Ian Gross Head of Internal Audit & Projects Risk Management and the role of the Audit Committee Higher Education Funding Council for England

Risk management and the role of the audit committee


Page 1: Risk management and the role of the audit committee

Ian Gross

Head of Internal Audit & Projects

Risk Management and the role of the Audit Committee

Higher Education Funding Council for England

Page 2: Risk management and the role of the audit committee

What is risk?

A risk is:

‘the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives’.

All HEIs have (or should have) objectives

Page 3: Risk management and the role of the audit committee

What is risk management?

• Risk management is defined as

‘the systematic application of management policies, practices and procedures to the task of analysing, assessing, treating, monitoring and reporting on risks’.

Page 4: Risk management and the role of the audit committee

Is risk management really new?

• Yes and no

• Understanding risks is not new at all - most of us have an inherent understanding of risk; e.g. health and safety risk assessments are well established; audit and others use it

• However, risk management in a corporate governance sense is new. It promotes ownership of the RM process at a high level

Page 5: Risk management and the role of the audit committee

Why manage risks?

• It supports the achievement of objectives

• It allows higher risks to be taken

• It reduces the chance of serious errors

• Risks exist at all levels: corporate/strategic, faculty, departmental, functional, personal, project . . . . So we all need to be risk managers in a way appropriate to our own responsibilities

Page 6: Risk management and the role of the audit committee

Benefits of risk management

Potential benefits:

• Fewer shocks and unwelcome surprises

• Reassures stakeholders

• Quick grasp of new opportunities

• Helps focus internal audit programme

• Promotes continual improvement

• Supports strategic and business planning

• Supports effective use of resources

• Enhances communication between faculties and departments

Page 7: Risk management and the role of the audit committee

Why now?

• Implementing the latest development in corporate governance (Turnbull report)

• All sectors in the economy are now doing it

• Ongoing process of promoting good practice

• Accountability burden - promotes ownership of internal control and helps to provide assurance to stakeholders

Page 8: Risk management and the role of the audit committee

Why use in HE?

• Improve management within HE sector

• Help maintain/enhance the reputation of HE

• It is good practice

• Helps encourage innovation (= risk taking)

• Contributes to the management of change

• It’s not just about financial risks, but all kinds including academic reputation

Page 9: Risk management and the role of the audit committee

What are the types of risk in HE?

[Bar chart, n=48; vertical axis from 0 to 45. Categories: Health & Safety, Financial, Estates, Strategic, MIS, Students, Reputation, Staffing, Teaching, Overseas operations, Research]

Page 10: Risk management and the role of the audit committee

What have we done about it?

• Accounts direction - three year transition

• Briefing for senior managers/governors

• Hands-on guide

• Web-based material

– case studies

– model policy

– illustrative list of risks

Page 11: Risk management and the role of the audit committee

What do we expect HEIs to do?

• Obtain senior manager & governor commitment and agreement to policy

• Establish approach, plan and commence implementation

• Start to embed process at all levels

• Manage, monitor and report on main risks

• Achieve balanced risk portfolio

Page 12: Risk management and the role of the audit committee

Audit Committees & Risk Management - 1

Ensure the Committee has an independent appreciation of what constitutes good practice in risk management, e.g. by considering:

- the Turnbull report & HEFCE guidance

- the use of independent training for members

- advice from other sources e.g. CUC

- how risk management works in your own organisations.

Page 13: Risk management and the role of the audit committee

Audit Committees & Risk Management - 2

Ensure the Committee is well informed about the University’s approach to risk management, e.g. by:

- ensuring the internal auditors conduct reviews of the risk management arrangements (see HEFCE advice)

- asking the Vice Chancellor, senior managers and/or the risk co-ordinator to explain aspects of it periodically . . . .

Page 14: Risk management and the role of the audit committee

Audit Committees & Risk Management - 2

- considering the comments made by HEFCE at its periodic institutional review

- ensuring the external auditors plan to satisfy themselves on the adequacy of risk management

- asking for high-level risk owners to make presentations to the Committee about “their” risks . . . .

Page 15: Risk management and the role of the audit committee

Audit Committees & Risk Management - 2

- asking for departmental and functional heads to make presentations to the Committee

- making risk management a standing item on the Committee’s agenda

- ensuring the Clerk to the Committee is well informed about risk management issues

- asking to see the corporate level risk register periodically (say, annually)

Page 16: Risk management and the role of the audit committee

Audit Committees & Risk Management - 2

- asking to see subsidiary risk registers and/or risk assessments periodically (e.g. for a large capital project or a re-organisation or a new IT/estates/research strategy)

- ensuring that management uses risk management in a positive way, e.g. to help assess opportunities arising.

Page 17: Risk management and the role of the audit committee

Audit Committees & Risk Management - 3

Test the effectiveness of the risk management arrangements in place where appropriate, e.g. by:

- enquiring how a risk assessment was actually carried out

- questioning the effectiveness of the mitigating controls

- directing the internal auditor’s work towards risks of concern to the Committee . . . .

Page 18: Risk management and the role of the audit committee

Audit Committees & Risk Management - 3

- asking to see the results of the Vice Chancellor’s annual review of the effectiveness of internal control

- asking for periodic monitoring reports on the high-level (and other significant) risks

- ensuring that ‘early warning indicators’ are in place where appropriate

- seeking management assurances on mitigating controls, further actions and residual risks . . . .

Page 19: Risk management and the role of the audit committee

Audit Committees & Risk Management - 3

- ensuring that all corporate objectives are adequately mapped against risks

- ensuring that there is a process in place to identify new or emerging risks

- challenging the treatment of residual risks

- ensuring that ‘further actions’ identified in the risk management process are actually undertaken . . . .

Page 20: Risk management and the role of the audit committee

Audit Committees & Risk Management - 3

- enquiring how well risk management is embedded throughout the University and identifying areas where risk management is weak.

Page 21: Risk management and the role of the audit committee

Audit Committees & Risk Management - 4

At the year end (November/December meeting) the Committee should:

- review the Vice Chancellor’s statement of internal control and the process behind it

- review the internal auditor’s annual report

- review the external auditor’s management letter

- report to the University Council on the effectiveness of the risk management arrangements

Page 22: Risk management and the role of the audit committee

Audit Committees & Risk Management - 5

In summary, the Committee should:

- familiarise itself with risk management

- catalyse risk management

- ensure appropriate audit work is undertaken

- review information on risks and risk management

- review internal and external audit reports

- review corporate governance statements

- report to the governing body.