The Risk Management Framework is an integral part of the Internal Control Framework and is designed to support delivery of Imperial’s strategy and its academic mission and comply with all its regulatory obligations. We consider risks in the short, medium and longer term, to help prioritise and direct management time and investment to the right risks. The core principles of the Risk Management Framework are based on the ‘three lines of defence’ model for the management of risk:
Line of defence and responsibilities
First line of defence
The first line of defence lies with the faculties, schools, institutes, departments and process owners whose activities create and manage the risks that can facilitate or prevent Imperial’s objectives from being achieved. This includes taking the right risks. The first line owns the risk, and the design and execution of the University’s controls to respond to those risks.
Second line of defence
The second line of defence is responsible for the design and maintenance of frameworks, polices, procedures and instructions that support risk and compliance to be managed in the first line. It is also responsible for monitoring and judging how effectively the first line is achieving its aims and is more commonly referred to as functional oversight. The second line is directed by management.
Third line of defence
The third line of defence is independent assurance that management operate an effective framework of controls to manage risk and that governance is appropriate around management of risk. The third line is directed by the Audit and Risk Committee and has organisational independence from management.
Principal Risk Dashboard
Our principal risks and approach to responding to them are set out in a Principal Risk Dashboard in the table below. At the June 2024 Audit and Risk Committee meeting, the updated principal risks were reviewed and approved and were shared with Council in September 2024. As part of a broader governance review the University Management Board set up a Risk, Compliance and Ethics Committee to support the Audit and Risk Committee in providing oversight of our organisational risk.
Principal Risk Dashboard
- Financial sustainability
- Research
- Education and student experience
- Supporting our people and culture
- NHS partnerships
- Major incident or crisis leading to business disruption
- Cyber incident and/or data loss
- Climate Change
- Damage to reputation
Risk: insufficient cash flow to deliver Imperial’s academic mission over the long term.
Risk management approach
Our financial performance is regularly monitored by the Council and the University Management Board. The Operations and Infrastructure Committee reviews and prioritises competing investments in our estate and the University Management Board oversees the annual planning round, the development and implementation of our financial strategy. The Endowment Board oversees the University's investment portfolio.
Our annual planning process ensures we manage our expenditure appropriately and operate within our budget. Our capital plan manages our investment in our campuses to support our financial sustainability in the longer term.
Staff costs are one of our biggest sources of expenditure. Our annual pay and benefits review ensures we continue to operate within our means whilst paying our staff fairly.
We liaise with the Government and other external bodies so that they are aware of the impact changes to research and STEMB teaching funding have on our operating model.
We ensure our revenue streams remain diversified so we do not become overly reliant on one source of income.
Risk: our research quality, volume and/or impact does not stay at its current level or fails to keep pace with our peer group.
Risk management approach
Our Research Office oversees our research and champions professional standards and consistency in research administration across Imperial to ensure that institutional governance responsibilities and obligations are met, including checking compliance with funder requirements.
Grant applications require departmental approval and departments provide wider support, such as grant proposal clinics, mock interviews and peer review, to maximise the likelihood of success. Faculties are expected to have action plans to improve research success rates and quality.
We work closely with external partners such as research councils, UK Research and Innovation and the Advanced Research & Invention Agency to understand changes in the research environment. We engage in strategic bi-lateral partnerships with other institutions in Europe and the rest of the world, as well as through the Horizon programme to maximise research opportunities.
Risks: Education – Failure to innovate and improve the quality of our education.
Students – Failure to support our students and improve their mental health, wellbeing, safety and quality of experience.
Risk management approach
Imperial has a number of governance groups tasked with the oversight of education. Each faculty has an education committee. The Senate is the academic authority of Imperial and regulates our teaching work. The Registry is responsible for the administration of all academic matters, including the approval of new programmes of study, quality assurance, assessments and examinations.
Our Learning and Teaching Strategy articulates our institution-wide approach for the development of our education. The strategy enables us to share best practice, collaborate and partner internally, as well as deliver the infrastructure and resources needed to support perpetual innovation.
A new academic strategy project focussed on the ‘Imperial Experience’ will help to prioritise work to join up our support services and systems by taking a holistic view from pre-application to post-graduation.
Last year we launched our Mental Health and Wellbeing Strategy. The strategy includes a commitment to taking a proactive approach to support student and staff mental health and wellbeing. It also strengthened collaboration by improving and developing our partnerships with other providers of mental health services. We have continued to implement this strategy during 2023–24 with the University Management Board taking overall responsibility for implementation of the strategy.
This risk comprises four elements: a) ability to recruit and retain high calibre staff; b) ability to continue to provide the appropriate services to staff; c) ability to change the culture to support delivery of the University’s strategic aims; and d) managing the mental health and wellbeing of our staff throughout Imperial
Risk management approach
The People and Culture Committee, a sub-committee of the University Management Board, is responsible for considering strategic issues relating to people, culture, and EDI (Equality, Diversity & Inclusion). The Remuneration Committee, a committee of the Council, annually reviews Imperial’s reward strategy and determines the remuneration of senior staff.
Each year, the University enters into a local pay bargaining process with the Joint Trade Unions to determine the annual pay award. Imperial also conducts a national benchmarking salary review against the relevant London markets for all job families. The annual Equity and Achievement Pay Review processes allow managers to address equal pay and internal benchmarking disparities in their area and to reward staff for exceptional contribution and achievement.
Our People Strategy aims to develop diverse talent, create an inclusive culture, and build a resilient workplace. We are continuing with a programme of regular staff surveys, and recommendations from these are taken to the University Management Board for action.
Risk: changes in the capability of Imperial’s NHS Partner Trusts impact delivery of the academic mission of the Faculty of Medicine and the University.
Risk management approach
The Imperial College Academic Health Science Centre (AHSC) manages the key relationships between the University and its main acute NHS partners in North West London.
Legal agreements (based on national templates) underpin individual research projects between the University and any NHS partner.
The Faculty of Medicine estate strategy is to consolidate activities on fewer sites to reduce risks associated with a shared NHS estate.
Risk: a serious incident that severely impacts continuity of the University’s critical operations.
Risk management approach
Imperial has an established risk management framework and business continuity capabilities. Through business impact assessments, Imperial has developed business continuity plans for its most critical operations. Exercises test these plans and improvements identified are incorporated into updates.
When plans are invoked to respond to an incident or event, we carry out a lessons learned review to improve our future response to similar incidents or events.
Imperial uses a specialist third-party provider to monitor planned events in proximity to campus to respond to possible threats from activist groups. We are developing improvements to business resilience through ICT business continuity plans.
Risk: probability of exposure to, or loss resulting from a cyber-attack or data breach causing significant disruption to the Information Technology environment and products used by the University.
Risk management approach
We continue to invest substantially in new protective controls to safeguard the security of this valuable work. We have a dedicated Cyber Security function focused on countering this risk.
Information Security Awareness training is mandatory for all staff and also requires the learning to be repeated every two years.
We have invested heavily in our network monitoring capabilities, and in case of a breach, we have a detailed plan to limit any damage to University operations.
Risk: our operations, finances and/or plans are adversely affected by climate change:
- Transition risk – impact of climate change on Imperial operations
- Damage to our reputation – impact on Imperial should we be seen to be acting against our commitment to our transition to carbon net zero and what our own research is telling us
- Physical risks – impact of climate change on our estate.
Risk management approach
The Sustainability Strategy Committee, a sub-committee of the University Management Board, oversees the goals, priorities and implementation of our Sustainability Strategy, including management of our transition to meet our carbon net zero ambition and the risks associated with this. We have employed an external consultant to support a deep-dive analysis of the adaptation risks we face associated with climate change.
We have also built a central Sustainability Hub to support implementation of our sustainability strategy. Our capital plan includes resource to continue decarbonisation of our South Kensington Campus and develop a roadmap to support the long-term transition to zero carbon.
Risk: damage to reputation could result from Imperial’s actions, practices, associations, sector implications, or negative publicity, whether accurate or not. Reputational damage can hurt Imperial’s financial sustainability, customer base, and ability to find and retain skilled employees. Reputation damage is often unexpected and can occur with little or no warning.
Risk management approach
The University Management Board is supported by sub-committees to facilitate leadership review of decision making across the organisation.
We maintain political relationships at a local, national and international level to manage changing stakeholder expectations and to support transparent and positive communication channels.