4.1 Oversight of risk and setting the risk culture of the organisation
The calculation and management of risk has become a key task for colleges across the UK following a number of well-publicised failures for which lack of governance oversight has been blamed. Guidance and principles for risk management to be followed by government organisations in the UK are set out in HM Treasury's Orange Book: Management of risk principles and concepts (HM Government, 2020). The Orange Book defines a principal risk as 'a risk or combination of risks that can seriously affect the performance or reputation of the organisation' (p. 9). It sets out a key role for boards as being to 'determine and continuously assess the nature and extent of the principal risks that the organisation is exposed to and is willing to take to achieve its objectives - its risk appetite - and ensure that planning and decision-making reflects this assessment' (p. 9). The board is thus fundamentally concerned with oversight of risk and setting the 'risk culture' of the organisation. The Orange Book was explicitly referred to in the risk management policy/guidance by two of our colleges and informed the policy and thinking of others.
In addition to the guidance provided by the Orange Book, colleges in the UK are also expected to abide by their respective codes of good governance, which vary in the extent to which they prescribe the role of the board in respect of risk management. The Scottish code (Good Governance Steering Group, 2016) sets out the responsibilities of boards in rather broad terms in relation to balancing risk and opportunity and setting the risk appetite of the body. By contrast, the almost identically worded English (AoC, 2019) and Welsh (Colleges Wales, 2016) codes make numerous references to risk as part of internal control measures, and scrutiny of risk is required in relation to new ventures. The Northern Ireland guidance (Department for the Economy, 2016, 2019) requires boards to demonstrate risk management expertise and includes a competence framework.
4.2 Oversight of risk: How do boards engage in risk management?
Risk management policies and procedures varied across the colleges. Six colleges used a form of strategic risk management based on the now widespread traffic-light system. In its most common and basic manifestation, the risk register presents each identified risk as a calculation based on a 5x5 matrix of severity of impact versus likelihood of the event. This gives rise to a risk score which is then colour coded: Red (high risk, 15-25), Amber (medium risk, 6-12), Green (low risk, 1-5). This initial calculation, or RAG rating, produces the 'inherent risk', which is then subject to various mitigations to give a lower, 'residual' risk. In two of our colleges the risk score was formally allocated a financial value, either as a discrete amount or as a percentage of turnover.
Although this was the basic form, some colleges adopted more sophisticated procedures. For example, in one college the Risk Management Policy included definitions of risk appetite and risk tolerance and set risk tolerance levels, on a scale of 1 (low tolerance) to 6 (high), for seven key categories: Reputation, Compliance, Financial, Student experience, Major Development activities, Environment and Social responsibility, People and Culture, and Business continuity. While the limit of acceptable risk score for Reputation was 1, for Major Developments it was 4, reflecting greater willingness to accept risk in pursuit of benefits.
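The register mechanics described in this section (a 5x5 impact-by-likelihood score, RAG banding at 15-25 / 6-12 / 1-5, an inherent score reduced by mitigations to a residual score, and a per-category limit on what residual risk is acceptable) are shown below as an added worked example. It is not code from the report or from any of the colleges studied. The risk entries, the mitigation effects and the per-category acceptable-residual limits are constructed for illustration; the report's own 1-to-6 tolerance scale and its mapping to scores are not reproduced.

```python
"""Worked example of a traffic-light (RAG) strategic risk register.

Scores are impact x likelihood on a 5x5 matrix; bands follow the report:
Red 15-25, Amber 6-12, Green 1-5. Inherent score is reduced by mitigations
to a residual score, which is then compared with a per-category limit.
"""
from dataclasses import dataclass, field

# RAG bands as stated in the report. On a 5x5 matrix the only attainable
# products are 1,2,3,4,5,6,8,9,10,12,15,16,20,25, so these bands are
# exhaustive even though they leave numeric gaps (7, 13, 14, ...).
RAG_BANDS = (("Red", 15, 25), ("Amber", 6, 12), ("Green", 1, 5))


def risk_score(impact: int, likelihood: int) -> int:
    """Inherent or residual score: severity of impact times likelihood, each 1..5."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be integers in 1..5")
    return impact * likelihood


def rag_rating(score: int) -> str:
    """Map a score to its colour band; unattainable scores are rejected."""
    for name, low, high in RAG_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is not attainable on a 5x5 matrix")


@dataclass
class Risk:
    title: str
    category: str
    impact: int
    likelihood: int
    # Each mitigation is (description, impact reduction, likelihood reduction).
    # Modelling mitigations as point reductions is an assumption of this example.
    mitigations: list = field(default_factory=list)

    def inherent(self) -> int:
        return risk_score(self.impact, self.likelihood)

    def residual(self) -> int:
        impact, likelihood = self.impact, self.likelihood
        for _, d_impact, d_likelihood in self.mitigations:
            impact = max(1, impact - d_impact)          # never below the floor of 1
            likelihood = max(1, likelihood - d_likelihood)
        return risk_score(impact, likelihood)


# Hypothetical per-category ceiling on acceptable residual score (constructed;
# reflects the report's idea that Reputation is tolerated far less than
# Major Development activities, but not its actual numbers).
ACCEPTABLE_RESIDUAL_LIMITS = {
    "Reputation": 5,
    "Business continuity": 5,
    "Major Development activities": 12,
}

# Constructed sample register entries.
SAMPLE_RISKS = [
    Risk("Breach of student records", "Reputation", impact=5, likelihood=3,
         mitigations=[("Encryption at rest and quarterly access reviews", 1, 2)]),
    Risk("New campus build overrun", "Major Development activities", impact=4, likelihood=4,
         mitigations=[("Staged contracts with break clauses", 1, 1)]),
    Risk("Key supplier insolvency", "Business continuity", impact=3, likelihood=2),
]


def review_register(risks: list, limits: dict) -> list:
    """Return one row per risk: inherent/residual scores, RAG colours and
    whether the residual score sits within the category's acceptable limit."""
    rows = []
    for r in risks:
        inherent, residual = r.inherent(), r.residual()
        rows.append({
            "title": r.title,
            "category": r.category,
            "inherent": inherent,
            "inherent_rag": rag_rating(inherent),
            "residual": residual,
            "residual_rag": rag_rating(residual),
            "within_tolerance": residual <= limits[r.category],
        })
    return rows


if __name__ == "__main__":
    for row in review_register(SAMPLE_RISKS, ACCEPTABLE_RESIDUAL_LIMITS):
        flag = "OK" if row["within_tolerance"] else "ESCALATE TO BOARD"
        print(f"{row['title']:<32} {row['inherent']:>2} {row['inherent_rag']:<6} -> "
              f"{row['residual']:>2} {row['residual_rag']:<6} {flag}")
```

The third entry is the case a board should care about: it is only Amber, but with no mitigations its residual score equals its inherent score and exceeds the (constructed) Business continuity limit, so it is flagged for escalation even though the colour alone would not draw attention to it.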
SECTION B: KEY TASKS FOR BOARDS
4. STRATEGIC RISK MANAGEMENT AND THE ROLE OF THE BOARD