The College’s Internal Control Framework supports the delivery of its Strategy and compliance with its regulatory objectives. The aims of this Framework are to:
- support the effective management of risks that could impact upon the achievement of the College’s objectives;
- provide a system through which to safeguard the assets for which Council is responsible;
- ensure a mechanism exists to record and effectively manage liabilities;
- ensure processes are in place to prevent and detect corruption, fraud, bribery and other irregularities.
It is designed to support effective mitigation of risk rather than the elimination of risk and can only provide reasonable, and not absolute, assurance against material misstatement or loss.
Council is accountable for determining and monitoring the adequacy and effectiveness of the Internal Control Framework. It delegates responsibility to the Audit and Risk Committee and receives regular updates from it throughout the year. The role of the Audit and Risk Committee is to assure Council that the systems in place are robust and Risk Owners are capable of identifying and effectively managing risks.
The Audit and Risk Committee also reviews ‘deep dives’ into different risks and controls conducted by the Internal Audit team, and tracks progress on improvement actions.
KPMG, as the College’s internal auditors, judged that significant assurance with minor improvement opportunities could be taken on the overall adequacy and effectiveness of the College’s framework of governance, risk management and control for the period 1 August 2021 to 31 July 2022. Council considers there were no significant internal control weaknesses requiring disclosure.
PwC, as the College’s external auditors, also consider internal controls relevant to the preparation of the annual financial statements. The audit is not designed to identify all internal control deficiencies but will report any significant deficiencies if required. There were no significant deficiencies in internal control identified.
The Risk Management Framework is an integral part of the Internal Control Framework and is designed to support delivery of the College Strategy and its academic mission and comply with all its regulatory obligations. The core principles of the Risk Management Framework are based on the “three lines of defence” model for the management of risk:
Line of defence and responsibilities
First line of defence
The first line of defence lies with the faculties, schools, institutes, departments and process owners whose activities create and manage the risks that can facilitate or prevent the College’s objectives from being achieved. This includes taking the right risks. The first line owns the risk, and the design and execution of the College’s controls to respond to those risks.
Second line of defence
The second line of defence is responsible for the design and maintenance of frameworks, policies, procedures and instructions that support the management of risk and compliance in the first line. It is also responsible for monitoring and judging how effectively the first line is achieving its aims and is more commonly referred to as functional oversight. The second line is directed by management.
Third line of defence
We consider risks in the short, medium and longer term, to help prioritise and direct management time and investment to the right risks. During 2021–22, monthly deep dive reviews of our principal risks took place at our President’s Board, where, through robust discussion, the members considered the risks, interdependencies between risks and the adequacy and effectiveness of existing controls to manage those risks, together with any proposed improvements to the Risk Management Framework.
Principal Risk Dashboard
Our principal risks and approach to responding to them are set out in a Principal Risk Dashboard in the table below.
At the May 2022 and July 2022 Audit and Risk Committee Meetings, the updated College principal risks were reviewed, approved and subsequently shared with Council. Although it is a global risk and not one the College alone can mitigate through the adoption of controls, the impact of climate change is considered at all levels of the organisation and is reflected across our Principal Risks through the actions we are taking to reduce our carbon impact on society and the planet from the emissions we create.
Principal Risk Dashboard
- Financial sustainability
- Income diversification
- Property infrastructure
- Education and student experience
- Student recruitment and widening participation
- Managing our people
- Transformation of the College's operating model
- Research
- Regulatory compliance
- NHS partnerships
- Terrorist attack or protestor activity leading to business disruption
- Cyber incident and/or data loss
- Staff and student health and safety
Financial sustainability
We are unable to generate sufficient funds to deliver the College academic mission over the long term.
Risk management approach
Demand for our courses remains strong and we continue to see growth in revenue from tuition fees.
Management efforts are focused on cost management and efficiencies, given inflationary pressures and the increasing costs to the College of pension schemes.
This exercise will become increasingly important if recent increases in energy prices continue over the longer term.
We continue to liaise with relevant external bodies so that they are aware of the impact that changes in our operating environment might have.
Income diversification
Failure to grow cash generation from our commercial and investment activities and Advancement.
Risk management approach
COVID-19 has limited the ability of the Advancement division to hold face-to-face engagement with alumni and other donors; however, it has maintained philanthropic growth in challenging times.
The Commercial and Investment Activities team continue to market our commercial real estate and the Enterprise division our Intellectual Property. Different assets and markets are in different stages of recovery but have remained resilient.
Property infrastructure
We fail to optimise financial and resource investment in physical infrastructure and/or direct appropriate investment to degrading infrastructure and academic facilities, particularly with our target of carbon neutrality by 2040.
Risk management approach
Our infrastructure has been successfully maintained throughout the pandemic enabling essential workers and key research to continue.
The Estates Strategy Group (a sub-committee of President’s Board) was set up to help ensure competing investments on our estate are appropriately prioritised. It is the prima facie group that informs the Capital Plan and any amendments to it as a result of external influencing factors.
Education and student experience
We fail to innovate and improve the quality of our education. We fail to support our students’ wellbeing and quality of their experience.
Risk management approach
The College has offered significant support to students in a wide variety of areas. Hardship and other funds have been put to good use in support of students.
Mental health services have been expanded and our accommodation and catering teams have ensured self-isolating residents were comfortable, and assessments have been covered by ‘safety net’ policies to ensure learners have been treated fairly.
The mixed-mode education model and the need for us to deliver a positive student experience in the context of the pandemic have continued through this academic year and we have invested heavily to revise the curriculum and develop our digital learning.
Student recruitment and widening participation
We fail to attract a share of the best international students from diverse markets. We fail to increase our pool of home students from disadvantaged or under-represented backgrounds, risking intervention from the Office for Students and reputational damage.
Risk management approach
The success of our Marketing, Recruitment and Admissions team in collaboration with the faculties has seen a noteworthy increase in applications from under-represented nationalities.
We have established a Marketing, Recruitment and Admissions Group, a Scholarships and Studentships Steering Committee and a project board with colleagues across the College who meet regularly to align pre-enrolment priorities and take appropriate action as one.
We have invested in widening participation initiatives across the faculties as part of our access and participation plan. Significant progress includes the Imperial College London Maths School – with the application process launched ahead of the planned opening in September 2023 – continued engagement in White City and In2MedSchool, made up of over 2,500 doctors and medical school volunteers, who want to give back and inspire the next generation of medical students.
Managing our people
Our approach to pay and benefits and culture, including addressing diversity and inclusion, reduces our ability to recruit and retain high calibre staff. The pandemic has introduced the additional complexity of staff’s increased desire for flexible working.
Risk management approach
Pay and benefits are benchmarked annually to facilitate recruitment and retention of all staff. The annual pay review process has been further modified to strengthen pay equity and is underpinned by an Equality Impact Assessment. We continue to publish both our gender and ethnicity pay gap reports.
We have introduced an interim Work Location Framework to support managers and staff to determine their work location. The framework will be reviewed in early 2023 to evaluate the impact on delivery of the College mission.
A number of initiatives have been introduced to strengthen the working culture, including the introduction of College Values and the Imperial Together action plan.
Transformation of the College's operating model
We fail to deliver targeted benefits from strategic and operational transformation in support of the academic mission and cannot deliver the scale of improvements and change needed to improve the effectiveness and efficiency of our operating model.
Risk management approach
Our Professional Services Transformation Programme enabled by significant investment in technology has been approved in principle by the Provost’s Board. Detailed planning is underway to understand the potential cost and impact.
The Programme will increase professional service effectiveness, improve data quality and consistency, increase process simplicity, consistency and standardisation, to better support delivery of the Academic Mission.
Research
Our Research quality, volume and/or impact does not stay at its current level or fails to keep pace with our peer group.
Risk management approach
World-leading research quality and impact is central to the College strategy, and the excellent REF results should feed into our research funding positively.
We continue to invest in our physical infrastructure creating highly desirable working spaces to conduct our research. Our pay structures are continually reviewed to ensure we attract the best academic staff to deliver ground-breaking research outcomes.
Regulatory compliance
The College fails to comply with its regulatory requirements.
Risk management approach
We have established a regulatory compliance function which provides oversight and support of the College’s arrangements for meeting its many statutory and regulatory compliance obligations.
As part of the risk management framework, the regulatory compliance function supports the development of additional and modified controls in response to new and developing regulation.
Following introduction of the National Security and Investment Act, we established a National Security and Investment (NSI) Act Working Group that considered how compliance with the Act should be managed operationally, and the Scrutiny Committee provides increased governance over this broad category of risks.
NHS partnerships
Changes in the capability of the College’s NHS Partner Trusts impact delivery of the academic mission of the Faculty of Medicine and the College.
Risk management approach
The College has multiple linkages with NHS Trusts and other health bodies. These partnerships are fundamental to the fulfillment of the College’s mission in biomedical and health research, education and societal impact across all Faculties, primarily in the Faculty of Medicine.
The Imperial College Academic Health Science Centre (AHSC) manages the key relationships between the College and its main acute NHS partners in North-West London. The Dean of the Faculty of Medicine is also a Director of the AHSC.
The North-West London NHS sector is aligning delivery of services across organisations through the newly established Integrated Care System, which also includes Local Authorities with responsibility for public health and social care. The Integrated Care System will be key to future delivery of health services in the North-West London NHS sector and the transformation of services envisioned in the NHS Long Term Plan.
Terrorist attack or protestor activity leading to business disruption
A serious incident that severely impacts continuity of the College’s critical operations.
Risk management approach
Through business impact assessments, the College has developed business continuity plans for its most critical operations. Exercises test these plans and improvements identified are incorporated into updates.
When plans are invoked to respond to an incident or event, we subsequently undertake a lessons learned review to improve our future response to similar incidents or events.
The College uses a specialist third-party provider to monitor planned events in proximity to campus to respond to possible threats from activist groups.
Cyber incident and/or data loss
Risk of exposure to, or loss resulting from, a cyber-attack or data breach causing significant disruption to the Information Technology environment and products used by the College.
Risk management approach
Our research attracts significant external interest and hence we continue to invest substantively in new protective controls to safeguard the security of this valuable work.
Human behaviour and non-compliance with the College’s Information Security Policy increase the risk of an information security breach which, depending on the nature of the incident, could be significant to the College. Information Security Awareness training has been made mandatory and must be repeated every two years.
We have invested heavily in our network monitoring capabilities, and in case of breach, we have a detailed plan to limit any damage to College operations.
Staff and student health and safety
There is an incident or event which compromises the safety of staff and/or students and visitors, causing disruption to teaching, research and student experience.
Risk management approach
In the main, students have returned to face-to-face tuition, with the College retaining capability to deliver some of the larger events online, based on the outcome of risk assessments.
With staff returning to campus after long periods of absence, there is a focus on safety induction and re-establishing practical skills and competencies.