Risk Management Policy

About the Risk Management Policy

Risk management refers to the practice of identifying potential risks in advance of them taking place, assessing them and taking action to reduce the likelihood of the risk happening, or its impact if it does happen. 

The Risk Management Policy is documented below on this web page and sets out the University’s approach to risk management.  The Policy is considered by the Risk Oversight Group, Executive Board and Audit Committee before being approved every year by Council, the University’s governing body.  

For advice on risk management or the Risk Management Policy, please contact the Student Conduct, Risk and Information Governance Team: 

Matthew Stephenson, Tel 01274 233021, Email: 

The Risk Management Policy is stated below:



Risk Management Policy

Owner: University Secretary
Author: Matt Stephenson, Associate Director (Governance, Legal & Risk)
Approved by: Council
Date of approval of this version: 29 November 2023
Next Review Date: 29 November 2026
Version Number: v3.3b
Applicable statutory, legal or national best practice requirements:

OfS Regulatory framework for higher education in England

OfS Accounts Direction

Equality impact assessment completion date: 31 August 2023
Data protection impact assessment completion date: No detailed DPIA needed due to nature of policy

This document can only be considered valid when viewed via the University website. If this document is printed into hard copy or saved to another location you must check that the version number on your copy matches that of the one on the University website.  Approved documents are valid for use after their approval date and remain in force beyond any expiry of their review date until a new version is available.

1. Introduction

1.1 Risk is the effect of uncertainty on objectives, an effect being a deviation from an expected outcome. This could be either a positive or negative effect. Risk is typically expressed in terms of:

  • Risk Sources
  • Potential Events
  • Consequences; and
  • Likelihood

1.2 Risk management is a coordinated activity to direct and control the risks an organisation faces.

1.3 The University recognises the need to adopt a systematic risk management approach to ensure systems and processes effectively manage identified risks.

1.4 The benefits of this approach are that it:

   1.4.1   supports strategic and operational planning and decision making;

   1.4.2   supports academic standards and continuous improvement of academic activities;

   1.4.3   protects the University’s reputation and standing;

   1.4.4   increases productivity;

   1.4.5   supports effective use of resources;

   1.4.6   promotes continuous improvement;

   1.4.7   helps focus the internal audit programme;

   1.4.8   reduces the impact of unexpected events and shocks;

   1.4.9   reassures stakeholders and partners;

   1.4.10 reduces the need for crisis management; 

   1.4.11 optimises the benefit of new opportunities;

   1.4.12 supports the achievement of objectives, targets, KPIs and strategies; and

   1.4.13 supports demonstration and achievement of societal expectations (such as environmental, social and governance (ESG) aspects, including the University's sustainability commitments).

2. Scope

2.1 This policy applies to those responsible for, or working in, any activity across the University which includes some element of risk or uncertainty.

3. Responsibilities


3.1 Council is ultimately responsible for ensuring that an effective process of risk management is embedded at all levels in the University and covering all aspects of business and academic activity.

3.2 Council considers risk and controls and receives regular reports from both the Executive Board and Audit Committee. Reports to Council focus on providing the appropriate level of assurance that the processes and controls to identify and manage risk are working effectively.

Audit Committee

3.3 The Audit Committee will provide more detailed scrutiny and oversight of the risk management framework on behalf of Council. Audit Committee will assess the adequacy of arrangements for risk management and for internal financial control. This will include the detailed periodic review of the Corporate Risk Register, annual review of the overall statement of institutional risk appetite and consideration of the high-level review of work conducted by both the University’s internal and external auditors around the adequacy of relevant systems of internal control.

3.4 The Audit Committee will provide the necessary assurance and recommendations that will enable it to recommend to Council whether to approve the Corporate Risk Register and the annual risk appetite.

Executive Board

3.5 The Executive Board, led by the Vice-Chancellor, is charged with responsibility for overseeing implementation of the Risk Management Policy.

3.6 The Executive Board will receive regular reports on risk management from the Risk Oversight Group, which oversees the implementation and operation of the risk management framework on behalf of the Executive Board.

3.7 The Executive Board will provide regular reports to Audit Committee.

Senior managers

3.8 The University Secretary is the University’s executive lead for risk management and will ensure that the Executive Board receives regular updates on the University’s corporate risk register, highlighting any significant recommendations and will oversee university-wide engagement with operational risk management.

3.9 Members of the Executive Board are responsible for local arrangements for risk management within their own areas, including ensuring an appropriate level of scrutiny for the risks. They also have responsibility for ownership of corporate risks, ensuring identification and alignment of the risks for which they are responsible with University strategy and KPIs and, where appropriate delegated to other managers, the treatment of risks through delivery of agreed actions to mitigate identified risks.

Wider responsibilities

3.10 The identification, assessment and management of risk is an essential element of the work of all University Committees, Boards, Faculties and Directorates, as well as part of the Project Management Framework.

3.11 All staff with management responsibility are expected to have an understanding of the nature of risk associated with their area of responsibility as well as appropriate escalation procedures.

3.12 All staff with management responsibilities are expected to embed the University's values, including the commitments to environmental, social and governance and sustainability goals along with equality, diversity and inclusion, within their risk management responsibility.

3.13 Risk management training will be provided as part of the management training programme to support the operation of the risk management framework. Specific personnel will be mandated to complete the training.

4. General Principles

4.1 As part of the Risk Management Framework, the University will consider the amount and type of risk that is acceptable in the pursuit of its business objectives and agree a Risk Appetite Statement that is reflective of the strategic risks and organisation-wide operational risks.

4.2 The Risk Appetite Statement will be reconsidered on an annual basis.  

Risk Registers

4.3 Risks identified by the University are documented in risk registers.

4.4 The University Corporate Risk Register documents the University’s main strategic risks.

4.5 Local risk registers are in place for each faculty and directorate and in relation to some specific activities such as compliance with UKVI requirements.

4.6 For every risk, both corporate risks and local risks, the risk registers include:

  • the risk definition (or title);
  • the causes, effects for that risk;
  • the appetite for that risk (for corporate level risks only);
  • the risk owner;
  • the risk lead (if different to the owner);
  • existing controls and mitigations;
  • the details of the assurances that each mitigation is effective and the amount of confidence that may be derived from the assurance;
  • the impact and probability scores and overall rating;
    • of the risk prior to any mitigations taking effect (inherent risk score);
    • of the risk as a result of the mitigations in place (residual risk score);
    • of the level of risk the University would find acceptable (target risk score) (for corporate level risks only); and
  • planned further controls to reduce residual risk to an acceptable level.

These elements of the risk register are reviewed and updated on an ongoing basis.

4.7 The University uses a three lines of assurance approach to provide confidence, based on adequate and appropriate evidence, that mitigations are in place and operating effectively. The three lines of assurance are:

  • first line: departmental management provides assurance that mitigations are in place and operating effectively via internal checking and oversight mechanisms;
  • second line: University management, governance structures and input from other Directorates separate from the department responsible for the risk, provide assurance that mitigations are in place and operating effectively;
  • third line: third parties such as partners, inspectors, auditors, regulators and customers provide feedback and checking mechanisms to assure that mitigations are in place and operating effectively (this may or may not include oversight of first and second line assurances).

4.8 Operational oversight of the risk register is undertaken by the Risk Oversight Group reporting to the Executive Board with formal oversight by Audit Committee at each of its meetings on behalf of the University’s Council.

4.9 The identification of key institutional risks informs the corporate risk register and is derived from the perspective of the members of The Executive Board, the Risk Oversight Group and local management teams who consider factors such as the international, national, regional and local developments, competition, changing environment, resources and potential problems or opportunities for the University.

4.10 Risk registers are formally reviewed and updated at least quarterly by Faculty or Directorate Management teams or through other equivalent channels determined by Deans / Directors.

Internal Audit

4.11 Internal audit reinforces the risk management approach, with the programme of reviews based on the key risks of the University and to provide assurance to managers and the Audit Committee that:

  • a process is in place to identify key risks;
  • a response to managing individual risks has been adopted; and that
  • appropriate and timely action is taken to improve risk management.

4.12 The internal audit planning process involves engagement with University management to identify the risks associated with delivery of the University’s strategic objectives. These are cross-referenced with the University risk register and are subjected to a risk assurance exercise.

4.13 Risk assurance identifies the key controls in place to manage each risk and the sources of assurance available. The internal audit programme of work is informed by areas highlighted where controls could be enhanced or where additional assurance may be required by senior management or by the Audit Committee. 

Risk Oversight Group

4.14 The Risk Oversight Group is the key University body for the consideration of risk and risk management matters. It is a sub-committee of the Executive Board and is chaired by the University Secretary.

4.15 It will identify and rate the key institutional risks to delivery of the strategic objectives and key operational matters.

4.16 It reports on a quarterly basis to the Executive Board providing a detailed review and consideration of the Corporate Risk Register and local risk registers and the mitigations and assurances contained in each.

4.17 It supports consistency of practice for risk management and business continuity throughout the University.

4.18 Its role is to:

  • consider emergent risk areas, advising the Executive Board as appropriate;
  • oversee the development and maintenance of the University’s overall risk management and business continuity infrastructure and framework, at institutional and sub-institutional level, ensuring consistency of practice and reporting, and making recommendations to the Executive Board as appropriate; this includes ensuring the adequacy, relevance and strategic alignment of the institutional risk register;
  • oversee the University’s risk exposure, keeping under review new and emergent risks, ensuring appropriate horizon scanning (both within and outside the HE sector), reporting to the Executive Board as appropriate;
  • consider the institutional risk appetite and potential differences between different business areas and institutional activities, making recommendations to the Executive Board as appropriate;
  • to review the institutional risk register, ensuring that it provides a comprehensive and current assessment of institutional risk, aligned to key performance indicators and institutional strategy, with appropriate risk mitigation actions;
  • to undertake deep dive reviews of corporate level risk, assessing all aspects of the risk and identifying any further elements of the risk not previously documented;
  • to undertake reviews of local risk registers, specifically assessing specific highly rated local risks and identifying any further local risks not previously documented and considering the escalation or de-escalation of issues to the institutional registers;
  • to consider and follow-up on events where a risk or detrimental incident has materialised unexpectedly or where existing controls were inadequate, in order to reduce the likelihood of future occurrences of this risk and to identify gaps in the University's risk profile; and
  • to facilitate regular updates and discussion on business continuity planning and ensure the regular review of the University’s Business Continuity Plans and their alignment with related plans and policies (e.g. emergency planning, disaster recovery).

Project Risks

4.19 Parallel arrangements are in place for project-based risks.

4.20 Each Project Board is responsible for the management of risks for each project. These can be escalated to the Executive Board.

4.21 In addition, the Executive Board will receive a regular report from the Project team on the status of any projects and any risks to delivery.

4.22 Furthermore, a representative from the Programme Management Office is a member of the Risk Oversight Group to ensure effective linkage between project-based risks and other University risks.

Risk Management Process

4.23 Risks are identified through assessing what circumstances or events will impact on the delivery of the University’s strategy and operational objectives and priorities, and are captured in either the Corporate Risk Register or local risk registers.

4.24 An assessment of each risk will be undertaken to ascertain the likelihood and scale of impact of each risk. Every risk is given a score from 1 to 5 for impact and for probability; the two scores are multiplied to give an overall risk rating.

4.25 These risk ratings are then colour-coded to enable the quick identification of the overall significance of each risk:

  • Low (risk rating of 1-4), coloured green
  • Medium (risk rating of 5-9), coloured amber / orange
  • High (risk rating of 10-15), coloured red
  • Exposed (risk rating of 16-25), coloured dark red

4.26 The inherent and residual rating will inform the required risk controls.

4.27 The University uses risk management software and a standard risk register format to complete the risk evaluation process involving risk identification, cause, impact assessment, category of risk, probability, risk control and action assessment.

4.28 Due diligence and good management practice dictate that identified risks are actively managed through established controls and that further controls to reduce residual risk to an acceptable level are developed and captured as appropriate. Systematic documentation and monitoring of key risks and management actions with identified early warning and performance indicators of effectiveness will be undertaken. This supports the development of targeted risk treatment plans.

4.29 Risk owners will ensure that risk controls have appropriate regard to legal and regulatory requirements and the University's commitments to environmental, social and governance including sustainability along with equality, diversity and inclusion.

4.30 As the University’s risk management activity matures, further developments will be embedded into the University’s Risk Management Framework.

5. Monitoring and review

5.1 All strategic risks are owned by a member of the University Executive Board. Executive Board members are also responsible for local risk management within their own Faculties and Directorates.

5.2 Senior managers are charged with reporting to the Executive Board any issues arising from this process.

5.3 All staff are expected to escalate all known risks to a level of management that can effectively respond.

5.4 This policy will be formally reviewed on at least a three-yearly basis with a Risk Appetite Statement being approved annually.

6. Related policies and standards / documentation

6.1 OfS Regulatory Framework for higher education in England (Annex B: Public interest governance principles):

"V. Risk management: The provider operates comprehensive corporate risk management and control arrangements (including for academic risk) to ensure the sustainability of the provider's operations, and its ability to continue to comply with all of its conditions of registration."

6.2 OfS Accounts Direction, paragraph 27.