HEFCE, in its circular 01/28 "Risk Management - A Guide to Good Practice for Higher Education Institutions", defines risk as "the threat or possibility that an action or event will adversely or beneficially affect an organisation's ability to achieve its objectives".

This definition links risk to achieving the University's objectives and also identifies that risk management is not just about recognising and mitigating a negative risk but also enables the identification of risk-taking opportunities that may lead to positive benefits. Risks exist at Corporate or Strategic level, Faculty and Departmental level, and Project level.

Internal controls are the range of Statutes, Ordinances, regulations, procedures, and policies the University and Faculties and Departments use to govern their work; and any additional controls or mitigating actions taken to deal with a particular situation. Controls are often broken down into three categories:

The aim of risk management is to ensure that these controls are effective in identifying, monitoring, and controlling the risks the University faces in its day-to-day activities or any future ventures. Risk management is "a process which provides assurance that: objectives are more likely to be achieved; damaging things will not happen or are less likely to happen; and beneficial things will be or are more likely to be achieved."

The risk management method enables:

1. the identification of risks;
2. the evaluation of risks;
3. helps in setting acceptable risk thresholds;
4. the identification and mapping of controls against those risks; and
5. helps identify risk indicators that give early warning that a risk is becoming more serious.

Click here to see the schematic diagram of risk management framework. (Ref : Risk management in higher education: A guide to good practice, prepared for Higher Education Funding Council for England (HEFCE) by Pricewaterhouse Coopers, Feb. 2005)