Risk Management - an overview

What is Risk Management?

Risk Management is the name given to the process of identifying and planning for the risks of any major new project and of ongoing operational activities. This process is explained in the Finance Division's project guide. It is a HEFCE requirement that project appraisals should be put through this process. While the most obvious forms of risk that come to mind are financial, others, such as legal, environmental (in the broad sense), or reputational, should also be considered.

Risk management process

Risk identification involves producing a note of the risk items which might affect the outcome of any new project or initiative, or of ongoing operational activities. For new projects or initiatives, factors that may need to be taken into account include the accuracy of the budget and costings, the timetabling and the consequences of not meeting its deadlines, the recruitment of staff, and possible contractual issues. Other possibilities for consideration include the project's relationship to the existing infrastructure, and how it fits in with other existing projects which may relate to it.

Some of the questions that should be asked are:

  • Do the assumed requirements of the new project accurately reflect the needs which have been identified? Is the project larger than ever attempted before?
  • Are the costings accurate? What are the risks of overspend? Has funding been secured for the project, or is it to be part of a competitive application process?
  • Is the schedule/timetabling realistic? Is it very tight? What are the consequences of failing to meet the timetable?
  • If the new project involves staff, are the staff needed already available or do they have to be recruited? Are staff of the kind needed likely to be easy to recruit? Will timing of recruitment be an issue?
  • Are there issues relating to staff safety or other types of safety/security which need to be considered?
  • Are there contractual matters which might give rise to difficulty?
  • Will the new project have any impact on the existing infrastructure? Are there any separate but associated projects which need to be taken into account when planning and implementing the new project (especially any which may need to interface with it)?
  • Will any failure within the project lead to a loss of reputation for the University?

Similar questions need to be posed in regard to ongoing operational activities, where failure to take account of risks could pose a threat to the functioning of the institution.

Risk Analysis follows the identification of a potential risk. It is necessary to look at both the probability of the risk occurring and the impact if it were to occur, including its possible impact on the organization as a whole. A risk is scored against both probability factors and the level of potential impact, and the combined scores are used to give a measure of the overall risk posed. A risk can then be categorized as high, medium or low, and a strategy worked out accordingly, although in many cases it may not be necessary to devise one for the low risk items, which may simply be recorded.

There are six main ways of managing risks (Risk Control):

  • Avoidance – identifying and implementing alternative procedures or activities to eliminate the risk.
  • Contingency – having a pre-determined plan of action to come into force as and when the risk occurs.
  • Prevention – employing countermeasures to stop a problem from occurring or having impact on an organization.
  • Reduction – taking action to minimize either the likelihood of the risk developing, or its effects.
  • Transference – transferring the risk to a third party, for example with an insurance policy.
  • Acceptance – tolerating the risk when its likelihood and impact are relatively minor, or when it would be too expensive to mitigate it.

Disaster Recovery/Business Continuity Plan

Information or help which can be provided centrally is set out, where available, in the Disaster Recovery/Business Continuity Plan.

Useful links

The following is an explanation of the links on the side menu bar:

The Finance Division's Project Guide.

The HEFCE pages on risk management; briefing for governors and senior managers; guide to good practice; case studies; sample policy, and so on. Downloadable as Word or pdf files.