Uniac - April 2025

Virtual Brochure – March 2025
HE Updates Virtual Brochure – April 2025

Introduction to Uniac

Who we are
Uniac has been providing assurance services to the UK Higher Education sector for over 30 years and delivers fully outsourced internal audit services to 25 UK Higher Education Institutions and co-sourced support to several others. Our members and clients range from large metropolitan universities to research intensives and specialist providers.

Our purpose
We deliver expert-led assurance and advice for Higher Education.

Our mission
To support the effective and efficient delivery of Higher Education through innovative expert-led assurance and advice. Using our surplus to re-invest in our people, services, benchmarking and thought leadership, enabling the sector’s economic and social impact.

Our vision
To be the most trusted and sought-after provider of internal audit, assurance and regulatory support for UK Higher Education. Renowned for our exceptional sector knowledge, benchmarking and insight.

CEO’s Foreword
“Working with such a large and diverse portfolio of Higher Education Institutions enables us to provide unique insight on the sector risk landscape, which we share through a regular series of briefing notes. This brochure provides a round-up of our most recent publications. If your Governing Body or Senior Leadership Team would welcome a presentation on any of these briefings, please do get in touch.” - Jane Forbes

In this issue
01. A European View on the Risk Environment: An Analysis for UK Higher Education
02. Risk Register Analysis
03. Modern Slavery Act 2015
04. Risk Management
05. Corporate Governance Failures in Accountability and Ethical Decision Making
06. Asset Management

Our Services
The higher education sector is vast and diverse. Here are some of the key areas where we support our clients:
• Risk Management and Assurance Mapping
• Financial Systems and Processes
• Student Experience and Supporting Processes
• Digital and Digital Transformation
• Cyber and Information Governance
• Fraud Prevention, Detection, and Investigation
• OfS Conditions of Registration
• Regulatory Data Returns
• UK Visas and Immigration
• Research and Enterprise
• Universities UK Accommodation Code of Practice
• Academic Governance
• Programme and Project Assurance
• Equality, Diversity and Inclusion
• Competition and Markets Authority Compliance
• Governance
• Sustainability
• Marketing
• Value for Money
• Grant Audit and Grant Record Keeping
• Apprenticeship Delivery
• Estates

1. A European View on the Risk Environment: An Analysis for UK Higher Education

Executive summary
As the UK’s leading provider of internal audit and assurance services for higher education (HE), we support institutions in managing risks effectively to facilitate strategic ambitions and comply with legal and regulatory requirements. A key contribution to this is our annual insight briefing about how European businesses are thinking about strategic risks and how this compares with the UK HE sector. This provides HE institutions with an external perspective on core risks and mitigation strategies to inform their own risk management assessment and practice. It is also a companion piece to Uniac’s annual HE risk register briefing. We hope that this will be of interest to HE leaders and non-executives, as well as HE risk professionals, and will provide a useful input to debate about strategic risks, risk management and shaping future assurance activity.

Our analysis uses the European Confederation of Institutes of Internal Auditing (ECIIA) 2025 Risk In Focus report as its basis. The ECIIA report draws on a wide-ranging survey of just under 1,000 Chief Audit Executives (CAEs) from multiple business sectors across 20 European countries, as well as roundtable discussions.

This briefing provides:
• a summary of the most significant current and future business risks as rated by CAEs working across a broad range of sectors, including financial services, technology, healthcare, consumer and retail, and leisure and hospitality (section 1);
• our commentary on the highest ranked risk areas and areas of increasing risk in a UK HE context, with questions for senior leaders and audit committees (section 2); and
• a comparative analysis of internal audit effort relative to the top risk areas and commentary on changing internal audit practice (section 3).

Overall, this year’s analysis outlines a risk assessment that appears relatively consistent with the previous year. This follows a period of rapid and substantive changes in strategic risk priorities as a consequence of changes in working practices following the pandemic, rising inflation and energy costs, and increasing global instability. Notably, in comparison with the UK HE sector, overall financial liquidity and insolvency risks are reported to be stable.

Against this backdrop, one escalating risk stands out: AI and digital disruption. This is reported to be the fastest rising risk area, becoming the third most significant strategic risk for businesses. The pervasive impact of AI also means that it is identified as a key driver of risks in other areas, particularly in relation to cybersecurity and human capital.

More broadly, the operating environment for businesses continues to be volatile, characterised by high levels of geopolitical, financial, digital, and environmental uncertainties. The ECIIA observes that having an integrated approach to “strategy, risk management and skills” will likely differentiate successful organisations from competitors, enabling them to respond rapidly and decisively to threats and opportunities. It also cautions that in too many businesses, risk management still appears peripheral to strategic decision-making rather than at its centre.

Our headline observations on strategic risks are:

Cyber Security
Cybersecurity continues to be rated as the most significant risk across all business sectors. Organisations expect this to remain the case for the foreseeable future. Businesses particularly highlight increases in targeted phishing and AI-generated deep fake attacks and raise growing concerns about the adequacy of security controls at suppliers. We encourage institutions to ensure that new forms of cyberattacks are addressed in systems testing and employee training, and that cybersecurity at suppliers and partners is regularly tested and assurances received.

Human capital, diversity, and talent management
Human capital, diversity, and talent management remains the second highest ranked risk, with businesses expecting it to remain significant in the medium term. The ECIIA report highlights a growing challenge of effective workforce planning and a general trend towards faster staff turnover. Businesses are concerned about access to digital skills, upskilling their workforce to enable effective use of AI, and the continuing challenges of meeting expectations around work-life balance. We encourage institutions to ensure that needs for AI and other emerging digital skills are identified and embedded in recruitment and training strategies. Institutions may also want to test that onboarding, induction and exit processes are efficient and effective, and that business continuity plans are revised to take account of changing personnel and organisational structures.

Macroeconomic and geopolitical uncertainty
Overall, businesses continue to rate the risks of disruption from macroeconomic and geopolitical events highly, citing conflict in Ukraine and the Middle East, escalating risks of hostilities elsewhere, and growing risks from the deliberate undermining of supply chains by foreign actors. We encourage all institutions to produce an annual report on security risks and adopt good practice developed by UUK, to draw upon a wide range of expertise to inform scenario planning, and to regularly review and test business continuity plans.

Digital disruption, new technology and Artificial Intelligence (AI)
Digital disruption, new technology and AI is the fastest increasing risk in this year’s report, with businesses predicting that this will be their second most significant risk area by 2028. The ECIIA emphasises the necessity of organisations having a clear strategy and effective governance and change management to ensure that the adoption of AI is joined up, secure, and efficient. As highlighted in our report last year, there is a pressing need for all institutions to have clarity about how they intend to use AI and about how this is governed and managed in a coordinated way. We also encourage institutions to discuss and document AI risks (both opportunities and threats), including those which may emerge from partners, suppliers, and competitors.

Climate change and environmental sustainability
Risks around climate change and environmental sustainability continue to edge up the ranking of strategic concerns year-on-year. Businesses highlight growing risks to their buildings, infrastructure and suppliers. This is prompting greater demand for weather modelling data to forecast likely impacts and develop contingency plans. We encourage institutions to ensure that climate risks are appropriately reflected in strategic planning, risk management and contingency planning. Institutions should also seek assurance on the adequacy and coverage of metrics chosen to quantify risks and assess the effectiveness of mitigating actions.

The final section of our briefing analyses European businesses’ views about where internal audit effort is invested compared to strategic risk priorities. The picture here is similar to last year, with a strong assurance focus on cybersecurity, compliance with changing laws and regulations (particularly EU legislation on sustainability reporting and cybersecurity), and business continuity management. Uniac’s analysis of its programme of activity across the ECIIA risk themes shows notable increases in assurance effort in HE around cyber and data security and human capital risks.

Uniac offers comprehensive audit and assurance services on all elements of risk covered in this briefing, as well as addressing the specific needs and risk profiles of HE institutions. If you would like further information on how we can help your institution with internal audit and assurance services, please get in touch.

Helen Thorne
Senior Audit and Assurance Consultant
Email: hthorme@uniac.co.uk
www.uniac.co.uk

Key risk trends
Our analysis at Table 1 below looks at how the collective views of Chief Audit Executives (CAEs) on their top five strategic risks have changed, or may change, over time. At a very high level, this describes a broadly similar risk landscape to last year. Across multiple business sectors and organisations there are consistent views about the most significant strategic risks, and the relative ranking of these is largely unchanged. The notable exception is risks attributable to digital disruption, new technology and especially AI, which show the largest increase in ranking this year and which are expected to increase substantially over the next three years.

Table 1

Rank | Risk Area | 2025 (% rating risk as top 5) | 2024 (% rating risk as top 5) | 2023 (% rating risk as top 5) | Diff 24-25 | 3 year trend (22-24) | Likely priority in 2027
1 | Cybersecurity and data security | 83% | 84% | 82% | -1 ppt | |
2 | Human capital, diversity, and talent management | 52% | 58% | 50% | -6 ppt | |
3 | Changes in laws and regulations | 46% | 43% | 44% | +3 ppt | |
4 | Digital disruption, new technology, and AI | 40% | 33% | 38% | +7 ppt | |
5 | Macroeconomic and geopolitical uncertainty | 39% | 43% | 46% | -4 ppt | |
6 | Climate change and environmental sustainability | 33% | 31% | 38% | +2 ppt | |
7 | Business continuity, crisis management, disaster response | 33% | 35% | 36% | -2 ppt | |
8 | Market changes, competition and changing consumer behaviour | 32% | 30% | – | +2 ppt | |
9 | Supply chain, outsourcing, “nth” party risk | 28% | 30% | -34% | -2 ppt | |
10 | Financial, liquidity and insolvency risks | 27% | 26% | 28% | +1 ppt | |

Commentary on significant and increasing risks
In this section we delve into what businesses are identifying as the key drivers and mitigation strategies across the top six areas of risk and consider what insights UK HE could learn and adopt from this. Our analysis covers: cybersecurity; human capital; changes in laws and regulations; digital disruption and AI; macroeconomic and geopolitical uncertainty; and environmental sustainability.

1.1 Cybersecurity and data security
-1 ppt compared to 2024

It’s no surprise that cybersecurity continues to be the top rated strategic risk for the majority of European businesses and organisations covered by the ECIIA survey. Respondents expect this to remain the case in five years’ time, although the overall percentage ranking this as their top risk is anticipated to decline. The report highlights a large increase in sophisticated phishing attacks, hybrid attacks, and the emergence of AI-generated deepfake attacks over the last 12 months. Additionally, businesses highlight growing concerns about security vulnerabilities at suppliers and partners and the imperative of evidencing the adequacy of security controls at third parties, rather than taking this on trust.

While having robust incident management, disaster recovery and business continuity plans, and testing these, are considered to be essential controls for businesses, the report identifies an increased emphasis on strengthening identity and access management across the employee lifecycle, the greater use of analytics to identify potential weaknesses, and the increasing use of AI-powered defence tools.

Considerations for HE
Government statistics on cybersecurity breaches 1 for 2024 suggest that 97% of HE institutions were subject to an attack in the last year. Of those surveyed, 100% reported phishing attacks and 90% impersonation attacks. Perhaps surprisingly, 27% reported unauthorised access by staff, higher than unauthorised access by outsiders (20%). While 97% reported that they have identity and access management in place, the incident data questions the effectiveness of controls. Additionally, only 58% reported that they monitor supply chain cyber risks.

We encourage institutions to discuss:
- Does your governing body and audit committee membership have sufficient understanding of cyber risks and industry standard approaches to management and mitigation?
- To what extent are new forms of attacks, particularly hybrid attacks involving impersonation, included in your employee training and systems testing?
- How well integrated, secure and effective are your HR and identity and access management processes? What evidence do you have that this is rigorous and robust?
- How strong is the cyber and data security culture of your suppliers and any partners with access to your systems? How is this being tested and evidenced in practice?
- How effective is the overall design of your assurance framework? How is this being tested and reported through governance structures?

1 https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024-education-institutions-annex

1.2 Human capital, diversity, and talent management
-6 ppt compared to 2023

For the third year in a row the challenges of attracting, recruiting, and retaining the right people are rated as the second most significant strategic risk across all business sectors. Businesses expect this to remain a core strategic risk, although falling to third place behind digital disruption and AI by 2028. The ECIIA report notes that many sectors are seeing a more rapid turnover in staff. It highlights the increasing complexity of workforce planning in a fast-changing environment where the digital skills needed to drive transformation and realise efficiency gains are in high demand and constantly evolving. Businesses are also concerned about the growing challenge of upskilling employees to enable them to adapt to using AI tools and new ways of working, while meeting their expectations about work-life balance and demonstrating a commitment to social values. Similar sentiments about AI skills gaps in the UK appear in numerous recent reports 2, together with continuing concerns about a lack of diversity in the technology sector.

Considerations for HE
As in previous years, risks related to the recruitment, motivation and retention of staff feature on almost every HE institutional risk register. We note that institutions tend to describe their people risks in generic terms, and overall, inherent and mitigated risk scores tend to be low, with institutions demonstrating a relatively high degree of confidence in existing controls. This implies an environment in which, at least in broad terms, institutions find it relatively easy to recruit, engage, reward and retain the staff they want. However, continuing headcount reductions and funding cuts are creating more challenging conditions and pose business continuity questions.

Mitigation actions point to a range of local interventions looking at turnover, reward, wellbeing, workloading models, academic career pathways, and succession planning. At present, the ability to recruit people with appropriate digital and AI skills and the need for upskilling staff to adapt to new ways of working do not appear to be considered as strategic risks by the HE sector.

We encourage institutions to discuss:
- What AI skills does your institution need and how is this integrated into recruitment and training strategies? Does a lack of skills pose any significant risks to realisation of strategic objectives?
- Is workforce planning sufficiently well-designed and agile to be able to respond to changing institutional priorities and transformation opportunities?
- How well prepared is your institution to deal with any increased turnover in staff? Are onboarding, induction and exit processes effective and well-honed?

1.3 Digital disruption, new technology and AI
ppt compared to 2023

The growing understanding of the risks and opportunities from digital disruption, particularly AI, has resulted in this becoming the fastest rising strategic risk area in the 2025 survey. Respondents said they expect the risks from AI to continue to increase and become the second most significant strategic risk to their business by 2028. The ECIIA report comments that the speed of integration of generative AI tools into everyday software applications and their rapid adoption by the general population means that all businesses need to have a clear strategy about how they intend to use AI, now and in the longer term. Without an agreed strategy, effective governance and controlled change management there are risks of fragmented, insecure, and inefficient adoption of AI tools. The speed of uptake has been such that some businesses have had to retrospectively map where AI tools are being used to identify and manage risks, while some have prohibited the use of generative AI until reliability and security can be more effectively evaluated. Businesses also need to consider how AI use in the wider environment could impact them and how risks will be managed.

Considerations for HE
When it comes to AI, institutions have an advantage in that the UK has adopted principles-based non-statutory guidance around the use of AI rather than the legislative and regulatory approach adopted in the EU. As noted in last year’s report, AI has the potential to automate, personalise and analyse a huge array of activities supporting education, research and professional services. However, to date there remains little recognition of the risks from AI or other disruptive technologies in institutional strategic risk registers. While institutions are developing their thinking about strategic opportunities, use cases, security, governance and training, much of the risk focus to date has been on preventing misuse of AI by students for assessment purposes.

We encourage institutions to consider:
- How effectively governed and coordinated are decisions about the use of AI, and how is change managed and benefits assessed?
- How do you gain sufficient assurance about responsible and ethical use of AI?
- Where and how are AI risks (both opportunities and threats) assessed and owned? Does risk assessment address the external threats and opportunities across suppliers, partners and competitors as well as internal adoption and use risks?
- How are needs to upskill staff, governors and students to use AI tools safely, responsibly and ethically being identified and addressed?

1.4 Changes in laws and regulations
ppt compared to 2024

On average, addressing the implications of changing laws and regulations continues to be rated a highly significant strategic risk across multiple European business sectors. It’s clear from the ECIIA report that underlying factors derive particularly from new EU legislation. As in previous years, respondents cite the challenges of implementing the European Union’s Corporate Sustainability Reporting Directive (CSRD), which requires large companies to report on a wider range of environmental and social issues. The report also highlights the implementation of the Digital Operational Resilience Act (which is intended to harmonise cybersecurity rules across financial organisations), the NIS2 Directive (aimed at strengthening cybersecurity measures in organisations supplying essential services), and the impact of embargoes and sanctions.

Considerations for HE
The legal and regulatory changes cited by European businesses are unlikely to apply to many UK HE institutions directly, unless they’re operating with the EU. Reflections on sustainability reporting are addressed at 1.6 below. Uniac’s analysis of HE strategic risk registers indicates that on average, while compliance with changing UK laws and regulations ranks highly as an inherent risk, it ranks relatively lowly in terms of residual score. This suggests a high degree of confidence in the controls in place. However, the cost to institutions of complying with regulatory requirements which apply specifically to the HE sector is high. Universities UK (UUK) has called out 3 the complexity and lack of coordination between a number of the HE sector’s regulators and the need for review and reform, while GuildHE 4 has called for the disproportionate cost of regulation on smaller institutions to be reviewed.

While much of the sector’s focus will be on engagement with the government regarding HE regulation, we would encourage institutions to ensure they continue to monitor relevant legal and regulatory developments in the EU which may impinge on UK-based organisations in future.

3 https://www.universitiesuk.ac.uk/what-we-do/policy-and-research/publications/opportunity-growth-and-partnership
4 https://guildhe.ac.uk/guildhe-spending-review-submission/

1.5 Macro-economic and geopolitical uncertainty
-4 ppt compared to 2024

After a huge leap in the ranking of geopolitical risks in the 2023 ECIIA survey in response to consequences of the war in Ukraine, European businesses’ perceptions of risks arising from macroeconomic and geopolitical uncertainty have fallen back this year from third to fifth overall, although the survey was undertaken before the US presidential election. The fall in ranking is linked to Europe-wide reductions in the rate of inflation, improving the economic conditions for business. However, overall scores remain high due to the impacts of conflicts in the Middle East, risks of hostilities erupting elsewhere, and growing risks from the deliberate undermining or disruption of businesses and supply chains by foreign actors. To mitigate risks, businesses are updating and reviewing stress testing, scenario planning and business continuity plans to reflect a wider range of potential disruption. Robust and agile governance is singled out as a key competence for building resilience, alongside financial sustainability and strong cyber defences.

Considerations for HE
Few UK institutions specifically call out geopolitical risks in their strategic risk registers. Where they do so, risks and mitigating actions focus on supporting staff and students whose countries or allies are involved in conflicts, strengthening planning around the management of demonstrations and processes, and reviewing investment policies. It is likely that similar risks, and those relating to staff and students working overseas, are captured at an operational level. While risks to international student recruitment tend to be identified separately, it is surprising that risks about illicit attempts to access research, intellectual property and data do not feature more highly on strategic risk registers.

We encourage institutions to:
- Produce an annual report for governing bodies on security risks and adopt good practice recommended by UUK 5
- Consider how geopolitical factors influence other strategic risks and how this is integrated in risk registers
- Work with a broad range of individuals from outside of the HE sector to inform scenario planning and ensure that planning is sufficiently wide-ranging and long term
- Stress test strategic assumptions and scenarios to take account of potential international conflict and economic volatility
- Regularly review and test business continuity plans.

5 https://www.universitiesuk.ac.uk/topics/funding-finance-and-operations/security-and-

1.6 Climate change and environmental sustainability
ppt in 2024

In the ECIIA’s 2019 report, 8% of respondents to their survey rated climate change and environmental sustainability as a top five strategic risk. While this percentage has fluctuated year-on-year, the overall trend is steadily upwards, with 33% flagging it as a top five risk in the 2025 report and a majority expecting risks to increase further. In part, this reflects concerns around compliance with the EU Corporate Sustainability Reporting Directive (CSRD) as noted above. However, businesses also highlight growing concerns about physical risks to their buildings, infrastructure and suppliers. In response, some are turning to weather modelling data and simulations to explore the potential impacts of storms, flooding or extreme heat, and to develop contingency plans for different scenarios.

Considerations for HE
Environmental sustainability risks feature on around a third of institutional strategic risk registers in Uniac’s sample. Risks are often described in simple terms, although we note that some institutions are breaking this down to describe more specifically the vulnerabilities of their estates to climate change, risks to staff and students, risks to their local environment, and risks to realising net zero. While most institutions publish some form of annual sustainability report, recent research 6 suggests that institutions tend to focus on reporting “visible interventions” such as energy efficiency and recycling rather than addressing more difficult but necessary social and cultural challenges. We noted last year that only 4% of institutions were reported to have undertaken any scenario modelling of the impacts of climate change on strategy and finances, and there is little indication that this has changed substantially.

We encourage institutions to consider:
- How are climate change and environmental sustainability risks reflected in strategic planning, scenarios and business continuity planning?
- Are climate change risks adequately reflected in strategic risk registers?
- Are you collecting and analysing the right data about your climate risk exposure and sustainability performance?
- How are you gaining assurance about the validity of climate related data and KPIs, including across supply chains and partners?

6 https://srheblog.com/2024/05/08/unveiling-the-role-of-sustainability-reporting-in-uk-universities/

Focus of internal audit effort
As in previous years, the ECIIA survey examined the extent to which CAEs think that internal audit effort is aligned with their most significant risk areas. For the top 10 strategic risks in the survey, Table 2 below shows where CAEs expect to spend internal audit time in 2024-25. The pattern this shows is similar to previous years, with businesses choosing to focus their internal audit resources on cybersecurity and data security risks, as well as providing assurance on preparing to comply with changing EU laws and regulations and on business continuity planning.

To complement this, we’ve analysed Uniac’s internal audit programmes for 2024-25 against the ECIIA risk areas. We were able to map 30% of our programme (based on days budgeted) to the ten ECIIA risk areas. The other 71% of our programme delivers compliance audits across financial controls and statutory reporting, and a broad portfolio of risk-based audits aligned to institutional risks across education, research, estates, and HE professional services. Our 2024-25 programme evidences a substantial increase in audit focus on cybersecurity and data security audits reflecting the challenging risk environment, as well as substantial growth in human capital. Many of these focus on employee wellbeing.

Table 2

Rank | Risk Area | 2025 (% rating risk as top 5) | CAE view on audit effort 2024-25 | Uniac effort 2024-25 (% of these areas) | Uniac effort 2023-24 (% of these areas)
1 | Cybersecurity and data security | 83% | 74% | 31% | 19%
2 | Human capital, diversity, and talent management | 52% | 28% | 31% | 13%
3 | Changes in laws and regulations | 46% | 52% | 0% | 2%
4 | Digital disruption, new technology, and AI | 40% | 23% | 3% | 20%
5 | Macroeconomic and geopolitical uncertainty | 39% | 7% | 0% | 5%
6 | Climate change and environmental sustainability | 33% | 21% | 2% | 11%
7 | Business continuity, crisis management, disaster response | 33% | 47% | 4% | 3%
8 | Market changes, competition and changing consumer behaviour | 32% | 13% | 11% | 12%
9 | Supply chain, outsourcing, “nth” party risk | 28% | 36% | 9% | 10%
10 | Financial, liquidity and insolvency risks | 27% | 40% | 9% | 5%

Note (1): excludes fraud risks.

The ECIIA report notes a number of trends in relation to internal audit practice:
• Dynamic audit planning: most internal audit functions are now using dynamic audit planning to respond to changing and more uncertain operating conditions. This approach employs an annual planning exercise to identify potential audit themes, which are refined and assigned on a quarterly basis. Uniac supports its HE clients in this way, responding to changing needs throughout the year.
• Increased investment in automating audit testing and analysis: this frees up auditor time to concentrate on conversations with individuals and testing risks and controls where data is not readily available. Uniac has an established approach and protocol to deploying data analytics techniques which incorporates, for example, whole population testing and data trend assessment.
• Using AI to support internal audit: internal audit teams are exploring how to use generative AI tools to realise efficiency benefits in audit practice, for example to support testing. However, it was noted that some businesses have prohibited the use of generative AI over concerns about data security, potential bias, and the accuracy and effectiveness of existing tools. Uniac is currently testing a number of approaches to using AI to improve the efficiency of its service to customers.
• Developing methodologies to audit the use of AI: many CAEs reported that their initial focus is on developing approaches to provide assurance on AI governance processes and small, specific AI use cases. These approaches are likely to consider compliance with data governance and privacy, equality and diversity, and reputational risks. Uniac is developing a specific methodology for auditing use of AI in HE settings.

2. Risk Register Analysis

Executive summary

Much has been written about the financial crisis in UK higher education in recent months. The underlying causes are well-documented: capped, non-index-linked domestic tuition fees; stagnant domestic demand; tough international recruitment challenges exacerbated by immigration rules; rising pay, pension and tax costs; and the upward pressure of inflation on every aspect of operations. In the last year institutions have made significant cuts to staff, running costs and capital investments, as well as reviewing their education offer and streamlining ways of working. Despite the recent uplift in English tuition fees (which is tempered by the increase in national insurance contributions), an increasing number of institutions are struggling to return a surplus. As Universities UK (UUK) has said in its blueprint for change, "the funding of universities across the UK is structurally unsustainable".

In this context, Uniac's 2024 risk register analysis provides timely insight into how institutions are discussing, scoring and mitigating the risks to their financial sustainability, and how this is colouring the management and mitigation of other significant strategic risks.

Uniac is the UK's leading provider of expert internal audit and assurance services exclusively for the higher education sector. This gives us unrivalled insight into how institutions are thinking about their strategic risks, how risks are described and scored, the design of approaches to management and mitigation, and critically how these are changing over time. It also enables us to offer a perspective on the visibility that audit committees and governing bodies have of strategic risks and risk appetite, and therefore on the breadth and depth of challenge that governance provides.

The main headlines from our 2024 analysis are:

Financial sustainability

Unsurprisingly this risk appears on almost all institutional risk registers, and 2024 has seen an increase in the ranking of the average unmitigated and mitigated scores. Despite 80% of institutions undertaking efficiency programmes to address financial challenges, neither doing more with less nor expecting to substantially increase income from student recruitment provides a viable solution in the medium term. While the sector seeks to engage with policy makers about future funding, innovation and reform, it is essential that audit committees and governing bodies assure themselves that they have sufficient understanding of financial sustainability risks and opportunities to challenge assumptions, stress tests and scenarios. This should include consideration of impacts on other strategic risks as well as the achievement of strategic goals, and ensuring that transformation activities are subject to robust risk assessment.

How Uniac is supporting institutions

We have a comprehensive and tested methodology which provides institutions with assurance on the management of their financial sustainability risks, including the effectiveness of governance, data quality and contingency planning. Additionally, Uniac's approach to every piece of work we undertake aims to identify actionable efficiency opportunities.

Student recruitment

Human capital, diversity, and talent management remains the second highest ranked risk, with businesses expecting it to remain significant in the medium term. The ECIIA report highlights a growing challenge of effective workforce planning and a general trend towards faster staff turnover. Businesses are concerned about access to digital skills, upskilling their workforce to enable effective use of AI, and the continuing challenges of meeting expectations around work-life balance.

We encourage institutions to ensure that needs for AI and other emerging digital skills are identified and embedded in recruitment and training strategies. Institutions may also want to test that onboarding, induction and exit processes are efficient and effective, and that business continuity plans are revised to take account of changing personnel and organisational structures.

How Uniac is supporting institutions

We have specific expertise in domestic and international student recruitment, provided by a team with direct experience of running these services. We provide assurance around the design and effectiveness of recruitment strategies and processes, including optimising the use of recruitment agents and managing the associated risks.

Cybersecurity

The HE sector experiences a high volume of cyberattacks, and cybersecurity continues to be rated as the most significant strategic risk for institutions. Risk registers demonstrate that while progress continues to be made in the development, deployment and testing of cybersecurity defences, some institutions face continuing issues around legacy infrastructure, and all are having to respond to a rapidly changing threat landscape, currently characterised by sophisticated phishing attacks. Audit committees should ensure that all strategic risk registers address cybersecurity risks, and should satisfy themselves that they are receiving sufficient assurance about the management of cyber risks in light of evolving threats and funding constraints at their institutions.

How Uniac is supporting institutions

We have a comprehensive cybersecurity offer which utilises established professional frameworks to assess performance and to develop a programme of tailored assurance activities reflecting the maturity of digital infrastructure, architecture, services and support.

Estates infrastructure

2024 has seen a notable increase in the average ranking of estates risks, both in terms of inherent and mitigated risk scores. Risk registers point to a number of drivers, including a need to improve space utilisation, manage maintenance demand, and the affordability and deliverability of refurbishments and major projects. Increases in risk scores in this area are likely to reflect an increasing demand from staff and students to be back on campus, an element of affordability, and/or a need to improve efficiency in light of income constraints. We can expect risks in this area to retain a relatively high rating in the short to medium term as institutions seek to maximise the effective and efficient use of their buildings and land.

As with other escalated risks, audit committees should ensure they understand the nature, scale and potential impact of estates risks at their institution and have confidence in the management of capital projects.

How Uniac is supporting institutions

We have expertise in estates strategy and space management delivered by former sector leaders. We provide detailed assurance on the design and implementation of estates plans, space utilisation, and estates asset management, alongside associated assurance on capital projects and timetabling.

Risk management practice in higher education

Our analysis shows a wide range of practices around the design, content and use of strategic risk registers as part of institutions' assurance frameworks. We would encourage audit committees to consider whether institutional strategic risk registers provide enough detail about risks, impacts and actions to enable effective governance challenge, and whether discussions about strategic risks are frequent enough. Committees should also support the use of risk appetite or target risk scores to inform both debate and the design and coverage of assurance activities.

Where there is a significant reduction between the inherent score and the mitigated score, this suggests a significant reliance on internal controls, and a need for regular and rigorous testing to provide assurance that controls are working as intended. From our 2024 analysis this would point to focusing on cybersecurity, student recruitment, student wellbeing and apprenticeships in particular.

How Uniac is supporting institutions

Uniac's internal audit and assurance service is grounded in a well-established risk-based methodology, which takes full account of higher education governance and regulation. We also provide assurance on the effectiveness and efficiency of institutional assurance and risk-management frameworks.

Placing higher education risks in a wider context

Alongside our risk register analysis, we are publishing our companion briefing which examines and contrasts the UK higher education sector's perspective on strategic risks with that of a wide swathe of European businesses. This draws upon the insight from the 2025 European Confederation of Institutes of Internal Auditing (ECIIA) survey. Notable amongst the escalating strategic risks highlighted by businesses this year are risks from AI and digital disruption and security risks such as supply disruption, intellectual property theft, and hostile cyberattacks. It is notable that these strategic risks tend not to feature prominently on higher education institutional risk registers, and this should be further food for thought for audit committees.

If you are interested in learning more about our risk insight activities or our audit and assurance services, please get in touch.

Helen Thorne
Senior Audit and Assurance Consultant

Higher Education strategic risk management

Our analysis is based upon the strategic risk registers of 22 English institutions at the end of the 2023-24 academic year. These range from the small and specialist to large metropolitan and research-intensive institutions, covering a broad spectrum of HE provision.

There is a wide range of practices when it comes to strategic risk registers. While on average strategic risk registers contain 18 risks, the largest in our sample contains 48 risks while the smallest has just 7. We note that there is no evident correlation between the size of the institution or its mission and the number of strategic risks it captures. While all risk registers include core information about risk descriptors, drivers, mitigating actions, inherent and mitigated risk scores or ratings, and risk owners, the level of detail provided invariably varies considerably. We note that some registers do not cross-refer to institutional strategy or objectives, use specific scores, or contain information about risk proximity, risk indicators, or risk appetite or target risk score.

As highlighted in our briefing note on risk management in HE (May 2024), the use of performance indicators provides greater visibility and objectivity about the likelihood of risks and how these may be changing over time. Employing numerical scores rather than a risk rating, and using target risk scores or risk appetite, can prompt deeper reflection about the nature of risks and the institutional response. This can also inform the choice and frequency of assurance and audit activities. As such we would encourage audit committees to discuss the value of adopting these practices where they are not already in place.

In terms of risk management practice, audit committees have responsibilities for providing assurance to the governing body about the effectiveness of risk management arrangements. To do this effectively it is essential that the committee understands institutional risk culture and risk appetite and discusses risks and risk management regularly. While some audit committees review strategic risks at each meeting (either collectively or taking a deep dive into specific areas), some review risks perhaps only once or twice a year.

Overall risk trends

For our risk register analysis, we categorise each strategic risk against one of 23 common risk theme areas and establish normalised scores for both inherent and mitigated (residual) risk scores using a 0-10 scale (1). We then calculate an average score for each theme. This enables us to compare how different institutions think about and score their strategic risks pre- and post-mitigation, and to understand how this varies over time. Information about our methodology can be found at Appendix A.

(1) We recognise that certain risks may span more than one risk theme area. For these risks, we have categorised them in accordance with their primary description. For instance, a risk around the downturn in international applications would be classed as a student recruitment risk. If, however, this risk was framed as a driver placing downward pressure on income under an overarching financial sustainability risk, it would be classed as a financial sustainability risk.

Figure 1

Figure 1 provides an overall summary of our analysis for 2024. This shows the average intrinsic and mitigated risk score for each thematic area, ranked in order by average intrinsic risk score. As in previous years, cybersecurity is ranked as the most significant strategic risk facing institutions, alongside student recruitment and financial sustainability. These risks appear on most, but not all, strategic risk registers. Student wellbeing, which appears on less than 20% of strategic risk registers, also continues to score highly.

[Figure 1: Average Net and Residual Scores by Risk Theme (normalised average risk scores, adjusted for commonality). Series: Inherent Risk Score, Residual Risk Score. Themes in descending order of inherent score: Cyber Security, Student Wellbeing, Student Recruitment, Estates Infrastructure, Financial Sustainability, Apprenticeships, Other Compliance, Governance, Industrial Relations, UK Policy Environment, Student Outcomes, Research, Office for Students, Staff Lifecycle, Business Continuity, Student Experience, Operational Delivery, Data, Environmental Sustainability, Geopolitics, Digital Estate, Reputation and Brand, Partnerships.]

Notable changes in terms of increases in risk score and/or relative positioning compared to 2022/23 include:

• Estates infrastructure: while the proportion of risk registers including estates as a strategic risk has fallen, it still appears on 55% of risk registers, and intrinsic scores have increased. Risk definitions reflect a wide range of issues and concerns, taking account of individual institutional footprints and strategies. This is explored further in section 3.

• Other compliance: this category includes a broad range of legal and regulatory requirements and appears on 55% of registers in our sample. The increased prominence in our analysis this year appears to be driven largely by compliance with UKVI requirements, although safeguarding, Prevent and health and safety are also prominent.

• Research: 50% of the risk registers have research as a strategic risk. The increase in intrinsic risk ranking this year appears to be solely linked to risks around the non-achievement of income targets for research and knowledge exchange. This is explored further in section 4.

• Apprenticeships: while only appearing on 27% of strategic risk registers, 2024 has seen a sharp increase in ranking in terms of intrinsic risk score. This is likely to reflect the experiences of institutions following ESFA and Ofsted audits and inspections, which have highlighted gaps in compliance and resulted in financial clawbacks at a number of institutions.

We also analysed the distribution of inherent risk scores for each theme across institutions. This demonstrates a strong consensus about the scoring of well-understood legal, regulatory or compliance risks, and also a consensus in some areas where risk appetite is likely to be low (e.g. industrial relations, data, and also apprenticeships). In all other areas, we see wide variability across institutions in terms of inherent risk scores. This is a reflection of different institutional missions, strategies, financial positions and estates. We note the widest variability in relation to financial sustainability, estates infrastructure and cybersecurity.

Figure 2

Figure 2 shows the difference between average inherent scores and mitigated scores, giving an overview of how effectively institutions believe they are managing strategic risks. The graph shows that institutions continue to have a high degree of confidence in managing and mitigating risks around legal and regulatory compliance, student mental health and wellbeing, and cybersecurity. As we have noted in the past, given the number of cyberattacks causing disruption, institutions may wish to reflect on the confidence they are placing in cyber controls. There is, as might be expected, less confidence in mitigating externally driven risks such as the UK policy environment, environmental sustainability, and geopolitics.

[Figure 2: Average Change Between Inherent Risk and Residual Risk by Risk Theme (descending order). Axes: Risk Themes; Average Change. Themes in descending order of change: Other Compliance, Apprenticeships, Cyber Security, Student Recruitment, Staff Lifecycle, Student Experience, Estates Infrastructure, Research, Financial Sustainability, Office for Students, Reputation and Brand, Governance, Data, Industrial Relations, Operational Delivery, Student Outcomes, Digital Estate, Partnerships, Environmental Sustainability, Geopolitics, Business Continuity, UK Policy Environment, Student Wellbeing.]

Figure 3

Our analysis takes account of the frequency with which risks appear on risk registers, and we include Figure 3 below to provide additional context. This shows the number of times that a risk area appears uniquely in our sample. As might be expected, financial sustainability, student recruitment, and staff lifecycle risks appear on almost every risk register in our sample. Student experience and cybersecurity are the next most frequently occurring risks, appearing on 77% of risk registers. The largest increase in frequency this year is operational delivery, which now appears on 59% of risk registers. The largest falls in frequency include risks relating to the Office for Students (OfS), industrial relations and business continuity. This is likely to reflect increasing familiarity with the requirements of the HE regulatory framework and confidence in demonstrating compliance, a current reduction in strike action, and greater confidence in business continuity arrangements post-pandemic.

[Figure 3: Count of risk registers on which each risk theme appears, in descending order: Financial Sustainability, Staff Lifecycle, Student Recruitment, Student Experience, Cyber Security, Student Outcomes, Digital Estate, Operational Delivery, Estates Infrastructure, Other Compliance, Partnerships, Industrial Relations, Student Wellbeing, Business Continuity, Geopolitics, Apprenticeships, Governance, UK Policy Environment, Environmental Sustainability, Data, Office for Students, Reputation and Brand, Research. Axis: Count.]
