal controls and risk responses

2nd Line – Risk and Compliance
- oversee and challenge risk management
- provide guidance and direction
- develop risk management framework

3rd Line – Audit
- review 1st and 2nd lines
- provide an independent perspective and challenge the process
- objective and offers assurance

Operational (1st line of defence)

The University (be that at an institutional or local level) is responsible for ensuring that a risk and control environment is established as part of day-to-day operations. The first line of defence provides management assurance by identifying risk and mitigating actions, implementing controls and monitoring/reporting on progress.

The various assurance mechanisms that might exist and which are relevant to the risk being monitored/managed should be inserted into the vertical columns. It is recognised that individual assurance mechanisms, e.g. the local risk register, will provide assurance to multiple risks, hence the solution of creating a column for each type of 1st line assurance against which a check can be placed if appropriate to individual risks.

Internal Oversight (2nd line of defence)

These are generally the mechanisms that provide oversight, guidance and direction, normally through policy/procedure. They might include such mechanics as Project Boards, Committees, Management Groups or any other body internal to the University which has a monitoring role. The process for recording these relevant to each risk is the same as for the 1st line.

Independent Assurance (3rd line of defence)

Generally provided by external means, these are all the different assurance mechanisms that exist to provide assurance to the University – the most obvious of which is our Internal/External Audit functions. Dependent on the area of risk, other assurance mechanisms might exist such as professional bodies, HEFCE, Health & Safety Executive etc. that have their own monitoring/oversight functions to what we do. Again, this section should be completed as previously.

On a more general note, capturing the various assurance mechanisms across the whole of the University will help the University ensure that the Terms of Reference/scope of these functions/bodies accurately reflect the role they are required to carry out.

Control RAG

Above this section of the template are definitions for the RAG to be applied when assessing the adequacy of the assurance controls in place. These are as follows:

- Low: Significant concerns over the adequacy/effectiveness of the controls in place in proportion to the risks
- Medium: Some areas of concern over the adequacy/effectiveness of the controls in place in proportion to the risks
- High: Controls in place assessed as adequate/effective and in proportion to the risk
- Insufficient information to judge the adequacy/effectiveness of controls

Based on these descriptors an assessment should be made as to whether there are sufficient assurance mechanisms in place relative to the size of the risk. Based on this assessment a judgement can be made as to whether the assurance currently in place is sufficient (Is Assurance Sufficient?).

Where it is felt that additional assurance mechanisms are necessary to ensure the risk is managed as effectively (proportionate to the potential exposure) then Improvement Actions should be identified, and, if agreed, implemented. Actions can take a number of forms that might include:

- recruitment of technical expertise into a function (or professional training for existing staff), e.g. around Health & Safety risks;
- reviewing the terms of reference of an existing Committee/Management Group to ensure an oversight mechanism sits within our governance structures; or
- the need for an Internal Audit of a particular area of activity.

It is important to recognise that the opposite might also be true where, for a relatively low risk area, we have in place multiple, complex, often time-consuming assurance mechanisms. Once the various assurance mechanisms are captured and mapped and this is felt to be the case then consideration should be given as to whether they are all necessary and whether any of these can be ceased (and in so doing free up resource). Where this is the case then stopping doing something might also be regarded as an “improvement action”.

Commentary

An opportunity to provide any other information or progress updates on the assurance around that particular risk.

7. Risk Heat Map

A graphical summary of the aggregated risk profile of the School/PS Directorate or Institution.

Figure Three. Risk Heat Map

8. Governance/Reporting

For the risk management system to be beneficial it needs to be fully embedded into both the governance and planning frameworks of the University. Risks need to have pathways to be escalated when appropriate and, where mitigating actions/countermeasures are agreed on, these need to be included in the priorities/workload of the responsible individual, School or Department.

[Figure Three (image): four Risk Heat Map panels, one per risk type – People, Finance, Reputation and Operational Delivery – each plotting Likelihood (vertical axis) against Impact (horizontal axis).]

Figure Four. Risk Management within the wider Planning Framework of the University

Ultimately Council is responsible for establishing and monitoring risk management policies, strategies and the risk register. In so doing it looks to the Audit Committee “to advise Council on the effectiveness of risk management” within the University.

The overall Risk Management Framework (and attendant procedures) is managed by the Planning, Governance & Compliance Directorate with Professional Services, drawing on local processes within Schools, PS Directorates and projects. Figure Five below provides a summary of how information in relation to risk flows through the University.

[Figure Five (diagram), summarised as text:

Sources of risk and collation:
- INTERNAL (Business as Usual): Schools and PSDs, via Planning, maintain Local Registers; Planning collates and reviews.
- CHANGE: Major Projects and the Project Portfolio maintain Risk Registers and a Portfolio Risk Register; Planning collates and reviews.
- EXTERNAL: Risk Framework, Environmental Scanning and Monitoring; Planning collates and reviews.

Institutional Reporting: VCEG (Termly); Audit / Performance / F&I Committees (Termly); Council (Annual).

Thematic Reporting: VCEG members; Teaching & Learning Committee; Research & Knowledge Exchange Committee; Human Resources Committee; Health, Safety & Environment Committee; Others.

The diagram also carries “Countermeasures / Mitigating Action” and “Feedback” links between the reporting bodies and the sources.]

Figure Five. Risk Management within the University.

Frequency of Reporting

Risks to the delivery of local/University goals and outcomes are generally identified and then escalated via one of three routes:

- external - through notification/scanning of what’s happening in the environment in which the University operates;
- projects (referred to as “change” in Figure Five); and
- locally at School/PSD-level.

External – almost by definition these can surface at any time and might need the rapid mobilisation of response if potentially highly impactful. They are often harder to influence through mitigating action as most will be outside of the direct control of the University. Examples of these types of risk (and/or opportunities) might be: changes to the overall governmental funding environment, or the introduction of proposed changes to Tier 4 Visas for overseas students. Their likelihood is typically (though not impossibly, e.g. lobbying) difficult to influence; however, with sufficient planning it is normally possible to offset the potential impact through the introduction of countermeasures.

Whilst the Planning office will conduct routine environmental scanning, if anyone identifies a significant risk/opportunity to the University they should notify the Planning Office, who will undertake the appropriate assessment and provide guidance as to how (and whether) the risk needs to be added to the overall framework.

Projects – are recognised as being integral to the University achieving its goals. Separate guidance exists as to the University’s approach to managing projects (incl. their governance). The management of risk within the project environment is key to their successful delivery. The University is establishing a central Programme Office, working with the various functions/teams that already exist, to monitor the portfolio of projects and programmes underway in the University at any one time. Irrespective of the complexity/scale of a project, risk needs to be considered – for smaller projects this might purely be identification and management; larger projects will probably have their own risk registers which are reported into/monitored by formally established Project Boards. Risks to Major Projects will, in addition, be part of the more formal reporting to VCEG, Performance Committee and ultimately Council.

The Programme Office reports to VCEG bi-monthly (and Performance Committee termly) on the status of Major/Mid-Tier projects within the University. This includes an assessment of the major risks to the successful delivery of those projects.

Locally – risk registers for Schools and Professional Services Directorates also need to be maintained. Whilst progress in managing individual risks might vary according to the potential exposure of the risk, Schools/PSDs will be required to submit their full registers termly. A full review of your risk register should be undertaken alongside your planning process in Oct-Jan, and lighter-touch reviews, to capture any changes (be that to the scoring or any “new” risks that might have emerged and need to be added to the Register), towards the end of the Spring and Summer terms. It is anticipated that Schools/PSDs would normally review their registers (and progress on managing any significant risks) as part of their SMT meetings.

Source         Frequency of reporting[3]
External       As requested/agreed (dependent on type/potential exposure)
Projects       Cat 1/2a: Bi-monthly, alongside Highlight Reporting to Programme Office
               Cat 2b/3: Locally and/or into Relevant Programme Board (as required)
Schools/PSDs   Termly (Full – Planning Round; Light-touch – Spring/Summer terms)

Onward Reporting

As described previously, a key feature of the University’s risk management framework is the ability to group risks and ensure they are considered by the most appropriate assurance mechanism. The Risk Register template requires individuals to associate their risks to specific goals. This will allow the Planning Office to group risks, collated from whatever source, and ensure they are reported to the most appropriate assurance mechanism, e.g. all Health & Safety risks from around the institution need to be brigaded to a central Health & Safety risk register and this form part of the routine reporting to the Health, Safety and Environment Committee. Similarly any/all risks identified in relation to us achieving one of our academic goals will be grouped and shared with the appropriate University Committee; aggregated financial risks to the Finance & Investment Committee and so on.

[3] For substantive risks, where the University’s risk exposure is significant, specific reporting mechanisms/regimes will be agreed.

The Vice-Chancellor’s Executive Group (VCEG) formally reviews the Institutional Risk Register termly ahead of subsequent reporting to the key Committees of Council (described below). Where a specific significant risk is “live” and requires more regular monitoring/consideration then it will do this through its weekly meetings.

Performance Committee has a specific role “for strategies, projects and plans and areas of operation, to monitor the management of the main risks”. To enable it to fulfil this function it will be routinely updated on the status and plans for all risks deemed to have an impact defined as either major/catastrophic and a likelihood of 3 (possible) or above.

Audit Committee has the responsibility delegated from Council as to the overall effectiveness of the Risk Management Framework. In addition to the reporting on major risks received by the Performance Committee, it will also receive assessments as to the various assurance arrangements and whether these are operating effectively. It might decide to seek further assurance on certain risks if it has specific concerns.

Finance and Investment Committee (or its delegated Sub-Committees) will receive updates to its meetings as to the overall financial risk profile of the University and on any specific financial risks where the potential exposure is in excess of £5m.

Council is ultimately responsible for the strategic oversight of risk management within the University as a whole. It has a statutory requirement to own the Institution’s Risk Register. The involvement of Council in risk management is helpful as members can provide a more complete picture of risk for the University, ensuring that it is integrated into wider processes, and also help define the overall risk appetite.