Although codes of good governance speak of
the need to balance risk and opportunity, on
all the RAG-rated risk registers, the focus was
on failure. Risks were almost universally written
in the form, 'Failure to …'. While there was
reference to the need to accept risk in board
meetings ('risk appetite'), this was not reflected
in the language of the strategic risk register.
The only example we found where risks were
not defined in terms of threatened failure was in
one of the colleges which did not produce a risk
register based on RAG-rating, and in this case
the term 'opportunity' did make an appearance.
In colleges adopting the RAG-rating approach
the risk register was a colourful affair and
a powerful means of conceptualising risk.
One college used commercial software to
produce these charts, giving a very professional
gloss. The more sophisticated the presentation,
the more persuasive it is in ensuring buy-in
through presenting risk management as a
highly rational business holding out the promise
of control and management of the future.
This was reflected in comments from some
of our participants. As one chair said to us:
Although stated in rather uncompromising
terms, this was not an unrepresentative view.
This indicates the way in which specialised areas
are understood by non-experts (Jordan et al.,
2018) and suggests that the seductive nature of
risk management may in itself give rise to risks.
Certainly, a more cynical view was expressed by
one governance professional who told us,
Indeed, faith in risk management may be
misplaced. One college suffered a serious cyber
attack despite risk oversight. And risk of global
pandemic only made an appearance on risk
registers in 2020 (though one college did refer
to 'corona virus pandemic' in its business
continuity plan some time prior to this).
This raises questions about the purpose of risk
management and whether risk management
'works'. Some research suggests that risk
management is really only effective at times
of 'low perceived environmental uncertainty',
i.e., when risk can be more easily predicted
(Braumann et al., 2020, p. 15). Which, in reality,
may be never!
While RAG-rating clearly sets out risk
management in very rational terms, it does not
take account of the relational nature of risks.
For example, in one college, nine 'significant
risks' were identified, clustered into two
groupings - risks to Financial health and
Reputational risk. Treatments of the financial
risk included voluntary redundancy and not
replacing staff who left. However, there was no
discussion of how this might impact adversely
on reputational risk, which in turn could result in
reduced student recruitment and/or attainment.
The appearance of rationality must therefore be
balanced with a consideration of the relational
nature of risks. This has implications for the
allocation of responsibility for risk to committees,
as was common practice in our participant
colleges, and points up the importance of risk
oversight by the main board.
Strategic risk management undoubtedly
influences the way colleges understand the
nature of risks. There was a tendency for risks
"[We] identify and capture and
quantify the risks … it's robust,
it's comprehensive and it works and
it's also simple. If you don't have
that kind of discipline and those tools
in place, yeah, risk is a nightmare.
But the first thing you do is just tidy
up the risk and get it all captured in
front of you." (Chair)

"The slight concern I have is of the
'risk industry' and that actually some
of us spend our lives producing
information for it rather than actually
doing the stuff that mitigates the risk."
(Governance Professional)