Skip navigation

Risk Management About the university

Information about business risk management at the University of Greenwich and guidance for staff, students and visitors on the university's Health & Safety risk management activities.

View guidance on the university's Health & Safety risk management activities.

The University of Greenwich is committed, as part of its remit to ensure effective governance, to developing and maintaining an effective approach to risk management.  All staff at the university, both academic and non-academic, can benefit from an organised and structured approach to their activities in which the extent of business risk is properly evaluated.

Risk management involves a planned, systematic approach to identification, evaluation and
control of financial, administrative, commercial and reputational risks, whether internal or external, which might occur in the performance of business (including academic) activities.

Risk management is an aid to decision-making.  The process should not be onerous, and should result in a better understanding of the context in which activities are carried out, the potential risks inherent in those activities, and an understanding of how those risks can be better managed.

Risk management needs to be embedded in the university's everyday operations.  By taking a systematic approach to risk management we can be assured that we work in a more effective and efficient manner. 

Frequently asked questions

Risk management is a process whereby business risks are assessed and steps are taken to reduce them by introducing control measures. Risks are assessed from two points of view: the likelihood of the risk occurring, and, if it does occur, the impact of the event on the business of the university.

Risk management can apply to any University activity. We should always evaluate the risks involved in the course of our day-to-day business as well as for major projects. A risk assessment should most certainly be carried out during the planning stages of any substantial project. Examples are:

i.academic developments such as new programmes
ii.academic partnerships
iii. financial investment
iv. major estates projects
v. new IT systems
vi. special events.

By looking carefully at the risks involved in an activity before we undertake it, we can plan for unexpected or adverse events. By identifying a potential problem, considering the potential impact it would have and the likelihood of its occurrence we can decide how best to reduce that risk. In carrying out an assessment, we do not simply look at the financial impact of an adverse event occurring (although that is an important consideration): we also consider the effect on our reputation, our health, staff morale, students, and any other relevant concern, tangible or otherwise. Risk management is a method of quantifying otherwise intangible significant risks (such as reputation) and seeing what can be done to minimise the risk occurring, or the impact on us if it does occur.

Download a risk assessment form (Word).

Download a risk register template (Excel).

The questions you need to consider are:

  • Who is responsible for the project?
  • What can go wrong with the project?
  • For each risk identified, who would have control over that risk?
  • What is the likelihood, if no action were taken, of each risk occurring?
  • What would be the impact, if no action were taken, of each risk occurring?
  • By multiplying Impact x Likelihood, you will arrive at a Raw Risk Score. Find out what this means (PDF).
  • What are the early warning signs that an identified risk might be about to occur?
  • How could we best mitigate / avoid each risk occurring?
  • What are the sources of assurance for the mitigating actions? In other words, how would we know that the mitigating actions are being implemented, or how effective they are? (This would normally be an external source of assurance).
  • What, after all the mitigating actions have been put in place, would be the residual impact if the risk occurred?
  • What, after all the mitigating actions have been put in place, would be the residual likelihood of the risk occurring?
  • By multiplying Residual Impact x Residual Likelihood, you will arrive at a Residual Risk Score. Find out where this should be referred to depending on the Residual Risk Score (PDF).
  • What improvement actions have been taken to mitigate each risk?
  • Finally, who has carried out those improvement actions?

This should normally be located in your Faculty Office or with the Head of Directorate. The register should be reviewed at Faculty/Directorate management meetings on a regular basis (at least twice annually) before being sent to the Director of Governance & Compliance (Vice Chancellor's Office) for collation with other Faculty/Directorate submissions and review at Executive Committee. The reviews normally happen in Spring and Autumn.

The current Institutional (University-wide) Risk Register, and previous versions. This document is internal access only.

Risk Management is managed by the University Secretary's Office. John Wallace, Director of Governance & Compliance, is responsible centrally for Risk Management in the institution. However, all staff have a responsibility to ensure they carry out risk assessments where appropriate and consider the risks involved in their day-to-day activities. The Risk Management Guide sets out in detail who is responsible for the Risk Management process.

  • What to do next depends on the final residual risk score that you identify for your project. See what level of risk your score indicates (PDF). 
  • Your risk assessment should be kept by you and reviewed regularly throughout the project. 
  • You may well find that new risks are identified during a project in which case, repeat the process. 
  • The risk assessment should be forwarded to your Faculty or Directorate or the person who compiles your Faculty/Directorate Risk Register. 
  • The risk assessment will be a component part of your Faculty/Directorate Risk Register, and should be considered when the register as a whole is reviewed in your Faculty/Directorate, at least twice annually. This review will inform the Institutional Risk Register. 
  • You can also refer to the Institutional Risk Register when making your risk assessment. 
  • Some activities with a higher risk may need to be reviewed at each Faculty/Directorate management meetings; others may be considered to carry an acceptable level of risk and no further action other than normal management controls will be needed. The Residual Risk Score tells you this. 
  • We therefore have a cyclical process, with each tier of risk management providing the others with information which may influence the identification of risk, its treatment and score.