34 City of Glasgow College Annual Report & Accounts 2020-21
and management were highlighted and discussed by
the Committee, via the individual Risk Management
Action Plans (Risk MAPs) and the College Risk Register.
The Board Committees (above) regularly reviewed the
strategic risks associated with their areas of responsibility
throughout the session. The Risk Register sets out the
College's strategic risks under the Strategic Themes
underpinning the College Strategic Plan and associated
planning documents, ensuring alignment of risk
management with strategic planning.
In November 2016, the Board of Management approved
a revised Risk Management Policy and Risk Management
Procedure (revised and updated in 2020-21) which
included reference to Risk Tolerance and Risk Appetite.
The respective definitions employed are set out in the
Policy thus:
"In broad terms, appetite relates to the willingness
to seek potential benefits, while tolerance sets limits
on acceptable loss in pursuit of these benefits, with
reference to the organisation's strength and resilience.
The Institute of Risk Management states that: "While
risk appetite is about the pursuit of risk, risk tolerance
is about what an organisation can actually cope with."
In short, the terms relate to whether an organisation is
respectively "willing" and "able" to take the risk, or sustain
the potential consequences of the risk.
These are the definitions of the respective terms
understood in all College documents relating to Risk
Management." (CoGC Risk Management Policy p5).
In March 2020, the College's Internal Auditors,
Henderson Loggie, undertook an internal audit of Risk
Management, presented to the Audit Committee in
May 2020. The Internal Auditor provided a level of
assurance of "good", reporting that: "There is a robust
risk management framework in place, including a Risk
Management Policy…(etc)" and "From our review of the
risk management framework it exhibited most aspects of
good practice:" (CoGC Risk Management Internal Audit;
MHA Henderson Loggie, May 2020; p3: Summary of
Main Findings). In 2020-21 all recommendations from this
audit were completed.
The College recognises that its appetite and tolerance
for risk vary according to the activity undertaken, and
that the College's acceptance of risk is always subject
to ensuring that potential benefits and risks are fully
understood before developments are authorised,
and that appropriate measures to mitigate risk are
established.
The College's position with regard to risk across various
categories is described in the Policy in a series of
statements for each category as follows:
• Reputation
• Compliance
• Financial
• Student Experience
• Major Change or Development Activities
• Environment and Social Responsibility
• People and Culture
• Business Continuity
Risk tolerance varies from Low, e.g. in the case
of College Reputation and Compliance, where no
potential gain may be accrued as a consequence of
accepting such risk, to Medium, such as in the case of
development activities, where potential gains may be
such that a degree of sustainable risk is acceptable, with
commensurate risk score. This represents a development
in the Board's perception and management of risk, in
the light of the new College Strategic Plan with its new
Strategic Priority 8: "To secure diversity of income and
sustainable development" (CoGC Strategic Plan 2021-30).
The College Risk Management Procedure outlines key
aspects of the risk management process, and identifies
the main reporting procedures. In addition, it describes
the process the Board of Management will use to
evaluate the effectiveness of the College's internal control
procedures.
Details of significant risk-reported matters are outlined
under the Audit section within this Annual Report
above. A number of key Strategic Risks have been
affected by the Covid pandemic, in particular those
relating to Student Experience, Commercial/International
Development, and the Financial position of the College;
however, in 2020-21 there was a gradual decrease in
average risk scores, as the threats and consequences of
the pandemic were managed.
Data Related Incidents
The College maintains a register of all data-related
incidents. In the year to 31 July 2021 there were 5
reported security incidents involving personal data.
Each has been recorded in accordance with the College's
obligations under Article 33 of the UK GDPR. Due to
the low level of risk associated with these incidents,
the College was not required to notify the Information
Commissioner's Office.