Internal Control Framework

The College’s Internal Control Framework supports the delivery of its strategy and compliance with its regulatory objectives. The objectives are to:

  • manage risks which impact the achievement of the College’s objectives;
  • safeguard the assets for which Council are responsible;
  • ensure that liabilities are recorded and managed effectively;
  • prevent and detect corruption, fraud, bribery and other irregularities.

It is designed to manage rather than eliminate the risk of failure to achieve the College’s objectives and can only provide reasonable, and not absolute, assurance against material misstatement or loss.

Council is responsible for determining and monitoring the adequacy of the system of internal control. It delegates authority to the  Audit and Risk Committee and receives regular updates from them throughout the year. The Audit and Risk Committee meets four times a year to review ‘deep dives’ into different risks and controls conducted by the Internal Audit team and track progress on improvement actions. The role of the Committee is to assure Council that the systems in place are robust and the risk owners are capable.

KPMG, as the College’s internal auditors, judged that significant assurance could be taken on the overall adequacy and effectiveness of the College’s framework of governance, risk management and control for the period 1 August 2020 to 31 July 2021 with only minor improvements needed. The Council consider there were no significant internal control weaknesses requiring disclosure.

PwC, as the College’s external auditors, also consider internal controls relevant to the preparation of the financial statements. The audit is not designed to identify all internal control deficiencies but will report any significant deficiencies if required. There were no significant control weaknesses identified.

The College’s Risk Management Framework is designed to support the College strategy to deliver its academic mission and comply with all its regulatory obligations. It adopts the three lines of defence model as an integral part of its framework to manage risk.

The Audit and Risk Committee regularly reviews the College’s strategic risk dashboard which summarises the high-level risks the College faces and the likely impact with and without mitigation. The discussion on the key risks at Audit and Risk Committee and, more generally, at President’s Board and Provosts’ Board, are valuable and thought-provoking. In particular, around questions of what risks have we missed and what are the unintended consequences of the controls we have put in place especially with regard to other risks.

Our response to the COVID-19 pandemic is an excellent example of the value of these conversations. Like most institutions, this was not a risk that we had directly planned for. However, we had spent time reviewing our response to business continuity more generally, including designing a crisis response structure and testing this via several table-top exercises. This stood us in good stead when the crisis struck, and we needed to move rapidly online whilst continuing our essential COVID-related research.

Our actual response also taught us a great deal about the strengths and weaknesses of our crisis-response structure especially when asked to operate for long periods of time under conditions of great stress. There were lessons learned and change implemented about: frequency and clarity of communication; how to manage the trade-off between inclusive and rapid decision making; the need to rotate crisis leadership to avoid burn-out.

The issue of overlapping and conflicting controls tends to arise mainly when resources are limited. For instance, the need to improve regulatory compliance can lead to additional strain on staff heightening the risk around employee retention. Managing these trade-offs requires careful thought, for instance by designing reporting processes that are quick  and easy to use.

Line of defence and responsibilities

First line of defence

The first line of defence lies with the faculties, schools, institutes, departments and process owners whose activities create and manage the risks that can facilitate or prevent the College’s objectives from being achieved. This includes taking the right risks. The first line owns the risk, and the design and execution of the College’s controls to respond to those risks.

Second line of defence

The second line of defence is responsible for the design and maintenance of frameworks, polices, procedures and instructions that support risk and compliance to be managed in the first line. It is also responsible for monitoring and judging how effectively the first line are doing it and is more commonly referred to as functional oversight. The second line is directed by management.

Third line of defence

The third line of defence is independent assurance that management operate an effective framework of controls to manage risk and that governance is appropriate around management of risk. The third line is directed by the Audit and Risk Committee and has organisational independence from management.

Strategic Risk Dashboard

Our current risks in the Strategic Risk Dashboard and our approach to responding to them are described below. At the May 2021 Audit and Risk Committee meeting, the updated College principal risks were reviewed and approved and subsequently shared with Council.

It is worth noting the absence of two items from this latest version: Brexit and USS Pensions. The impact of the UK leaving the EU is clearly being felt in everything from reduced access to research funds to more complicated supply chains, but now that the risk has materialised the focus has shifted to mitigation and control by function.

The recent negotiations around reforms to the USS pension were an example of the difficulties and cost of trying to manage long-term risk. We are pleased that the agreed changes will put USS on a firmer footing for the future and recognise the importance of a reliable pension as part of the College’s total remuneration package.

Strategic Risk Dashboard

Financial sustainability

We are unable to generate sufficient funds, both short-term and long-term, to maintain our position as a world-class academic institution. This includes both generating sufficient income to fund attractive salaries and sufficient unfettered cash flow to support our capital expenditure programme.

Risk management approach

Work had already started prior to the crisis to improve the operating cashflow of the university through both reducing costs and increasing revenue. We remain on track to meet our cash flow targets date despite the impact of COVID-19 due to continued strong demand for our courses.

Given the growth in student numbers even during the pandemic the emphasis is now shifting to cost management, in particular ensuring that we get the balance right in how much we invest in staff costs.

We continue to lobby relevant external bodies so that they are aware of the impact that changes in our operating environment might have, for example student numbers, tuition fee rates, pension contributions and research funding.

Income diversification

We remain over-reliant on the fees generated by international students and postgraduate courses to fund the shortfalls in our research funding and our capital programme.

Risk management approach

This remains a key risk for the university. We are still not resilient enough to deal with a major drop in demand from foreign students. Ironically, the College’s strong financial response during pandemic has exacerbated this risk as the rapid growth in student numbers has decreased our other revenue as a percentage of total revenues.

The Advancement division is focused on increasing philanthropy through its systematic approach to building relationships with alumni and other potential donors. The Related Ventures portfolio continues to market our commercial real estate, against adverse market conditions, and the Enterprise division our Intellectual Property. Whilst the pandemic has led to a decrease in income in the short-term, this is expected to bounce back as the economy returns to normal.


We fail to optimise financial and resource investment in physical infrastructure, particularly with our commitment to carbon neutrality by 2040.

Risk management approach

Capital projects largely continued through the crisis. Our infrastructure has continued to be maintained and our key worker teams and suppliers have continued to work on campuses throughout the series of lockdowns to support maintenance and critical COVID-19 research activities. The sale of the Medical School building at St Mary’s and our commitment to reinvest the proceeds to provide upgraded facilities demonstrate our commitment to the capital programme.

To help manage this risk and determine the investment requirement, Council have broadened the remit of the White City Syndicate to that of a Property Committee overseeing the College’s strategy for all of its estate. The College is working with the Property Committee and the Finance Committee on an overall property strategy which is due to be reviewed at a Council Away Day in February 2022.

Education and student experience

We fail to innovate and improve the quality of our education.

We fail to support our students’ wellbeing and quality of their experience.

These could impact our reputation for excellence and ability to recruit the best students, impacting our competitive position and ability to meet our regulatory requirements.

Risk management approach

The mixed-mode education model and the need for us to deliver a positive student experience in the context of the pandemic has continued through this academic year, with mixed-mode education extending into the 2021–22 academic year. The crisis has provided an opportunity for us to introduce changes and improvements much more rapidly than in normal years and we were pleased to see our NSS ranking increase to 15th – an improvement of 80 places on the previous year.

We have invested significantly in new recording studios at South Kensington to improve the quality of our online teaching and in new flipped classrooms for the Business School in our ScaleSpace joint venture at White City to improve our face-to-face teaching. We have also invested in our academic and learning and teaching staff to support delivery of our mixed-mode education model.

Student recruitment and widening participation

We fail to attract a share of the best international students from diverse markets.
We fail to increase our pool of home students from disadvantaged or under-represented backgrounds, risking intervention from the Office for Students and reputational damage.

Risk management approach

One of our initial actions at the beginning of the pandemic was to establish an Immediate Marketing Group with a remit to adopt a more proactive approach to attracting the best students from around the world.

We have created a new Marketing, Recruitment and Admissions team to oversee the development and delivery of our global, integrated programme of marketing, student recruitment and admissions strategies, in collaboration with the faculties. Key priorities will be international diversification, strengthened candidate engagement and technological innovations.

We can and will do more about diversity. Current initiatives include outreach activities, mentoring programmes, The Invention Rooms at White City and an assessment of Race Equality at Imperial.

Managing our people

Our approach to pay and benefits and culture, including addressing diversity and inclusion, reduce our ability to recruit and retain high calibre staff.

The pandemic has introduced the additional complexity of staff’s increased desire for flexible working.

Risk management approach

We have recently completed a benchmarking exercise of academic pay and have introduced a new set of pay scales for teaching staff. We are rolling out modifications to our approach to ensuring equity in pay and recognition of achievement and arein the midst of reviewing our approach to pay for our Professional, Technical and Operational staff.

We have established the ‘Working Together Task Group’ with a specific focus on listening to our community and delivering concrete proposals that will help set the conditions for a positive working environment and culture for our staff and students. The task group aims to complement areas of review already under way.

Once national pandemic restrictions were lifted, we implemented our plan for the return to campus, with some staff requesting a move to  more flexible working arrangements. The ‘Return to Campus Working Group’ has been chaired by senior leadership with objectives to draft  the roadmap for return and provide guidance for managers around  work location.

Transition to a new normal

We fail to deliver and/or derive targeted benefits and cost savings from strategic and operational transformation in support of the academic mission and cannot deliver the scale of improvements and change needed to improve the effectiveness and efficiency of our operating model.

Risk management approach

Our Professional and Academic Services transformation plans are being taken forward and proposals for a future operating model in advanced development.

Restructuring of some support services has been completed and building on lessons learnt from previous transformation initiatives is important in shaping our future operating model.


Our Research quality, volume and/or impact does not stay at its current level or fails to keep pace with our peer group. A key risk is the impact of the pandemic on businesses and their capacity to engage with us properly in this challenging context.

Risk management approach

We ensure we are competitive in hiring excellent academic staff and that we support a vibrant environment to facilitate creative research. Investment in physical infrastructure conducive to discovery and impact, including state-of-the-art laboratories, as well as support for research staff, PhD students and innovation, are key factors. We dedicate resource to building our entrepreneurial ecosystem and relationships with government and corporate partners.

Legal and regulatory compliance

We fail to follow our policies and procedures, or to develop policies and processes adequately to comply with legal and regulatory requirements. There will be greater notification requirements from introduction of the National Security & Investment Act later in 2021.

Risk management approach

We have established the Scrutiny Committee, which provides increased governance over this broad category of risks, and which provides a specific group to consider how we comply and refine our process to meet these new requirements.

We have recently appointed a Regulatory and Compliance Manager, whose role will be to build on the existing regulatory compliance framework adopting recommendations identified by internal audit.

NHS partnerships

Continuing pressure on NHS budgets, staffing and organisational changes leads to substantial weakening in the capability of College’s NHS Partner Trusts with consequent serious impact on the capability of the Faculty of Medicine.

Risk management approach

The Imperial College Academic Health Science Centre (AHSC) manages the key relationships between the College and its main acute NHS partners in north-west London. The Dean of the Faculty of Medicine is also a Director of the AHSC.

We closely monitor the potential for changes to the composition of NHS Trusts we are associated with, the NHS Bill trailed in the Queen’s Speech, changes to the Chair positions at AHSC and Imperial College Healthcare NHS Trust (ICHT) and other matters related to our relationship with NHS Trusts. The AHSC Partnership Board has been reinvigorated this year. The revised AHSC terms, which incorporated the Follett Principles, is working well and there are no requirements for formal bilateral agreements.

We also have arrangements in place to ensure appropriate provision of clinical training placements for our MBBS course with individual NHS Trusts.

Business disruption

A serious incident or event causes harm or loss of life to humans/animals or physical damage to College buildings, in addition to severely impacting continuity of our critical operations.

Risk management approach

We have continued to develop our expertise in managing the pandemic. The College uses a specialist third party provider to monitor planned events in proximity to campus to respond to possible threats from  activist groups.

Digital infrastructure

We fail to invest in digital infrastructure to a sufficient level, including its resilience and security, to support the future educational requirements and deliver the academic mission.

Risk management approach

Over the past twelve months, the pandemic has forced us to deliver tactical online solutions to address the immediacy of supporting a globally distributed teaching and learning model. The security of our IT systems and services is paramount as education and research services are accessed beyond traditional College boundaries.

Our COVID-19 research attracts significant external interest and extra measures have been put in place to protect the security of this valuable work. With cyber security as a key focus, resources allocated to ICT security have been increased more than three-fold as part of the ICT restructure completed in 2020. In addition, our ISO 27001 Security Management certification was renewed in February 2021. Information Security Awareness training for employees has remained a key priority for this year.

Staff and student safety

There is disruption to teaching, research and student experience from a further outbreak of COVID-19.

Risk management approach

The COVID-19 pandemic changed the health and safety priorities for the year predominantly providing a focus on support to COVID-19 research, remote working and wellbeing, and the faculty plans for returning to campus post-lockdown.

Guidance has been developed to clarify health and safety measures required for shared spaces and for ‘hybrid’ areas where control, responsibilities and the provision of services are shared between College departments.

The testing and contact tracing team have continued to monitor the spread of COVID-19 and its variants across the College community. This has been a valuable tool to inform the development of the College’s safety roadmap to contain the virus and facilitate a gradual and measured return to normal operations.

Read next

Financial review