About risk management

Risk is defined as ‘the effect of uncertainty on objectives’. This may also be expressed as a deviation from expected outcomes, either positive (opportunity) or negative (threat).

Risk management is defined as ‘co-ordinated activities to direct and control an organisation with regard to risk’.

Risk appetite is defined as ‘the amount of risk that an organisation is willing to pursue or retain’.

A risk management framework is defined as ‘a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation’. A risk management framework would be expected to include policy, objectives, mandate and commitment to manage risk; together with plans, accountabilities, resources, processes and activities for risk management.

These definitions are specified in the international standard ISO Guide 73:2009 and reflected in ISO 31000:2009.

The University’s objectives for risk management are:

  • to align risk management with the University’s objectives (as set out in the Strategic Plan and elsewhere);
  • to appraise and manage risks and opportunities in a systematic, structured and timely manner, in accordance with best practice;
  • to strengthen decision-making, prioritisation and planning;
  • to achieve the appropriate balance between stability and innovation; and
  • to assign accountability and responsibility for risk within the University.

In developing and implementing its approach to risk management, the University follows best practice in the management of risk. The University is mindful of international standards on risk management (specifically ISO Guide 73:2009 and ISO 31000:2009); guidance from HEFCE; guidance from the Committee of University Chairs; and other relevant sector bodies.

The University is required to implement adequate arrangements to promote effective risk management, control and governance, under the terms of the Memorandum of Assurance and Accountability between HEFCE and Higher Education Institutions (HEFCE 2014/12). The Audit Code of Practice, Annex A to the Memorandum, requires Audit Committees of Higher Education institutions to produce an annual report to their governing body, giving the Committee’s opinion on the adequacy and effectiveness of the institution’s system of risk management.

HEFCE's annual Accounts Direction requires HEIs to publish a Statement of Internal Control and Risk Management as part of their audited financial statements. This statement must include an account of the risk management arrangements in place, and set out how risk assessment and internal control are embedded in the organisation's operations. The Accounts Direction also sets out HEFCE’s requirements for risk management. HEFCE notes that effective risk management should:

  • cover all risks – including those of governance, management, quality, reputation and finance – but focus on the most important risks;
  • produce a balanced portfolio of risk exposure;
  • be based on a clearly articulated policy and approach;
  • require regular monitoring and review, giving rise to action where appropriate;
  • be managed by an identified individual and involve the demonstrable commitment of governors, academics and officers; and
  • be integrated into normal business processes and aligned with the strategic objectives of the organisation.

The University’s risk management framework is designed to ensure that the University is able to comply with applicable risk management standards and regulatory requirements.

Contact us

Douglas Thornton, (Acting) Head of Risk, Compliance and Assurance

Email: compliance@admin.ox.ac.uk