How risk, compliance and assurance underpin academic excellence


Lukasz Bohdan, Oxford’s first ever Director of Assurance, talks about changes to the collegiate University’s approach to risk, compliance and assurance in the five years since the department was created and how this work supports the academic mission of the University. 

Key points:

  • Explains how risk, compliance and assurance support the academic mission of the University
  • Illustrates how Assurance can help academic and professional services staff
  • Highlights the help available with business continuity, data protection, information security and risk management and invites colleagues to get in touch for practical guidance and support
  • Reminds us all to complete our annual training on information security and data protection, conflicts of interest and anti-bribery

The Assurance Directorate was first formed five years ago to help the University navigate risk, compliance, data, cyber security and business continuity issues. We are now a centre of expertise staffed by over 30 colleagues, here to provide practical guidance and responsive support.

Back in 2019, the Registrar’s goal was to improve the University’s approach to risk and compliance. This quickly proved vital as the business continuity framework developed by Assurance, with input from colleagues across Oxford, helped the University operate during the pandemic. This involved scaling the University's operations up and down in response to lockdowns and the relaxation of COVID-19 rules; helping move teaching online; helping manage the outbreaks; and protecting the vaccine and clinical trials from cyber attacks.

It also set the tone for how Assurance wanted to work: proactively and collaboratively, supporting academic and professional services colleagues with useful tools and pragmatic advice.

We developed a coherent, strategic approach to risk and compliance management and related areas and linked risk management with planning and committee work. ‘Making things easier for you’ is our mantra, and we are busy every day simplifying processes, digitising services and challenging ourselves to do only what adds value, in line with the principles and collective ambition of Professional Services Together.

Before we introduced multi-factor authentication (MFA) four years ago, our Information Security team would disable over 1,800 email accounts every year as a direct result of phishing. Since then, there’s been a 98% drop in this – introducing enhanced security protocols has freed up time to enable us to focus on other vital areas of work.

The volume of information requests sent to the University has more than doubled since our formation; these are people asking for more information either about us or the data we hold about them. Our Information Compliance team now deals with over 3,400 of these every year and has developed processes, guidance and training to support colleagues. We have matured our data protection practice and now meet the required timelines, and the Information Commissioner’s Office (ICO) concerns have been allayed. The Information Compliance Service Review has just presented its recommendations and the accompanying change programme will help us improve further, while minimising the administrative burden for staff.

We all know how important it is to stay ahead in any sphere and funders need us to keep pace with evolving international standards: be it securing our research data or managing conflicts of interest, it’s clear that a small investment of academic time early on in the life of a research project means securing that coveted grant and avoiding reputational damage later on. After all, who wants their clinical trials data hacked or integrity challenged because competing interests have not been disclosed?

And fear not: we don’t like bureaucracy either and are here to walk you through every step of the process and demystify and simplify risk and compliance so that you can focus on your world-class research.

Since our formation we’ve helped colleagues win grants, secure research and protect our reputation, and, in doing so, we have reduced a number of risks to our community, particularly in cyber security and business continuity. Along the way, we’re also proud to have been a catalyst for improvement in areas beyond our directorate, like export controls, health and safety, and counter-fraud – truly a case of professional services working together.

Business continuity is vital and we have spearheaded live exercises to stress test existing plans in traditional college environments, and run large-scale simulations focused on cyber security and protecting our people and our data. We have more in the pipeline too and will be rolling out a new instant alert system and a risk system for the collegiate University in the coming months.

It pays to think ahead; this is what risk and resilience is all about. So, if this is prompting you to review and test your existing plans or if you’re wondering where to start, we’re here to help with all aspects of business continuity and risk, data protection and cyber security.

Last year we updated the information security and data protection training module which needs to be done every year by all of us. We also created training on conflicts of interest and anti-bribery that is now available on CoSy. I’ve just made a diary note to do mine again, and I’d encourage you all to do the same; it’s a great reminder of the good practices we should all be building into our day-to-day work, and of where to find more in-depth support and guidance.

You’ll find us in Wellington Square and online; we’re always happy to talk all things assurance. We look forward to seeing and working with many of you in this, our anniversary year.