Risk Management Policy
Purpose of this document
This Risk Management policy forms part of Exeter College’s internal control and corporate governance arrangements.
The policy explains Exeter College’s approach to risk management and documents the roles and responsibilities of the Governing Body, College Officers, and college staff. The document also outlines key aspects of the risk management process and identifies the main reporting procedures.
In addition, it describes the process that will be used to evaluate the effectiveness of Exeter College’s internal control procedures.
Attitude to risk
In pursuing its objectives, as expressed in its Strategic Plan and elsewhere, the College will generally accept a level of risk proportionate to the expected benefits to be gained, and the scale or likelihood of damage.
Exeter College has a high appetite for risk in the context of encouraging and promoting critical enquiry, academic freedom, freedom of expression, and open debate.
Exeter College has a very low appetite for risk where there is a likelihood of significant and lasting reputational damage; significant and lasting damage to its provision of world-class research or teaching; significant financial loss or significant negative variations to financial plans; loss of life or harm to students, staff, collaborators
Approach to risk management
Exeter College follows and adopts good practice in the identification, evaluation and control of risks to ensure that, as far as reasonably practicable, risks are avoided or reduced to an acceptable level. Although it is acknowledged that risks exist and can never be eliminated, it is important that all members and staff are aware of the risks associated with their area of work. The following key principles outline Exeter College’s approach to risk management:
- the Governing Body has responsibility for overseeing risk management within Exeter College as a whole
- Senior College Officers advise on and implement policies approved by the Governing Body and are responsible for encouraging good risk management practice within their areas of responsibility
- key risks will be identified and monitored on a regular basis.
Role of the Governing Body
The Governing Body has a fundamental role to play in the management of risk. Its role is to:
- Integrate risk management into the culture of Exeter College. This includes: determining Exeter College’s approach to risk as a whole or on any relevant individual issue, determining which types of risk are acceptable and which are not, setting the standards and expectations of members and staff with respect to conduct and probity, considering legal compliance as a minimum standard, anticipating and responding, whenever possible, to changing social, environmental and legislative requirements, and raising awareness of the need for risk management.
- Take major decisions affecting Exeter College’s risk profile or exposure.
- Monitor the management of significant risks to reduce the likelihood of unwelcome surprises.
- Ensure that the less significant risks are being actively managed, with the appropriate controls in place and working effectively.
- Annually review Exeter College’s approach to risk management and approve changes or improvements to key elements of its processes and procedures.
Role of Senior College Officers
The Senior College Officers are the Rector, Finance and Estates Bursar, the Domestic Bursar, the College Accountant and the Academic Dean. Their responsibilities are to:
- Implement policies on risk management.
- Identify and evaluate the significant risks faced by Exeter College for consideration by the Governing Body.
- Provide adequate information in a timely manner to the Governing Body and its committees on the status of risks and controls.
- Undertake an annual review of effectiveness of the systems of internal control and report to the Governing Body.
Risk management and the systems of internal control
Exeter College’s risk management policy includes systems of internal controls. These controls encompass a number of elements that together facilitate an effective and efficient operation, enabling Exeter College to respond to a variety of operational, financial, and commercial risks. These elements include:
Policies and procedures
Attached to significant risks are a series of policies that underpin the internal control process. The policies are set by the Governing Body through its committees and implemented and communicated by Senior College Officers to members and staff. Written procedures support the policies where appropriate.
Regular reporting
Regular reporting is designed to monitor key risks and their controls. Decisions to rectify problems identified are made at regular meetings of the relevant committees of the Governing Body and, if appropriate, of the Governing Body itself.
Risk Register
The Finance and General Purposes committee is responsible for overseeing the compilation and annual review of an overall Risk Register to facilitate the identification, assessment and ongoing monitoring of major risks to which Exeter College is exposed. Emerging risks are added as required, and improvement actions and risk indicators are monitored regularly.
Departmental responsibilities of College Officers
College Officers are encouraged to develop and use this approach to ensure that significant risks in their department are identified, assessed and monitored through each department’s risk management systems and procedures.
Internal audit programme
College Officers are encouraged to develop further internal audit programmes.
External audit
External audit of the financial statements provides feedback to the Governing Body on the operation of the internal financial controls reviewed as part of the annual audit. Other external audits (e.g., health and safety, personnel, and food safety) may also be the subject of periodic reports to the Governing Body.
Annual review of effectiveness
The Governing Body is responsible for reviewing the effectiveness of internal control of Exeter College. It will review the Risk Register in the last meeting of Trinity term and consider the internal and external risk profile of the coming year and consider if current internal control arrangements are likely to be effective.
This policy was approved by the Governing Body on 19th June 2019 and is due for review in June 2022.