Comply and Thrive – Moving to a Governance, Risk and Assurance Culture

Sarah Litchfield, Secretary and General Counsel, and Mat Cooling, Director of Risk and Assurance, at the University of Surrey,  explain how universities can establish a governance, risk and assurance (GRA) culture, and why this is particularly important since the pandemic.

Posted by Sarah Litchfield on

A changeable compliance landscape

On 23 March, the UK entered lockdown.

There were curbs to individual and business freedoms not seen before. These restrictions have changed the society in which we all live and how organisations operate.

Understandably, this has led to organisations reviewing how they continue to grow, thrive, or simply survive.

Such an external shock to any organisation is difficult. However, it poses particular challenges to the higher education sector, with its multiple stakeholders and complex regulatory framework.

In response to the pandemic, the Office for Students moved quickly by adjusting their regulatory requirements. This created a changeable compliance landscape, which was evolving at pace.

These changes highlighted that there was a greater need for one version of truth across the sector, in respect of the compliance requirements that we face, and our current position.

In addition, the risk of non-compliance arguably increased during lockdown as a result of:

  • Requirement changes
  • Furlough of staff
  • Sickness of staff
  • Difficulties in carrying out statutory requirements, such as gaining access to student accommodation to carry out necessary healthy and safety checks.

It became clear that decision-making could become sub-effective, and non-compliance could go unaddressed. Universities needed a coherent and co-ordinated approach to monitoring compliance and providing assurance. This approach would need to ensure effective risk management, and provide a balanced picture to senior management.

The solution is a Governance, Risk and Assurance (GRA) culture.

Understanding GRA culture

A GRA culture is a coherent system of risk, control and compliance assurance, embedded within decision-making across the organisation.

An established GRA culture is a sign of a strong and successful business. It leads to improved efficiency and greater insight, supported by high quality information.

But often, when an integrated GRA function is debated, compliance professionals argue that there are ‘rules to the game.’ If these rules are not followed, an organisation could be hit with:

  • Significant fines
  • Reputational damage
  • Decreasing student satisfaction.

This is true.

But persuading through fear is not the best way to help an organisation become more risk and control aware.

It also prevents organisations from developing and applying a risk profile across their various functions, which could help to identify areas where (stretched) resources are most needed.

How to establish a GRA culture

The journey to establishing a GRA culture involves two key initial stages:

1) Identifying the compliance burden

The first stage in any maturity model begins by mapping how your university performs in key compliance areas.

A new integrated GRA must understand your compliance requirements. These may have been managed in disparate areas across the university, without a single version of the truth.

Once achieved, it becomes possible to develop a hierarchy of what senior management should care about most, and what could derail the strategy. You can then build a monitoring dashboard accordingly.

2) Driving decision-making

The next step is effective decision making.

This should be a natural progression. The insight driven by the newly-established GRA begins to underpin decision-making across the university.

One of the signs of success will be if decision-making begins to be underpinned by the consideration of risk, and the university’s appetite towards that risk. Governance processes would be the end point in ensuring that decisions concerning strategic activity are properly informed by risk.

In the current climate, universities need to provide ‘more for the same,’ therefore data analytics are a useful tool to automate reporting. This provides senior management with realtime information on key issues emerging across the university.

The successful implementation of data analytics is a topic for exploration in its own right. But in the context of risk assurance, your GRA team will need to understand the data landscape and the veracity of the data they wish to use.

Beginning our GRA journey

We are at the beginning of our journey building a GRA function within the University of Surrey.

We are starting with the key areas of health and safety, operational risk, and information compliance, although there is more to be done.

Our initial goals are simple but ambitious:

  • Build the GRA function
  • Embed a culture of risk and compliance assurance consistently across the organisation.

The first will be quick. The second will take time, and will develop over the years to come.

But the journey that the GRA will undergo will not be in isolation. In order for us to be successful, the University will learn and grow with us, and help to drive the change.

Sarah Litchfield is Secretary and General Counsel, and Mat Cooling is Director of Risk and Assurance, at the University of Surrey.

1 Comment

  • David Duncan

    #1749
    An interesting and thought-provoking piece - thanks to Sarah and Mat. Is there a danger that too much emphasis on compliance with regulations and internal policies leads to an excessively bureaucratic culture and a pusillanimous mindset among managers? An unwillingness to try anything new or do anything quickly because we’re always worrying about the risks? A tendency to look at what others are doing and not to step out of line? It would be good to hear what other registrars think.

Leave a Reply

Preventing and Responding to Gender-Based Violence on Campus

Application deadline: Friday 10th January 2025

This free workshop is offered to those in senior roles to develop their understanding of gender-based violence; the requirements and expectations of Higher Education Institutions in preventing and responding to it; and to support the move from single initiatives to more integrated approaches.

Find out more