23 Virtual Brochure – March 2025 Higher Education strategic risk management Our analysis is based upon the strategic risk registers of 22 English institutions at the end of the 2023-24 academic year. These range from the small and specialist to large metropolitan and research-intensive institutions covering a broad spectrum of HE provision. There are a wide range of practices when it comes to strategic risk registers. While on average, strategic risk registers contain 18 risks, the largest in our sample contains 48 risks while the smallest has just 7. We note that there’s no evident correlation between the size of the institution and its mission and the number of strategic risks it captures. While all risk registers include core information about risk descriptors, drivers, mitigating actions, inherent and mitigated risk scores or ratings, and risk owners, invariably the level of detail provided varies considerably. We note that some registers don’t cross refer to institutional strategy or objectives, use specific scores or contain information about risk proximity, risk indicators, or risk appetite or target risk score. As highlighted in our briefing note on risk management in HE (May 2024), the use of performance indicators provides greater visibility and objectivity about the likelihood of risks and how these may be changing over time. Employing numerical scores rather than a risk rating and using target risk scores or risk appetite can prompt deeper reflection about the nature of risks and the institutional response. This can also inform the choice and frequency of assurance and audit activities. As such we’d encourage audit committees to discuss the value of adopting these practices where they’re not already in place. In terms of risk management practice, audit committees have responsibilities for providing assurance to the governing body about the effectiveness of risk management arrangements. To do this effectively it’s essential that the committee understands institutional risk culture and risk appetite and discusses risks and risk management regularly. While some audit committees review strategic risks at each meeting (either collectively or taking a deep dive into specific areas), some review risks perhaps once or twice a year.
RkJQdWJsaXNoZXIy NTI5NzM=