Corporate Risk Policy
Corporate Risk Policy Statement
Hartpury College will adopt, wherever possible, recommended best practice in the identification, evaluation and cost effective control of business risks to ensure, as far as possible, that they are eliminated or reduced to a level that is acceptable to the Corporation of the College. The policy explains the College's underlying approach to risk management, documents the roles and responsibilities of the board of governors, the risk management group and other key parties. It also outlines key aspects of the risk management process, and identifies the main reporting procedures. In addition, it describes the process the Board of Governors will use to evaluate the effectiveness of the College's internal control procedures.
1. The Objectives of this Policy are:
- To integrate risk management into the culture of the College.
- To manage risk in accordance with recommended best practice.
- To establish legal compliance as a minimum standard.
- Explain how risk management will be implemented.
- Detail the different responsibilities.
- To continue to respond to changing social, environmental and legislative requirements.
- To prevent injury and damage wherever possible and so reduce the cost of risk.
- To continually raise awareness amongst all employees of the need for the management of business risk.
2. The Objectives will be met by:
- The establishment of a Risk Management Group.
- Appointment of a Risk Management Champion.
- The continuous development of risk management strategies throughout the College.
- Monitoring the risk management action plan.
- The dissemination of information relating to risk management to all employees to maintain effective communications on this key activity.
- The development and maintenance of appropriate procedures and records to assist in the management of business risk.
- The preparation of contingency plans in those areas and activities that are deemed to be potentially high risk.
3. Role of the Board of Governors
The Board of Governors' role in the management of risk is to: -
- Set the tone and influence the culture of risk management.
- Determine whether the College is "risk taking" or "risk averse" as a whole or any relevant individual issue.
- Determine what types of risk are acceptable and which are not, and setting the standards and expectations of staff with respect to conduct and probity.
- Approve major decisions affecting the College's risk profile or exposure.
- Monitor the management of significant risks to reduce the likelihood of unwelcome surprises or impact.
- Satisfy itself that the less significant risks are being actively managed, with the appropriate controls in place and working effectively.
- Annually review the College's approach to risk management and approve changes or improvements to key elements of its processes and procedures.
4. Role of the Risk Management Group
Key roles of the risk management group are to:
- Take overall responsibility for the administration and implementation of the risk management process;
- Identify and evaluate the significant risks faced by the College for consideration by the Board of Governors;
- Provide adequate information in a timely manner to the Board of Governors and its committees on the status of risks and controls;
- Report on risk management action plan implementation and the top ten significant risks at each meeting of the Audit Committee.
5. Risk Management as part of the system of internal control
The system of internal control incorporates risk management. This system encompasses a number of elements that together facilitate an effective and efficient operation, enabling the College to respond to a variety of operational, financial, and commercial risks. These elements include:
Policies and Procedures
Attached to significant risks are a series of policies that underpin the internal control process. The policies are set by the Board of Governors and implemented and communicated by senior management to staff. Written procedures support the policies where appropriate.
The risk management group meets periodically to monitor key risks and their controls. Decisions to rectify problems are made at regular meetings of the senior management team and the Board of Governors if appropriate.
Business Planning and Budgeting
The business planning and budgeting process is used to set objectives, agree action plans, and allocate resources. Progress towards meeting business plan objectives is monitored regularly.
High Level Risk Action Plan (significant risks only)
The risk management action plan is compiled by the risk management group and helps to facilitate the identification, assessment and ongoing monitoring of risks significant to the College. The document is formally appraised annually but emerging risks are added as required, and improvement actions and risk indicators are monitored regularly by the risk management champion.
The Audit Committee overseas internal audit, external audit and management as required in its review of internal controls. The committee is therefore well placed to provide advice to the Board of Governors on the effectiveness of the internal control systems, including the system for the management of risk.
Internal Audit Programme
Internal audit is an important element of the internal control process. Apart from its normal programme of work, internal audit is responsible for aspects of the annual review of the effectiveness of the internal control system within the organisation.
External audit provides feedback to the Audit Committee on the operation of the internal financial controls reviewed as part of the annual audit.
Third Party Reports
From time to time, the use of external consultants will be necessary in areas such as health and safety, and human resources. The use of specialist third parties for consulting and reporting can increase the reliability of the internal control system.
6. Annual Review of Effectiveness
The Board of Governors is responsible for reviewing the effectiveness of internal control of the College, based on information provided by the Audit Committee.
For each significant risk identified, the board will:
- Review the previous year and examine the College's track record on risk management and internal control
- Consider the internal and external risk profile of the coming year and consider if current internal control arrangements are likely to be effective.
In making its decision the board will consider the following aspects:
- The College's objectives and its financial and non-financial targets.
- Organisational structure and calibre of the senior management team.
- Culture, approach, and resources with respect to the management of risk.
- Delegation of authority; and public reporting.
On-going identification and evaluation of significant risks
- Timely identification and assessment of significant risks, the prioritisation of risks and the allocation of resources to address areas of high exposure.
Information and communication
- Quality and timeliness of information on significant risks; and time it takes for control breakdowns to be recognised or new risk to be identified.
Monitoring and corrective action
- Ability of the College to learn from its problems and its commitment and responsiveness with which corrective actions are implemented.
The Chair of the Audit Committee will prepare a report of its review of the effectiveness of the internal control system annually for consideration by the Board of Governors at the December Corporation Meeting.