Uniac - February 2024

HE Updates
Virtual Brochure – February 2024

Introduction

Who we are and what we do

We are here to make a difference to the institutions we serve. We work in partnership to manage risk, promote effective and efficient mitigation measures and, more broadly, help develop risk, assurance and audit arrangements.

What we offer

• objectivity, integrity and constructive challenge
• drive, innovation and creativity
• confidence and diligence and
• detailed and specialist knowledge of higher education.

We pride ourselves on the knowledge and experience of our staff who are empowered and encouraged to deliver value adding reviews for a diverse range of higher education providers across the UK. We have a flexible and tailored approach that recognises the differences between working at large and research-intensive universities through to niche specialist providers.

Director’s Foreword

“In addition to the delivery of the internal audit programmes across institutions, we also produce regular, topical briefing notes – aimed at boards, audit committees and senior management. This brochure contains a few of those. If you’d like to know a bit more about Uniac and our services, please do get in touch.”

In this issue

01. Risk Register Analysis
02. A European View on the Risk Environment
03. Expenses Benchmarking
04. Artificial Intelligence & HE Sector
05. The Cost-of-Living Crisis and Student Hardship
06. Shouldering the responsibility for regulatory compliance: a challenge for higher education governance

Our Services

The higher education sector is vast and diverse. Here are just a few examples where our staff excel:

• Risk Management and Assurance Mapping
• Financial Systems and Processes
• Student Experience and Supporting Processes
• Digital and Digital Transformation
• Cyber and Information Governance
• Fraud Prevention, Detection, and Investigation
• People and Organisational Development
• Data Returns
• UK Visas and Immigration
• Research and Enterprise
• Universities UK Accommodation Code of Practice
• Academic Governance
• Programme and Project Assurance
• Equality, Diversity and Inclusion
• Competition and Markets Authority Compliance
• Governance
• Sustainability
• Marketing
• Value for Money
• Grant Audit and Grant Record Keeping
• Apprenticeship Delivery
• Estates

1. Risk Register Analysis – Dec 2023

Executive summary

Uniac’s annual risk analysis briefing comes at a time when the UK university sector is finally emerging from the shadow of the pandemic but contending with high inflation, difficult economic circumstances and flat tuition fees, ongoing industrial disputes, and ferocious competition for home and international students. Although a general election in 2024 could pave the way for changes to higher education (HE) funding and regulation, institutions are dealing with more immediate concerns around the impacts of cost of living and the housing crisis on the wellbeing of staff and students, tackling aging estates, and aiming to capitalise on digital developments while protecting systems, data, and intellectual property from cyberattacks.

In this context, the effective identification and management of strategic risks matters more than ever to help leaders and governors to have the right conversations about realising strategic ambitions while protecting essential assets.


Uniac supports a diverse group of Higher Education Institutions (HEIs) across the UK, including small and specialist providers, large metropolitan universities, research-intensive universities, and those fulfilling specific local and regional needs. This gives us a unique overview of the strategic risk concerns of UK HE and enables us to produce an annual snapshot of how strategic risks are being captured, assessed, and mitigated across a broad cross-section of institutions.

Our briefing comprises:

• an analysis of overall risk trends, exploring average ratings of inherent and residual risk across key areas, as well as views on the effectiveness of mitigation activities and the frequency of common risks.
• an in-depth consideration of six of the more significant risks facing institutions or those where there has been a significant increase in the average ranking of the risks (financial sustainability, student recruitment, student outcomes, industrial action, cybersecurity, and environmental sustainability). This section provides a commentary on common mitigation actions and draws on recent internal audit observations to suggest topics that institutions may wish to consider.
• a commentary on selected risk areas, risk trends, and further considerations for institutions, exploring risk themes around student wellbeing, staffing, business continuity, the digital estate, and the Office for Students (OfS).

A companion piece (page 21) provides a comparative assessment of strategic risks from a broad range of business sectors such as financial services, technology, healthcare, consumer and retail, and leisure and hospitality, based on the 2024 European Confederation of Institutes of Internal Auditing (ECIIA) survey.

We hope that this will be of interest to senior leadership, audit committees and governors in informing discussions about risk appetite, risk management, and the focus of future internal audit programmes.

Overall risk trends

Our analysis is based on the strategic risk registers of 17 HEIs at the end of the 2022-23 academic year. Details of our approach are set out in Appendix A, but in brief:

• each risk has been categorised against one of the 23 common sector themes
• we have normalised the inherent and residual risk scores, using a 0-1.0 scoring system, and calculated the averages of these for each risk theme
• we have calculated the difference between the average normalised inherent and residual risk scores for each theme to examine the extent to which institutions believe that risks are being managed
• we have analysed the frequency of risks and the occurrence of risk themes across the group of institutions.

Figure 1, overleaf, presents the average intrinsic and mitigated risk score for each thematic area, ranked by the inherent risk score. Risks with the higher intrinsic scores tend to be those areas such as cybersecurity, student recruitment, industrial relations, and UK policy environment, where factors outside of institutions’ control have a stronger influence on the likelihood and severity of risk impacts. It is notable this year that student outcomes features highly as an inherent risk, when student experience features as the risk area with the lowest intrinsic score.

Figure 2, page 8, presents the difference between the average unmitigated and mitigated risk scores. This reflects how confident institutions are feeling collectively about the effectiveness of their actions in managing and mitigating risks in the different thematic areas. This shows, for example, a high degree of confidence in managing and mitigating risks around student mental health and wellbeing, data issues, business continuity, cybersecurity, and legal and regulatory compliance activities. As would be expected, there is less confidence in mitigating risks largely driven from external factors such as the UK policy environment, environmental sustainability, and geopolitics.

In Figure 3, page 9, it is important to recognise that the analysis is in part influenced by the frequency with which risks appear on strategic risk registers. Risks to the left-hand side of the graph relating to financial sustainability, staffing, student recruitment, estates, OfS compliance and cybersecurity (which may be grouped with digital estate) are matters for concern for almost all institutions. In contrast, risks around the UK policy environment, governance and data quality and management do not feature highly, suggesting that risks in these areas are of lesser concern to the majority of institutions in our analysis.

Figure 1

Figure 2

Figure 3

Commentary on selected risk areas

As part of our analysis, we have examined institutions’ perspectives on risk trends, as well as comparing the trends in the ranking of risk themes in our analysis year-on-year. We observe that while institutions report that most risks are stable over time, our year-on-year comparison has identified some significant changes which we explore in our commentary on selected risks.

This section provides an in-depth scrutiny into six areas which have the highest residual risk scores and/or where there are significant increases in the ranking of risks in terms of average inherent and residual risk scores since 2022. We would encourage institutions to reflect on the extent to which attention and resources are being directed to the areas highlighted.

A) Financial Sustainability

Financial sustainability remains a significant strategic risk, featuring on almost every risk register. Generating sufficient surplus to invest in strategic initiatives remains the key issue, with concerns about the impact of inflation on pay and operating costs, and the real terms decrease in the value of tuition fees featuring more prominently than in 2022. Most institutions also highlight concerns about their pension liabilities. There is a consistent pattern of mitigation approaches, which institutions have a substantial degree of confidence in.

Mitigation activities include:

- more emphasis on longer-term integrated financial forecasting and use of scenarios and stress testing
- strengthening and refinement of continuous planning and review activity
- income diversification, particularly international postgraduate recruitment
- efficiency programmes and tighter controls on operating costs, particularly people and energy costs
- a renewed focus on fraud assurance.

Risk commentary

In their latest report [1] the OfS notes that institutions have acted rapidly “to manage risks to their financial performance from the pandemic and subsequent increases in the cost of living”, but that “the financial environment and outlook is increasingly challenging” and there is significant variation in the financial position of providers. Almost all of the institutions in our sample reported that the status of this risk was “stable”. We observe that risks in the area tend to be well defined, with detailed mitigation strategies set out. Compared to 2022, we note a more pragmatic approach to scoring residual risks.

One area of concern is some institutions making assumptions that the likelihood of fraud is very low. Evidence from our audit work and broader sector engagement suggests that the likelihood of fraud is due to the expansion in online systems, growth in identity theft, money muling, and wider economic conditions. We encourage audit committees and boards to challenge risk ratings, particularly low likelihood scores, and to ensure fraud policies / procedures are reviewed and awareness raising activities undertaken.

[1] https://www.officeforstudents.org.uk/publications/financial-sustainabilityof-higher-education-providers-in-england-2023-update/

B) Student Recruitment

Student recruitment remains a high-level strategic risk on most risk registers given that maintaining or growing student numbers is central to securing financial sustainability. While the specifics reflect different institutions’ market positions, common risk factors include: more challenging domestic competition; reduction in foundation year funding; over-reliance on specific cohorts such as home undergraduates or students from China; increasing disruption to international student recruitment; and concerns about the attractiveness and viability of elements of the portfolio.

Mitigation activities include:

- increased resource and effort on market research, modelling, and scenario planning.
- increased investment in targeted marketing and even closer monitoring of performance.
- strategies to substantially grow international taught postgraduate provision, including development of existing partnerships.
- more extensive portfolio review and process changes to launch and retire programmes more effectively.

Risk commentary

The picture is very similar to 2022. Our analysis shows a consistent pattern of intrinsic high likelihood and impact scores, and on average, a high degree of confidence in the effectiveness of mitigation strategies. We note, however, that a growing number of institutions have flagged this as a rising risk and this is likely to have increased further following the 2023 recruitment round when a range of institutions were unable to realise their ideal recruitment targets.

In 2022 we highlighted the importance of institutions needing to pay greater attention to understanding changing political and economic circumstances in key international recruitment markets. Some institutions have been impacted by currency changes in Nigeria, reinforcing the need for institutions to develop their local insight and scenario plans for responding rapidly to changes.

We also observe that almost every institution is seeking to grow its population of international taught postgraduate students. This comes with attendant risks around geopolitics and security, brand, the UK immigration and housing context, and experience provided to international students. Audit committees and governing bodies may wish to ensure that they have sufficient visibility of portfolio changes and how the related risks are being managed effectively.

C) Student Outcomes

Student outcomes risks appear on the majority of the risk registers in our sample. 2023 saw a large jump in the average risk scores for student outcome risks, both in terms of the inherent and mitigated scores. While some of the risk factors are similar to previous years, for example students’ financial concerns and mental health, we note new and specific concerns around student retention at a number of institutions (potentially linked to the fallout from educational disruption during the pandemic) and growing concerns about graduate employment prospects.

Mitigation activities include:

- early identification of students who may struggle in order to offer enhanced support
- closer monitoring of student engagement patterns, retention rates and investigation of underlying factors
- expansion of hardship funding
- whole-university strategies to build confidence and employability skills through a student’s programme of study
- offering placements to all students and improving placement opportunities.

Risk commentary

The higher likelihood and impact scores for inherent and mitigated risks, as well as higher average rankings, suggest that the challenge of student outcomes is an increasing risk and an area where confidence in the effectiveness of mitigation activities has declined since 2022. While the issues reported are unlikely to place institutions at risk of falling below regulatory thresholds, they are of concern in relation to realising institutional missions for student success and increasingly to some institutions, a risk in terms of lost tuition fee income and in terms of league table positioning.

It is notable that over the same period the average rankings for student experience risks have improved substantially, optimism driven in part by improving National Student Survey results. This finding sits at odds with the increasing risks to outcomes at some institutions and may point to a bifurcation in satisfaction and outcomes between those students able to make the most of the opportunities on offer, and those who struggle from the outset. The development of new Access and Participation Plans provides an opportunity for governing bodies and committees to scrutinise and challenge activities in this area.

D) Industrial Relations

While industrial relations featured in several risk registers in 2022, 2023 sees industrial action appearing in the majority of the risk registers considered either as a risk in its own right, or as part of wider concerns around organisational culture and performance.

Mitigation activities include:

- a focus on resolving local aspects of disputes with local and regional trade union branches
- unilateral measures to ameliorate cost of living impacts on staff
- strategies to manage and minimise the impacts of assessment and marking boycotts, including deployment of business continuity plans
- reviewing internal policies on working practices.

Risk commentary

It’s a positive that many institutions have explicitly documented that the current industrial action may have medium- and longer-term impacts on organisational culture and performance (for both union and non-union staff) and are considering how to address this. However, only two institutions identified the risks and negative consequences that strike action (and action short of a strike) could have on students’ experience and satisfaction. We would encourage institutions to reflect on short- and longer-term impacts of industrial action on students as well as their staff.

E) Cyber Security

We observed in 2022 that some institutions were likely to be underestimating their risk of exposure to a cyber incident and also overestimating the effectiveness of their mitigation strategies. In a year that has seen further significant cyberattacks against several UK universities, as well as against multiple companies and institutions, this position has changed. On the whole, risk registers evidence a more in-depth consideration of risk grounded in the design and maturity of the digital estate and third-party relationships.

Mitigation activities include:

- technical controls, e.g., multi-factor authentication (MFA) and encryption, network access controls and segmentation, firewalls, anti-virus/malware systems, patching, cloud configuration
- vendor and supplier risk assessments
- use of specialist expertise to undertake deep dives into risk exposure and inform improvement plans
- improved scanning, testing, detection monitoring and incident response plans, facilitated cyberattack exercises
- specific policies and procedures, mandatory staff training, awareness raising and exercises.

Risk commentary

As complex organisations, we encourage all institutions to ensure that the full range of cybersecurity risks and controls are identified and documented, particularly taking account of international partners and relationships, and often devolved activities taking place in faculties and schools.

F) Environmental Sustainability

While a significant proportion of our sample choose not to recognise environmental sustainability as a strategic risk, more are doing so, often to highlight the likelihood of not meeting net zero carbon commitments, with consequences for brand and attractiveness to staff and students.

Mitigation activities include:

- capital projects to decarbonise campus energy and heating
- prioritisation of estates maintenance to realise carbon benefits
- procurement and design requirements
- senior oversight and governance of net carbon plans
- publication of progress towards decarbonisation.

Risk commentary

In our 2022 briefing on the European risk environment, we noted that the sector was continuing to underestimate the likelihood and impacts of environmental sustainability risks relative to other sectors. 2023 has seen a collective shift in focus with the publication of a major report on accelerating net zero in HE [2]. At an institutional level there has been an evident change in risk perception this year with a substantial increase in the ranking of both the inherent and residual risk scores. This reflects a growing recognition of the cost and practical challenges of realising decarbonisation plans across aging estates while balancing financial sustainability risks.

Last year we encouraged institutions to think about the risks of climate change beyond the reputational and do so again. Audit Committees and Boards should ensure that environmental sustainability risks are adequately reflected in strategic risk registers, including the risks that extreme weather poses to estates and the delivery of research and teaching, and in the longer term to international student recruitment and supply chains.

[2] https://www.queensanniversaryprizes.org.uk/wpcontent/uploads/2023/01/Accelerating-towards-Net-Zero.pdf

Other observations

Student wellbeing: We note that student wellbeing does not feature as a standalone risk on many strategic risk registers. Where it does appear, it carries a high inherent risk on average (ranked 4th) and institutions report a high degree of confidence in the effectiveness of their mitigation activities (Figure 2). While the 2023 Student Academic Experience Survey shows that overall levels of student wellbeing have improved slightly, levels remain low, likely fuelled by the cost of living and the longer-term impacts of disruption to education from the pandemic. Uniac’s audits of student wellbeing often highlight dedicated but overstretched support services struggling to deal with increasing student demand. With the continuing national debate about a legal duty of care towards students we would encourage institutions to think thoroughly about their risk exposure in this area and whether actions in place to mitigate risks are as successful as risk registers imply.

Staff lifecycle: Once again our European risk environment analysis indicates that in other sectors human capital, diversity, talent management and retention is the second biggest risk facing organisations. While our HE analysis shows that risks around the recruitment, retention, motivation, and retention of staff feature on almost every institutional risk register, as in 2022, they remain relatively low ranked despite being essential to the delivery of institutions’ strategic aims and ambitions. Evidence from our internal audits suggests that some institutions have a relatively low level of maturity around organisational development compared to other sectors. The definition of risks and actions in this area tends to be broad brush or devolved to individual faculties or services. Risks around competition for talent are seldom recognised. Institutions should ensure that their executives, board, and audit committees spend sufficient time considering people-related risks across the whole employment lifecycle.

Business continuity: We observe a substantial decrease in the ranking of inherent and mitigated risk scores around business continuity compared to 2022, and a high degree of confidence in risk mitigation in this area. This might be expected given the lessons learned from the pandemic, from dealing with industrial action, weather damage, and cyber incidents. Our audit work demonstrates that in many institutions, business continuity policies and testing regimes have been reviewed and strengthened. However, we would caution against complacency and encourage institutions to continue to stay abreast of potential risks, have specific cyber incident plans, and maintain regular desktop and live disaster management and business recovery and continuity exercises.

Digital estate: Risks around the digital estate reflect concerns about legacy systems and technical debt, the replacement of core systems, and leveraging new technologies in an inclusive and accessible way. We observe that while the ranking of the inherent risk is similar to 2022, there is a substantial decrease in the ranking of average mitigated risk scores. Mitigation activities suggest that institutions are making good progress in improving their digital infrastructure and rolling out reliable digital services to underpin education, research, and support. However, our audit experience paints a less optimistic picture, with some institutions contending with fragmented systems lacking integration, a lack of process automation, aging platforms, and unsupported software. As noted in our EU risk briefing, there is also a general lack of coverage of risk exposures from artificial intelligence (AI). Governing bodies and committees should consider if digital estates risks and mitigations are adequately captured and treated.

Office for Students: This year we have disaggregated risks relating to OfS compliance from other legal and regulatory risks. As in 2022 we note the risk of non-compliance with regulatory conditions is frequently cited, albeit having middle-ranking average inherent and residual risk scores. Whereas last year a number of institutions cited this as an increasing risk, only one in our sample does so this year, suggesting a growing confidence with demonstrating compliance. This is backed up by our audit and assurance work with institutions. Notably, in institutions’ risk commentary there are growing concerns about the cost of resourcing and complying with existing and additional conditions of registration, echoing the finding of the Moorhouse Report. Institutions may wish to ensure that compliance activities are not over-engineered.

We can help

We would welcome your feedback on the usefulness of this briefing, and if there are any themes where you’d like further information or may need support, please get in touch.

Helen Thorne – Senior Audit and Risk Consultant – hthorne@unaic.co.uk
Paddy Marshall – Associate Director – pmarshall@unaic.co.uk

Appendix A

Methodology and thematic categorisation of risks

Our analysis has examined in detail the strategic or corporate risk registers of 17 institutions. We have chosen to exclude a number of risk registers where these are undergoing major revision or redevelopment. Each risk has been categorised against one of the 23 themes in the table below.

The primary changes from 2022 are:

- a new category of “student wellbeing” has been introduced following institutional feedback to separate out risks specifically relating to student mental and physical health and wellbeing and financial support services
- two themes of “UK policy environment” and “geopolitics” replace the former “external policy environment” category to better distinguish between domestic and international risks
- “Legal and regulatory” risks have been split into “OfS” related risks and “other legal and regulatory compliance”
- “EDI” risks are now allocated to “staff lifecycle” or “student experience” as appropriate.

For each risk, information was captured on:

- The definition of the risk
- Mitigating actions, both those in place and those scheduled or in train
- The inherent likelihood, impact, and risk score
- The residual likelihood, impact, and risk score
- The risk trend.

To compare assessments of risk across institutions employing different risk matrices and scoring frameworks we have employed a 0 to 1.0 scoring system to normalise each of the risk scores to a standard model. This replaces the 1-5 scoring system used in 2022.

Our analysis covers:

- the frequency of the occurrence of individual risks across the set of risk registers, reflecting that some risk registers include multiple risks in the same risk theme area.
- the frequency with which each risk theme area occurs, giving a score out of 17 for each theme.
- calculating the average of the normalised inherent and residual risk scores for each theme.
- calculating the difference between the average normalised inherent and residual risk scores for each theme to determine the extent to which institutions believe that risks are being managed.
- examining the trends in the ranking of risk themes, mitigating actions and institutional perspectives on risk trends.


2. A European View on the Risk Environment – Dec 2023

Executive summary

As the partner piece to Uniac’s annual risk analysis briefing, we’re pleased to present our analysis of the European Confederation of Institutes of Internal Auditing (ECIIA) 2024 risk in focus report. This is based on a wide-ranging survey and roundtable discussions with Chief Audit Executives (CAEs) from multiple business sectors across 17 European countries.

Our briefing provides:

• a summary of the most significant current and future business risks as perceived across a broad range of sectors, including financial services, technology, healthcare, consumer and retail, and leisure and hospitality
• our commentary on the highest ranked risk areas and areas of increasing risk, in both a UK and UK higher education (HE) context, with questions for senior leaders and audit committees; and
• a comparative analysis of internal audit effort relative to the top risk areas.

We hope that this will be of use to inform discussions about strategic risks, risk management and shaping future internal audit programmes.

The 2024 ECIIA report describes the challenges that leaders and organisations face in responding to multiple, simultaneous challenges and risks affecting every aspect of business operations. This year’s report particularly emphasises the impacts of inflation, regional conflicts and political and economic uncertainties, the explosion of disruptive new technologies that offer huge opportunities but also create new vulnerabilities, and growing risks from climate change. While European businesses are occupied with responding to new sustainability reporting requirements, the practical challenges of managing the consequences of more frequent extreme weather events are also being felt.

Core messages from the 2023 report remain highly relevant, not least how to prepare and help employees give their best in challenging circumstances when many are struggling with cost-of-living pressures and there is evidence that discretionary commitment is waning.


Key Risk Trends

Table 1 presents the summary views of Chief Audit Executives (CAEs) on their current top five risks and how these have changed, or may change, over time.

A) Cybersecurity and data security

Cybersecurity remains the top business risk identified by a majority of CAEs across all sectors. Feedback reported by the ECIIA suggests a sense that inherent risks may have plateaued, with residual risks seen as reducing slightly as a result of more robust cyber defences, improved network architecture, automated monitoring and strengthened testing and awareness raising.

However, the ECIIA cautions against over-optimism, noting that:

- Hacking has become more commercialised and many attacks are more sophisticated, as evidenced by the attacks on British Airways, Boots, and the BBC via their third-party payroll provider.
- There are increasing attacks by state-sponsored actors and a growing risk of attacks to global underwater cable networks.
- Emerging technologies such as generative AI can be used to support cyberattacks.

Most organisations now assume that they will be subject to a major cyber incident at some point and are developing more detailed business continuity plans and investing in recovery solutions that enable digital capability to be rebuilt from the bottom up in the event of significant data loss or corruption. This informs the relatively high ranking of the business continuity risk.

Considerations for HE

In our risk analysis this year, cybersecurity was, on average, the highest ranked risk in HE sector risk registers. We note that some risk registers evidence a more in-depth consideration of cybersecurity risks and the growing maturity of controls across the digital estate and third-party relationships.

Issues to consider are:

- How well prepared is your institution to respond to a major cyberattack? Are the consequences for staff, students, partners, and suppliers understood and documented? Is there an integrated, business-wide response plan?
- How rapidly could your institution recover from a major cyberattack, particularly at critical times of the academic year? Is there a detailed and tested business continuity plan in place?
- How strong is your cyber and data security culture in faculties, departments and across partner organisations or individuals (including overseas) with access to your systems? How do you evidence this?

B) Human capital, diversity, and talent management.

The challenge of attracting, recruiting, and retaining the right people is the fastest increasing risk area reported, with an 18ppt increase over the last two years. Organisations expect the profile of this risk to remain high over the next three years. Successful organisations continue to emphasise the importance of having a strong, identifiable organisational culture which champions diversity and supports the wellbeing of its staff. In the UK, the 2023 Chartered Institute of Personnel and Development (CIPD) Good Work Index [3] notes that while unemployment remains historically low, there is growing evidence of large-scale labour and skills shortages, which continue to include the IT sector. Hybrid working has become well established, with strong demand from employees for this means of flexible working. Cost of living pressures have increased stress and anxiety for many employees, and the CIPD has identified a significant adverse shift in work attitudes, with fewer people willing to put in discretionary effort.

Considerations for HE

While risks related to the recruitment, retention, and motivation of staff feature on almost every institutional risk register, we note that these continue to be relatively low ranked, despite being central to organisational success. Evidence from our internal audits suggests that some institutions have a relatively low level of maturity around organisational development, and people-related risks are under-recognised and under-discussed. For example, on average, a third of academic staff are international but, post-Brexit, the risks around retention are not well-articulated.

However, the HE sector is likely to be well placed to take advantage of employee expectations about diversity, flexible working, and wellbeing support, if challenges around precarity of contracts and industrial disputes can be resolved. Issues to consider are:

- How attractive is your institution’s employment offer (e.g., benefits, EDI, flexible working, career pathways) compared to other employers / institutions in the UK and overseas?
- Do you have a clearly articulated organisational culture, underpinned by values and behavioural expectations? How do you measure and demonstrate this?
- To what extent do your institution’s employee engagement surveys, forums, and activities enable a wide range of staff views to be aired around satisfaction with working patterns, diversity, personal development, and culture?

[3] https://www.cipd.org/globalassets/media/knowledge/knowledgehub/reports/2023-pdfs/2023-good-work-index-report-8407.pdf

C) Macro-economic and geopolitical uncertainty.

The 2023 ECIIA report saw a 14ppt increase in the ranking of risks in this area in response to the consequences of the pandemic, the conflict in Ukraine, growing political instability in several regions and rampant inflation in the cost of energy, raw materials, and foodstuffs. While the 2024 report sees a slight decrease in perception of risk, feedback from CAEs indicates that risks could worsen further in the short term before the operating climate improves.

Considerations for HE

While these kinds of macro risks tend not to feature on institutional risk registers, we note that they are starting to appear more frequently in the context of international education and research partnerships, and in relation to international student recruitment. Potential impacts on international staff and students, supply chains for research equipment or materials for operational infrastructure can be overlooked, and we note that institutions usually report that current mitigating actions are sufficient to manage known risks. Issues to consider are:

- Are the risks to strategic aims and operational delivery from geopolitical uncertainties and conflicts understood and documented? How are these risks factored into planning and decisions about new partnerships or investments?
- Is your horizon-scanning capability proportionate to the institution’s level of risk exposure?
- Does scenario planning and crisis management / business continuity planning include unlikely but very high-impact events?

D) Digital disruption, new technology and AI.

Perhaps surprisingly, participants in this year’s ECIIA survey reported a small reduction in the average ranking of risks from digital disruption and AI. While these new technologies offer business opportunities, automation and efficiency benefits, there is also a recognition that they may create complexity and new risk exposures, particularly in relation to cybersecurity. As such, respondents felt that the risks from these areas would increase very significantly over the next three years.

Considerations for HE

At present, digital disruption and opportunities and risks from AI do not feature in institutional risk registers, which tend to focus on the risks from legacy technology and the implementation of digital change projects. This presents a risk in and of itself given that AI tools are very likely already being used in education, research and support services in most institutions, and their usage will expand in the months and years ahead, posing operational and potentially legal, intellectual property, or ethical risks. This goes well beyond concerns about student plagiarism. For example, AI tools may enable: automation of recruitment and admissions; the generation of teaching and assessment materials; personalised learning and feedback; predictive analytics; and a myriad of uses in research through the ability to handle and learn from vast amounts of data, write code, deliver predictions and automate activities. Issues to consider are:

- How is your institution enabling conversations with staff, students and governors about the potential opportunities and risks of AI?
- Given the potential of AI to impact across all institutional activities, how will decision making about strategies, policies, frameworks, and governance around the responsible and ethical use of AI tools be managed?
- How is your institution preparing students for a future world of work where AI tools will be the norm?

E) Climate change and environmental sustainability.

Risks related to climate change and environmental sustainability fell furthest in the 2024 ECIIA survey, but respondents expected the risks in this area to increase very substantially over the next three years. This is in part driven by rigorous new reporting requirements in the EU’s Corporate Sustainability Reporting Directive, as well as the challenges of decarbonisation, the need to manage the consequences of more extreme weather, and the need to mitigate financial and reputation risks. The lack of good quality data on organisational sustainability performance is a common issue. In the UK, debate is ongoing about strengthening regulation, while the Financial Reporting Council is reviewing the corporate governance code to recognise the growing importance of environmental, social and governance reporting.

Considerations for HE

2023 saw the publication of a major report on accelerating net zero in the HE and FE sectors [4] which highlighted that the sector’s emissions are equivalent to those of a small country and that institutions are “at different stages towards decarbonising and building resilience for a warmer, riskier operating environment”. Subsequent analysis [5] found that only 4% of institutions have undertaken any scenario modelling of the impacts of climate change on strategy and finances, with many struggling to get to grips with quantifying and addressing travel, waste, and supply chain net zero challenges. In our risk analysis we noted that there is still a substantial proportion of institutions that choose not to recognise environmental sustainability as a strategic risk. We suggest that institutions should reflect on this, given the challenges of reaching net zero on time and the increasing likelihood of additional regulation and reporting in the UK.

Issues to consider:

- Are climate change and environmental sustainability risks adequately reflected in your institution’s planning and risk management activities?
- Do new EU reporting requirements impact any of your European activities, including access to research funding?
- How do you obtain assurance of the validity of climate related data and KPIs, including across supply chains and partners?

[4] https://www.queensanniversaryprizes.org.uk/wpcontent/uploads/2023/01/Accelerating-towards-Net-Zero.pdf
[5] https://sums.org.uk/app/uploads/2023/10/Integrating-climate-intostrategy-and-planning-in-universities_vf.pdf

F) Market changes, competition and changing consumer behaviour.

This is a new risk area in the 2024 survey. Respondents rated this 9th out of 16 risks and felt that risks in this area were likely to increase over the next three years. This view is grounded in a belief that customer behaviour is becoming less predictable and market dynamics more uncertain as a result of the impacts of higher inflation and interest rates, coupled with the growing impact of disruptive technologies, the “deglobalisation” of supply chains, and geopolitical turmoil. The report also notes a “decoupling from traditional corporate values”, suggesting that past consumer behaviour may no longer be an accurate predictor of future demands for goods and services.

Considerations for HE

While domestic demand for HE remains strong, initial data from the 2023 recruitment cycle [6] suggests that the proportion of UK 18-year-olds choosing HE has declined, while the competition for these students remains intense. There is initial evidence [7] that the cost of living crisis, and perhaps other factors, are beginning to put a brake on home demand. We observe that almost every institution is seeking to grow its population of international taught postgraduate students, and that risks about overreliance on certain international markets, UK policy changes, and the growing competition for international students are increasingly appearing on strategic risk registers. While student recruitment risks tend to be effectively reflected in strategic risk registers, changing circumstances may necessitate additional or more regular scrutiny.

Issues to consider:

- To what extent is your institution financially reliant on tuition fee income from international students? Are the risks in this area appropriately assessed and scrutinised?
- How effective is your institution in promoting the career destinations of home and international graduates?
- How effectively are potential changes in prospective students’ motivations and behaviours being captured in real time (rather than relying on historical data), and how rapidly can your institution respond?

[6] https://www.ucas.com/data-and-analysis/undergraduate-statistics-andreports/statistical-releases-daily-clearing-analysis-2023
[7] https://www.hepi.ac.uk/2023/06/22/student-experience-academic-survey2023/

Focus of internal audit effort

As in previous years, the ECIIA survey examined the extent to which CAEs think that internal audit effort is aligned with their most significant risk areas. This is shown in table 2, overleaf. As in 2023, there is strong alignment between risk level and estimated audit effort in relation to cybersecurity risks, with notably less internal audit effort focused on human capital and on risks arising from macroeconomic and geopolitical uncertainty. Overall, the pattern of effort is largely unchanged. While internal audit is only one means of providing assurance around the effectiveness of internal controls, this assessment provides a prompt to consider whether there is too little or too much resource expended across different elements of the risk portfolio.

To complement this, we analysed the 2023-24 Uniac programmes, categorising each of our scheduled audits against the ECIIA risk areas. We were able to map 27% of our programme (based on days budgeted) to the ten ECIIA risk areas, compared to 23% last year. The other 73% of our programme delivers compliance audits across financial controls and statutory reporting, and a broad portfolio of risk-based audits aligned to institutional risks across education, research, estates, and support service activities.

In line with the wider business audit environment, Uniac effort is particularly concentrated around cyber and data security, alongside risks from digital disruption and new technology. This reflects the extent of investment in people, processes and technology across the HE sector in response to growing cybersecurity threats, and also the scale of investment in digital transformation projects. We would also highlight the small but significant growth in demand for assurance around responses to environmental sustainability risks.

We hope these findings are useful in informing institutional conversations about where future internal audit effort is best directed; for example, to provide additional assurance around staffing risks, macro-economic risks, and changes in markets and consumer behaviour.

Table 2: Focus of internal audit effort

We can help

Uniac’s sector knowledge and expertise enables us to offer a full range of compliance-based audits addressing public, charitable, and commercial activities, alongside risk-based audits addressing all aspects of higher education and research. Utilising intelligence from our business networks and established relationships with sector bodies, we design and tailor internal programmes to meet the specific needs and risk profiles of higher education institutions. We ensure that institutional audit programmes, as well as individual audits, are grounded in the UK higher education context and the wider risk-landscape of business risks that this briefing describes.

Helen Thorne – Senior Audit and Risk Consultant – hthorne@uniac.co.uk

3. Expenses Benchmarking – Nov 2023

Overview

In recent months, we have completed expenses reviews and included a benchmarking analysis. Regarding the latter, this note details allowable expenses and summarises relevant policies from nine institutions. The information provided is intended to aid institutions as they consider revising rates and limits and also act as a prompt on what stipulations should be included in related policies and procedures. Institutions have been updating their expenses policies driven, in part, by reflections on need and value for money in a more virtual environment. The institutions included range in size (and we give detail on student and staff population). To note:

• subsistence rates / limits (travel, accommodation, food and alcohol) are broadly similar and one institution puts the onus on staff / students to claim based on a ‘reasonableness’ assessment
• not all the supporting procedures make reference to the consequences of non-compliance – we suggest that the consequences of false / fraudulent claims should be detailed and a link to the related policy provided e.g., anti-fraud and corruption.

This analysis concentrated on expense submission. We are seeing institutions also reflect on prior approval i.e., expenditure over a certain value needs pre-approval including some form of business case (with the level of detail depending on the scale of the expenditure) including the benefits (and to whom) from the activity.

Appendix B – Expenses Benchmarking Activity

Completed in October 2023, we provide a comparison of nine institutions’ expenses policies. The first table (1.) provides an overview of allowable expenses and associated thresholds and the second (2.) covers supporting procedures covered by policy.

PP = Per Person | PD = Per Day | PN = Per Night | PT = Per Trip | PA = Per Annum

Please note, any amounts listed below are the maximum amount for each type of expense.

Institution | Student Population* | Staff Population**
A | <7500 | <750
B | ~7,500 | <1,000
C | >7,500 | <2,000
D | ~10,000 | ~2,000
E | >10,000 | <1,000
F | ~20,000 | ~1,150
G | >20,000 | <1,750
H | >30,000 | >4,000
I | >32,000 | ~4,000

* Student number data taken from HESA 2021/22 FTE Student Numbers.
** Staff number data taken from HESA 2021/22 All Staff excluding Atypical.

1. ALLOWABLE EXPENSES

Column groups: Subsistence (Travel; Accommodation; Food and Alcohol; Overseas), Hospitality and entertainment (External; Staff), Other.

Institution A
- Travel: Mileage: First 10,000 miles per annum - 45p per mile. Thereafter - 25p per mile. Rail: Train tickets should be standard class and booked in advance. Taxi: Journeys >25 miles will not be considered unless there are exceptional circumstances.
- Accommodation: Major cities: £150pn. UK Other: £100pn.
- Food and Alcohol: Breakfast: £8. Lunch: £10. Dinner (major cities): £35. Dinner (other cities): £25. Alcohol: Excluded.
- Overseas: Same rates as UK travel.
- Hospitality and entertainment (External): £25pp. Reimbursement of payments for alcohol consumed, at an evening meal only, will be limited to one alcoholic beverage per person.
- Hospitality and entertainment (Staff): £25 in exceptional circumstances (long-term sick employee, bereavement and long service awards).
- Other: Professional memberships: £100. Conference fees: Providing associated with University business. Course registration: Providing associated with University business.

Institution B (Nov. 2022)
- Travel: Mileage: First 50 miles of each journey - 45p per mile. Thereafter - 25p per mile. Rail: Tickets should be purchased at the cheapest available fare and in advance of the journey. Taxi: Should only be used when all other modes of transport are unavailable, inappropriate
- Accommodation: London: £165pn. UK Other: £120pn. Must include breakfast and VAT.
- Food and Alcohol: Breakfast: £10. Lunch: £10. Dinner: £20. Alcohol: 1 x alcoholic drink when consumed with a meal, included in allowance.
- Overseas: £230pn and three meals. Laundry: £15pt.
- Hospitality and entertainment: Lunchtime: £20pp. Evening: £30pp. Business Entertainment does not include staff social events or catering for regular team meetings.
- Other: -
