Uniac - April 2026

Higher Education Strategic Risk Analysis Report 2025/26

Management of Strategic and Corporate Risks

Building on our commentary from our previous year’s reports, we’ve taken a deep dive into the design and content of the strategic risk registers employed and how they’re being used by audit committees. It’s clear across the sector that risk management and assurance is a live topic, with most institutions continuing to review and evolve their risk management practices. Table 3 below highlights notable findings and suggests opportunities for further enhancement.

Table 3: design and content of University corporate or strategic risk registers and their usage (18)

(18) The terms “strategic” and “corporate” risk registers are used interchangeably in HE and refer to the enterprise-wide documentation of the most significant strategic and compliance risks that a university is managing.

Frequency and depth of audit committee discussion

Risk register observation: the majority of audit committees review and discuss a corporate or strategic risk register at each meeting. All institutions review this at least every six months. While cover papers typically highlight significant risks and/or those out of appetite, the priority given to risk management on the agenda, the depth of scrutiny, and the time spent vary considerably.

Opportunities for enhancement: audit committees should consider whether they spend sufficient time discussing and challenging the description, quantification and effective management of strategic risks. Committees should consider whether covering papers provide sufficient depth of analysis and assurance, particularly in relation to interconnected risks and risk mitigations.

Risk organisation and granularity

Risk register observation: institutions demonstrate a very wide range of approaches to organising corporate and strategic risks. This includes: no categorisation of risks; using a small set of overarching strategic risks; categorising by business area/theme or by strategic aim; or dividing risks into strategic and compliance areas. The total number of risks captured at institutional level ranges from 9 to 71, with a mean of 23 and a median of 16, reflecting different approaches to aggregation.

Opportunities for enhancement: audit committees should consider whether they’re receiving information about strategic risks at an appropriate level of granularity. Information on 30+ risks may make it hard to identify the most significant concerns. Information on fewer than 10 could result in information being aggregated at too high a level to enable effective challenge.

Linkage to strategy

Risk register observation: only half of our sample specifically document the linkage between their corporate risks and their strategic objectives. A lack of connectivity between corporate risks and strategic objectives potentially indicates a limited approach to risk management.

Opportunities for enhancement: good practice emphasises the development of enterprise risk management, which seeks to use risk proactively to drive strategic choices and inform decision-making. Institutions should consider the benefits of adopting a more enterprise-based approach to risk management and ensuring that risks to the delivery of strategic ambitions are appropriately identified, quantified and managed.

Legal and regulatory compliance

Risk register observation: all bar one of the risk registers examined include legal and regulatory compliance risks in some form. However, 50% do not reference Health and Safety risks.

Opportunities for enhancement: compliance with Health and Safety legislation should be a consideration for audit committees when providing assurance to the governing body on the effectiveness of risk management and internal controls. This is particularly the case given legal duties to employees, open campuses, and the range of public events held at university-managed venues. Audit committees should satisfy themselves that Health and Safety risks - and other key compliance risks - are appropriately documented and managed even if they do not feature as a strategic risk, e.g. via an annual report, periodic deep dive or audit.

Design of risk model

Risk register observation: over two thirds of the risk registers examined use a 5x5 risk matrix framework, which is standard good practice for large and complex organisations. Other institutions use a 4x4 model or a 3x3 model.

Opportunities for enhancement: where institutions have chosen not to use a 5x5 model, audit committees may wish to explore why, and whether, particularly in an uncertain and challenging operating environment, a 3x3 or a 4x4 model provides sufficient discrimination between risks and between the effectiveness of mitigating actions.
