FAQs
- What is Risk Management at Imperial?
- Who is responsible for Risk Management at Imperial?
- What types of risks does Risk Management cover?
- What are Principal Risks?
- What are University Risks?
- What is a risk / what is not a risk?
- How does Imperial prioritise risks?
- What is the CoreStream platform, and how is it used?
- How does Imperial ensure business continuity during disruptions?
- How does Risk Management support Imperial’s academic mission?
- Is Risk Management training available at Imperial?
- What role does the Audit and Risk Committee play in Risk Management?
- How can I report a risk?
- How can I access more information about Risk Management at Imperial?
Risk Management at Imperial is a structured approach to identifying, assessing, and managing risks that could impact the delivery of Imperial’s academic mission, strategy, operations and regulatory obligations. It integrates risk management into decision-making across all levels, covering financial, operational, reputational, and compliance risks. The Risk Management Framework supports Imperial’s Internal Control Framework and aligns with its strategic objectives.
The Risk Management team, under the direction of the Director – Institutional Compliance & Risk Management, is responsible for Risk Management at Imperial. The primary point of contact for Risk Management at Imperial is the Risk Manager. The Risk Management team reports to the Audit and Risk Committee and the Risk and Compliance Committee. Faculties, schools, institutes and departments, and risk owners (the “first line of defence”) actively manage risks, while the central risk management team and governance bodies provide oversight.
Imperial’s Risk Management framework addresses a broad range of risks, including:
· Strategic: Failure to deliver Imperial’s strategy, or strategies at Faculty/Departmental level.
· Financial: Inability to generate sufficient funds due to rising costs or reduced revenue.
· Operational: Disruptions to services from ICT failures, building issues, or external crises. Failure to deliver operational objectives.
· Compliance: Non-compliance with regulations like GDPR, or the Office for Students’ requirements.
· Reputational: Incidents or crises that could harm Imperial’s global standing.
· Emerging Risks: Climate change, cybersecurity threats, and social-political instability affecting operations.
Principal risks are the most significant risks that could have a substantial impact on Imperial’s ability to achieve its strategic objectives. These risks are prioritised due to their high likelihood, severe consequences, or both, requiring close monitoring and robust mitigation strategies. Imperial’s Principal Risks are reported to the Risk and Compliance Committee and the Audit and Risk Committee at each Committee meeting. Principal Risks are also reported to the University Management Board and Council. Principal Risks are reported on by the Risk Manager, who is also responsible for coordinating updates with Principal Risk owners.
University Risks comprise all of the risks raised across Imperial’s Faculties, Schools, Institutes, Departments and Professional Service areas.
A risk is an uncertain event or condition that, if it happens, can positively or negatively affect your goals, comprising the following components:
· Event: The risk event itself.
· Cause(s): Something that could trigger the risk, e.g. equipment failure.
· Consequence(s): What happens if the risk occurs.
· Likelihood: The chance of it happening, e.g., a moderate 30% probability.
· Impact: The effect on your objectives, e.g. financial losses.
In risk management, something is not considered a risk if it lacks uncertainty and potential impact on objectives. Specifically:
· Certain events: If an event is guaranteed to happen (100% probability) and its outcome is fully predictable, it’s not a risk—it’s a fact or a known issue. For example, "the sun will rise tomorrow" is not a risk because it’s certain.
· Events with no impact: If an event has no effect on organisational objectives (e.g., no financial, operational, or reputational consequences), it’s not a risk. For instance, "it might rain this afternoon, but we’re indoors" is irrelevant if it doesn’t affect your goals.
Identifying risks is a critical first step in risk management, involving the systematic discovery of uncertainties that could impact objectives. Below is a concise guide on how to identify risks:
· Understand Objectives:
    · Clarify the goals (e.g., strategic, operational, financial) to pinpoint what could help or hinder success.
· Gather Input from Stakeholders:
    · Engage staff, management, and external partners through discussions, surveys, or workshops to capture diverse perspectives on potential risks.
· Use Risk Identification Techniques:
    · Brainstorming: Generate a list of potential risks in a group setting.
    · SWOT Analysis: Assess strengths, weaknesses, opportunities, and threats to uncover internal and external risks.
    · Checklists: Refer to industry-specific risk categories (e.g., financial, operational, reputational).
    · Scenario Analysis: Imagine “what-if” situations, like a cyberattack or economic downturn.
    · ‘Pre-Mortem’: Imagine a risk event has already occurred, and work backwards using what you know to identify how it might have crystallised.
· Review Historical Data and Trends:
    · Analyse past incidents, near-misses, or industry reports to identify recurring or emerging risks.
· Consider External and Internal Factors:
Risks are prioritised based on their likelihood, impact, and alignment with short-, medium-, and long-term objectives.
CoreStream, Imperial’s risk management software, is accessible via Single Sign-On and is used to maintain risk registers and track systemic and common risks across the College. Staff with risk register responsibilities are trained to use it. If you have a risk register and haven’t been contacted about CoreStream, email m.tickle@imperial.ac.uk.
Imperial’s Business Continuity programme plans for service delivery during disruptions (e.g. ICT outages, building issues). The University conducts horizon scanning, develops emergency arrangements, maintains business continuity plans, and organises exercises to validate these plans. Staff can contact the Risk Management team for support.
Risk Management ensures that resources and management effort are directed toward risks that could hinder academic excellence, such as funding shortages or failure to attract top students.
The Risk Management team offers training and awareness sessions for staff, including one-on-one sessions and group workshops. Training covers risk identification, CoreStream usage, and risk management principles. Contact the Risk Management team at m.tickle@imperial.ac.uk to arrange training.
The Audit and Risk Committee reviews and approves principal risks, ensuring they align with Imperial’s strategy. It receives updates on risk management activities and provides oversight, supported by the Risk and Compliance Committee, which was established to enhance governance.
Risks or incidents should be reported to your department’s risk register owner or directly to the Risk Manager. CoreStream allows staff to document and escalate risks. Email m.tickle@imperial.ac.uk for guidance.
Visit the Risk Management website for policies, resources, and updates. For specific questions, contact the Risk Manager at m.tickle@imperial.ac.uk or reach out to your department’s risk register owner.
The Three Lines of Defence (3LoD) model is a risk management framework that organises and clarifies roles and responsibilities for managing risks within an organisation. It ensures effective risk identification, control, and oversight while promoting accountability and independence. Here’s a concise explanation, with a general example:
· First Line of Defence: Operational Management (Risk Owners)
    · Role: Owns and manages risks directly in day-to-day operations by implementing controls and procedures.
    · Responsibility: Identify, assess, and mitigate risks within their area, reporting issues as needed.
· Second Line of Defence: Risk Management and Compliance (Central Risk Management function)
    · Role: Provides oversight, support, and guidance to the first line, establishing risk policies and frameworks, and monitoring compliance.
    · Responsibility: Monitor risk controls, advise on best practices, and ensure alignment with organisational objectives and regulations.
· Third Line of Defence: Internal Audit
    · Role: Offers independent assurance by evaluating the effectiveness of risk management and control processes across the first and second lines.
    · Responsibility: Provide objective assessments, identify gaps, and recommend improvements, free from operational influence.
Purpose: The 3LoD model ensures risks are managed at multiple levels, with clear separation of duties to avoid conflicts of interest. It balances operational efficiency with robust oversight, fostering a culture of risk awareness.