EPSRC's risk management policy aims to ensure that the benefits of risk management are realised in EPSRC in the most effective and efficient way by:
- Embedding risk management in EPSRC's management culture.
- Ensuring that everyone involved in risk management is aware of their roles and responsibilities.
- Ensuring best practice in risk management throughout EPSRC.
- Building an understanding of EPSRC's risk appetite and confidence in the organisation's ability to manage risks.
Overall responsibility for the risk management process lies with the Associate Director of Finance and Operations, with the full support of the EPSRC Leadership Team (ELT). ELT is corporately responsible for managing the strategic risks to EPSRC that are categorised as 'corporate risks'.
This responsibility is delegated from ELT to the EPSRC Governance Group, which comprises the Chief Executive, the Directors and the Associate Director of Finance and Operations. For management purposes, each individual risk is assigned to a named Governance Group owner.
The EPSRC Risk Manager, reporting to the Associate Director of Finance and Operations, will be responsible for implementing and maintaining the Management of Risk framework at corporate level and co-ordinating this framework at all levels.
The EPSRC Governance Group will oversee EPSRC's risk management arrangements. This includes:
- EPSRC risk policy and risk appetite.
- Oversight of Corporate and other Risk Registers.
- Monitoring and Control mechanisms.
All individuals explicitly identified as the managers of specific risks are expected to have response plans in place to manage those risks. Risk management is monitored regularly. The formal risk registers are updated at least quarterly: risk owners review and, where necessary, re-score their inherent and residual risks, and review the existing controls, the proximity of each risk and the mitigation actions. Mitigation action owners also score their mitigation actions quarterly using a red/amber/green (RAG) rating. The corporate risk register is reviewed at each meeting of the EPSRC Governance Group. A risk paper and the corporate risk register are presented to the EPSRC Resource Audit Committee on a regular basis for review.
Independent review of EPSRC's risk management approach will be undertaken by the Research Councils Internal Audit Service (RCIAS) as required. The most recent review by RCIAS was carried out in February 2010. EPSRC will also undertake a periodic self-assessment of risk maturity against a recognised risk management assessment framework. The purpose of this self-assessment is to determine what level of risk management maturity is appropriate for EPSRC, and what actions (if any) are required to bring risk management in EPSRC to that level.