Risk management policy

Overview

Risk is the possibility that an action, event or set of circumstances will have an impact on the University’s ability to achieve its objectives. Risk management is the process by which the institution attempts to minimise the likelihood of a risk materialising whilst ensuring that steps are in place to mitigate the impact of the risk should it occur.

In delivering its strategy, the University of Dundee recognises that there will be risks involved and sets out its policy on the identification and management of risks that it faces in achieving its objectives. The University is committed to effective risk management which will increase the probability of successful outcomes whilst protecting the sustainability of the University.

The purpose of this policy is not to eliminate risk altogether, but rather to seek to prevent or mitigate those risks that the University deems unacceptable in the context of its prevailing risk appetite in the area concerned. Its aims are to ensure that risk is taken into account in the development and delivery of the University’s activities, including risk analysis, the development of actions to manage risks, and to monitor, review and evaluate such activity.

Who this policy applies to

This Policy extends to all of the University’s activities and operations.

Policy Statement

The University of Dundee aims to:

• ensure that the achievement of the objectives of the University of Dundee is not negatively impacted by significant risks that have not been anticipated
• ensure the achievement of objectives and have in place reliable contingency plans to deal with unexpected risks
• promote an innovative and less risk-averse culture in which the taking of risks within the University’s risk appetite range in pursuit of opportunities is encouraged and supported
• embed risk management into decision making processes

The University of Dundee will have an established framework for identifying and managing risks, a tool of which will be risk registers.

Risk registers allow for clear oversight of risks so that should a risk come to pass, it can be managed. The collation of risk registers relating to individual risks helps the University decide which risks it is able and unable to tolerate, and inform decisions on what activities to proceed with.

Risks must be assessed in relation to the likelihood of their occurrence and their potential impact on the achievement of operational objectives.

The University of Dundee recognises that risk appetite and tolerance varies according to the activity and that its acceptance of risk is subject to ensuring that the potential benefits and risks are clearly identified and that measures to mitigate risk are established before activities are approved.

The University aims to minimise its exposure to compliance, reputation and health & safety risk, while encouraging and accepting a degree of risk in pursuit of its vision and strategic objectives.

Where the risk is unacceptably high and inevitable, a plan must be developed to mitigate the risk. These risks must be monitored and reported on.

Responsibilities

The University is responsible for issuing relevant procedures and guidance for the implementation of effective risk management.

The University will engender and sustain a culture of risk management throughout the University.

University management has prime responsibility for establishing robust strategic risk management processes, and the Court has overall responsibility for overseeing it. In accordance with accepted best practice, the Court has delegated responsibility for the oversight of risk management processes to the Audit Committee.

The Institutional Risk Register will be reviewed by the Professional Services Group, University Executive Group, Audit Committee and Court at least twice a year.

Employees of the University must understand the nature of risk and accept responsibility for managing the risks associated with their area of authority.

Risks associated with projects (including, for example, capital building or other infrastructure projects, collaboration and partnership agreements, business improvement, IT projects, etc.) will be examined as an integral part of the authorisation and project management processes.

Risk Management Oversight Group

There will be a Risk Management Oversight Group.

The Risk Management Oversight Group will monitor the University’s performance in identifying, assessing, prioritising and preventing key risks related to all aspects of the University’s activities.

The Risk Management Oversight Group will oversee institutional risk management and also risk management at a Directorate/School level.

The Risk Management Oversight Group will meet twice a year as a minimum requirement, but additional meetings will be arranged as and when required. It will report to the University Executive Group, and its minutes shall also be shared with the Audit Committee.

The remit of the Risk Oversight Group will be to:

• identify high-level strategic risks affecting or likely to affect the University as a whole
• monitor performance at an institutional level and at the level of individual Schools and Directorates in identifying, evaluating and mitigating (or eliminating) key risks related to all aspect of the University’s activities
• review actions plans for risks where the risk is deemed to be outside the risk appetite
• ensure that there are adequate and effective plans across the University for crisis management, disaster recovery and business continuity
• advise the Audit Committee and Court in relation to institutional risk appetite

The membership of the Risk Management Oversight Group will comprise:

• The University Secretary (Convener)
• Director of Academic & Corporate Governance
• Vice-Principal
• Nominee to represent School Managers
• Nominee to represent School Deans
• Finance Manager (Insurance)
• Director of Legal
• Director of Estates & Buildings
• Director of IT
• Head of Safety Services
• Assistant Policy Officer (Risk & Audit) (Clerk to Committee)

Academic & Corporate Governance

The Directorate of Academic & Corporate Governance will coordinate risk management activity, and specifically will:

• champion the aims of the Risk Management Strategy
• develop standardised procedures for identifying, evaluating and reporting on key risks
• maintain and update an institutional risk register

Deans, School Managers and Directors

The University’s Schools and Directorates must have risk registers in place and these must be reviewed regularly. Deans, School Managers and Directors of Professional Services will take devolved responsibility for:

• identifying key risks associated with their particular activities
• assessing the threat posed by each risk
• defining and implementing the steps required to minimise or prevent risk
• identifying areas where disaster recovery and business continuity plans are required, and developing and maintaining such plans
• reporting on the above

Further information

• Business Continuity Policy