Risk Strategy (under review, September 2021)
Paper by the Director of Risk Management
The Office for Students (OfS) defines risk as “the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objective.”
Imperial recognises that understanding the most significant risks to strategic and operational delivery will help to support informed decision making, our strategy and future sustainability.
Helping Imperial to realise and demonstrate the benefits of effective Risk Management is important to our people, our future as a world leading institution and to evidence that we are committed to meeting our regulatory commitments and providing the appropriate level of assurance to our funding bodies, donors and partners.
We are undergoing regulatory change within the Higher Education sector and this is likely to change the way we operate in the future. As we evolve, it is important that we continue to understand and manage risks to our strategy and operations in support of maintaining our world leading position. In developing our Risk Strategy, our approach and plans must be sufficiently agile to adapt to this changing global economic landscape and regulatory complexity. This will require us to adapt to an integrated Governance, Risk and Compliance approach.
We have reviewed and developed our approach to Risk Management in recent years and worked to understand where our gaps are, identifying opportunities to improve our approach.
Articulating a risk strategy will help us to respond to our dynamic operating environment and provide a route to iterate Risk Management in support of both a pre-emptive and reactive Risk Management framework, enabling us to find the right balance of risk, cost and value for Imperial.
This paper represents a first draft of our Risk Strategy for review and consideration. Given that Risk Management is our collective responsibility, it is imperative that we are comfortable with its strategic direction.
OUR RISK STRATEGY
Our Risk Management strategic priorities are defined within 6 core areas:
1. Strategy and Risk Appetite
2. Governance, Risk and Assurance
3. Risk culture and capability
4. Developing Risk Management practice and strengthening our control environment
5. Improving transparency and communication of risk insights
6. Building our organisational resilience
This Risk Strategy sets a clear direction and provides us with a platform to build our Risk Management framework in support of continuous improvement for Imperial. Our overarching goal is to ensure the right focus is placed on those risks that enable the College to deliver its strategy.
Risk Management is a shared responsibility and all areas of the College will contribute to identifying and managing risks to their Departmental, Faculty and overall College strategic objectives to support our commitment to strategic delivery, operational excellence and to meet our assurance requirements from the OfS and other regulatory bodies.
Our strategic risk priorities and supporting principles are:
1 Risk Strategy & Appetite
Supporting prioritisation and focus on the risks that enable the College, Faculties and Departments to deliver Imperial’s strategy within our risk appetite.
- We will ensure risks to delivery of Imperial’s strategic objectives are clearly understood, communicated across the College and reflected in our College risk profile.
- We will prioritise College risks and ensure these risks are managed effectively with an appropriate and effective control environment.
- Faculties and Departments are encouraged to actively manage risks to the successful implementation of their strategic objectives, in turn supporting delivery of Imperial’s overall strategic aims.
- We will identify and communicate significant risks to compliance with our Regulatory Environment, with clear risk ownership and accountability.
- We will ensure risks to our reputation are clear and mitigate risks impacting on Imperial values.
- We will develop our Risk Appetite for College Risks and work towards managing the risks within our appetite over time.
- As we develop our approach to Risk Management, we will consider both opportunities and threats in line with Office for Students guidance and risk best practice.
2 Governance, Risk and Compliance
Develop Risk Management governance across College to support a dynamic approach to Risk Management, creating improved integration of Governance, Risk and Compliance (GRC).
- We will review and simplify risk governance structures to support improved flow of information, quality discussion and appropriate mechanisms for risk escalation.
- We will create a governance structure that encourages two-way risk communication and engagement, simplifying the risk cycle to make it easier for staff to engage in Risk Management.
- Faculties will update their Faculty and Department risks bi-annually in March and September.
- The College will develop a risk framework with a clear risk policy, defined roles and responsibilities and simple guidance material, to support communities across College in meeting their Risk Management responsibilities and to clarify accountability for Risk Management across Imperial.
- Faculties and Departments will ensure roles and responsibilities for identification, management and escalation of risk are clear, in their areas of responsibility, and incorporate Risk Management into their normal management cycle.
- We will use risk data provided by Departments to inform our approach to College risk, linking bottom up and top-down risk perspectives.
- We will explore use of technology to provide more integrated analysis of risk across College.
- We will align with Risk Management best practice to keep pace with developments in Risk Management.
3 Risk culture and capability
Continue to work with stakeholders across the College to build risk awareness and engagement, supporting College wide risk ownership and improvement.
- Develop a common understanding of the College Risks and everyone’s contribution to managing them.
- Encourage Departments in managing their risks and developing their control environment, offering support where required.
- Provide risk insights and data to Faculties and Departments at least bi-annually to inform their planning and support risk benefits and improved use of risk management insights.
- Encourage interactive risk discussions to identify and discuss risks and their impacts proactively within existing management structures and committees, supported by 1:1 discussion as needed.
- Develop user friendly risk training and awareness tools using multiple channels.
- Improve the communication across risks and risk themed topics and increase transparency across College, promoting group activities and working on ‘live’ risk challenges to demonstrate a risk-based approach to problem solving.
- Seek risk perspectives from a range of stakeholders across the Imperial College community to continue to evolve and develop our approach and listen to emerging risks and themes.
- Build a Risk Network of individuals across College, with interest or expertise in Risk Management, to help with our risk control and evolution of our approach.
4 Developing Risk Management practice and strengthening our control environment
Improve our approach to risk identification, measurement, management, monitoring and assurance, enabled by appropriate technology.
- It is important to apply an appropriate balance of resource and investment to Risk Management. Recognising our resource capabilities, the following risk categories should be prioritised:
  - People (staff, students, children and visitors to Imperial): staff and student welfare, health, safety, security and child safeguarding.
  - Strategic delivery of Imperial’s strategy and associated Faculty and Departmental objectives.
  - Imperial’s reputation and ranking as a world leading organisation.
  - Financial sustainability: to support delivery of our core activities.
  - Legal and regulatory compliance: minimising our regulatory risk exposure.
- Faculties and Departments will manage their Risks in line with the Risk Management Policy, guidance and support, supporting control effectiveness in their areas of responsibility.
- The Risk team will focus on College Risks and on supporting the College-wide Risk Management governance, providing assurance that the process is operating effectively in line with OfS requirements.
- We will ensure our College Risk Profile captures the significant strategic and operational risks facing the College, as well as emerging risks in the sector.
- We will develop aggregate risk views and work in collaboration with risk owners and stakeholders to determine strategies to manage them, to avoid detriment to the College.
- Risk and Control owners will develop the control environment for College Risks, strengthening the controls where our level of risk is unacceptable or where controls are found to be ineffective. We will develop both gross and net risk views so we can understand the effectiveness of our risk controls.
- We will develop Key Risk Indicators linked to our strategic performance indicators to understand if our risks are improving over time.
- The risk team will periodically meet with Departments and Faculties to discuss risk direction and challenge their risks.
- Support good practice risk management for our capital plan, partnerships and investment portfolio.
- We will test and consider adoption of the three lines of defence methodology for College Risks to help to define gaps in our risk management approach.
5 Improving transparency and communication of risk insights
Improving College-wide risk engagement and supporting transparency of risks is critical in developing a risk aware culture. Communication is key, hence ownership and visibility at multiple levels in the College.
- Introduce new ways of reporting risk to facilitate deeper understanding of key challenges faced by the College and to provide decision support, adapting College wide risk reporting to yield increased usefulness to Faculties.
- Share risk insights between Departments and at Faculty level, improving flow of risk information across the College.
- Work with Risk Owners on risk deep dives to provide risk assurance and clear visibility of vulnerabilities and proposed risk mitigation plans.
- Work collaboratively on ‘live’ risk challenges to demonstrate a risk-based approach to problem solving and decision making.
- Introduce a termly horizon scanning process into our Risk Management process to bring external perspectives into Imperial.
- Explore use of risk technology to improve our risk analysis in a user-friendly way.
6 Building our organisational resilience
Our ability to effectively manage our operational risks is key to our strategic success and reputation. We will seek to increase our resilience capability and use effective risk management to support a pre-emptive risk management approach.
- Encourage Departments and Services College-wide to manage their risks proactively and develop controls, considering new and emerging risks from internal and external perspectives.
- Aim to move from a reactive to proactive risk and business continuity approach.
- Collaborate proactively with Communications, Business Continuity and Departments to support identification of risks to business interruption and their mitigation.
- Develop our approach to reputational risk management and ensure risks impacting our organisational values are understood and managed.
- Develop our Crisis and Incident Management capability and reporting.
Following approval of the principles within the Risk Strategy, a Risk Management Plan will be developed to underpin the Strategy and measurable deliverables will be defined, closely monitored and reported periodically through our risk governance structure.