Imperial College Risk Policy
1. Introduction and policy overview
1.1 Imperial College is committed to evolving continually its approach to risk management and fostering a positive risk culture across College. Everyone is expected to consider risk when planning and managing activities from strategic planning, operational planning through to contract management and project planning and implementation. This policy applies directly to all staff, working at or with Imperial College, who manage risk as part of their daily activities, or who have roles or responsibilities in relation to risk management.
1.2 The College is accountable to the Office for Students and must demonstrate that it is appropriately identifying and mitigating its strategic risks and providing assurance that these risks are being managed at an appropriate level. One objective of the College risk process is to provide a mechanism for identifying systemic risks, common themes and strategic risks for the College to help us in managing our significant risks.
1.3 Management at all levels of the College are encouraged to support and promote good practice in risk management and foster a positive risk culture in their areas of responsibility, directly contributing to meeting our statutory requirements for risk management, defined by the Office for Students, in addition to meeting the requirements of regulatory bodies, funding bodies, donors and partners.
1.4 Risk management is a shared responsibility and Schools, Institutes and Departments (SIDs) and Faculties across the College actively participate in the risk management process, contributing to identifying and managing risks to their objectives and to the overall College strategy. As a devolved organisation, it is important we define minimum expectations within a policy framework to support meeting our shared risk management obligations. The Risk Policy aims to provide this framework in support of Imperial’s Risk Strategy.
1.5 The risk policy provides principles for effective risk management governance to support the College in implementing a successful risk management approach, setting out clear accountability for risk management.
1.6 This policy contains information on:
- definition of risk;
- risk strategy and appetite;
- risk framework governance
- roles and responsibilities for risk management
- our risk cycle and basic expectations for risk management
- risk reporting
The Policy does not contain information on how to identify, assess and manage risks, this is available in our Risk Guidance section on the Risk Management web page: Risk Management
2.1 From the ISO 31000 (2018), the purpose of risk management is: ‘the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.’
2.2 The College defines risk in line with the Office for Students definition:
“The threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives”.
Please see our Risk Management Guidance for further support and definitions.
3 Risk Strategy and Appetite
3.1 Imperial recognises that understanding the most significant risks to strategic and operational delivery will help to support informed decision making, strategic delivery and future sustainability.
3.2 Helping Imperial to realise and demonstrate the benefits of effective risk management is important to our people, our future as a world leading institution and helps us to provide evidence and assurance that we are committed to meeting our regulatory commitments, and that we are able to demonstrate the appropriate level of assurance to the OfS, our donors, funding bodies and partners.
3.3 Our approach to risk management must be sufficiently agile to adapt to a changing global economic landscape and its related regulatory complexity, with due consideration of balancing risk taking with resource and investment management. Risk management does not just mean avoiding risks. We need to balance the risks we take with the achievement of our strategic goals – if we take no risk we are unlikely to achieve our goals. Risk management is not limited to the identification and mitigation of threat risks, it is also important to recognise opportunities that may involve some level of risk, but that also have the potential to lead to positive outcomes in support of the achievement of our objectives.
3.4 Our Risk Management strategic priorities are defined within six principal areas:
- Strategy and risk appetite
- Governance, risk and assurance
- Risk culture and capability
- Developing risk management practice and strengthening our control environment
- Improving transparency and communicating risk insights
- Building our organisational resilience
3.5 Our Risk Strategy sets a clear direction and provides us with a platform to build our risk management capability in support of continuous improvement for Imperial over a 5-year period. Our overarching goal is to ensure the right focus is made on those risks that enable the College to deliver its strategy. Please refer to the Risk Strategy for further information.
3.6 Risk appetite is defined as the amount of net risk an organisation is willing to take in pursuit of value, or the total impact of risk an organisation is prepared to accept in pursuit of its strategic objectives.
The College will consider the amount and type of risk that it may or may not take relative to its objectives as part of its decision-making process and may define risk criteria to evaluate the significance of a risk within the context of the College operating environment in support of this approach. Risk appetite will be considered in College risk discussions and developed to indicate acceptable levels of risk taking in the context of College risk.
4 Risk expectations
The purpose of the risk policy is to assist the College in integrating risk in to its core activities, governance and decision making. The effectiveness of our risk management approach will depend on how successfully we achieve this across the College. Our risk expectations describe our risk framework, governance and roles and responsibilities to support delivery of effective risk management across the College. Guidance on how to identify, assess and manage risks is provided in our Risk Management Guidance
4.2 Leadership and Commitment
Imperial College Council have overall responsibility for Risk Management and in providing assurance to the Office for Students that we are meeting Risk Management requirements.
Our Executive team have delegated responsibility for Risk Management from the Council, led by the President and Provost, with responsibility for providing leadership, managing College risks and supporting a risk aware culture across the College.
Senior Management are accountable for risk management in their areas of responsibility and will support the integration of risk management in to their core activities and allocate the necessary resources to managing their significant risks with clear risk ownership.
4.3 Risk Management Framework
Our aim is to create a governance structure which encourages two-way risk communication and engagement, simplifying the risk cycle to make it easier for staff to engage in risk management. Embedding risk discussions into existing governance structures as part of day-to-day management and oversight will avoid duplication and help to develop a risk culture (for example, integrating risk discussion into existing management meetings).
The Risk Management Framework provides a governance structure to facilitate the identification, assessment, management, review and escalation of Imperial College’s significant risks. Imperial’s Risk Management Framework is presented below indicating roles and responsibilities for risk management across the College:
- The College is responsible for identifying and prioritising significant strategic and operational risks to Imperial’s strategy (defined as ‘College risks’), these risks may be managed centrally by the College or involve shared responsibility across College depending on the nature of the risk.
- Senior Management across the College are responsible for the successful delivery of risk management in their Schools, Institutes, Departments and Faculties and may escalate risks for College consideration where they feel College level input or ownership is warranted
Risk tools and methodologies are available to support consistent risk management within this framework, reflecting standard ISO31000 process involving risk context, risk identification, risk assessment, risk management and risk review. The Risk Team will provide support where needed, providing advice and supporting monitoring and continual improvement.
4.4 Roles and Responsibilities for Risk Management within the College
The overall responsibility for the strategic direction and control of Imperial College rests with the Council who oversee key aspects of our risk management approach and discuss College risks annually.
The Audit and Risk Committee is appointed by the Council to advise on risk management and financial control. The Audit and Risk Committee cyclically reviews College risks (the strategic and operational risks identified by Imperial College) in each meeting and seeks assurance over our risk management activities from multiple sources.
The Finance Committee undertakes regular reviews of financial risk including capital projects and reports to the Audit and Risk Committee.
The Executive Directors, through the President’s and Provost’s Board support, actively consider, identify, assess, manage and review risks (both threats and opportunities) that could be advantageous or detrimental to Imperial’s strategy. The Executive team are named accountable owners for College risks; overall accountability sits with the President and Provost.
The President’s Board will discuss risk formally at least annually as part of a Board meeting. Both the President’s Board and Provost’s Board have risk embedded in their meeting agendas and will discuss individual risks by exception where risks are escalated to College level through the risk cycle or outside of the formal cycle.
Significant risks may be escalated from Faculties/ Professional Services to the President’s or Provost’s Board with agreement from the President or Provost.
The Risk and Business Continuity Committee formally reviews and discusses risks bi-annually in line with the College risk cycle on behalf of the President’s and Provost’s Board, and updates are provided to the Audit and Risk Committee.
Faculties and Departments will provide clarity in roles and responsibilities for identification, management and escalation of risk in their areas of responsibility, and incorporate risk management into their normal management cycle, ensuring it is adequately resourced. Risks will be updated bi-annually in the College risk management system in line with the risk cycle requirements. Risks should be formally discussed in Department and Faculty meetings at least bi-annually and the risk information submitted to College should be approved by the HOD for Department risks, and Faculty Operating Officer and Dean for Faculty risks.
The Dean’s and Heads of Departmentsand Directors in Professional Services, supported by Faculty Operating Officers, Department Operating Managers or Management teams, are responsible for encouraging good risk management practice within their Faculties and SIDs, identifying risks in their area of responsibility relating to strategy or operations and managing the risks appropriately.
Dean(s): The Dean of each Faculty is accountable for the identification and management of risks and opportunities within their Faculty, with oversight across their Departments. Where necessary, they will support the appropriate escalation of risks from Department to Faculty or College level.
Heads of Department (HODs): HODs are accountable for identifying and managing risks and opportunities within their Department and supporting appropriate risk management governance. HODs will approve risk registers submitted to the College as an accurate representation of their Department’s position.
Faculty Operating Officers (FOOs): The Faculty Operating Officers are responsible for appropriate risk management and control procedures being operationally effective in their Faculty and supported by appropriate resource.
Department Operating Managers (DOMs) and individuals with risk responsibilities: DOM’s, or nominated individuals, are responsible for supporting risk and opportunity identification and enabling and supporting Risk Management process and awareness within their Departments.
Departments are advised to assign an individual(s) to support and promote effective risk management in their area and develop a wider awareness of Risk Management. This individual(s) will be a key point of contact between management, the risk owners, the risk network and the risk management team. Individuals assigned with risk responsibilities in Departments and Faculties will play a vital role in helping to embed Risk Management practice throughout the organisation within our devolved operating model and the Risk Management team will provide appropriate training to support them in their role.
The Risk Team will provide supporting policy, guidance and advice to help in identifying and managing risks and in supporting appropriate risk management and control.
Internal Audit will provide assurance over our risk mitigation through a programme of internal audits delivered throughout each academic year.
Specific teams and individuals with subject matter expertise will develop policies and procedures and conduct appropriate checks to ensure compliance with those policies and procedures. They are also responsible for providing advice and guidance on areas of higher risk, examples include Security, Safety, Insurance, Estates Management, Research Office Finance, HR and ICT.
All staffare required to operate within the policies, procedures and controls set out by the College and for identifying, assessing and managing risks within their area of responsibility.
4.5 Risk Cycle
Imperial operates a bi-annual risk cycle, requiring Faculties, Schools, Institutes and Departments to consider and develop their risks at least bi-annually; please note this is a minimum requirement and more frequent formal discussion of risks within appropriate operating structures is encouraged:
Cycle 1 (by mid - March): Complete a full review of all risks and opportunities, updating your risk registers in advance of the annual planning round, considering existing new and emerging risks to strategic and operational objectives and reviewing and updating the risks, their controls, ownership and review dates within the College risk system.
Cycle 2 (by mid - September): Complete a light touch review of significant risks (with a risk score >25; see here for risk scoring guidance) and consider and include any new and/or emerging risks. Risks should be updated if they have changed and controls reviewed and updated as necessary.
Please do include significant risks which apply to the College, where applicable, for consideration in the College risk process.
Risks may be escalated by exception outside of this cycle for attention at Department or Faculty Management Meetings/Committees or Faculty /Committee escalation to the Provost Board or President’s Board where the Dean’s or individual members of the Boards feel College level attention is warranted.
The College risks represent significant strategic and operational risks to our overall organisational objectives. College risks will be updated and formally reviewed annually at the President’s Board, Audit and Risk Committee and Council with sign off at Council in July each year. An interim review of College risks will also be completed at the half year point to check on the trajectory of the risks and consider new themes – a brief summary will be submitted to the President’s Board.
The College will use risk data from several sources to inform the College risks, including information from the College wide risk cycle, from the risk owners, available quantitative or qualitative data available relating to specific risks and information from external sources and benchmarking. Management of College risks is a shared responsibility and will require support from College, Faculty and SID resources to implement an effective control environment.
Throughout the year, specific College risks will be discussed within meetings in the Risk Management Framework, for example, the Risk and Business Continuity Committee, Audit and Risk Committee and other specific Committees as appropriate. They may also form part of Faculty and Department discussions.
Horizon Scanning: Horizon scanning risks will be considered in line with the risk cycle bi-annually and updated formally during the annual College Risk review process.
4.6 Risk Management requirements
The College, Faculties, Schools, Institutes and Departments (SIDs) are encouraged to actively identify and manage significant risks to the successful implementation of their strategic and operational objectives, in turn supporting delivery of Imperial’s overall strategic aims.
This should include consideration and management of risks to our people and community, delivery of strategy, operating model, compliance with regulatory requirements and our reputation or values, with clear risk ownership, controls and timescales. This may include consideration of risks for large projects or initiatives, where appropriate.
Standard Higher Education risk categories are provided in our Risk Guidance here to help in identifying significant risk to your strategy and operations. Risks should be recorded in a formal Risk Register according to College process in the Risk Management System.
A number of Imperial policies require completion of a formal Risk Register or Risk Assessment. It is strongly advised and/or mandated for Risk Assessments to be completed in relation to these policies and activities. Examples of these are Health and Safety, Events, Travel, Safeguarding, Due Diligence, Data Privacy Impact Assessments, Security Questionnaires and Projects.
It is important that HODs/Managers ensure risk registers/assessments are completed and approved in line with respective policy requirements. Where the risks are deemed to be unacceptable, it is the responsibility of the Head of Department or Deanto stop the activity, or Imperial’s participation in the activity, or to manage the risks such that they are reduced to an acceptable level.
Spot checks on risk management process and risk registers will be undertaken periodically by Internal Audit or external Auditors for control environment assurance purposes. Any gaps identified will be reported to the risk owner and respective accountable owner for action.
Risk owners and control owners should be identified for each risk. The owners are responsible for ensuring the risk is managed appropriately and reviewed in line with the risk cycle.
Risk measurement should be informed by available qualitative and quantitative data and risk owners should assign risk likelihood, impact and tolerance values to each risk.
It is important to prioritise resources on significant risks to delivery of strategic objectives at College, Faculty and SID levels.
Opportunities to enhance strategic performance should be considered as part of the risk management process.
Risk tolerance and appetite:
Risks identified at Faculty and SID level will be managed within defined risk tolerance, set by the Faculty and/or Department Senior Management, with controls identified to ensure risks are managed within the set criteria. Risks scoring above tolerance will be escalated through the appropriate Department or Faculty management structures and the Head of Department or Dean will determine risk treatment and further inputs required.
Risks will be identified and managed at different levels across the College as per the Risk Management Framework and escalated to College level where devolved leadership and management is not possible or where management of the risk warrants centralised College input, awareness or support.
New and emerging risks will be considered and incorporated in to the bi-annual risk cycle at all levels. The Risk Management team will monitor external risks and sector risks and review external benchmarking sources periodically.
4.7 Developing our risk control environment
A key part of Risk Management is in developing risk treatment; guidance on options for risk treatment is provided under procedures. Developing risk mitigation through an appropriate and effective set of controls is a critical part of managing risk. When considering the control environment, we encourage consideration of the ‘three lines of defence’ approach to risk management, which promotes defining a suitable systems and processes (controls) delivered though a defined governance structure and reporting process. The three lines of defence model is provided at high level.
4.8 Risk Reporting and Communication
Improving College wide risk engagement and supporting transparency of risks is key to developing a risk aware culture. Communication is key, hence ownership and visibility at multiple levels in the College. It is important to define a clear process for risk reporting in support of our Risk Management Framework and promote effective risk management.
Risk reports providing an overview of College risks, risk related activities and insights, Faculty and Department risk trends and emerging risks will be provided to the Faculties and Departments, the Risk and Business Continuity Committee and the Audit and Risk Committee in line with the bi-annual risk cycle. Faculties, Departments, Schools and Institutes are encouraged to provide feedback on the reports to support continuous improvement.
Risk deep dive reports will be completed bi-annually and reported to the relevant function/ areas and specific Committees and the Risk and Business Continuity Committee. Deep dive reports will be shared with the Audit and Risk Committee if appropriate and aligned with specific risk based discussions.
College Risks will be reported annually to the Risk and Business Continuity Committee, the President’s Board, the Audit and Risk Committee and Council.
An Annual Risk Report will be provided to the Audit and Risk Committee providing evidenced risk assurance across risk management activities throughout the year in line with Office for Students annual statutory requirements.
Any useful risk insights or information on College related topics will be shared throughout the year.
The Risk Team will actively communicate risk information and work with Departments in support of improving their approach to risk management and reporting.
4.9 Supporting a positive risk culture and capability
The Council, President and Provost are responsible for setting the risk culture of the College. This is achieved by communicating the importance to staff of identifying, assessing, managing and reviewing risks as part of their decision making and promoting good risk management practice in College activities.
Departments will nominate individuals to support Risk Management in their Department, or Service area, and contribute to a Risk Network across the College. Training support will be provided from the Risk Management Team as required.
Heads of Department and Department Operating Managers should encourage interactive risk discussions to identify and discuss risks and opportunities and their impacts proactively within existing management structures and committees where possible, supported by 1:1 discussion and engagement with the risk team, as needed.
The risk team will support a risk based culture by:
- promoting effective risk management as an integral part of supporting Imperial values.
- providing and supporting risk management training and awareness at a basic level or specialist level, subject to a role based assessment.
- providing staff with the tools and methodologies needed to ensure they are equipped to identify, assess and manage risks.
- Facilitation of risk workshops /discussions for significant risks and/or deep dive analyses where appropriate.
The Risk Team are available to offer advice and guidance on any aspect of risk management in support of Imperial’s strategy.
Risk insights and College risk information will be shared during each cycle to support Department and Faculty consideration of risks and how they may relate to different operating contexts.
All staff are responsible for supporting a proactive risk culture throughout Imperial and ensuring the expectations of the risk policy are upheld and supported throughout relevant activities.
Externally, in line with Higher Education requirements, Imperial College is required to manage risks in line with standards from the Office for Students, regulatory requirements specific to our activities and operations and the requirements of our donors and grant awarding bodies. Our Risk Management process aligns with advice from several best practice sources including ISO31000 and IRM guidance.
Internally, we must work within the parameters of our own governance and policy frameworks.
4.11 Communication and questions
If you have any questions or concerns relating to Risk Management or adherence to the Risk Policy, please contact the risk team in the first instance at firstname.lastname@example.org.
Updated May 2021 next review September 2022