Risk Management and Audit

Risk Management at the University is overseen by the Directorate of Planning.

The University has in place a comprehensive Risk Management Framework, which is applicable across the University at all levels; institutionally, within Schools and Directorates, and on projects. As part of this, it also has a Strategic Risk Register.

At University level, risk management arrangements are an integral part of its wider strategic planning function; risk management is a key mechanism which supports delivery of the strategic ambitions outlined in Aberdeen 2040. In line with this, identified risk areas at a strategic level will generally reflect the Aberdeen 2040 vision, or the key enabling functions which will underpin its realisation. 

The University’s risk management arrangements are oversee and managed as part of a comprehensive governance system, designed to ensure that the appropriate level of checks and balances are in place. This includes a bi-annual reporting process to both the University’s Audit and Risk Committee and to Court, via the Senior Management Team. Court is the institutional body with ultimate accountability for risk management. The University’s risk management function sits within the Directorate of Planning.

The University’s Strategic Risk Register is comprised of 14 key risk areas, shown below. Each risk area is overseen by a Risk Owner who is accountable for its effective management, and at least one Risk Manager, who is responsible at a more operational level. The Risk Owner will normally be a member of the Senior Management Team (SMT). Risk Owners and Managers are required to liaise with different key stakeholder groups and committees in managing their risk areas as appropriate, with formal reporting requirements on a bi-annual basis, referred to in the section above.

• Risk Management Framework: this is the University’s Risk Management Framework, which applies University-wide.
• Risk Register Technical Guide: this is a supporting document which provides a detailed overview on how to use the University’s Risk Register template.
• Risk Register Template: the standard University template for creating and developing a risk register.

It is a Scottish Funding Council (SFC) requirement that all Higher Education institutions in Scotland appoint an Audit and Risk Committee.

The role of the Audit and Risk Committee is to oversee the effectiveness of the University’s risk management, control and governance arrangements and to provide assurance to the SFC that the institution has arrangements in place to promote economy, efficiency and effectiveness in the conduct of all aspects of its business.

Internal audit provides the University Court, through the Audit and Risk Committee, with an independent and objective opinion on governance, risk management and internal control and their effectiveness in achieving the organisation’s agreed objectives. It also has an independent and objective advisory role to help senior managers improve governance, risk management and internal control. The work of internal audit forms a part of the University’s overall assurance framework.

To ensure objectivity, the University outsources its Internal Audit function and these services are currently provided by PricewaterhouseCoopers.

Further details are available from the Clerk to the Audit and Risk Committee Ruth MacLure, who coordinates the Internal Audit Plan on behalf of the University.

External audit services are currently provided to the University by KPMG.

External Audit is focussed on the production of the audited annual financial statements at the end of the University financial year (31 July). It is the External Auditor’s role to confirm that the accounting policies, judgements and estimates made by the University’s Finance managers are appropriate and in line with generally accepted practice.

Following approval by Court, the External Auditor’s report forms part of the University’s annual financial assurance submission to the SFC.