Guidance on risk management and risk appetite statement

Updated on 10 February 2023

Information on risk treatment and tolerance.

Risk Treatment:

Risk treatment is the process of modifying the risk. This involves deciding on one or more options to modify the risk and then implementing them. The 'treatments' then modify existing controls or create new controls.

Risk treatment would be included under 'existing controls' and 'actions for further control' in the risk register template.

Treatment options:

Threat strategy:

  Avoid    Eliminate uncertainty - terminate risk
  Reduce   Change size - controls to reduce impact/likelihood
  Accept   Take the risk - tolerate
  Monitor  Continue to watch the risk for changes

  • Avoid: the decision to not start or not continue with the activity which led to risk.
  • Reduce: controls will be put in place to aim to reduce the impact/likelihood of the risk.
  • Accept: where the risk lies within the appetite/tolerance range, the risk may be taken in order to pursue opportunity.
  • Monitor: monitoring a risk will include monitoring the status of the risk, the status of the controls in place to mitigate the risk, the status of the associated causes and the status of the associated consequences.

Continual monitoring of a risk means that, where required, the treatment option can be changed; for example, if the likelihood of a risk occurring decreases, it might then fall within the appetite/tolerance range to 'accept' the risk.

What is risk appetite and risk tolerance?

Risk appetite and risk tolerance refer to the willingness of the institution to take a certain amount of risk. The diagram below depicts risk appetite, risk tolerance and risk capacity:

  • Risk Appetite: risk appetite refers to the amount of risk the University/School/Directorate is willing to accept in the pursuit of its objectives.
  • Risk Tolerance: risk tolerance refers to the boundaries of risk taking outside which the University/School/Directorate is not willing to venture in pursuit of its objectives.
  • Risk Capacity: risk capacity is the amount of risk the University/School/Directorate cannot exceed.

The University Court has determined an approach to risk for the University. This approach seeks to minimise exposure to reputational, compliance and undue financial risk whilst encouraging a more open stance to risk in the achievement of the University's strategic objectives as set out in the strategy wheel of the Strategy to 2022. The University accepts that the level of risk appetite varies from one activity to another depending on the potential for that risk to materialise and have a detrimental effect on the reputation and financial sustainability of the University and whether that risk might undermine the University's ability to comply with relevant laws, regulations, codes and practice.

The University defines its risk appetite by reference to a five-point, qualitative non-linear scale: averse - minimal - cautious - open - hungry.

The risk appetite statement (download below) sets out the University's stance on the core operational risks relating to reputation, compliance, financial sustainability and infrastructure as well as the University's stance in terms of risk relating to the delivery of its strategic objectives. In response to feedback from the Court, the University takes a much more open approach to risk in the delivery of its strategic objectives, encouraging risk-taking within the context of an averse/minimal approach to reputation, compliance, finance and infrastructure risk.