Higher Education Strategic Risk Analysis Report 2025/26 Uniac
Uniac Higher Education Strategic Risk Analysis Report 2025/26 CONTENTS Executive Summary 3 Overall Risk Trends 8 Commentary on Selected Risks 10 Management of Strategic and Corporate Risks 24 Appendix A - Methodology 26
3 1 As our sample contained registers with different scoring matrices, we have normalised the inherent (re-mitigation) and residual (post-mitigation scores) by scaling to a common factor in order to allow for more effective comparison. Executive Summary Uniac is pleased to publish its annual higher education (HE) strategic risk analysis report for 2025/26. This report provides a comprehensive assessment about how universities are thinking about, defining, and managing their strategic risks, alongside observations about the design and use of strategic and corporate risk frameworks. It highlights good practice and pinpoints topics and issues that governors and leaders may want to consider to ensure that they’re having the right conversations about risks and risk management to inform strategic decision-making. Our analysis draws on the strategic risk registers of 20 universities of widely diverse size, mission, and organisation, as well as the latest published research and analyses of the UK higher education sector’s performance. As we publish this year’s report, the Committee of University Chairs (CUC) is part way through its review of the HE Governance Code. The CUC review aims to ensure that HE governance frameworks are suitably future-facing and designed to meet the growing risks and challenges that university leaders and their governing bodies are trying to navigate. It’s significant that the call for evidence asked searching questions about the breadth of risk analysis that governors should have access to, and about what effective and proportionate risk management should address. Risk headlines As in previous years, the body of our report considers the HE risk landscape in detail and examines how institutions are describing, mitigating, and reporting on their most significant strategic risks. Undoubtedly global political upheaval and ubiquitous access to AI, alongside weak economic growth and deepening political divides and inequality in UK, continue to impact on universities in numerous ways. We explore these themes further in our EU risk analysis report. While the government’s announcement that tuition fees in England will increase in line with inflation in the short term has eased immediate financial sustainability risks, rises in national insurance and pension contributions and the planned introduction of an international student levy continue to drive increases in the institutional cost base. At the same time, more students are having to work while studying to make ends meet, and the graduate employment market remains challenging. With tuition fees the predominant source of income, new dynamics are in evidence in the competition for home and international students. It’s therefore no surprise that this year our strategic risk analysis finds that overall, normalised inherent risk scores are higher in 2025/26 than in 2024/25 in 65% of the strategic risk areas examined¹. This points to a shared belief that: • the likelihood of risks occurring is increasing; and/or • the severity of the impact of these risks is likely to be more significant; and • the recognition of a more uncertain and riskier operating environment. By comparison, average residual risk scores show a broadly similar range and pattern to 2024/25 suggesting that while certain risks may be increasing, institutions remain broadly confident in their abilities to manage these risks effectively. In some cases, for example in relation to compliance risks, this also appears to reflect effective planning and rapid implementation of controls and processes to respond to new requirements. Table 1 below shows the highest ranked inherent risks based on average risk scores over the last three years. The table shows that consistently the three most significant risks universities are managing are cybersecurity and the paired risks of student recruitment and financial sustainability. This is likely to remain the case for the majority of institutions in the medium term. Rank 2025/26 2024/25 2023/24 1 Cybersecurity Cybersecurity Cybersecurity 2 Student recruitment Student wellbeing Student outcomes 3 Financial sustainability UK policy environment Student recruitment Student recruitment Student wellbeing
Higher Education Strategic Risk Analysis Report 2025/26 4 Our key findings in these areas highlight: • Cybersecurity: Cybersecurity remains the most significant and fastest evolving strategic risk area for HE. Higher inherent risk scores reflect a preponderance of increasingly sophisticated cyberattacks exploiting AI-driven impersonation and supply chain vulnerabilities. Institutions exhibit wide variation in the confidence they have in their controls, which is likely to be a consequence of significant differences in size, mission, organisation, and the age and complexity of their digital estate. Balancing the needs of staff and students against strengthening access controls remains a live debate. Audit committees should ensure that they are receiving sufficient assurance about the identification and management of cyber risks in light of organisational objectives and evolving threats. The National Cyber Security Centre toolkit for boards provides advice on effective reporting and questions to ask. • Student recruitment: 2025/26 has seen a further increase in average inherent risk scores around student recruitment in response to even tougher competition for home and international students, changes to the UK visa and post-study work regime, and wider perturbations in international recruitment markets. Institutional confidence in mitigating recruitment risks varies significantly, in all likelihood reflecting factors such as market position and competitors, geography, brand, and operational effectiveness. • Audit committees should ensure that they have direct visibility of recruitment risks and mitigation strategies to enable them to test assurance around short, medium and longer term recruitment forecasting models. • Financial sustainability: the average inherent risk score has increased this year, and we observe greater differentiation and detail in descriptions of financial sustainability risks, reflecting divergent financial circumstances. There is a wide variation in risk scores and in mitigating actions across universities, suggesting that some institutions are much more confident than others about their ability to maintain a sufficiently strong financial position to realise their strategic goals. While oversight of financial sustainability primarily resides with the governing body and finance committee, audit committees should have the opportunity to discuss financial risks, challenge assumptions and scenarios, and satisfy themselves about where and how second and third line assurance is obtained, including on student number and financial forecasting. A joint annual meeting between the audit and finance Committees provides a valuable opportunity to discuss the financial statements and going concern assessment. Other areas where there has been a notable increase in average inherent risk scores are: • Partnership risks: risks typically relate to the management of partnerships, the delivery of quality outcomes, and realisation of income targets. The observed increase in frequency of partnership risks and elevated risks scores likely reflects growing government and regulatory scrutiny of value for money and the anticipated strengthening of regulatory controls. Audit committees should satisfy themselves about the effective oversight and management of UK and international partnerships, including the quality of the student experience and student outcomes. • IT and digital estates risks: these risks now appear on the majority of risk registers, and average inherent scores are increasing. Risks cover a broad range of themes, including risk of infrastructure or system failures, ability to deliver major IT changes, and the risks of not capitalising on new technology and AI. Audit committees should ensure that they understand the core IT systems and infrastructure employed at their institution and how AI is governed and used in a responsible and ethical way. • UK policy environment risks: this risk features on just over half of institutional risk registers and relates to issues such as risks to international student recruitment, policies favouring some subject areas over others, and the ability to realise opportunities from regional devolution. Audit committees should understand the particular risks which apply to their institution.
5 Our analysis also highlights a number of other significant risk areas: • Estates: only two thirds of institutions have a strategic risk relating to their estate despite student recruitment challenges and risks of under (or over) utilisation of space and accommodation, maintenance, and carbon management challenges. There is a need for more comprehensive and current data about the condition and utilisation of estates. • University employees: people related risks now appear on most strategic risk registers. Risks increasingly address the multiple consequences of significant headcount reductions, with both inherent and residual average risk scores increasing, reflecting concerns with morale, wellbeing, and operational resilience. • Research: Research risks are increasingly appearing on strategic risk registers and typically relate to risks around securing funding, with a growing focus on the next Research Excellence Framework (REF). Audit committee attention on research tends to be limited to transparent approach to costing (TRAC) returns. There is likely to be a greater need for consideration of risks relating to the REF and securing an effective trusted research framework. • Students: average risk scores relating to the student experience, outcomes and wellbeing are broadly similar to 2024/25, and risks typically reflect potential impacts on conditions of registration, national student survey results and league tables. There is remarkably little reference to underlying changes in student behaviours, for example the switch to living at home and commuting and the fact that a majority of undergraduate students now combine work and study. We also note a wide variation in practice in sharing lessons learned from serious safeguarding cases and student deaths with audit committees and governing bodies.
Higher Education Strategic Risk Analysis Report 2025/26 6 Audit committees should ensure that they have sufficient visibility and understanding of people related risks, the condition and usage of the university estate, research capabilities and priorities, and the composition of their student community. Members should familiarise themselves with employees’ concerns and with students’ living, study and working experiences. Committees should be clear where and how risks in these areas are captured within institutional risk management frameworks, and how assurance is provided. Further detail is provided in sections 1 and 2 of the report. How universities think about strategic risk To complement this review, we’ve taken a deep dive into the design and use of strategic risk registers, and how they’re used by audit committees and governing bodies as part of enterprise-wide risk management. This highlights opportunities for enhancement and sharing of good practice, including: • More frequent and in-depth discussion about strategic risks and interconnections between risks, in the context of organisational strategy; • Ensuring that governors understand underpinning risks factors and have visibility of both existing and planned controls; • Having an agreed and regularly reviewed statement on acceptable risk appetite, and using this proactively; • Ensuring appropriate governance oversight of legal and regulatory risks; • Making better use of data, KPIs and leading indicators to evidence the proximity of risks and evidence assurance; and • Developing risk and assurance frameworks. Further detail is provided in section 3 of the report. We hope the analysis will provide a useful input to this work and in supporting institutions in applying the updated HE Governance Code when it is released. Placing higher education risks in a wider context Alongside our strategic risk analysis report, we’re publishing our companion report which examines and contrasts the UK higher education sector’s perspective on strategic risks with that of a wide swathe of European businesses. This draws upon the insight from the 2026 European Confederation of Institutes of Internal Auditing (ECIIA) survey and also the World Economic Forum’s Global Risks Report (2026). Once again, this highlights growing risks from AI and technology developments, disruption from worldwide macroeconomic and geopolitical uncertainty, and highlights growing risks to business continuity. This points to an ever more volatile and uncertain operating environment for universities, particularly those with a high dependency on income from international students and overseas campuses and partnerships. Institutions with more data-led and risk-informed strategic decision-making are more likely to be able to develop their resilience and respond rapidly and effectively to changing circumstances.
7 About Uniac Uniac is an HE-sector owned shared service. Our goal is to support the effective and efficient delivery of UK HE through innovative expert-led assurance and advice. We are the UK’s leading provider of expert internal audit and assurance services exclusively for the higher education sector. This gives us an unrivalled perspective about how the HE sector thinks about its strategic risks and how effective controls and mitigations are designed and implemented. This enables us to offer governing bodies, audit committees and senior leaders valuable insight about how to strengthen risk management and risk assurance to support effective governance and challenge. If you’re interested in learning more about our risk insight activities or your Governing Body would welcome a presentation on our findings, please get in touch. Helen Thorne Director (Author) hthorme@uniac.co.uk Jane Forbes Chief Executive Officer jforbes@uniac.co.uk Uniac
Higher Education Strategic Risk Analysis Report 2025/26 8 Overall Risk Trends Our university risk register analysis provides an indepth analysis of the strategic risk registers of 20 universities of widely diverse size, mission, and organisation. We categorise each strategic risk against one of 23 themes and establish normalised scores for inherent and residual risk scores using a 0-1 scale. This enables us to compare and consider how different institutions score their strategic risks pre and post-mitigation, and provides a means to explore how attitudes to strategic risk and effective risk controls change over time. Information about our methodology can be found at Appendix A. One noticeable change from our 2025/26 analysis is that overall, normalised inherent risk scores are on average higher in 2025/26 than in 2024/25. Across the 23 risk categories, inherent risks in 15 areas (65%) were, on average, scored more highly than in 2024/25. This suggests that institutions believe that in these 15 areas, either the likelihood of the risk occurring and/or the severity of its potential impact for the institution, is increasing. In particular, there are four areas where there is a significant differential in the increased score: in relation to partnerships; institutions’ IT and digital estates; the UK policy environment; and student recruitment. These issues are explored further in Section 2. By comparison, average residual risk scores show a broadly similar range and pattern to 2024/25, suggesting that while certain risks may be increasing, institutions remain confident in their abilities to manage these risks effectively. It should be noted that the risk registers used for this analysis pre-date the publication of the English Post-16 Education and Skills White Paper and the Budget. While these announcements, particularly those relating to proposed tuition fee increases, the levy on international students, and the regulation of partnerships, may have subsequently influenced risk scores in relation to financial sustainability or partnerships, they are unlikely to have significantly changed the risk landscape. Figure 1 summarises our overall analysis, showing the average inherent and residual risk score for each thematic area, ranked in order by average inherent risk score. As over the last three years, cybersecurity remains in pole position as the most significant inherent risk that institutions are managing. It’s no surprise that student recruitment and financial sustainability risks, rank second and joint third respectively, are in very similar positions to 2024/25 (third and fifth respectively). This is to be expected given the increasingly competitive markets for domestic and Figure 1
9 international students, continued falls in the real value of home tuition fees, and continued challenges to operating costs in terms of pay, pensions, energy, and estates management. These themes are considered in detail in Section 2. Notably, the three most significant increases in average inherent risk scores across our sample relate to partnerships, IT and digital estates, and UK government policy. While we examine some of the HE specific aspects of these risks in section 2.8, these areas mirror significant strategic risks identified by a broad spectrum of businesses. We evaluate these trends further in our European Risk Analysis Report. Figure 2 below shows the difference in average scores between inherent and residual risks, giving an indication of how confident institutions feel in mitigating key risks. The larger the number, the more confident institutions are in managing that risk. As in 2024/25, the analysis indicates that institutions continue to have a high level of confidence in their ability to managing risks which relate to legal and regulatory compliance and cybersecurity. Additionally, this year we looked at the range of inherent and residual scores within each risk theme to determine whether patterns of risk scores and confidence in risk control were similar or dissimilar across different institutions or types of institutions. This suggests that the greatest variations in inherent risk scores occur in areas where a) inherent risk is highest, and b) where there is likely to be significant variability based on mission, size, and location, i.e. in the areas of cybersecurity, financial sustainability, student recruitment, and estates infrastructure. However, we did not detect any consistent patterns based on mission, size or geography. The greatest variations in residual risk scores also occur in higher risk areas, namely cybersecurity, student recruitment and estates infrastructure. As noted above, the frequency with which risks appear in institutional risk registers informs the volume of risks analysed and the reliance which can be placed on the findings. Figure 3 below shows how often a risk theme appears as a distinct area on risk registers. Building on the upward trend observed over the last three years, financial sustainability, student recruitment and cybersecurity now feature on almost all corporate or strategic risk registers, alongside staffing and legal and regulatory compliance risks. Figure 2
Higher Education Strategic Risk Analysis Report 2025/26 10 Commentary on Selected Risks This section focuses on the most significant strategic risks faced by higher education institutions: 2.1 cybersecurity 2.2 student recruitment 2.3 financial sustainability 2.4 estates infrastructure 2.5 university employees 2.6 research 2.7 teaching and learning (student experience, student wellbeing, and student outcomes) 2.8 risks with the most substantial increase in inherent score (partnerships, digital estate, and UK policy) Table 2 below summarises the average inherent risk scores and risk rankings of the most substantial sector risks Inherent rank Change 24/25 to 25/26 Average inherent score Change 24/25 to 25/26 Cybersecurity 1st 0.81 Student recruitment 2nd 0.78 Financial sustainability Joint 3rd 0.72 UK policy environment Joint 3rd 0.72 Industrial relations 4th 0.68 Digital estate 5th 0.67 Office for Students 6th 0.65 Estates infrastructure Joint 7th 0.64 Student outcomes Joint 7th 0.64 Partnerships Joint 7th 0.64 Apprenticeships Joint 7th 0.64 Other compliance 8th 0.62 Employee lifecycle Joint 9th 0.59 Research Joint 9th 0.59 Student wellbeing Joint 9th 0.59 Student experience Joint 10th 0.58 Business continuity Joint 10th 0.58 Note: Dense ranking is employed. Our analysis concentrates on risks that appear on more than a third of risk registers sampled.
11 2.1 Cybersecurity ranked 1st inherent, ranked 2nd residual Risk findings: Almost all institutions in our sample include a specific cybersecurity risk in their strategic risk registers, and we continue to encourage every institution to do so. The average inherent risk score for cybersecurity risks has increased this year compared to 2024/25, while there is no major difference in the average residual score. This may reflect concerns about the increased likelihood of a serious incident, irrespective of investment in controls. We also note a wide variability between institutions in the confidence they have in their controls. This is likely to be a reflection of significant differences in size, mission, organisation, the age and complexity of the digital estate, and the countries in which they operate. Core controls increasingly reflect business norms, incorporating: network design; segmentation; configuration; improved patch management; continuous monitoring and detection solutions; encryption, access and authentication controls; proactive supplier management; compliance with standards and frameworks; and investment in employee training, testing, backup solutions and incident management. Balancing the needs of staff and students for access to data and systems from a wide range of devices and locations while minimising cybersecurity risks remains a live debate. Risk commentary and recommendations: As demonstrated by high profile cyberattacks on UK and global businesses, the cybersecurity threat landscape is constantly evolving. Attacks can result in major disruption to operations and significant financial losses. Threat actors are highly organised, increasingly using AI to deploy convincing impersonation strategies, automate attacks and target weaknesses in supply chains and outsourced services. Universities are targeted in order to steal identity or financial information or intellectual property, for ransomware purposes, or to disrupt research and business activities. Institutions are vulnerable, typically having decentralised structures and (often) aging infrastructure, large and transitory groups of students, staff, and visitors with unmanaged devices, and open networks geared to collaborative working. The government’s cybersecurity statistics for 20252 report that 91% of HE institutions reported cybersecurity breaches or attacks in the previous 12 months. Phishing attacks were reported by 97% of institutions in the government survey, with impersonation, malware, and denial of service attacks increasingly common. Maintaining effective cybersecurity defences that embrace people, culture, partner and supplier policies and processes as well as technology, coupled with well-designed and tested incident management and disaster recovery plans, are essential for organisational resilience and success. Yet the depth and frequency of reporting to the audit committees and governing bodies on cyber risks varies widely. Governors need to satisfy themselves that they are receiving sufficient assurance about the identification and management of cyber risks in light of organisational objectives and evolving threats. The NCSC Cyber Security Toolkit for Boards3 provides guidance and resources to help governors to ask the right questions, and we recommend that audit committees should: • have at least one committee member with a high-level of IT expertise; • ensure that cybersecurity risks and controls are adequately differentiated and documented in strategic and operational risk registers; • understand the core controls in place for managing cybersecurity risks (including with third party suppliers and partners), how threats are monitored, and how controls are being developed and strengthened, including through training for staff and students and regular testing; • regularly discuss cyber risks, informed by reporting and KPIs (e.g. on preparedness against attack, incidents, incident management and resolution data, patching standards, compliance with training and test results); • seek assurance on the robustness and testing of plans for managing incidents, IT disaster recovery and business continuity; and • ensure that there is an ongoing programme of cybersecurity audit to provide assurance on the effectiveness of controls, incident management and disaster recovery. 2 https://www.gov.uk/government/statistics/cyber-security-breachessurvey-2025/cyber-security-breaches-survey-2025-educationinstitutions-findings 3 https://www.ncsc.gov.uk/collection/board-toolkit
Higher Education Strategic Risk Analysis Report 2025/26 12 2.2 Student recruitment ranked 2nd inherent, ranked 1st residual Risk findings: Student recruitment risks feature on every institutional risk register, either directly or as a component of financial sustainability risks, and this year tops the list of sector residual risks. This compares to sixth place in 2024/25 and reflects even tougher competition for home students, and growing competition for international students, changes to the UK visa and post-study work regime, and wider perturbations in international recruitment markets. It should come as no surprise that average inherent and residual risk scores have increased, and this is a consistent pattern across institutions. Institutional confidence in mitigating recruitment risks varies significantly, in all likelihood reflecting factors such as market position and competitors, geography, brand, and operational effectiveness. As in recent years, student recruitment risks are almost entirely conceptualised in terms of failure to meet desired recruitment targets and/or recruit the right number of the “right” students. Mitigations and controls vary depending on market position, extent of reliance on agents, and recent recruitment success. Risks are increasingly disaggregated to detail mitigations for the recruitment of specific cohorts of students. Typical mitigations include: • Greater focus on portfolio review and changes to course content and/or modes of delivery, with increasing emphasis on embedding workplace skills and employment opportunities; • Changes to entry requirements, offer, contextual offer and targeted conversion strategies; • More detailed forecasting and scenario planning, tightly linked to financial plans; • Tighter and more granular monitoring of recruitment and enrolment data with more agile marketing strategies making greater use of real time data and insight; • Diversification of international markets and recruitment channels, including strengthening controls on use of agents; • Refresh of scholarship schemes and changing deposit requirements; and • Driving further process efficiency to speed decision-making.
13 Risk commentary and recommendations: Income from student tuition fees is the primary revenue stream for most universities. While a record number of students were accepted into UK HE in 2025 via UCAS4, the entry rate for UK 18 year olds continues to fall back, likely in response to cost of living challenges and changing perceptions about the value of a degree and concerns about debt. Analysis of enrolment data5 points to significant changes in recruitment strategies in 2025, with some larger, research intensive institutions taking in excess of 20% more undergraduate students. This has had knock-on consequences for local competitors and institutions with typically lower entry requirements, who have been unable to realise home recruitment targets. In the medium term, the decline in the number of 18 year olds in the UK population after 20306 is likely to create a further recruitment squeeze. While demand for internal higher education is growing, international student recruitment is increasingly volatile7 in the face of strong competition from a growing range of global study destinations. The cost of studying in the UK is high compared to many European countries, there are dependent visa restrictions, and there is a planned reduction in the duration of the post-study period to 18 months from 2027, all of which act to supress demand. The introduction of the new international student levy from August 2028 will increase the cost burden further (for students and/or for institutions), while the new tier 4 sponsor thresholds (active from September 2025) may act to supress diversification and drive up competition for students from established markets. Coupled with signals of a fundamental shift in international students’ study patterns8, these changes increase the likelihood that institutions may struggle to meet international recruitment forecasts. While in-year recruitment data and forecasts, competitor information, and details of recruitment strategies are shared with governing bodies and finance committees, the level and detail of information provided to audit Committees about recruitment risks and controls is often limited. We recommend that Audit Committees should: • Ensure that student recruitment risks are appropriately disaggregated in the strategic risk register e.g. by home and international, different types of provision or locations; • Challenge and test the assurance around short, medium and longer term recruitment forecasting models, in light of OfS’ assessment that many financial forecasts are still based on overoptimistic recruitment models; • Be confident in where and how second and third line assurance is provided on key controls and address any gaps. Key controls include: accurate market intelligence; forecasting models; pricing; the design and effectiveness and efficiency of marketing, recruitment and admissions functions and processes; UKVI compliance; and the use of agents; and • Discuss student value for money reporting, particularly how assurance is provided on the accuracy and completeness of data on student outcomes, and breadth and coverage of case studies across the student experience and employment destinations. This should include consideration that the value of a degree and return on investment is integrated into content for prospective students. 4 https://commonslibrary.parliament.uk/research-briefings/ 5 https://wonkhe.com/blogs/ucas-end-of-cycle-2025-providerrecruitment-strategies/ 6 https://www.hepi.ac.uk/2024/10/24/the-coming-decline-in-thenumber-of-18-year-olds-makes-the-future-bleak-for-some-universities 7 https://wonkhe.com/blogs/the-international-recruitment-market-ischanging-and-international-education-strategies-will-need-to-changewith-it/ 8 https://wonkhe.com/blogs/responding-to-the-internationaleducation-strategy-requires-an-appreciation-of-how-fast-the-world-ischanging/
Higher Education Strategic Risk Analysis Report 2025/26 14 2.3 Financial sustainability ranked joint 3rd inherent, ranked 4th residual Risk findings: Financial sustainability risks feature on all corporate risk registers in various forms. 90% of institutions in our sample this year have a defined financial sustainability risk, a similar percentage to the last three years. The relative inherent risk ranking has increased from 5th to 3rd, while the average inherent risk score has also increased. This reflects the year-on-year real terms decrease in the value of home tuition income, compounded by escalating energy, materials and staff costs, and increasingly volatile and competitive home and international recruitment markets. Although the relative ranking of the residual risk falls from 3rd to 4th, the average risk score is largely unchanged. While welcoming the uplift in tuition fees from the current academic year, and potential future inflationary increases where institutions meet quality expectations, universities are continuing to pursue a wide range of cost reduction, restructuring, and income diversification and growth activities. Inevitably, the nature of the challenge varies, with some institutions highlighting liquidity risks, whereas for others risks relate more to generating sufficient surplus for investment, or diversifying income streams to spread risk. Risk controls and mitigating actions invariably reflect institutions’ individual financial positions, but typically include: • Greater emphasis on medium and longer term financial forecasting/reforecasting, scenario modelling and stress testing, and more frequent governing body scrutiny of accounts and cashflows, reflecting lessons learned from the University of Dundee9; • Strengthened, multi-year planning and budgeting processes; • Income diversification and growth options, including new market opportunities; • More regular reviews of pensions provision and exploration of alternatives • Strengthening of treasury management, cash management and cost controls; • Strengthening or developing workforce planning with closer monitoring of staff costs, restructuring, and voluntary severance schemes; • Efficiency programmes, process re-engineering, re-prioritisation, and scaling back or delaying capital expenditure; • Market-led portfolio and curriculum review; and • Hedging energy costs, increasing energy efficiency, and driving more value from procurement and supplier management; We also note that fraud risks are now appearing on strategic risk registers with greater frequency, likely reflecting the challenging economic climate and the new duty to prevent fraud under the Economic Crime and Corporate Transparency Act (2023). This is driving stronger interest in the automation of financial controls and detection of irregularities, the development of fraud risk registers, and review of cross-organisational policies and procedures. Risk commentary and recommendations Despite increases to home tuition fees and the wide range of mitigations outlined above, at a sector level a number of factors point to increasing, rather than declining financial sustainability risks. These include international market dynamics and the international student levy, global uncertainties impacting partnerships 9https://guildhe.ac.uk/news-and-policy-insights/lessons-dundee-reportessential-checklist-senior-leadership-teams-and
15 and collaboration, continuing challenges around managing staff and estates costs, and driving efficiencies using complex, aging and often disconnected digital estates. The OfS acknowledges this in its latest reporting10, noting that home and international recruitment remains below aggregate sector forecasts and that there is a risk that 46% of institutions could be in a deficit financial position at the end of 2025/26. The OfS notes that: “although some institutions are undergoing significant transformation to deliver sustainable long-term business models, others are still taking short-term cost-saving measures to respond to recruitment challenges, or are undergoing transformation that does not go far enough.” In the post-16 education and skills white paper, the government has signalled that it wants English institutions to move away from a “one size fits all” model for teaching and research because it believes that there are too many institutions with similar course offerings chasing the same students. Institutions are encouraged to “specialise in areas of strength”, with the government outlining a vision for greater collaboration between HE and further education providers, aligned to regional economic and skills requirements. The government believes that this could result in more consolidation and formal collaborations to strengthen financial sustainability, and the OfS has asked governing bodies to consider strategic change alongside cost reduction activities. While financial sustainability will primarily be a concern of the governing body and finance committee, we recommend that audit committees should: • Satisfy themselves that risks to financial sustainability and core controls are identified and documented at an appropriate level of detail, and that it is clear where and how second and third line assurance is obtained on the effectiveness of controls. The committee should have the opportunity to regularly discuss financial sustainability risks and challenge underlying assumptions, stress tests and scenarios; • Seek assurance that student number and financial forecasting is informed by detailed analysis of domestic and international competitors, markets, and student insight data rather than using solely historical institutional data; • Ensure that risk appetite is discussed and reviewed annually, and that risk appetite and a detailed risk analysis informs all scenarios for transformation, collaboration, consolidation or structural change; • Review the information published about HE regulatory and fraud cases, and seek assurance and evidence of a robust counter-fraud culture; and • Consider the benefit of a joint annual meeting with the finance committee and the external auditors to discuss the draft report from the external audit of the financial statement and accounts. 10 https://www.officeforstudents.org.uk/for-providers/finance-andfunding/financial-pressures-and-financial-sustainability/
Higher Education Strategic Risk Analysis Report 2025/26 16 2.4 Estates infrastructure, ranked joint 7th inherent and 3rd residual Risk findings Around two thirds of institutions have a strategic risk relating to their estate. Average normalised inherent and residual scores and rankings are broadly the same as in 2024/25, suggesting that risk profiles are stable. As might be expected, there is a particularly wide variation in both inherent and residual normalised risk scores, reflecting the differing sizes, types, ages, conditions, and locations of University estates, as well as their missions, subject mix, teaching delivery models and scale of research. Common mitigation strategies and controls include: • Development and more regular and agile review of estates strategies and space management plans aligned to changes in the curriculum offer and modes of delivery; • Strengthening data and analysis on space utilisation, with a focus on use of generalist and office space; • Review and reprioritisation of capital expenditure plans, with strengthened governance and oversight; • Regular review and risk-based reprioritisation of estates maintenance plans; • Changes to student accommodation strategies and partnerships; and • Changes to the design of capital projects to control costs and maximise value. Risk commentary and recommendations It’s recognised that utilisation of university estates is inefficient compared to other business sectors, with over provision of space ranging from an estimated 10-40%11. Given the financial challenges the HE sector is facing, this position is no longer tenable in terms of energy and running costs, maintenance, efficiency, or carbon management. Institutions are also looking to make better use of their estates to generate commercial income through, for example, events and conferencing. 11 https://www.aude.ac.uk/news-and-blogs/publications/
17 Aside from the obvious financial drivers behind estates risks, hybrid study and working patterns continue to impact space usage, alongside significantly more students choosing to live at home and commute. As noted at 3.2 above, while many institutions have struggled to meet recruitment targets, some have substantially increased their undergraduate intake, resulting in different space utilisation challenges. All these factors point to institutions needing to be able to take a much more agile approach to planning, managing, and adapting the size and utilisation of their estates to continue to provide a welcoming, safe, and fit-for-purpose environment for students, academics, professional services, and visitors. This requires much better data and analysis about the estate, its condition, and its utilisation than has traditionally been available. While some institutions have invested in occupancy sensors and digital planning tools, there are wide disparities in the availability of the data and insight that institutions need to inform choices about “rightsizing” (e.g. refurbishment, repurposing, disposal or new build), as well as to prioritise maintenance and improvement activities. While estates is likely to be the primary responsibility of a different committee, we recommend that the audit committee should: • Ensure that estates risks are reflected in the strategic risk register if there is significant under utilisation of space or significant space constraints, and/or maintenance and investment challenges; • Satisfy themselves where and how second and third line assurance is obtained on the effectiveness of controls, and particularly the effective alignment and review of student recruitment scenarios and forecasts with estates and space utilisation plans; • Seek assurance on the quality, completeness, accuracy, and frequency of estates and space utilisation data used to inform strategic decision-making; and • Ensure that value for money reporting addresses estates and space utilisation and energy efficiency. 2.5 University employees/staff lifecycle: ranked joint 9th inherent and 6th residual Risk findings: In comparison with five years ago, risks relating to the staff lifecycle appear on almost all university risk registers. Risks cover business as usual activities around recruiting, developing and retaining the right people and realising equality, diversity and inclusion (EDI) ambitions, and increasingly, risks to morale, productivity and high quality teaching and research arising from restructuring and reductions in headcount. This includes risks around staff workload, wellbeing, motivation and performance and by extension, employee relations risks. Both inherent and residual average risk scores have increased this year, with a wider variation appearing in normalised inherent scores. This variation is likely to reflect differing financial positions of institutions and the extent of reductions in their workforce. Mitigation activities and controls necessarily reflect local circumstances and include: • Growing emphasis on people strategy, workforce planning and succession planning; • Strengthening employee relations, staff engagement and staff wellbeing initiatives; • Planned and structured approaches to headcount reduction, with emphasis on engagement and support for both departing and retained staff; • Review of recruitment and reward activities, career pathways, and performance frameworks; • EDI strategy and initiatives; • Expanding management information and frequency of reporting on key staff metrics; and • Leadership and management development.
Higher Education Strategic Risk Analysis Report 2025/26 18 Risk commentary and recommendations People related risks in HE are increasing. Published information12 indicates over 13,000 roles were cut from 90 universities in 2024-25, alongside changes to terms and conditions and pensions provision, as part of efforts to reduce operating costs. While press coverage focuses on the headline numbers, the impacts of job cuts on this scale is likely to be far-reaching in terms of morale, wellbeing, commitment to collaborative working, and driving change and innovation in teaching and research. In this environment, continued focus on workforce planning and staff engagement is essential to build resilience and maintain a high-quality student experience and impactful research. While people and human resources is likely to be the primary responsibility of a different Committee, we recommend that the audit committee should: • Ensure that people related risks are appropriately reflected in the strategic risk register, particularly if there have been, or are likely to be, significant reductions in staffing and/or restructuring; • Seek assurance that reductions in staffing are carefully planned and managed, and that leaders and managers are appropriately trained and supported to help minimise the loss of critical skills and negative impacts on morale; • Test and seek assurance on dependencies between people risks and other strategic risks, for example in relation to delivering student and research outcomes; 12 https://www.timeshighereducation.com/news/pay-spend-two-thirdsuniversities-shed-13000-jobs 2.6 Research ranked joint 9th inherent and 7th residual Risk findings: This year 65% of universities in our sample feature research as a strategic risk, compared to 47% three years ago. Average inherent and residual risk scores are very similar to 2024/25, and scores do not tend to vary widely between institutions, despite the universities having significantly different research portfolios in terms of subjects and scale. Research risks are primarily characterised in terms of an inability to secure sufficient external funding to support strategic aims, either from research funders and/or from the 2029 REF exercise. Risk mitigation activities include: • Actions to attract and support research talent through pay and reward, working patterns, and investment in research leadership and development. Many institutions identify a separate risk around retaining academic researchers; • Strengthening research support teams, management software, and internal peer review; • More emphasis on setting research objectives, financial planning, and management of income targets; and • Relationship building with research funders and greater focus on building local and regional partnerships for research and innovation.
19 Risk commentary and recommendations: Most public research and charitable funding doesn’t cover the full cost of undertaking research, and while the government has signalled an intention to fund research on a more sustainable basis, this may result in funding a lower volume of research overall. For example, the government has stated in the English post-16 education and skills white paper that it wants to incentivise “a more strategic distribution of research activity across the sector”, ensuring that all parts of the country have “the right volume and mix” of research capabilities through greater collaboration between institutions and “specialisation”, i.e. moving away from a business model that encourages all academics to undertake research and all universities to support research across a range of disciplines. The next REF has been framed to support this aim. Greater concentration of research funding will impact institutions disproportionately, and points to research being an area of increasing risk. Audit committee focus on research risks tends to be lighter than on other areas of university activity, and is often limited to consideration of transparent approach to costing (TRAC) returns and, increasingly, assurance on securing an effective trusted research framework. We recommend that committees should: • Familiarise themselves with the scale and scope of the research and innovation endeavour at their institution, and the fundamentals of the REF exercise; • Ensure that research and innovation risks are reflected in the strategic risk register, or if not, that the rationale for this is clear; • Satisfy themselves where and how second and third line assurance is obtained on the effectiveness of controls around research funding, research management, compliance, and participation in the REF; and • Test whether risks related to research income, particularly forecast income from RFE2029 and cross-subsidy from teaching and other income streams, are adequately reflected in strategic and operational plans.
Higher Education Strategic Risk Analysis Report 2025/26 20 2.7 Teaching and Learning. Student outcomes (ranked joint 7th inherent and joint 4th residual), student experience (ranked joint 10th inherent and 11th residual), and student wellbeing (ranked joint 9th inherent and joint 13th residual) Risk findings: Student outcome and student experience risks are not always easily delineated, and root causes and mitigations often overlap. Compared to 2024/25, student experience and student outcomes risks appear on marginally fewer strategic risk registers (65% and 50% respectively), while overall inherent and residual risk scores are broadly the same, with outcome risks being scored more highly on average. Student wellbeing risks in comparison appear on relatively few strategic risk registers, either as a standalone risk (30%) or incorporated in other risk areas. Patterns of risk scores do not vary significantly between institutions, despite substantial differences in the size and composition of student populations. Where student outcomes risks are documented as strategic risks, these invariably point to risks around student retention, completion, and securing positive graduate outcomes in terms of employment or further study. The description of these risks is typically detailed, often referencing OfS B3 conditions of registration, and indicating that most institutions have a strong and detailed grasp of the underlying data and are designing and implementing both broadbrush and targeted interventions. The consequences of not realising B3 conditions or increasing relative performance are made clear in terms of potential financial loss, regulatory action, and adverse impact on brand, reputation, league tables, and the future Teaching Excellence Framework. As with student experience activities, controls are increasingly based on data and insight about student attendance, engagement and academic performance, both to target support to individual students at the right time, and to design and test increasingly tailored interventions and activities. Student experience risks appear more frequently in strategic risk registers and risks address a broad range of concerns. These include risks associated with National Student Survey performance (e.g. in relation to teaching, assessment or feedback) and other forms of student voice, subject specific concerns, digital pedagogy and digital literacy, and risks specifically associated with the international student experience. Mitigating actions typically focus on strengthening teaching quality and
21 academic support, the redesign of the curriculum, timetabling or assessment, and a stronger emphasis on analytics to monitor student engagement and deploy support services effectively and efficiently. Student wellbeing risks are more tightly defined, primarily referring to mental health needs, as well as financial hardship. Controls and mitigating actions point to increasing integrated, end-to-end student support services, drawing on professional and peer support, close collaboration with Student Unions, and clear pathways for internal and external referral where needed. Risk commentary and recommendations: While estimates vary, the last five years has seen a notable increase in the proportion of students living at home and commuting to university. Coupled with a substantial rise in students working in term time to cover living costs (68% of full time undergraduates now combine work and study during term time13), this is resulting in lower levels of in-person attendance on campus and less time spent on independent study and engaging with extracurricular activities. Interestingly, university strategic risk registers tend not to reference these fundamental, underlying changes in student choices and behaviours. From a regulatory standpoint, the government has noted that “between 13% and 18% of providers failed to meet OfS minimum expectations on outcomes for full-time first degree students14”. This observation, coupled with challenges around specific groups of students at individual providers, continues to drive OfS’ regulatory monitoring, investigations and action. Additionally, the OfS has also recently closed a consultation on reforming the Teaching Excellence Framework (TEF). This moots the possibility that in future only institutions meeting a certain quality standard will be able to increase their tuition fees in line with inflation, which could have serious consequences for financial sustainability. While the outcome of the TEF consultation is awaited, this analysis demonstrates that institutions are continuing to undertake significant and ongoing activity to address student experience and outcome risks, with investments in underpinning technology and analytics, academic support, and student services despite financial constraints. Typical audit committee engagement in this area is through an annual report on OfS compliance, although not all institutions do this. 2025 also saw the publication of the national review into student suicide deaths15. This highlights circumstances where harm arose “not from a lack of concern, but from failures in institutional processes – such as errors in academic administration, uncertainty around escalation and restrictive interpretations of consent”16. We note that while some governing bodies or audit committees annually review information and lessons learned from serious safeguarding cases or student deaths, this practice varies widely between institutions. We recommend that audit committees should: • Understand the composition of their study community and familiarise themselves with different living, study and work experience patterns; • Ensure that student experience, wellbeing and outcome risks are reflected in the strategic risk register, or if not, that the rationale for this is clear; • Satisfy themselves where and how second and third line assurance is obtained on the robustness of safeguarding and the regular review and application of lessons learned from serious cases and student deaths; • Ensure that Committee members are familiar with the core B3 datasets, National Student Survey data, and how to interpret the results; • Request an annual report on compliance with OfS conditions of registration; and • Seek assurance on the quality, timeliness and reliability of student attendance data, and core retention, progression, and outcome metrics and statutory data returns; and Familiarise themselves with the Teaching Excellence Framework and the outcomes from the OfS consultation. 13 https://www.hepi.ac.uk/reports/student-academic-experience-survey2025/ 14 https://www.officeforstudents.org.uk/data-and-analysis/sectordistribution-of-student-outcomes-and-experience-measures-datadashboard/ 15 https://www.gov.uk/government/publications/national-review-ofhigher-education-student-suicide-deaths 16 https://www.hepi.ac.uk/2026/02/08/weekend-reading-parliamentslatest-debate-on-duty-of-care-what-problem-are-we-really-trying-tosolve/
your-brochure-online.co.ukRkJQdWJsaXNoZXIy NTI5NzM=