Uniac - April 2025

Virtual Brochure – March 2025
Confidential - only for use by the intended party

Strategy

• Setting the tone. A strategic desire, championed by the head of the institution and the executive, for the risk process to be linked and integral to helping institutions manage uncertainty and future challenges. This includes ensuring that the strategic risk register is linked to the achievement of strategic objectives.

• Risk management policy. A key building block and enabler of effective risk management is a comprehensive and documented risk management policy that captures and clearly articulates the framework, roles and responsibilities for the identification and assessment of risk, including the effective management and monitoring of controls to ensure compliance with institutions’ risk appetite and reporting mechanisms. More specifically, it should give guidance on risk appetite, via institutional risk appetite statements aligned to the key themes from strategic plans, and on risk scoring, in the form of the institutions’ risk scoring matrix. The policy should be developed and updated in consultation with a range of key stakeholders across the institution, including engagement and incorporation of feedback from the Audit and Risk Committee.

• Embedding risk appetite. The development of risk appetite descriptors against key activities, with further embedding through review and alignment of policies and governing documents, such as schemes of delegation, to align activities to risk appetite. The inclusion of a statement within risk registers on whether each risk is operating within or outside appetite. Inclusion in cover templates used for strategic, business and / or financial planning processes and decisions.

• Risk acceptance / tolerance. Establishment of a process and governance for accepting / tolerating risks that cannot be mitigated or treated within an immediate timeframe, as part of evolving risk thinking and maturity. Such risks should be formally captured and recorded with a defined review period.

Risk registers

• Strategic risk register. For each strategic risk, the register should clearly capture and articulate risk ownership, links to strategic objectives, inherent, residual and target scores, narrative summaries on each of the risks, risk indicators, a list of existing controls / mitigations and planned / additional ones, and the capturing of related assurances (first, second and third line).

• Scoring consistency. A consistent risk scoring scheme should be deployed, supported by targeted training, across the institution to ensure comparability.

• Equity between gross and residual risk scores. The capture of explanatory commentary where gross and residual risk scores are the same. This can help identify instances where capacity to address risks is constrained, where this is dictated by external factors outside of institutions’ control, or where current mitigations to manage the risk are not having the desired impact.

• Key risk indicators. The introduction of lead, lag, trend and contextual risk indicator metrics to support the risk narrative included in the strategic risk register. These should be aligned to the strategy areas in which the risks are positioned, to provide greater visibility and objectivity of how risks are changing. Such risk metrics may encompass the risk theme areas of reputation, finance, staff, expenses, estates, student, cyber / information security and / or health and safety.

• Risk management resource repository. The introduction and maintenance of a risk management repository / portal as a centralised, accessible online hub to provide better visibility of institutional and local risk registers, risk scoring instructions, risk appetite guidance and training resources etc., which holds and collates all relevant documentation in one place. This documentation should clearly articulate the processes by which risks are identified, responded to, assured, tracked and monitored, including the coordination of risk updates and promotion and relegation of risks, risk register structures, content and links between the strategic and operational risk registers and any other risk processes.
