
RISK MANAGEMENT POLICY

November 2020
Contents
Summary ... 4
What is this document about? ... 4
Who is this for? ... 4
How does the University check this is followed? ... 4
Who can you contact if you have any queries about this document? ... 4
Executive summary ... 4
What is the purpose of the Policy ... 5
What is Risk Management ... 5
Who is responsible for Risk Management ... 5
How is risk Managed ... 6
Risk Management and Operational Planning ... 7
Risk Management and Projects ... 7
Operational and Strategic Risks ... 8
Risk Management and Investment Proposals ... 9
Training ... 9
Review of this Policy ... 9
Appendix one ... 10
Appendix two ... 13
Appendix three ... 15

University of Portsmouth | Risk Management Policy November 2020 | 2 of 20


Document title: Risk Management Policy November 2020
Document author and department: Adrian Parry, Executive Director of Corporate Governance
Approving body: Board of Governors
Date of approval: 23 November 2020
Review date: October 2021
Edition no.: 12
ID Code: 42
Date of effect: 24 November 2020
For a) public access online internet or b) staff only intranet? Both
External queries relating to the document to be referred in the first instance to the Corporate
Governance team: email corporate-governance@port.ac.uk

If you need this document in an alternative format, please email corporate.communications@port.ac.uk

The latest version of this document is always to be found at: http://policies.docstore.port.ac.uk/policy-042.pdf

Summary
What is this document about?
This Policy sets out the University’s approach to risk management and the mechanisms it employs to
identify, analyse and manage risk. It provides guidance on responsibilities for risk management and
information on how risk registers are to be compiled.

Who is this for?


All staff should familiarise themselves with this Policy. The Human Resources Department also offers
regular training events to further enable staff to familiarise themselves with its requirements.

How does the University check this is followed?


The corporate risk register is regularly submitted for scrutiny and discussion by governors and by the
University Executive Board. The internal audit service will also periodically review the effectiveness of
the Policy and its implementation.

Who can you contact if you have any queries about this document?
Please contact Adrian Parry, Executive Director of Corporate Governance on 023 9284 3195 or at
adrian.parry@port.ac.uk.

Executive summary
This policy sets out the University’s approach to risk management and the mechanisms it employs to
identify, analyse and manage risk. It provides guidance on responsibilities for risk management and
information on how risk registers are to be compiled.

Summary

1 This policy sets out the University’s approach to risk management and the mechanisms it
employs to identify, analyse and manage risk. It provides guidance on responsibilities for risk
management and information on how risk registers are to be compiled.

What is the Purpose of this Policy?

2 The University recognises that the management of risk is an important component of good
management practice and has an open and receptive approach to identifying, discussing and
addressing risks.

3 The University accepts that risk can never be totally eliminated. The purpose of the University’s
risk management policy is to support the development of a consistent approach to determining,
analysing and managing risk to ensure that all reasonable steps are taken to mitigate risk and
that the level of risk accepted is balanced against the expected reward.

4 The Office for Students’ (OfS) Terms and Conditions of Funding require the University to have
effective arrangements for providing assurance to the Board of Governors that the University
has a robust and comprehensive system of risk management, control and corporate governance.
This policy helps to ensure that the University complies with this requirement.

What is Risk Management?

5 Risk can be defined as the threat or possibility that an action or event will adversely or
beneficially affect an organisation’s ability to achieve its objectives.

6 Risk management can be defined as a process which provides assurance that objectives are
more likely to be achieved; damaging things will not happen or are less likely to happen; and
beneficial things will be or are more likely to be achieved.

Who is Responsible for Risk Management?

7 The Vice Chancellor has ultimate responsibility for risk management and has delegated the
day-to-day management of this responsibility to the Executive Director of Corporate Governance.

8 The University Executive Board (UEB) is responsible for identifying, evaluating and monitoring
the key risks faced by the University and for scrutinising the actions taken to manage these key
risks. UEB will formally review all key risks before their submission to governors.

9 The Audit and Quality Committee is responsible for the oversight of risk management and for
advising the Board of Governors upon the effectiveness of the University’s risk management
processes. It provides a formal opinion on the effectiveness and upon the reliance that may be
placed on the University’s risk management systems via its annual report to the Board of
Governors.

10 The Board of Governors is responsible for determining the appropriate level of risk exposure for
the University, monitoring the management of key risks, and for gaining assurance that risks
identified are being actively managed with appropriate controls in place that are working
effectively.

11 The internal audit service is responsible for auditing the effectiveness of the University’s risk
management processes. The internal audit service develops an annual internal audit plan that is
guided by the risk profile of the University and the implications of this risk profile for the
University’s business processes.

12 Notwithstanding the responsibilities outlined above, all managers have responsibility for risk
management within their own areas of accountability and have a duty to inform their respective
UEB member where exposure to risk is of a material nature. If the UEB member considers that
the risk will impede the delivery of strategic objectives and is therefore of strategic significance
to the University (see paragraph 16) then they will ensure that the new risk or, if it is material,
the increased exposure to risk, is reported to UEB. The UEB member will determine whether this
should take the form of a specific written or verbal report to UEB or, if the issue is less urgent,
should be reported as part of the next iteration of the corporate risk register. Guidance on this
matter is available from the Executive Director of Corporate Governance.

How is Risk Managed?

13 The University seeks to identify, assess and effectively manage all risks. The aim of risk
management is to actively support the achievement of the University’s agreed objectives and
not simply to avoid risk.

14 The University maintains a corporate risk register. This records identified key risks and, for each
key risk, will include coverage of its associated risk scores, controls and actions. Each key risk will
be aligned with the strategic objectives outlined in the University’s strategic plan.

15 The University uses the:

(i) Template at Appendix 1 as the framework for establishing its corporate risk register.

(ii) Methodology at Appendix 2 for measuring and scoring its strategic risks.

(iii) Matrix at Appendix 3 as the framework for determining a map of its strategic residual
risks.

16 The number of key risks to be recorded in the corporate risk register is not rigidly defined.
However, it records only those risks that are likely to impede the delivery of strategic
objectives and are therefore of strategic significance to the University.

17 UEB and the Audit and Quality Committee review the corporate risk register on a three monthly
basis and the Board of Governors reviews it on a six monthly basis. This process may involve the
introduction of new risks, the amendment of existing risks and the deletion of risks that are no
longer deemed applicable.

18 It is the responsibility of the Executive Director of Corporate Governance to ensure that the
corporate risk register is regularly updated and submitted in accordance with designated
timescales for review by UEB, the Audit and Quality Committee and the Board of Governors. If
considered necessary by the Executive Director of Corporate Governance to ensure that the
corporate risk register maintains its currency, then she or he will, in discussion with the relevant
risk owner(s), update and amend the register between these review points. She or he will
ensure that any such amendments are highlighted to the audience of the previous and next
iteration.

Risk Management and Operational Planning

19 The University’s planning processes set the annual objectives and targets that are necessary for
the delivery of the strategic plan and allocates resources for their achievement. Risk
management is integrated within this process and is embedded within the planning returns that
are submitted annually by faculty and professional service areas. Risks identified in planning
returns will be scrutinised by the Executive Director of Corporate Governance and monitoring
reports will be submitted to UEB to inform its consideration of the corporate risk register.

Risk Management and Projects

20 Major projects each require a separate risk register, which shall be monitored by the
relevant project board (or equivalent). Where the risks associated with a major project
are likely to impact upon the strategic objectives of the University, this will be reported
through the project board’s designated escalation route (i.e. either to the Strategic
Technology Projects Board or via the UEB-project sponsor directly to UEB).

Operational and Strategic Risks

21 Individual risk registers at faculty or professional service level or at project level will be
operational in nature and will focus on local risks. A high risk score given to a risk cited within a
local or project risk register is context specific and will not necessarily translate to the same level
of risk within the University’s corporate risk register.

Risk Management and Investment Proposals

22 All investments carry opportunity costs for the University and an assessment of the relative risks
versus the relative rewards of investment proposals may be useful in some circumstances. The
following matrix may help to guide such assessments:

                      Perceived High Reward   Perceived Low Reward
Perceived High Risk   Pursue with Caution     Avoid
Perceived Low Risk    Prioritise              Safe

Training

23 UEB has agreed that training in risk management should be available to all staff but is
mandatory for staff with management roles or responsibility for strategic and operational
planning or those staff who are designated to attend by their line managers. The training will be
organised and delivered by the Human Resources Department and the Office of the Executive
Director of Corporate Governance via the University’s staff development programme.

Review of this Policy

24 The OfS’s Terms and Conditions of Funding require that systems of internal control should be
reviewed at least annually. This policy forms part of the University’s systems of internal control
and shall be reviewed and approved annually by the Board of Governors. This requirement shall
usually be addressed at the first meeting of the Board of Governors held in each academic year.

APPENDIX 1 - RISK REGISTER TEMPLATE

Risk registers should use the following template. Guidance on the content of each column of the template is provided on the following page.

(7) RISK CATEGORY: REGULATORY COMPLIANCE

Links to University Strategy: Failure to address this risk may jeopardise achievement of the following strategic objectives:
- Being a proud part of Portsmouth and our region, working in partnership to support and influence the economic, educational and cultural life of the City
- Maintaining and enhancing our quality and reputation

Template columns: Risk | Inherent Risk Score | Current Controls | Residual Risk Score | Additional Controls | Due Date | Responsible Oversight

Risk 7.1: Non-compliance with legislation and regulatory requirements results in fines and prohibitions being imposed upon the University with the consequence that it suffers financial loss and reputational damage
  Inherent Risk Score: Likelihood = 4, Impact = 4, TOTAL = 16
  Current Controls:
  - Preparations to ensure readiness for random OfS inspections
  - Robust, well publicised and enforced procedures for meeting legal obligations (e.g. health and safety, FOI, GDPR, UKVI, Prevent)
  - Contracts ensure that suppliers operate in accordance with the University’s expectations and legal responsibilities (e.g. Modern Slavery Act)
  Residual Risk Score: Likelihood = 1, Impact = 4, TOTAL = 4
  Additional Controls:
  - Additional investment and/or focus of resources to attain required compliance standards
  - Reduced dependence on key personnel
  Due Date: Ongoing
  Responsible Oversight: Exec Dir of CG

Risk 7.2: Quality assurance requirements are not met resulting in poor inspection reports and negative publicity with the consequence that the University suffers reputational damage
  Inherent Risk Score: Likelihood = 2, Impact = 3, TOTAL = 6
  Current Controls:
  - Continued provision of central support for reviews monitored through QAC
  - Preparations to ensure readiness for inspections
  Residual Risk Score: Likelihood = 1, Impact = 3, TOTAL = 3
  Additional Controls:
  - Action plans and task groups to address specific issues
  Due Date: Ongoing
  Responsible Oversight: DVC

Column Heading: Description

Risk Category: This should identify the risk.

Risk Owners: This should identify the owners of the risk.

Links to University Strategy: This should identify the objectives within the strategic plan that may be
jeopardised if the risk is not addressed.

Inherent Risk Score: The impact and likelihood of the risk occurring should be scored using the
criteria provided at Annex B. The two scores should then be multiplied to determine the inherent
risk score. This will produce a score of 1 - 25 and will determine whether the inherent risk is red,
amber or green (see the matrix in Annex B).

Current Controls: State here the controls that are currently in place to manage or to mitigate the
risk. The control should reduce the likelihood that a risk will occur and/or the impact were it to
occur. The time, effort and expense of managing the controls should not outweigh potential benefits.

Residual Risk Score: The impact and likelihood of the risk occurring should be scored again, this time
to reflect the level of the risk with the stated controls in place. The score will determine whether
the residual risk is red, amber or green. (This score should not be higher than the inherent risk score.)

Additional Controls: If the residual risk score is amber or red then additional controls should be
identified to reduce the residual risk further.

Due Date: Identify any key dates for the delivery of the controls cited in the previous column.

Responsible Oversight: This should identify the individuals, committees or other bodies who have
oversight of the risk.

APPENDIX 2

METHODOLOGY FOR SCORING RISKS

The term ‘likelihood’ refers to the probability that a risk will occur. The score for the likelihood of the risk occurring is
determined by using the following for guidance:

Score   Likelihood of the Risk
1       Highly unlikely to occur (< 20% probability)
2       Unlikely to occur (20% - <40% probability)
3       Likely to occur (40% - <60% probability)
4       Very likely to occur (60% - <80% probability)
5       Extremely likely to occur (>80% probability)

The term ‘impact’ refers to the consequences for the University if the risk were to occur. The score for the impact if the
risk occurs is determined by using the following scale for guidance:

Score   Impact of the Risk
1       Implications would have a very low impact and can be managed locally, or via minor revision of
        planned outcomes, or with little effect upon delivery timescales.
2       Implications would have a low impact and can be managed within any contingency funding set, or
        would detract slightly from the quality of outcomes, or would delay elements of the activity
        without impacting on the overall timescale for delivery.
3       Implications would have a medium impact and would exhaust or exceed any contingency funding
        set, or would detract from the quality of outcomes but not detract from the overall purpose of the
        activity, or lead to slightly extended timescales that would not materially affect desired outcomes.
4       Implications would have a high impact and could not be met within approved budgets, or would
        significantly detract from the quality of outcomes and reduce the viability of the activity, or lead to
        greatly extended timescales with outcomes later than required to obtain maximum benefit.
5       Implications would be critical and increased costs would negate the benefits of the activity, or the
        quality of outcomes would be reduced to such an extent that the benefits of the activity would be
        negated, or extended timescales mean that outcomes are too late and negate the benefits of the
        activity.

The overall risk score is calculated on the following basis:

Likelihood x Impact = Overall Risk Score

So, for example, if the likelihood of the risk occurring is 3 and the impact of risk occurring is 3 then the overall risk rating
is 9. The overall risk score is then applied to the following matrix to determine whether the risk should be categorised as
green, amber or red:

                                 Impact score
Likelihood score                 1 Very Low   2 Low   3 Medium   4 High   5 Critical
1 Highly Unlikely to Occur       1            2       3          4        5
2 Unlikely to Occur              2            4       6          8        10
3 Likely to Occur                3            6       9          12       15
4 Very Likely to Occur           4            8       12         16       20
5 Extremely Likely to Occur      5            10      15         20       25

Any risk with an impact score of 5 that does not have a “red” risk categorisation (i.e. an overall risk score of 15 or above),
should automatically receive an “amber” risk categorisation. This is because any impact score of 5 reflects a “critical
impact” on activities and should be designated at least as an amber risk rating so that it is appropriately monitored.
Risks that are categorised as amber or red will require the implementation of additional controls unless subject to the
Board of Governors’ agreement and acceptance.
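The scoring rules above, carried through in code as an added illustration (this is not the University's own tool): likelihood x impact on the 1-5 scales, red at 15 or above, the impact-5 floor to amber, the requirement that a residual score never exceeds the inherent score, and the flag for additional controls. The policy does not state where green ends and amber begins, so AMBER_THRESHOLD is an assumption; the two sample entries are the scores printed in the Appendix 1 template.

```python
from dataclasses import dataclass

RED_THRESHOLD = 15    # stated in the policy: an overall score of 15 or above is red
AMBER_THRESHOLD = 8   # ASSUMPTION: the policy does not state the green/amber boundary


def overall_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact, each on the 1-5 scales of Appendix 2."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact


def rag_rating(likelihood: int, impact: int) -> str:
    """Red/amber/green categorisation, including the impact-5 floor rule."""
    score = overall_score(likelihood, impact)
    if score >= RED_THRESHOLD:
        return "red"
    if impact == 5:
        # Critical impact: the policy requires at least an amber rating
        return "amber"
    if score >= AMBER_THRESHOLD:  # assumed boundary, see AMBER_THRESHOLD
        return "amber"
    return "green"


@dataclass
class RiskEntry:
    ref: str
    description: str
    inherent: tuple   # (likelihood, impact) before controls
    residual: tuple   # (likelihood, impact) with current controls in place

    def assess(self) -> dict:
        """Score both register columns and flag whether more controls are required."""
        inh = overall_score(*self.inherent)
        res = overall_score(*self.residual)
        if res > inh:
            # Appendix 1 guidance: residual must not be higher than inherent
            raise ValueError(f"{self.ref}: residual {res} exceeds inherent {inh}")
        residual_rating = rag_rating(*self.residual)
        return {
            "ref": self.ref,
            "inherent_score": inh,
            "inherent_rating": rag_rating(*self.inherent),
            "residual_score": res,
            "residual_rating": residual_rating,
            # Amber or red residual risk needs additional controls unless the Board accepts it
            "needs_additional_controls": residual_rating in ("amber", "red"),
        }


# Sample entries with the scores printed in the Appendix 1 template
SAMPLE_REGISTER = [
    RiskEntry("7.1", "Non-compliance with legislation and regulatory requirements", (4, 4), (1, 4)),
    RiskEntry("7.2", "Quality assurance requirements are not met", (2, 3), (1, 3)),
]


def assess_register(entries=SAMPLE_REGISTER) -> list:
    return [entry.assess() for entry in entries]


if __name__ == "__main__":
    for row in assess_register():
        print(row)
```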
The University’s objective for risk management is to optimise its control of risk. This involves ensuring that the most
cost-effective controls are in place for each risk and that a cost-benefit analysis of the controls is considered. This may
mean that certain risks have a high residual score because the cost of reducing the risk still further may be higher than
the potential cost incurred if the risk actually happened.

There will be occasions when there are factors outside of the University’s control which limit the control measures that
can be implemented to manage a risk. Examples might include government policies on student funding or student visa
controls. In such cases, it should be recognised that it may not be possible to significantly reduce the level of residual risk
to the University.

APPENDIX 3

RESIDUAL RISK MAP

Plotting residual risks onto a risk map provides a summary of residual risk scores and helps the
University to maintain an overview of its entire portfolio of risk. This also helps to ensure that
account is taken of the dependencies that exist between risks (for instance, a decline in student
recruitment will impact upon financial health) and plotting related risks within a risk map can help to
ensure that account has been taken of these dependencies.

An example of a residual risk map is outlined below:

RESIDUAL RISK MAP

[Figure: a 5 x 5 grid of likelihood score (1-5, rows) against impact score (1-5, columns), each cell showing likelihood x impact (1 to 25), with residual risks plotted in the cell matching their scores. Example risks shown on the map: Failure to meet external quality standards; Poor financial strategy and management; Failure to meet external R&I standards; Failure to provide fit for purpose buildings / infrastructure; Failure to meet research and innovation targets; Failure to recruit to budgeted target; Loss of significant estate or IT facility; Reduction in league table position; Fail to attract / retain high calibre staff; Failure to provide sufficient places in halls / accommodation; Fail to develop workforce in line with University needs.]
The residual risk map is accompanied by charts that provide:

(a) A summary of changes to residual risk status over the previous 12 months.
(b) A summary of the reasons for any changes in residual risk status since the previous iteration of the
risk register was considered.

Examples of these summaries are outlined below:

SUMMARY OF CHANGES IN RESIDUAL RISK STATUS

Risk No | Inherent Risk Description | Starting Point @ July 2017 | Residual Risk Score @ September 2018 | Residual Risk Score @ February 2018 | Residual Risk Score @ May 2018
1 | Failure to meet Home/EU student number targets (including under or over recruitment) | 8 | 4 | NO CHANGE | 8
3 | Failure to optimise REF rating (new risk introduced in February 2017) | N/A | N/A | 3 | 6

REASONS FOR CHANGES IN RESIDUAL RISK STATUS @ MAY 2018

Risk No | Inherent Risk Description | Reasons for Change in Risk Status
1 | Failure to meet Home/EU student number targets (including under or over recruitment) | Adjusted upwards to reflect the University’s current Home/EU full-time undergraduate recruitment position, the increasingly competitive student recruitment market and the availability of alternative routes such as apprenticeships.
3 | Failure to optimise REF rating (new risk introduced in February 2017) | Adjusted upwards to reflect ambiguity over intentions and criteria for assessment in the next Research Excellence Framework.

ADDITION OF NEW RISKS

Risk No | Risk Description | Residual Risk Score @ May 2018
3 | Partnership arrangements are insufficiently developed and supported to ensure that recruitment is optimised | 6
4 | Loss of reputation through association with strategic partners who are inappropriate or fall into disrepute | 4

DELETED RISKS

Risk No | Risk Description | Residual Risk Score @ May 2018
9 | The economic environment adversely impacts on the funding received for research and enterprise activities | 6
10 | Partnership activities are insufficiently supported to ensure that all responsibilities are delivered | 4

University House, Winston Churchill Avenue, Portsmouth PO1 2UP, United Kingdom
T: +44 (0)23 9284 3199
E: corporate-governance@port.ac.uk
W: www.port.ac.uk
