
HEFCE 01/24

Risk management

A briefing for governors and senior managers


Introduction

Effective risk management is an essential element in the framework of good corporate governance in higher education institutions (HEIs). The purpose of this document is to give the council or board (‘the governing body’) and the vice-chancellor or principal an introduction to risk management to help them assess whether the current risk management activities at their institutions are satisfactory.

The document has been produced in consultation with UUK, SCOP and other representative bodies, and draws on best practice from the higher education, public and private sectors.

We are also publishing a detailed, practical guide to best practice in risk management. This and other supporting material are available on the HEFCE web-site, www.hefce.ac.uk under ‘Good practice’.

Corporate governance and risk management

1. Demand for improved corporate governance has been a feature of the last decade. Reports from the Cadbury Committee and the Hampel Committee have been supplemented by reports from Rutteman, Nolan and Turnbull, to produce a body of guidance on corporate governance, including risk management and internal control.

2. The latest guidance on internal control, produced by the Turnbull Committee, directs the governing body towards a high-level, risk-based approach to establishing a sound system of internal control, covering all types of risk, and reviewing the effectiveness of the process on a regular basis. Although the Turnbull guidance was originally written for companies quoted on the stock exchange, the principles are being adopted by the public and private sectors, in order to reflect best practice. Although HEIs have different purposes and legal/governance positions from those of quoted companies, there are benefits to be gained from the Turnbull approach – quite apart from the improvements in accountability and stakeholder confidence.

3. The HEFCE has been engaged with the sector’s representative bodies in drawing up guidance specifically for higher education. Formally, the HEFCE’s Accounts Direction (Circular letter 24/00) requires HEIs to include a statement in their annual financial statements, by 2002-03 at the latest, to confirm that ‘the effectiveness of the internal control system has been reviewed’. This guidance will help institutions to meet that obligation.

4. HEIs have a distinctive ethos, with diverse backgrounds and traditions, and are responsible for the management and direction of their own affairs. It follows therefore that there is not one ‘correct’ approach to managing an institution. This document and the associated guidance are not prescriptive, but seek instead to highlight the key issues to assist institutions in developing their own approach and support governors in discharging their responsibilities.

What is meant by ‘risk’?

5. It is important to have a common definition of risk and one frequently used is:

‘the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives’.

6. All organisations have expressed or implied objectives. Risk management will actively support the achievement of those objectives. It is not a process for avoiding risk: when used well it can actively allow an institution to take on activities that have a higher level of risk (and therefore could deliver a greater benefit), because the risks have been identified, are understood and are being well managed, and the residual risk is thereby lower. Risk management is not just negative (ensuring that bad things are less likely to happen) but also positive (making it more likely that good things will happen).

Benefits of effective risk management

7. There are many potential benefits to the effective use of risk management techniques. The most significant are shown in Figure 1 below.

Figure 1 Potential benefits from an effective risk management process


Exposure to risk

8. Risks can be managed through the operation of controls. But controls will not always eliminate risk: any remaining risk is the organisation’s ‘exposure’ to risk, or its ‘net’ or ‘residual’ risk. There is a relationship between an organisation’s objectives, risks and controls and its risk exposure. Broadly, to deliver large benefits, tough objectives will be needed, which means greater risk. The risk remaining then depends on the level of control in place, as illustrated by the following risk exposure matrix.

Figure 2 Risk exposure matrix

Level of risk    Level of control
                 Tight      Medium     Light
High             Medium     High       High
Medium           Low        Medium     High
Low              Low        Low        Medium

(Each cell shows the residual risk exposure for that combination of inherent risk level and level of control.)

9. However, it is important to recognise that improving control is not just about increasing the number of controls or the frequency with which they are operated, but is also achieved by designing and introducing better controls.

10. Control obviously comes with a cost:

  • direct costs – such as supervisory staff and information systems
  • opportunity costs – such as missed research opportunities or less entrepreneurship.

11. So institutions will not want to deploy all the possible controls when managing risks. Instead HEIs need to determine their own overall risk exposure and ensure that this fits with their agreed approach to risk.

The role of the governing body in managing risk

12. The governing body has a fundamental role to play in the management of risk. It is entrusted with funds, both public and private, and therefore has a particular duty to observe the highest standards of corporate governance. It must ensure that the institution has a sound system of internal management and control, and delivers value for money from public funds. However, the governing body is not responsible for the operational management of the institution. In the context of risk management the governing body should, as a minimum, ensure that there is an ongoing process for identifying, evaluating, and managing the risks faced by the institution, and should review this process regularly. Most governing bodies will also wish to consider the most significant risks facing their institution at appropriate intervals.

13. The governing body’s job, therefore, is to:

  1. Set the tone and influence the culture of risk management within the whole institution. For example:
    • is it a ‘risk taking’ or ‘risk averse’ institution?
    • which types of risk are acceptable and which are not?
    • is the portfolio of risk suitably balanced between high risk/high return and low risk/low return?
    • what are the expectations of staff with respect to conduct and probity?
    • is there a clear policy that describes the risk culture, defines scope and responsibilities, assesses resources and defines performance measures?
  2. Determine the appropriate risk appetite or level of exposure for the institution:
    • for example, is an activity with a potential loss of 5 per cent of total income acceptable, or should the risk be spread by working with another organisation or transferred through the use of insurance?
  3. Actively participate in major decisions affecting the institution’s risk profile or exposure:
    • for example, major financial investment, mergers, and overseas partnerships.
  4. Monitor the management of significant risks to reduce the likelihood of unwelcome surprises:
    • for example, by receiving regular reports from management focusing on key performance and risk indicators (probably no more than 20), supplemented by audit and other internal and external reports.
  5. Satisfy itself that the less significant risks are being actively managed, possibly by encouraging a wider adoption of risk management.
  6. Report annually on the institution’s approach to risk management, with a description of the key elements of its processes and procedures.

Next steps

14. Governing body members will need to strike the right balance between keeping an overview and avoiding involvement in day-to-day management. Again, there is not one single right approach, since governing bodies play different roles in different institutions. Nevertheless governors could consider asking themselves the following questions:

  1. Do I know the key risks being faced by this institution and are they being adequately managed?
  2. Is there a clear risk policy for the institution?
  3. Do the work priorities of the governing body and its committees appropriately focus on the key risks to the institution?
  4. Are management communications with governing body members timely, candid, relevant and sufficiently comprehensive with respect to the key risks?
  5. Does management have an ongoing risk assessment process to identify and measure the impact and likelihood of risks?
  6. What are the mechanisms to provide the governing body with an early warning of unwelcome surprises?

15. If the answers to some of these questions are unclear then governors are advised to:

  1. Find out what risk management work is undertaken at the institution. If an institution-wide programme has not started, there will probably already be strong risk management practices in some areas to consider – such as health and safety, estates, or finance.
  2. Make sure that risk management is on the agenda for the next appropriate governing body meeting. The governing body should determine the extent to which it would like the institution to comply with good practice, as set out in, for example: the HEFCE’s guidance on effective financial management (HEFCE 98/29), the latest CUC guide for governors (HEFCE 01/20), this document, and the Turnbull report, published by the Institute of Chartered Accountants in England & Wales (www.icaew.co.uk).