Information about business risk management at the University of Greenwich and guidance for staff, students and visitors on the university's Health & Safety risk management activities.
View guidance on the university's Health & Safety risk management activities.
The University of Greenwich is committed, as part of its remit to ensure effective governance, to developing and maintaining an effective approach to risk management. All staff at the university, both academic and non-academic, can benefit from an organised and structured approach to their activities in which the extent of business risk is properly evaluated.
Risk management involves a planned, systematic approach to identification, evaluation and
control of financial, administrative, commercial and reputational risks, whether internal or external, which might occur in the performance of business (including academic) activities.
Risk management is an aid to decision-making. The process should not be onerous, and should result in a better understanding of the context in which activities are carried out, the potential risks inherent in those activities, and an understanding of how those risks can be better managed.
Risk management needs to be embedded in the university's everyday operations. By taking a systematic approach to risk management we can be assured that we work in a more effective and efficient manner.
- University of Greenwich Risk Management Policy (PDF)
- Risk Management Guide (PDF)
- Risk Appetite Statement (PDF)
- Risk assessment form (Word)
- Risk register template (Excel)
- University Risk Registers (Internal Access Only)
Do I need to carry out a risk assessment for my project?
Risk management can apply to any University activity. We should always evaluate the risks involved in the course of our day-to-day business as well as for major projects. A risk assessment should most certainly be carried out during the planning stages of any substantial project. Examples are:
i.academic developments such as new programmes
ii.academic partnerships
iii. financial investment
iv. major estates projects
v. new IT systems
vi. special events
Why do I need to carry out a risk assessment?
By looking carefully at the risks involved in an activity before we undertake it, we can plan for unexpected or adverse events. By identifying a potential problem, considering the potential impact it would have and the likelihood of its occurrence we can decide how best to reduce that risk.
In carrying out an assessment, we do not simply look at the financial impact of an adverse event occurring (although that is an important consideration): we also consider the effect on our reputation, our health, staff morale, students, and any other relevant concern, tangible or otherwise. Risk management is a method of quantifying otherwise intangible significant risks (such as reputation) and seeing what can be done to minimise the risk occurring, or the impact on us if it does occur.
How do I carry out a risk assessment?
Download a risk assessment form (Word).
Download a risk register template (Excel).
The questions you need to consider are:
- Who is responsible for the project?
- What can go wrong with the project?
- For each risk identified, who would have control over that risk?
- What is the likelihood, if no action were taken, of each risk occurring?
- What would be the impact, if no action were taken, of each risk occurring?
- By multiplying Impact x Likelihood, you will arrive at a Raw Risk Score. See the Risk Management Guide to find out what this means.
- What are the early warning signs that an identified risk might be about to occur?
- How could we best mitigate / avoid each risk occurring?
- What are the sources of assurance for the mitigating actions? In other words, how would we know that the mitigating actions are being implemented, or how effective they are? (This would normally be an external source of assurance).
- What, after all the mitigating actions have been put in place, would be the residual impact if the risk occurred?
- What, after all the mitigating actions have been put in place, would be the residual likelihood of the risk occurring?
- By multiplying Residual Impact x Residual Likelihood, you will arrive at a Residual Risk Score. See the Risk Management Guide to find out what action should be taken.
- What improvement actions have been taken to mitigate each risk?
- Finally, who has carried out those improvement actions?
Where can I find the Faculty/Directorate Risk Register?
This should normally be located in your Faculty Office or with the Head of Directorate.
The register should be reviewed regularly (normally quarterly) at Faculty/Directorate management meetings before being sent to the University Secretary on a quarterly basis for review at the Chief Operating Officer's Operations Management Group and consideration with respect to the Corporate Risk Register.
Where can I find the Institutional Risk Register?
The current Institutional (University-wide) Risk Register, and previous versions. This document is internal access only.
Who is in charge of Risk Management in the University?
Risk Management is managed by the University Secretary's Office. Peter Garrod, University Secretary, is responsible centrally for Risk Management in the institution. However, all staff have a responsibility to ensure they carry out risk assessments where appropriate and consider the risks involved in their day-to-day activities.
The Risk Management Guide sets out in detail who is responsible for the Risk Management process.
I've done my risk assessment - what now?
- What to do next depends on the final residual risk score that you identify for your project. See the Risk Management Guide for further information.
- Your risk assessment should be kept by you and reviewed regularly throughout the project.
- You may well find that new risks are identified during a project in which case, repeat the process.
- The risk assessment should be forwarded to your Faculty or Directorate or the person who compiles your Faculty/Directorate Risk Register.
- The risk assessment will be a component part of your Faculty/Directorate Risk Register, and should be considered when the register as a whole is reviewed in your Faculty/Directorate, normally quarterly. This review will inform the Corporate Risk Register.
- You can also refer to the Corporate Risk Register when making your risk assessment.
- Some activities with a higher risk may need to be reviewed at each Faculty/Directorate management meetings; others may be considered to carry an acceptable level of risk and no further action other than normal management controls will be needed. The Residual Risk Score tells you this.
- We therefore have a cyclical process, with each tier of risk management providing the others with information which may influence the identification of risk, its treatment and score.
What is risk management?
Risk management is a process whereby business risks are assessed and steps are taken to reduce them by introducing control measures. Risks are assessed from two points of view: the likelihood of the risk occurring, and, if it does occur, the impact of the event on the business of the university.