The Council is responsible for the University's system of internal controls and for reviewing its effectiveness. A system of internal controls exists to manage and control the risk of failure to achieve business objectives.
The system of internal control is based on an ongoing process designed to identify the principal risks to the achievement of policies, aims and objectives, to evaluate the nature and extent of those risks, and to manage them efficiently, effectively and economically.
Responsibility for Risk Management
The Council, through the Strategy and Finance Committee, has overall responsibility for reviewing the University's approach to and process for risk management. The Council is also responsible for ensuring a consistent and sound approach to the management of risk throughout the University through the development, implementation and embedding of a formal, structured risk management process across the organisation.
The University's risk management strategy is based on good practice defined by guidance given by the Turnbull Committee and the findings of subsequent reviews, including the recommendations given by HEFCE.
Risk Management Processes
The University has established the following processes:
- a Risk Management Group reporting to the University Executive Board oversees risk management across the University;
- a robust risk assessment and management process has been developed and is becoming embedded across the University;
- a University-wide risk register is in place with key risks assigned to risk owners and risk reporting channels established;
- a risk prioritisation framework is in place forming the basis of risk assessment, identification and management, and
- Internal Audit reports include an independent assessment of the adequacy and effectiveness of the University's system of internal control and risk management.
Schools and Services are also required to maintain risk management registers for their own activities and are required to report on their risk management arrangements to the Risk Management Group.
The University recognises that effective risk management requires that risk assessments developed at School and Service levels be examined alongside the results of the corporate risk level assessment to produce a comprehensive picture of risk across the institution. The Risk Management Group reviews all risk registers prior to acceptance and these are used to inform the corporate Risk Register and internal controls as necessary. The Audit Committee assesses and reports on the effectiveness of the risk management process and its operation.
The Risk Management Group also oversees work on major incident and business continuity planning. In carrying out the above responsibilities, the Group reviews Internal Audit reports relevant to risk management. The system of internal control is designed to follow best practice and is based on an ongoing process designed to identify the principal risks which may prevent or inhibit achievement of the University's aims and objectives, to evaluate the nature and extent of those risks and manage them efficiently, effectively and economically.
The University is committed to the development of the risk management process as a tool for ensuring sound governance and good management practice in support of the achievement of organisation objectives. The University has developed its Corporate Plan with specific reference to the risks identified. The risk management process has also been expanded to formally document controls, mitigating actions and early warning mechanisms. The work on identifying risks also informs the annual Internal Audit programme.