Risk is the effect of uncertainty on the institution's ability to meet its objectives.
Risk registers are tools that aim to help managers evaluate and monitor risks in order to inform decision-making. Risk registers are useful for providing oversight of key risks, and an awareness of the risk environment can help to meet strategic objectives effectively.
A blank risk register template is available for Schools/Directorates to use in order to complete their own risk registers.
A risk register should not be filled out by one individual; key individuals should be involved to ensure that the risk register is a comprehensive tool and that all potential significant risks are included. The Institutional Risk Register may be a useful example in terms of how to fill out a risk register, however, it is worth considering whether the 'impact' scale is accurate in relation to all Schools/Directorates; will your major risks be >5M or would a lower/higher scale be more relevant?
The table below provides information on the different columns in the risk register template:
|Relevent Strategy aims||What aim/objective is at risk?
A good starting point might be to look at the University Strategy or School/Directorate Strategy
to identify which Key Performance Indicators are at risk.
|Risk description||What is the risk? E.g. poor student learning experience|
|Risk cause(s)||Why is this happening? There may be many causes for a risk e.g. a popular module was cancelled/not enough module options|
|Risk consequence(s)||What may be a result of this risk? E.g. student complaints/media attention|
|Risk owner||Who owns the risk? E.g. Dean/School Manager|
|Inherent risk assessment||If you do nothing and leave the risk as it is, what is the likelihood of this occurring?
What would the impact be? Multiply these numbers together to work out the inherent risk score.
|Existing controls||What existing controls are in place for this risk?|
|Residual risk assessment||Taking into account these controls,
what is the risk score now? Has it decreased?
|Actions for further control||
Looking at the residual risk score: is this within your 'appetite' or 'tolerance' range?
|Action owner||Who is responsible for these actions?|
|Action review date||When will this next be reviewed?|
Risk, risk cause(s) and risk consequence(s):
It is easy to confuse the risk with the risk cause(s) or consequence(s). The example below aims to help:
A risk of X due to/as a result of Y results in Z.
A risk of the degradation of estate as a result of little or no surplus providing opportunity to invest in the estate results in the inability to support teaching and research.
How to use a Risk Register
Risk management establishes processes that support the meeting of objectives whilst protecting the University's staff, students, financial sustainability and reputation. One method of managing risk is the use of a risk register. A risk register serves as a repository for information relating to risk pertaining to the University/School/Directorate. Risk registers can also be used to provide oversight of risks on specific activities, such as partnerships. The risk register is used to provide significant information on the main risks.
To be effective risk registers need to be developed and maintained as part of an ongoing process that enables the identification, evaluation and treatment of risks. This then enables the prioritisation of actions to reduce risks to an acceptable level as required. Risk registers can help individuals, management, groups and committees to:
- Understand the nature of the risks the University/School/Directorate face;
- Identify the level of risk that management is willing to accept;
- Obtain assurance on the controls in place to reduce the likelihood/mitigate the impact of the risk;
- Review the risk score and status as and when required; and
- Develop awareness of key risk indicators and respond accordingly.
In order to be effective, the risk register should be treated as a dynamic working tool and should evolve over time with risks that are no longer of relevance removed and new risks added as the external risk environment changes. When reviewing a risk register, the following factors may be useful to consider:
- When carrying out a deep dive on an individual risk, does the impact or likelihood score change?
- Have the University's/School's/Directorate's objectives changed? If so, are there different risks to consider?
- Has the external context changed?
- Are the actions and controls in place effective?