The Group undertook a comprehensive review of its governance structures and its risk management processes in early 2019, which led to a substantial re-working of the risk architecture previously in place. Specifically, Risk has been explicitly integrated within the Audit Committee in the form of the new Audit and Risk Committee, with Terms of Reference and practical operation reflecting this new approach.
Internal Audit plans have been amended to focus more on key strategic risk areas, and internal audit has been tasked with providing more value-enhancing and business-oriented insight as well as continuing to identify areas requiring improvement.
Risk Registers have been substantially simplified, reduced in size and re-worked to make them more user-friendly and to ensure focus is on key risk items, but in more depth and detail than previously identified.
Risk Plans have been introduced for “red” net risks for the first time. These identify, in much greater detail than previously captured, the potential risk scope, the expected quantification of the impact and any opportunities arising; set out detailed mitigation plans and clear programmes for implementation; compare the cost of mitigation implementation against the expected risk quantum; track the success of mitigation plans; and can subsequently be used as a key “lessons learned” resource.
In-year, the first Risk Plan was developed relating to occupancy concerns at a single University site, a risk that was ultimately managed to the Boards’ satisfaction. Subsequently a second Risk Plan, related to Covid-19 risks, has been developed and implemented. Risks are tracked weekly, and reported to the ELC where anything has changed.
The key review of risks is now carried out at the monthly ELC meetings, with the product of discussion being an agreed list of “Top Ten” risks and the accompanying revised Live Risk Register. Value Killers and Strategic Risk Registers are provided, in addition to the Live Risk Register and Top Ten risks, to the UGHL Board and Audit and Risk Committee for consideration and approval. Risk registers are also maintained at subsidiary company and functional level, including for each operational site, with reviews at appropriate levels including Boards and Committees.
With a revised governance framework in place, we have created a new post of Director of Corporate Governance, who will start in the first month of financial year 2020/21. This position will take on much of the day-to-day responsibility for risk management oversight, governance and compliance matters as well as the role of Company Secretary.
It will enable the Group Legal Director to more fully support operational matters and, with technical expertise, the Director will oversee our approach to specific risks we have identified as the next key areas of focus, including data privacy and cyber security. As part of their role, the Director of Corporate Governance will continue to consider further improvements in the governance structure and processes.