24 City of Glasgow College Annual Report & Accounts 2019-20
line with the Scottish Government Audit and Assurance
Handbook, and the Committee renamed the Audit and
Assurance Committee.
• Risk Management
The College's Risk Register and Risk Management Action
Plans for key risks, and highest scoring risks, were reviewed
at each meeting of the Committee. In May 2020, the
Committee received a review of strategic risks, all of which
had been updated to take account of the coronavirus crisis,
with commensurate increases to Risk scores. In addition, a
new risk was added to the Risk Register: "Failure to manage
acute threats relating to coronavirus outbreak".
A full review of Risk Management through 2019-20 is
provided below.
• Annual Report 2018-19
The Committee reviewed the draft annual report for 2018-19,
noting that while the statements record a deficit
of over £6.5m, the full financial statements showed an
underlying operating surplus of £1.2m following adjustments
made for depreciation, payment to Forth Valley College as
directed by SFC (following the sale of North Hanover Street
building) and pension and early retirement adjustments.
• Freedom of Information
The Committee received an update report on the nature
and volume of requests received in relation to the Freedom
of Information (Scotland) Act 2000 (FOISA) and the
Environmental Information (Scotland) Regulations 2004
(EIRs). It was noted that the volume of requests rose
significantly during 2017-18 and had fallen in 2018-19,
with a significant reduction in requests associated with
procurement/finance and the New Campus which accounts
for most of the overall reductions. The improvement in
responses provided within the required 20-day timescale, from
90% in 2016-17 to 97% in 2018-19, was noted.
• Data Protection and Health and Safety Audit Updates
Following the internal audit reports on these issues in 2018-19,
a number of recommendations were followed up via
action plans. Regular updates on progress with reference
to these action plans were provided to the Committee
throughout the session. Data Protection Officer support was
provided via HEFESTIS. Various improvements to Health and
Safety provision were implemented including IOSH training
for all managers, improvements to risk assessment, and
purchase and installation of defibrillators on campus.
The Committee received a report that there had been 8
data breaches in 2018-19, none of which were sufficiently
serious to warrant a report to the Information Commissioner.
However, all of these instances provided indications of how
various controls and training might be improved.
Risk Management
The College Risk Management strategy is embodied in the
following documents:
• Risk Management Policy
• Risk Management Procedure
• Risk Management Guidance
• Risk Register
• Risk Management Action Plans (currently numbering 23 at
June 2020)
The College Risk Management Policy outlines its approach
to risk management and internal control, and the roles of the
Board of Management and senior management, while the
Risk Management Procedure outlines how this is delivered.
In March 2020, the College's Internal Auditors, Henderson
Loggie, undertook an internal audit of Risk Management,
presented to the Audit Committee in May 2020. The Internal
Auditor provided a level of assurance of "good", reporting
that: "There is a robust risk management framework in place,
including a Risk Management Policy…(etc)" and "From our
review of the risk management framework it exhibited most
aspects of good practice:" (CoGC Risk Management Internal
Audit; MHA Henderson Loggie, May 2020; p3: Summary of
Main Findings).
The concept of Risk Tolerance has been introduced to all
Risk Management documents, and explained in detail within
the Risk Management Guidance. This reflects the Board's
agreement to an adjusted position with regard to risk,
accepting a less risk-averse position in some categories of
risk, such as major change or Development activities, but
not with regard to matters of, for example, reputation or
compliance.
From the College Risk Management Policy:
"In broad terms, appetite relates to the willingness to seek
potential benefits, while tolerance sets limits on acceptable
loss in pursuit of these benefits, with reference to the
organisation's strength and resilience. The Institute of Risk
Management states that: "While risk appetite is about the
pursuit of risk, risk tolerance is about what an organisation
can actually cope with." In short, the terms relate to whether
an organisation is respectively "willing" and "able" to take the
risk, or sustain the potential consequences of the risk.
These are the definitions of the respective terms understood
in all College documents relating to Risk Management."
(CoGC Risk Management Policy p5).
The most recent new strategic risks were added to the
College Risk Register in 2019-20:
• Risk 26: "Failure to achieve taught degree awarding
powers"
• Risk 27: "Failure to manage acute threats relating to the
coronavirus outbreak".
These additions brought the total of Strategic (Level 1) Risks
on the College risk register to 23, which were highlighted
and discussed by the Committee, via the individual Risk
Management Action Plans. Risk scores were adjusted
throughout the session, and as a consequence of various
considerations, principally and most recently, the coronavirus
outbreak, several risks were scored high (RED) thus:
• Risk 6: Negative impact upon College reputation (Fraud
investigation)