Assurance Framework relating to Risk Management
- Corporate governance
- Risk management policy
- System of internal control
- Roles and responsibilities
- Monitoring and review
- The audit of scrutiny and responsibility
- External audit
- Risk Management policy
Corporate governance
'Corporate Governance' is the system by which an organisation is directed and controlled at its most senior levels, in order to achieve its objectives and meet the necessary standards of accountability, probity, and openness. The requirement for improved corporate governance has increased significantly in recent years, following various reports, including the Turnbull report.
The University's Code of Corporate Governance includes the following statement: 'Governance involves defining policies and setting objectives, the setting of objectives for the securing of resources, the appointment of senior staff sufficient to meet the objectives and the monitoring of progress towards those objectives. Council members need to be satisfied that processes and procedures are in place which are sufficient, necessary and effective in running the business of the University. They do this by asking probing, searching questions and ensuring responses are sound, confident and consistent, rather than doing direct checking themselves.'
The HEFCE Accounts Direction to Higher Education institutions for 2006/07 makes the following statement in relation to corporate governance:
(i) Institutions are required to ensure that the following key principles of effective risk management have been applied.
Effective risk management:
- Covers all risks - governance, management, quality, reputational and financial - but is focused on the most important key risks;
- Produces a balanced portfolio of risk exposure;
- Is based on a clearly articulated policy and approach;
- Requires regular monitoring and review, giving rise to action where appropriate;
- Needs to be managed by an identified individual and involve the demonstrable commitment of senior governors, academics, and officers;
- Is integrated into normal business processes and aligned to the strategic objectives of the organisation.
(ii) Institutions are required to review at least annually the effectiveness of their system of internal control. In carrying out an assessment of the system it is suggested that institutions refer to the HEFCE guidance on risk management in the web-only publication 'Risk management in higher education: a guide to good practice' (HEFCE 2005/11) and the complementary publication 'Risk management - A guide to good practice for higher education institutions' (HEFCE 2001/28).
(iii) Institutions are required to include in their annual financial statements a statement on internal control (corporate governance). In formulating their disclosure statements on corporate governance it is recommended that institutions refer to best practice guidance, including from the Institute of Chartered Accountants in England and Wales and the framework given in the BUFDG guidance 'Corporate Governance in Higher Education'. As a minimum these disclosures should include an account of how the following broad principles of corporate governance have been applied:
- The identification and management of risk should be an ongoing process linked to the achievement of institutional objectives;
- The approach to internal control should be risk-based, including an evaluation of the likelihood and impact of risks becoming a reality; review procedures must cover business, operational and compliance as well as financial risk;
- Risk assessment and internal control should be embedded in ongoing operations;
- The governing body or relevant committee should receive regular reports during the year on internal control and risk;
- The principal results of risk identification, evaluation and management review should be reported to, and reviewed by, the governing body;
- The governing body acknowledges that it is responsible for ensuring that a sound system of control is maintained, and that it has reviewed the effectiveness of the above process;
- Where appropriate, set out details of actions taken or proposed, to deal with significant internal control issues.
(iv) In disclosing their policy on corporate governance it is recommended that institutions use the model disclosure notes included in the BUFDG guidance 'Corporate Governance in Higher Education' as the basis for their corporate governance statement. It is recognised that the model note may need to be adapted to more accurately reflect the different internal structures and systems in place in each individual institution.
Risk management policy
The public sector is being encouraged to adopt well-managed risk taking. Institutions such as this therefore need to have in place the skills, management arrangements, and organisational structures to take advantage of opportunities to do things better and to reduce the possibility of failing to achieve key objectives. The University's Risk Management Policy (set out in Annex A) defines the University's approach to risk and how risk management should be embedded into management processes to ensure that the key strategic risks are being effectively managed.
Risk management involves a planned and systematic approach to the identification, assessment and mitigation of the risks which could hinder the achievement of strategic objectives. It involves the following main steps:
- Identifying the key strategic risks that would prevent the achievement of objectives;
- Assigning ownership;
- Evaluating the significance of each risk;
- Assessing the University's risk appetite;
- Identifying suitable responses to each risk;
- Ensuring the internal control system helps manage the risk;
- Regular review.
(i) Risk identification
A strategic approach to risk management depends on identifying risks against key organisational objectives. The University's Corporate Plan for 2005/6 to 2009/10 sets out the key objectives on which the following risk management process is based. Operating within this framework helps to ensure a consistent approach across the organisation and enables a clear structure to be established.
(ii) Assigning ownership
Having identified the key strategic risks, it is necessary to allocate responsibility for managing them.
The risk identification process for this University is based on the major corporate strategic risks set out in the Strategic Risk Register (see Annex B). Where risks are delegated to named officers, those officers will be asked to make regular reports on the risks for which they are responsible. These statements will form part of the assurance that the Vice-Chancellor will draw upon in order to sign off the statement of internal control.
(iii) Evaluating the significance of each risk
The significance of each of the major strategic risks has been assessed by considering their probability and impact.
Because of the nature of the University's business, even though an activity might be assessed to carry a high probability and high impact risk, it may still be pursued. This does not negate the value of good risk management practice. The activity in question will require a monitoring and reviewing procedure commensurate with the level of risk.
Some risks will be connected to, or dependent upon, other risks. It is important to understand the relationship between risks so that they can be effectively prioritised. This process has led to the production of the Strategic Register, which will be kept under review.
(iv) Risk appetite
The main focus of private sector risk management is on maintaining and enhancing profitability. In contrast the public sector focuses on the fulfilment of objectives and delivery of a beneficial outcome in the public interest. It is recognised that risk taking is essential if public bodies are to innovate and improve. The National Audit Office and the Public Accounts Committee support well thought-through risk taking and innovation. This approach was also endorsed in the report by Richard Lambert on Business-University Collaboration issued in December 2003.
Bearing in mind that the University is a charitable body and in receipt of significant public funds, the Government's priorities and objectives have a significant impact on the University's risk appetite. The University needs to balance opportunities to innovate and improve with its responsibilities in terms of accountability, propriety, regularity, and value for money. It is involved in a wide range of activities so that it is not possible to define its risk appetite in absolute terms. In some areas it has to be risk averse, such as in matters of finance; in others it would be regarded as a risk taking University, for example in areas of new and ground-breaking research.
The University's risk appetite is reflected in its strategic objectives. It has considered its overall portfolio of risks to ensure, as far as possible, that the mix of risk remains tolerable and well-balanced.
(v) Responding to each risk
Having identified the key strategic risks, consideration has then been given to how they should be managed to reduce their probability or impact, should they occur.
It is essential to understand the interaction between the identified risk and mitigation. Two or more risks may be effectively controlled by a single mitigation. Alternatively, one risk may require several mitigations to be in place to ensure it is effectively managed.
System of internal control
A control is any action or procedure performed by management to increase the likelihood of activities achieving their objectives. In other words, control is a response to risk, either to contain the risk to an acceptable level or to increase the likelihood of a desirable outcome.
A system of internal control provides a framework for all processes and activities designed to give reasonable assurance regarding achievement of objectives. Such systems should be designed to manage, rather than eliminate, the risk of failure. Controls are often broken down into three categories:
- Operational controls: relating to the effective and efficient use of resources;
- Financial controls: relating to the proper management and oversight of the organisation's finances, leading to the preparation of reliable published financial statements;
- Compliance controls: relating to compliance with applicable laws, regulations and codes of practice.
Roles and responsibilities
(i) The Vice-Chancellor
As Accounting Officer, the Vice-Chancellor remains ultimately accountable for the organisation and its management of risk. He/she must:
- Have a clear understanding and assessment of the risks that could prevent delivery of objectives;
- Ensure that the organisation has effective risk management and control processes;
- Be provided with assurance that the processes and the key strategic risks are being effectively managed.
He/she will require these assurances in order to sign off the statement of internal control.
(ii) Council
Council has a fundamental role in the management of risk which includes:
- Receipt of an annual opinion from the Audit and Scrutiny Committee that will include its review of the processes of risk management and internal control;
- Consideration of risk issues as they affect Council decisions (where appropriate all Council papers will include a discussion of the impact on the key strategic risks);
- Reviewing key strategic risks that will be analysed alongside the Corporate Plan;
- Periodically reviewing risks as part of the monitoring of the annual operating plans.
Senior Officers who have designated responsibility for managing specific risks will be asked to provide regular reports to the General Purposes Committee of Council and to Council where appropriate.
(iii) General Purposes Committee of Council
The committee's remit includes both consideration of policy on issues or activities that are university-wide and transcend the remit of the other main committees of Council or other specialist committees, and monitoring of the University's governance arrangements; as such it considers policy issues relating to risk management prior to submission to Council. It was agreed by Council in December 2004 that the committee should take over formal responsibility for strategic issues relating to risk management and that the Risk Management Committee be abolished.
(iv) Risk and accountability co-ordinator
The secretary of the General Purposes Committee acts as the risk and accountability co-ordinator responsible for:
- Facilitating the identification of key strategic risks and control mechanisms;
- Co-ordinating Council's arrangements for risk management;
- Promoting risk awareness and skill in assessment and reporting.
(v) All employees
All staff should be aware of, and understand, the assurance framework, the policies on risk and how these apply to their own roles and responsibilities. In particular, senior staff need to understand and manage the risks relating to their activities and the impact on the University's key strategic risks.
Monitoring and review
(i) Because risk management is explicitly linked to the achievement of objectives, reporting will be embedded within the regular processes for reporting on the University's operating performance. The Strategic Risk Register (Annex B) will be reviewed by the General Purposes Committee of Council on a termly basis and reports will be made to Council by the committee at least twice each year.
(ii) Other mechanisms for gaining assurance
The Vice-Chancellor, as the University's Accounting Officer, is responsible for ensuring that an effective system of internal control is maintained and operated by the University. While such a system can only provide reasonable and not absolute assurance that risks are appropriately managed, it should be based on a framework of regular management information, administrative procedures including segregation of duties, and a system of delegation and responsibility.
The role of internal audit is to provide an opinion to the Accounting Officer on the effectiveness of corporate governance, risk management and internal control. The work required to provide such an opinion will be reduced by having effective risk management arrangements.
The Accounting Officer is also ultimately responsible for ensuring that the University's internal audit service accords with the objectives and standards outlined in the HEFCE Audit Code of Practice, which specifically includes an analysis of risk.
The audit of scrutiny and responsibility
The main purpose of the Audit and Scrutiny Committee is to give advice to the Vice-Chancellor and Council on the adequacy of audit arrangements and on the implications of assurances provided in respect of risk and control in the University. It also provides a view on the adequacy of value for money (VFM) arrangements.
The duties of the Audit and Scrutiny Committee as set out in the University's Statutes and Regulations are to:
(1) Call for any investigation that it considers necessary and to call any individual or call for any document or documents relevant to any such investigation that it considers necessary;
(2) Receive regular reports from the Value for Money Committee regarding satisfactory arrangements in place to promote economy, efficiency and effectiveness;
(3) Receive any relevant reports from the National Audit Office, HEFCE and other organisations;
(4) Receive the minutes and annual internal audit programme of the Oxford University Press Audit Committee as well as regular reports from the chairman of that committee; consider any matters arising out of those minutes or reports which are of concern to the Audit Committee of the University and ask for further investigation and reporting as necessary;
(5) Receive an annual report from the Oxford University Press Audit Committee in preparation for the drafting of the Annual Report of the Audit Committee of the University for submission to Council and Congregation;
(6) Receive and consider requests for internal audit reviews submitted by twenty or more members of Congregation via the Proctors and Assessor;
(7) Keep under review the effectiveness of the risk management, control and governance arrangements, including reviewing the external auditors' management letter, the internal auditors' annual report, and all management responses;
(8) Undertake audit reviews, including project reviews, at the request of Council;
(9) Oversee the institution's policy on fraud and irregularity, including being notified of any action taken under that policy;
(10) Satisfy itself (a) as to the proper use and control of the public funds transferred from the University to the colleges and (b) that appropriate arrangements are in place concerning the delivery of value for money in relation to those funds; and report annually on these matters to Council;
(11) Review the internal auditors' audit risk assessment, strategy and audit plan; consider major findings of internal audit investigations and the management responses; and promote co-ordination between the internal and external auditors, ensuring that the resources made available for internal audit are sufficient to meet the institution's needs;
(12) Monitor the implementation of agreed audit-based recommendations, from whatever source;
(13) Ensure that all significant losses have been properly investigated and that the internal and external auditors, and where appropriate the HEFCE accounting officer, have been informed;
(14) Consider and recommend to Council the appointment of the external auditors, the audit fee, the provision of any non-audit services by the external auditors and any questions of resignation or dismissal of the external auditors;
(15) Agree with the external auditors, before the audit begins, the nature and scope of the audit;
(16) Discuss with the external auditors problems and reservations arising from the interim and final audits, including a review of the management letter incorporating management responses, and any other matters the external or internal auditors may wish to discuss (in the absence of management where necessary);
(17) Consider and decide on the appointment and terms of engagement of the internal audit service (and the head of internal audit, if applicable), the audit fee, the provision of any non-audit services by the internal auditors and any questions of resignation or dismissal of the internal auditors;
(18) Monitor annually the performance and effectiveness of external and internal auditors, including any matters affecting their objectivity, and to make recommendations to Council concerning their reappointment, where appropriate;
(19) Consider the annual financial statements in the presence of the external auditors, including the auditors' formal opinion, the statement of members' responsibilities and the statement of internal control, in accordance with HEFCE's Accounts Directions;
(20) Report annually to Council and thereafter to Congregation on activity for the year, drawing attention to significant issues and providing the committee's opinion on the adequacy and effectiveness of the institution's arrangements for the following:
(a) Risk management, control and governance (the risk management element includes the accuracy of the statement of internal control included with the annual statement of accounts);
(b) Economy, efficiency and effectiveness (Value for Money);
(21) Request to Council that any matter, which in the view of the committee merits special and immediate consideration, be brought to Congregation's attention at any time during the academic year;
(22) Publish on the Oxford intranet within one month of acceptance by the committee the full opinion in each internal audit report, including reports produced under sub-section (6) or the summary produced on why such a requested review is considered unnecessary, save for the opinion in any report that the committee considers requires immediate reference to Council;
(23) The full report of any internal audit review, except any report referred to Council, will be available for consultation by arrangement with the secretary of the committee.
External audit
It is the responsibility of external audit to provide an annual opinion as to whether the financial statements of the University give a true and fair view and are properly prepared in accordance with HEFCE guidance. This opinion covers the question of whether, in all material respects, the expenditure and income of the University have been applied to the purposes for which they were intended. This will involve reviewing the University's processes and systems of control. These systems of control will include the effectiveness and efficiency of the internal audit function and the comprehensiveness of the University's risk management framework.
The risk environment of any organisation is constantly changing and developing. Therefore the priorities of objectives and the consequent importance of risks will also change. The risk management process is dynamic and ongoing and must therefore involve periodic review of risks and the consequent adjustment of the control responses.
Risk Management policy
At its meeting on 11 March 2002, Council agreed the policy set out below in relation to risk management and assessment. [This has been updated to take account of Council’s decision in 2004 to abolish the Risk Management Committee].
The University of Oxford follows and adopts best practice in the identification, evaluation and control of risks to ensure that, as far as is reasonably practical, risks are eliminated or reduced to an acceptable level. Although it is acknowledged that risks exist and can never be eliminated, it is important that all staff are aware of the nature of risk and the types of risks associated with their area of work. Senior staff accept responsibility for dealing with risks in their areas. Senior management provide support and assistance in the risk assessment and evaluation process.
The University's objectives in relation to risk management are:
- To integrate risk management into the culture of the University;
- To manage risk in accordance with best practice;
- To consider legal compliance as a minimum standard;
- To anticipate and respond, wherever possible, to changing social, environmental and legislative requirements;
- To raise awareness of the need for risk management.
Achievement of these objectives requires:
- Ongoing work by the General Purposes Committee of Council;
- Action to demonstrate the application of risk management principles;
- The provision of risk management and risk assessment awareness training;
- The codification of documented procedures for the control of risk and the provision of suitable information, training and supervision. These will include appropriate incident reporting and recording systems, with investigatory procedures to establish cause and prevent recurrence, and contingency plans in areas where there is potential for an occurrence having a catastrophic effect on the activities of the University;
- Effective communication with, and the active involvement of, all members of staff;
- The establishment of monitoring arrangements and appropriate review procedures.
The General Purposes Committee of Council is responsible to Council for identifying strategic risks across the whole University range of activities, for prioritisation of those risks, for the development of a risk management strategy, and ensuring the implementation and operation of that strategy.