By Claire Hammond and Gareth Jones, Senior Delivery Managers, Digital Transformation Division
Risk management isn’t just a compliance exercise – it’s fundamental to delivering our ambitions. Across the Digital Transformation Division, every team and role has a part to play in identifying, understanding and managing risk.
Risk management is how the University identifies, understands and responds to the things that could prevent us from achieving our goals. It helps us anticipate challenges, prioritise what matters most, and make informed decisions – whether that’s delivering major programmes of work, protecting our services, or supporting staff and students effectively. When done well, risk management isn’t about being risk-averse; it’s about creating the conditions for successful delivery.
When we joined the Division in April 2025, we took on responsibility for overseeing the Divisional risk register in CAMMS, the University’s corporate risk management system. While the risks we inherited were sensible, it quickly became clear that the register no longer fully reflected the realities and challenges facing the Digital team.
Some risks had been on the register for a long time, and others lacked the clarity needed to drive meaningful action. With fresh eyes, we saw an opportunity to reset our approach.
Why Structure Matters in Risk Management
In our previous roles, we’d seen the value of writing risks in a clear, structured way. Widely accepted best practice is to frame risks as:
There is a risk that <an event will occur> because of <root causes> resulting in <impacts>.
This structure forces us to identify root causes, which makes it far easier to agree actions that genuinely reduce the likelihood or impact of a risk – rather than just describing the problem.
For example:
There is a risk of a data breach because of a lapse in security protocol, resulting in fines and reputational damage.
Clear structure leads to clearer thinking – and better decision-making.
From Theory to Practice: The Risk Workshop
To put this approach into practice, we brought together the Digital Leadership Team for a half-day, in-person workshop in August. The aim was simple: rewrite the risk register collaboratively.
We began with an open question:
“What keeps you awake at night?”
When ideas began to slow, we introduced a scenario:
“Imagine it’s 2028. UEB calls you in and says, ‘You’ve failed to deliver the Digital Strategy for 2030.’ What could have happened to get us here?”
It was a challenging exercise, but also a powerful one. It created space for honest conversation and surfaced concerns that don’t always emerge in day-to-day discussions.
Turning Concerns into Action
Next, we asked:
“What would give you comfort for each risk or cause you’ve identified?”
This was a turning point. Many colleagues realised that much of the work already underway across the Division directly mitigates our biggest risks – but we hadn’t previously articulated it that way.
This conversation helped us:
- Recognise what we already do well
- Distinguish between what’s in our control, what we can influence, and what sits outside our control
- Focus actions on the risks that matter most
From there, we:
- Collated all risks using the corporate CAMMS structure
- Assessed each risk consistently using the CAMMS framework
- Assigned owners, actions and review periods
What’s Next for Risk Management?
In the coming months, we’ll continue to mature our approach by:
- Reviewing how risks are categorised
- Defining our acceptable level of risk (or “future risk”), a recent addition for corporate risks in CAMMS that we’ll also apply to operational risks
This will help ensure our actions target the most significant residual risks and keep us on track to deliver the Digital Strategy for 2030.
Key Takeaway
Risk management isn’t about avoiding failure, it’s about planning for success. By refreshing our risk register, we’ve made risks more visible, more actionable and more clearly aligned with our strategic priorities.
It’s easy for risk management to become just another task on a long to-do list. Taking a step back, approaching it differently, and using interactive workshops can re-energise the process and make risk management feel like what it should be: an integral part of how we deliver successful change.
Stay Involved
To stay up to date with our work across Digital Transformation, including how we manage delivery, risk and change, join our monthly Digital Demo sessions, held on the second Tuesday of every month.
Take a look at our 2030 Digital Strategy.
Read our previous blog post to learn about the MyExeter usage highlights for last term.