Risk Management and Audit

Risk Management at the University is overseen by the Directorate of Planning and Governance.

The University has in place a comprehensive Risk Management Framework, which is applicable at all levels: at University level, within Schools and Directorates, and on projects. As part of the Framework, the University also has a Strategic Risk Register (SRR).

At the University level, risk management and the management of strategic risk is an integral part of the wider strategic planning function; recognising risk management as a key mechanism which supports delivery of the strategic ambitions outlined in Aberdeen 2040.

The University's risk management arrangements are overseen and managed as part of a comprehensive governance system, designed to ensure that the appropriate levels of checks and balances are in place. Overarching accountability for risk management at organisational level sits with the University Court, and by extension, the Audit and Risk Committee (ARC); a sub-committee of Court with an important assurance function, which all universities in Scotland are required to have by the Scottish Funding Council (SFC).

At executive level, responsibility for risk management sits with the Senior Management Team (SMT). SMT is responsible for ensuring that robust risk management arrangements are in place University-wide, which it does through the Risk Management Framework, while it also has responsibility for the management of strategic risks at institutional level, via the Strategic Risk Register (SRR). SMT reviews the SRR on a routine, rolling basis throughout each year, with an update provided to Court bi-annually, via ARC. The University's risk management function sits within the Directorate of Planning and Governance.

The University's Strategic Risk Register (SRR) is currently comprised of eight high-level, strategic risks. The SRR is a live document which is subject to ongoing change, as the University's operating environment changes, as risks evolve, and as new risks emerge. It is underpinned by a wider University Risk Register (URR), which is more operational in focus, and comprised of 14 distinct risk areas. Within the URR, each risk area captures a number of discrete risks. If or when appropriate, risks can be escalated or de-escalated between the SRR and URR. Responsibility for managing the SRR sits with SMT, with different SMT members designated as Risk Owners or Managers. Risk Owners and Managers are required to liaise with different key stakeholder groups and committees in managing their risks, as appropriate.

All University risk management resources can be accessed via the Risk Management Resources site on SharePoint. This includes:

• The Risk Management Framework - which articulates the University's Risk Management Policy, Appetite Statement, and Process.
• Risk Register Templates - this includes the University's formal risk register template, available in different formats.
• Risk Management Guidance - including a How to Guide on use of the risk register template.
• Risk Management Fundamentals - this includes some risk management essentials, useful for anyone new to risk management.

If you have any queries about University risk management or the University's Strategic Risk Register, please contact Iain Grant or Chris Sojka.

It is a Scottish Funding Council (SFC) requirement that all Higher Education institutions in Scotland appoint an Audit and Risk Committee.

The role of the Audit and Risk Committee is to oversee the effectiveness of the University's risk management, control and governance arrangements and to provide assurance to the SFC that the institution has arrangements in place to promote economy, efficiency and effectiveness in the conduct of all aspects of its business.

Internal audit provides the University Court, through the Audit and Risk Committee, with an independent and objective opinion on governance, risk management and internal control and their effectiveness in achieving the organisation's agreed objectives. It also has an independent and objective advisory role to help senior managers improve governance, risk management and internal control. The work of internal audit forms a part of the University's overall assurance framework.

To ensure objectivity, the University outsources its Internal Audit function and these services are currently provided by PricewaterhouseCoopers.

Further details are available from the Clerk to the Audit and Risk Committee Jan Whitfield, who coordinates the Internal Audit Plan on behalf of the University.

External audit services are currently provided to the University by EY.

External Audit is focussed on the production of the audited annual financial statements at the end of the University financial year (31 July). It is the External Auditor's role to confirm that the accounting policies, judgements and estimates made by the University's Finance managers are appropriate and in line with generally accepted practice.

Following approval by Court, the External Auditor's report forms part of the University's annual financial assurance submission to the SFC.