POLICY: School Governance and Management - Risk Management Policy POLICY URL: https://lsi-ac.uk/policy/97c19d67-6ac0-42b4-a142-41b18a111cb8 POLICY STATEMENT: The School is committed to a comprehensive Risk Management Policy that proactively identifies, assesses, and mitigates risks across all operations. This policy underpins our governance framework, ensuring the safety, resilience, and sustainable growth of our academic community. Through rigorous oversight, continuous improvement, and strategic risk management, we safeguard our institution’s objectives and uphold the highest standards of educational excellence and corporate governance. POLICY PRINCIPLES: ------------------ - Proactivity : Risks are anticipated and addressed before they escalate, fostering a culture of forward-thinking and prevention; - Accountability : Clear roles and responsibilities are defined, ensuring individuals and teams understand their part in managing risks; - Transparency : Open and honest communication about risks is essential, promoting trust and informed decision-making within the School community; - Engagement : The whole School community is involved in the risk management process to ensure a broad range of perspectives and knowledge; - Integration : Risk management is embedded within all levels of decision-making processes, enhancing strategic outcomes and operational effectiveness; - Adaptability : The School’s approach to risk management is flexible, responding to changing contexts and emerging threats; - Compliance : Adherence to legal, regulatory, and ethical standards is paramount, protecting the School’s integrity and reputation; - Empowerment : Staff and students are encouraged and enabled to manage risks within their areas of control and expertise; - Sustainability : Decisions account for long-term risks and opportunities, ensuring the resilience and longevity of the School; - Innovation : Encourages and safeguards the creative approaches necessary for academic and operational advancement; - Education : Continuous learning and development in risk management practices are promoted, building a knowledgeable community; - Collaboration : Partnerships and alliances are fostered, both internally and externally, to share knowledge and strengthen risk management capabilities. REGULATORY CONTEXT: ------------------ This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following: R1. Quality Assurance Agency (QAA): The Quality Code - This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality. R2. Advance HE: Code of Governance for Universities - A code of governance that sets out the principles and standards that universities in the UK should follow. R3. Office for Students (OfS): Regulatory Notices and Advice - Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements. R4. UK Government: Higher Education and Research Act 2017 (HERA) - A UK legislation that reformed the higher education and research sector, particularly by establishing the Office for Students and UK Research and Innovation. R5. Committee of University Chairs : The Higher Education Code of Governance - A code aimed at ensuring the highest levels of governance at higher education institutions. METRICS AND KPIS: ------------------ The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations: M1. Annual Risk Review Completion: Monitor the completion of a full risk review for each department annually, with a target of 100% by the end of each academic year. Ensures that all departments are regularly reassessing risks, contributing to the overall resilience of the institution. M2. Incident Response Time: Monitor the average time taken to respond to critical incidents identified in the risk register, aiming for a response time of under 24 hours. Ensures rapid response to incidents, reducing potential damage and disruption to School operations. M3. Mitigation Plan Implementation Rate: Track the percentage of risks with mitigation plans implemented within the specified timeline, targeting 95% completion within the deadline. Ensures that mitigation strategies are applied promptly, reducing the impact of identified risks on the School’s operations. M4. Monthly Risk Report Submission Rate: Track the percentage of departments submitting monthly risk reports to the Executive Committee on time, targeting 100% compliance. Ensures regular monitoring and communication of risks, facilitating proactive management. M5. Risk Identification Compliance Rate: Measure the percentage of identified risks documented in the Risk Register within 5 working days of discovery, aiming for 100% compliance. Ensures all risks are promptly recorded and addressed, reducing the likelihood of unmonitored risks impacting the School. M6. Risk Register Update Frequency: Track the number of updates made to the Risk Register each quarter, with a target of at least one update per department per quarter. Keeps the Risk Register current and reflective of the School's evolving risk landscape. SECTION 1: Risk Register and Management Procedures ------------------ 1.1. Risk Management Through the Automated Governance System (AGS) (by Executive Committee): All risks must be recorded and managed through the School's automated governance system (AGS) using the dedicated risk register functionality; The AGS risk register provides a structured and efficient method for tracking and addressing risks, ensuring consistent management and mitigation across the School. 1.2. Risk Probability Assessment (by Executive Committee): The likelihood of each risk materialising within the following 12 months (24 months for strategic risks) should be regularly assessed on a scale of 1 to 5:; Rare - Highly unlikely, but still some remote possibility of materialising; Unlikely - Possible but quite improbable and not expected; Plausible - Reasonably conceivable to materialise; Likely - Quite probable and expected to occur; Impending - Highly likely or almost certain to materialise. 1.3. Granular Impact Assessment (by Executive Committee): The potential maximum impact of every risk, should it materialise, should be assessed in the following categories:; Academic : Impact on teaching effectiveness and learning outcomes; Staff : Impact on working practices, employment or employee experience; Student experience : Impact on student satisfaction and overall experience; Financial : Impact on budgets, financial viability and sustainability of the organisation; Reputation : Impact on the external approval of the School and the credibility of its awards; Rating the potential impact in each aspect individually helps to ensure that impact assessments are carried out thoroughly and with good granularity. It also enables more insightful and detailed reporting and governance intelligence. 1.4. Risk Impact Rating (by Executive Committee): The impact of each risk should be rated in each category on a scale of 1 to 5, taking into account any existing mitigating controls and assurances already present to mitigate the impact of the risk should it materialise:; Very low; Low; Moderate; High; Severe; The rating should be selected based on the most credible and probable worst-case, given the available information, rather than simply a best-case or worst-case scenario. 1.5. Academic Impact Rating (by Executive Committee): For every risk, the maximum academic impact, should it materialise, should be rated as either of the following:; Very low - No reduction in learning or teaching quality, student satisfaction, or award quality; Low - No discernible impact on learning or teaching quality, student satisfaction, or award quality; Moderate - Impact on learning or teaching quality, student satisfaction, or award quality that can be resolved without impacting student retention, progression, or success; High - Material but manageable impact on learning or teaching quality, student satisfaction, or award quality that can be resolved without impacting student retention, progression, or success; Severe - Significant and unmanageable impact on learning or teaching quality, student satisfaction, or award quality that can be resolved without impacting student retention, progression, or success. 1.6. Staff Impact Rating (by Executive Committee): For every risk, the maximum impact on staff or working practices, should it materialise, should be rated as either of the following:; Very low - Small modifications necessary to how tasks are completed; Low - Adjustments to working practices or modifications to staff roles; Moderate - Potential changes to employment positions which may require formal processes; High - Formal change processes to manage potential employment issues, including the risk of redeployment, or redundancies; Severe - Possibility of critical skills/personnel not being available or needing to downsize staff through redundancies. 1.7. Student Experience Impact Rating (by Executive Committee): For every risk, the maximum impact on the overall student experience, should it materialise, should be rated as either of the following:; Very Low - No noticeable change to the student's overall campus life, access to resources, engagement opportunities, or sense of belonging; Low - Minimal disruptions to certain aspects of student life, but the overall experience remains largely unchanged. Temporary inconveniences might be experienced, but they don't significantly detract from the holistic student journey; Moderate - Changes that can be felt in specific areas of the student experience, such as in extracurricular activities, campus facilities, or support services. However, with proper interventions, the impact can be mitigated, ensuring a continuity of the student experience; High - Substantial disruptions that might lead to students reconsidering their choice of institution or course of study. This could include extensive limitations in campus resources, lack of access to essential services, or severe disruptions in communal and social activities. Immediate action would be required to ensure student retention and satisfaction; Severe - Drastic changes to the student experience where the essence of campus life, culture, or sense of community is lost. There might be long-term repercussions, affecting the reputation of the institution, with potential drops in enrolment rates or student recommendations. Major strategic interventions would be necessary to restore trust and rectify the situation. 1.8. Financial Impact Rating (by Executive Committee): For every risk, the maximum financial impact, should it materialise, should be rated as either of the following:; Very low - Little to no effect on budgets; Low - An effect on one or more budgets that is manageable within those budget(s); Moderate - Financial consequences to the budget or budgets involved, which can be managed by underspending in unaffected budgets; High - Financial repercussions that require the use of cash reserves, in-year transfers from unaffected budgets, or, transitional funding from external sources; Severe - Significant financial losses we can only address through external funding. 1.9. Reputation Impact Rating (by Executive Committee): For every risk, the maximum reputational impact, should it materialise, should be rated as either of the following:; Very low - No outside opposition or disapproval projected; Low - Some external criticism that is unlikely to be significant enough to cause reputational damage; Moderate - External criticism of the School that it is within our power to address or mitigate, thereby minimising the impact or degree of reputational damage; High - Potential external criticism of the School that could lead to substantial reputational damage; Severe - Negative press coverage and regulatory or governmental intervention due to significant national and international criticism. 1.10. Risk Overall Impact Rating (by Executive Committee): Based on the granular impact assessment, the overall impact rating of each risk will be calculated (automatically by the AGS) based on the following weighted formula:; ( 3 x Academic + 2 x Student experience + Staff + Financial + Reputation ) / 8; This formula is to emphasise the School's strategic prioritisation of the student's interests and wellbeing in our risk management and prioritisation. 1.11. Risk Overall Score (by Executive Committee): An overall score shall be calculated (automatically by the AGS) for each risk based on the following formula:; (Probability of materialising) X (Overall impact rating); Since each factor is on a scale of 1 to 5, the overall score will be on a scale of 1 to 25, labelled as:; Operational:; Very low (1 to 3); Low (4 to 6); Strategic:; Medium (8 to 10); High (12 to 16); Very high (Over 16) 1.12. Systematic Risk Mitigation and Monitoring (by Department Directors): The School must systematically mitigate risks by documenting the following in the risk register:; Prevention: Measures to reduce the likelihood of risk materialisation; Alleviation: Measures to minimise adverse effects if the risk occurs, such as backup plans; Plans: Current and future steps to improve risk scores; Target Score: Expected risk rating (red, amber, green) after mitigation; This structured approach ensures risks are effectively controlled, minimised, and reported, enabling proactive management and safeguarding the School’s objectives. 1.13. Departmental Ownership for Risk Management (by Executive Committee): Departmental directors must actively engage with the risk register routinely as part of their operational management. In collaboration with the Quality, Compliance, and Audit Committee, they are responsible for routinely identifying, assessing, and monitoring risks relevant to their departments; They should foster a culture where risk awareness is integrated into daily operations, not just considered during audits or reviews. Staff at all levels should feel empowered to raise concerns early, knowing that they will be acted upon promptly; Effective risk management relies on clear roles and responsibilities across the institution. By involving departmental directors in ongoing risk monitoring, the School ensures timely identification and mitigation of risks, supporting strategic goals and regulatory compliance. 1.14. Risk Identification and Assessment Process (by Executive Committee): Risks should be identified through ongoing monitoring of departmental activities, stakeholder feedback, and external benchmarking. Departments must hold risk review meetings at least fortnightly to evaluate risks using both quantitative and qualitative measures. High-priority risks must be addressed immediately, and all identified risks must be recorded in the risk register and reported to relevant committees; Fortnightly risk assessments ensure emerging risks are identified and managed swiftly, reducing the likelihood of significant issues developing. This frequent monitoring enhances the School’s ability to respond proactively to potential threats and safeguard its strategic objectives. 1.15. Scenario Planning (by Executive Committee): The School must develop and maintain comprehensive scenario planning processes to prepare for potential 'what if' situations, including regulatory changes, pandemics, and IT failures. This involves creating specific action plans for each identified scenario, conducting regular drills or simulations to test these plans, and updating them as necessary to reflect changes in the external environment or internal operations; Proactively preparing for various scenarios enables the School to respond swiftly and effectively to unexpected challenges, minimising disruption to operations. Scenario planning fosters resilience and adaptability, ensuring the institution can maintain continuity of services and safeguard the interests of students and staff during crises. 1.16. Crisis and Incident Management (by Executive Committee): In the event of a major incident or crisis—such as financial mismanagement, cybersecurity breaches, or campus safety events—the School must activate its immediate response strategy. This includes notifying key stakeholders within the first hour, initiating a crisis management team, and following predefined communication protocols. Recovery plans must be implemented promptly to minimise disruption, and all actions documented in an incident report for review; A clear and well-coordinated response is crucial in preventing escalation and minimising operational disruption during a crisis. Efficient communication and prompt recovery ensure the School can resume normal operations swiftly, safeguarding its reputation and stakeholder trust. 1.17. Training and Awareness (by Executive Committee): All staff must undergo regular risk management training to ensure they can identify, assess, and escalate risks effectively. Training should occur annually, with additional refresher sessions provided as needed. The School must also run regular awareness campaigns to promote a risk-conscious culture and keep staff informed of any changes to risk management procedures; Comprehensive training and ongoing awareness efforts ensure that staff are equipped to manage risks confidently. Embedding risk management into daily practices across the School helps identify potential issues early, creating a proactive environment that minimises risks and ensures compliance with institutional policies. 1.18. Overarching Responsibilities and Meetings of the Quality, Compliance, and Audit Committee (by Quality, Compliance, and Audit Committee): The Quality, Compliance, and Audit Committee meets at least three times a year, aligned with key dates in the operating cycle. Its responsibilities with regards to risk management, as outlined in the Governance Structure Statement, include:; Reviewing and reporting on the School’s internal control, mitigation systems, and risk management processes; Reviewing and reporting on insurance and other risk management mechanisms; Advising the Board of Governors and other bodies on quality and compliance matters; Overseeing, reviewing, and reporting on the Strategic and Operational Risk Registers; Reviewing and reporting on the integrity of financial statements, formal financial announcements, and communications with the Office for Students; Reviewing and advising on the effectiveness of internal and external audit functions; Reviewing and advising on legal and regulatory compliance; Reviewing and advising on ethical standards compliance; Reviewing and reporting on the operational efficacy of Health and Safety arrangements; Investigating, resolving, and reporting on alleged ethical or other breaches involving the Executive Committee or Academic Board, while breaches by other principal bodies are addressed by the Board of Governors; Advising on the appointment and removal of accountants and auditors; Advising on annual financial statements, performance, and reports; Investigating and reporting on suspected financial irregularities; These structured responsibilities ensure the School maintains robust governance, risk management, and compliance, safeguarding institutional integrity and accountability. Regular meetings allow the Committee to effectively oversee and advise on critical aspects of the School’s operations. 1.19. Project Risk Management and Reporting (by Department Directors): Projects may require their own risk register and management; When proposing any substantial new initiative or change to ongoing activities, departmental directors must:; Identify and assess potential risks; Maintain a project-specific risk register. If the project impacts the entire School, include these risks in the School's risk register; Regularly submit a summary report to:; Executive Committee; Quality, Compliance, and Audit Committee; Board of Governors (only if strategic, sensitive, or high-impact risks are identified); This ensures that all significant risks associated with new projects are effectively managed and communicated, safeguarding the School’s overall stability and strategic objectives. 1.20. Policy Review and Continuous Improvement (by Executive Committee): The risk management policy must be reviewed and updated at least annually to reflect changes in the external environment, regulatory requirements (including OfS standards), and the School’s internal risk landscape. This process should include a commitment to learning from past incidents and making necessary adjustments to enhance the policy’s effectiveness; Regular reviews and updates ensure that the policy remains relevant and effective in addressing emerging risks and regulatory changes. By learning from past incidents, the School can improve its risk management practices, fostering a culture of continuous improvement and resilience in the face of new challenges.