Virtual Brochure – March 2025

Appendix A: Methodology and thematic categorisation of risks

Our analysis has examined in detail the strategic or corporate risk registers of 22 institutions. This covers a broad range of institutions from small and specialist, to large metropolitan and research intensive.

Strategic risk registers take a variety of forms and include varying levels of detail. In our sample, the mean number of risks included is 18, but the largest risk register has 48 risks while the smallest has 7. Some institutions set out a small number of overarching risks, with detailed sub-risks below. While all risk registers include core information about risk descriptors, drivers, mitigating actions, inherent and mitigated risk scores, and risk owners, invariably the level of detail provided varies considerably. We note that some registers still do not include any linkage or reference to institutional strategy, and some do not contain information about risk proximity, risk indicators, and risk appetite or target risk score.

Each of the risks has been documented and categorised against one of the 23 common sector themes which are set out in the table below.

Analysis undertaken includes:

- An assessment of the total risks recorded under each theme and the frequency of risk themes across the set of institutions
- An assessment of the inherent, unmitigated score given to each risk and the subsequent score post-mitigation. Scores have been normalised using a 0-1.0 scoring system, and averages calculated for each risk theme
- Calculation of the difference between the average normalised inherent and residual risk scores for each theme to examine the extent to which institutions believe that risks are being managed
- An analysis of the distribution of risk scores for each theme across institutions.