Module 5: Financial, Resource and Risk Management

4.1 The risk management process

The risk management process entails the systematic application of management policies, procedures, and practices to the tasks of establishing the context of risks; identifying, analysing, and assessing risks; and treating, monitoring, and communicating risks.
It is an iterative process of well-defined steps which, when taken in sequence, enables you to continually improve your decision-making by providing you with greater insights into research risks and their potential impacts. The main elements of the risk management process are as follows:

1. Communicate and consult

Communicate and consult with internal and external stakeholders about the process as a whole and at each stage of the risk management process.

2. Establish the context

Establish the external, internal, and risk management context in which the rest of the process will take place. Establish the criteria against which risk will be evaluated. Define the structure of the analysis.

3. Identify risks

Identify where, when, why, and how certain events could prevent, minimise, delay, or improve the achievement of your research objectives.

4. Analyse risks

Identify and evaluate existing controls. Determine the likelihood, severity, and the resulting level of risk.

5. Evaluate risks

Rank and prioritise the risks to assist decision-making regarding the extent and nature of treatments required.

6. Treat risks

Develop and implement appropriate risk treatment strategies to address the risks.

7. Monitor and review

Monitor the effectiveness of all steps in the risk management process to ensure continuous improvement.

The figure in section 4.3 illustrates this iterative process.

4.2 Benefits of risk management

Applying and maintaining the risk management process brings these benefits:

• provides a structured framework for more effective strategic planning, ensuring that opportunities are maximised and losses are minimised;
• widens researcher perspective and encourages initiative and pro-active behaviour;
• contributes to improved school/faculty efficiency and effectiveness;
• optimises the use of resources;
• promotes greater openness in decision-making and improves communication;
• provides heads of school/deans with a concise summary of the major risks affecting the university and a mechanism to ensure that appropriate resources are directed towards areas of high risk;
• provides an effective and systematic approach that enables researchers to focus on areas of risk in their projects;
• improves the level of accountability in the university.

 

4.3 Example of a risk assessment technique

The following figure shows how the threat of any particular risk factor can be tackled.

 

4.4 Internal control

Internal control refers to all those systems, processes, and procedures aimed at protecting university assets; collecting, recording, and protecting revenue; and ensuring that expenditure is properly approved, classified, recorded, and paid in full at the appropriate time.
The following describes some of the types of controls:

Organisational. All enterprises, including universities, should have an organisation plan which defines and allocates responsibilities and identifies lines of reporting for all aspects of its operations, including controls. The delegation of authority and responsibility should be clearly specified.

Segregation of duties. One of the prime means of control is separating those responsibilities or duties which, if kept single, would enable one individual to record and process a complete transaction. Segregation of duties reduces the risk of error or intentional manipulation and provides an element of checking. Functions which should be separated include authorisation, execution, custody, recording, and, in the case of a computer-based accounting system, systems development and daily operations.

Physical. These are concerned mainly with the custody of assets and involve procedures and security measures designed to ensure that access to assets is limited to authorised personnel. This includes both direct access and indirect access via documentation. These controls assume importance in the case of valuable, portable, exchangeable, or desirable assets.

Authorisation and approval. All transactions should require authorisation or approval by an appropriate responsible person. The limits for this authorisation should be specified in a delegation manual.

Arithmetical and accounting. These are the controls within the recording function which check that the transactions to be recorded and processed have been authorised, that they are all included, and that they are correctly recorded and accurately processed. Such controls include checking the arithmetical accuracy of the records, the maintenance and checking of totals, reconciliations, control accounts and trial balances, and accounting for documents.

Personnel. There should be procedures to ensure that personnel have capabilities commensurate with their responsibilities. Inevitably, the proper functioning of any system depends on the competence and integrity of those operating it. The qualifications, selection and training, and innate personal characteristics of the personnel involved are important features when setting up any control system.

Supervision. Any system of internal control should include the supervision of day-to-day transactions by responsible officials who ensure that transactions are properly recorded.

Management. These are the controls exercised by university management (heads of centre/school/faculty) outside the day-to-day routine system. They include the overall supervisory controls exercised by management, the review of management accounts and their comparison with budgets, the internal audit function, and any other special review procedures.