25

Risk descriptors

Risk register observation: Risk descriptors should capture information about the causes of risks and their potential impacts or consequences. However, 35% of registers in our sample don’t detail risk factors, and 40% don’t spell out the consequences of risks materialising. Including this information gives audit committees greater transparency and helps to identify likely dependencies between significant risks.

Opportunities for enhancement: Audit committees should ensure that risk descriptors provide sufficient information about the factors which cause significant risks to crystallise and the consequences if they do. Interdependencies should also be captured.

Risk assessment and risk appetite

Risk register observation: Institutions use different approaches to risk assessment and reporting, e.g. presenting:
• Inherent risk + current risk
• Inherent risk + current risk + target risk
• Current risk + target risk
• Inherent risk + target risk
40% of institutions don’t employ a measure of risk appetite or a target risk score for individual risks.

Opportunities for enhancement: An approach that provides information on inherent risk, current risk and target risk or risk appetite represents good practice. Using a target risk score or risk appetite measure provides a clear view of the level of risk a university is prepared to tolerate in a given area. This helps to prioritise mitigation activities, measure progress in strengthening controls, and identify where additional assurance may be needed. Audit committees should:
• consider whether they have sufficient clarity about current risk exposure and trend;
• encourage institutions to incorporate risk appetite or target risk scores into strategic risk registers; and
• require risk appetite to be discussed and reviewed at least annually.

Controls

Risk register observation: A small number of risk registers do not document existing risk controls, and 50% of institutions do not clearly differentiate between existing controls and mitigations and planned activity to manage or reduce likelihood or impact.

Opportunities for enhancement: In order to provide assurance on risk management effectiveness, audit committees need to have clarity about the extent of existing controls and planned activities. This is especially the case when risks are outside of appetite. Audit committees should consider whether they have sufficient clarity about:
• the extent and effectiveness of existing controls and mitigations;
• what further actions will be taken to reduce the likelihood or impact of risks, including action owners and timescales.

Documentation of assurance

Risk register observation: Audit committees rely on multiple sources of assurance that risks are being accurately documented, quantified and managed. These span the “three lines” of operational management, senior oversight by the executive or other governance committee, and external review or audit. However, in 55% of the risk registers considered there are no references to assurance mechanisms.

Opportunities for enhancement: Audit committees should encourage institutions to incorporate assurance information into strategic or corporate risk registers, or to consider the development of a complementary assurance framework. This should strengthen focus on the adequacy of governance and internal controls.

Use of KPIs and data

Risk register observation: KPIs and key statistics can provide assurance on the effectiveness of risk mitigations and controls, as well as providing early warning indicators of potential concerns. However, use of data is currently limited to a small number of institutions and largely draws on historic output data and lagging indicators.

Opportunities for enhancement: Audit committees should discuss what KPIs, leading indicators or other data might be useful in providing insight on risk proximity and assurance on the management of the most significant risks.
The terms “strategic” and “corporate” risk registers are used interchangeably in HE and refer to the enterprise-wide documentation of the most significant strategic and compliance risks that a university is managing.