Risk management at Cambridge

Definitions

The University uses the following definitions relating to risk and risk management:

  • Risk is the threat or opportunity that an action or event will adversely or beneficially affect the University's ability to meet its objectives.
  • Risk management is the process by which risks are identified, assessed, prioritised and managed in order to support well-informed decision-making and maximise the realisation of opportunities across the University.
  • Risk appetite is the level of risk that the University is willing to pursue or retain.

Risk Management Policy

The University's Risk Management Policy sets out the University's underlying approach to risk management and provides guidance on how colleagues are expected to assess and manage risk within their day-to-day activities to ensure that well-informed decisions are made and that the University's activities are sustainable and compliant. The Policy forms part of the University's internal control and governance arrangements. 

University statement of risk appetite

The University will generally accept a level of risk proportionate to the benefits expected to be gained, and the scale or likelihood of damage. The University has a high appetite for risk in the context of encouraging and promoting critical enquiry, academic freedom, freedom of expression, and open debate. The University has a very low appetite for risk where there is a likelihood of significant and lasting reputational damage; significant and lasting damage to its provision of world-class research or teaching; significant financial loss or significant negative variations to financial plans; loss of life or harm to students, staff, collaborators, partners or visitors; illegal or unethical activity; or regulatory non-compliance.

Risk registers

University

The University's risk register identifies those risks that are considered to have a fundamental impact on the University's ability to deliver its mission or to operate effectively. The University's risk register is reviewed at least twice a year by the senior leadership team within the context of the University's priorities. The Audit Committee has responsibility for scrutinising the risk register and challenging the senior leadership team on the management of the risks to provide assurance to the Council. The Council formally approves the University's risk register at least annually.  

School and Non-School Institutions

Each School and major Non-School Institution (NSI) must maintain an up-to-date risk register, which is reviewed regularly by its relevant management committee (Council of the School or equivalent). In addition, key risks from School and NSI risk registers will be reviewed by the extended senior leadership team at least annually to ensure that emerging risks are escalated and added to the University's risk register as and when necessary. Improvement actions and risk indicators will be monitored regularly.

Risks will vary widely across the University, and Schools, Faculties, Departments and other institutions are responsible for managing risk in a manner appropriate to each institution. 

The risk management framework contains further guidance on risk management for Schools and Non-School Institutions in Section 6. 

In the event of an emergency...

Even under the most robust risk management practices, emergencies cannot always be prevented. The University's emergency management plan operates at an institution-wide level and can be invoked directly in response to a major or widespread incident or as the result of a local management team asking for help in responding to an emergency. Visit our incident management and business continuity pages to see the University's emergency management plan and other guidance.