Governing bodies are normally expected to approve and, from time to time, review a risk management policy. This may well include its scope and objectives, setting out roles and responsibilities, tools and techniques and reporting arrangements. HEFCE has produced an example of a policy.
Risk is related to the ability of the institution to achieve its objectives, so risk management should be integrated into strategic planning and review processes.
There are various ways in which risks can be identified; this is usually a management responsibility. Once identified, risks have to be assessed. See chapter 4 of Getting to Grips with Risk [PDF, 77KB]. It is then important to respond to the identified risks and take steps to mitigate them. Governing bodies will also require a reporting and review system.
Risk management and business continuity planning are closely related. Business continuity is intended to achieve an effective and robust framework that will enable an organisation to plan for and recover as quickly and effectively as possible from a major incident that interrupts normal business operations, such as: