Higher Education Strategic Risk Analysis Report 2025/26 4 Our key findings in these areas highlight: • Cybersecurity: Cybersecurity remains the most significant and fastest evolving strategic risk area for HE. Higher inherent risk scores reflect a preponderance of increasingly sophisticated cyberattacks exploiting AI-driven impersonation and supply chain vulnerabilities. Institutions exhibit wide variation in the confidence they have in their controls, which is likely to be a consequence of significant differences in size, mission, organisation, and the age and complexity of their digital estate. Balancing the needs of staff and students against strengthening access controls remains a live debate. Audit committees should ensure that they are receiving sufficient assurance about the identification and management of cyber risks in light of organisational objectives and evolving threats. The National Cyber Security Centre toolkit for boards provides advice on effective reporting and questions to ask. • Student recruitment: 2025/26 has seen a further increase in average inherent risk scores around student recruitment in response to even tougher competition for home and international students, changes to the UK visa and post-study work regime, and wider perturbations in international recruitment markets. Institutional confidence in mitigating recruitment risks varies significantly, in all likelihood reflecting factors such as market position and competitors, geography, brand, and operational effectiveness. • Audit committees should ensure that they have direct visibility of recruitment risks and mitigation strategies to enable them to test assurance around short, medium and longer term recruitment forecasting models. • Financial sustainability: the average inherent risk score has increased this year, and we observe greater differentiation and detail in descriptions of financial sustainability risks, reflecting divergent financial circumstances. There is a wide variation in risk scores and in mitigating actions across universities, suggesting that some institutions are much more confident than others about their ability to maintain a sufficiently strong financial position to realise their strategic goals. While oversight of financial sustainability primarily resides with the governing body and finance committee, audit committees should have the opportunity to discuss financial risks, challenge assumptions and scenarios, and satisfy themselves about where and how second and third line assurance is obtained, including on student number and financial forecasting. A joint annual meeting between the audit and finance Committees provides a valuable opportunity to discuss the financial statements and going concern assessment. Other areas where there has been a notable increase in average inherent risk scores are: • Partnership risks: risks typically relate to the management of partnerships, the delivery of quality outcomes, and realisation of income targets. The observed increase in frequency of partnership risks and elevated risks scores likely reflects growing government and regulatory scrutiny of value for money and the anticipated strengthening of regulatory controls. Audit committees should satisfy themselves about the effective oversight and management of UK and international partnerships, including the quality of the student experience and student outcomes. • IT and digital estates risks: these risks now appear on the majority of risk registers, and average inherent scores are increasing. Risks cover a broad range of themes, including risk of infrastructure or system failures, ability to deliver major IT changes, and the risks of not capitalising on new technology and AI. Audit committees should ensure that they understand the core IT systems and infrastructure employed at their institution and how AI is governed and used in a responsible and ethical way. • UK policy environment risks: this risk features on just over half of institutional risk registers and relates to issues such as risks to international student recruitment, policies favouring some subject areas over others, and the ability to realise opportunities from regional devolution. Audit committees should understand the particular risks which apply to their institution.
RkJQdWJsaXNoZXIy NTI5NzM=