Chris Walker, head of risk management at Durham University, and president of ALARM, speaks with Deborah Ritchie about building resilience in higher education and the wider public sector, from streamlined risk registers and integrated assurance to principles-based AI guardrails and more open, learning-driven risk cultures
How can public sector risk leaders sustain resilience as budgets tighten and scrutiny intensifies?
The focus should not be on doing more with less, but on protecting what matters most. That means identifying core services, clarifying statutory and contractual duties, understanding which outcomes would cause the greatest harm, and directing scarce resources towards the controls that genuinely safeguard continuity. Prioritisation is central. Many public bodies have historically tried to satisfy multiple stakeholders across multiple markets. That model is no longer sustainable. Risk leaders need to help executive teams concentrate on a smaller set of clearly articulated principal risks, directly linked to strategy, service objectives and agreed tolerances. Streamlined, outcome-focused risk registers are more useful than narrative-heavy documents that obscure priorities.
Assurance must evolve in parallel. Where fewer risks and controls carry more weight, assurance activity has to be intelligence-led and integrated. Merging insights from risk, audit, performance and programme management functions enables shared assurance and reduces duplication. Senior leaders need clarity over which risks threaten service continuity, what indicators truly matter, how frequently they are reviewed, and what challenge is applied to the data. In an environment saturated with metrics, disciplined selection of meaningful key risk indicators becomes critical.
Importantly, tighter finances should not automatically translate into lower risk appetite. In higher education, in particular, there has been a tradition of caution. Yet when operating conditions become more demanding, institutions may need to accept carefully calibrated risk in new student markets, research ventures or partnerships to remain viable. Clear understanding of exposure, coupled with disciplined prioritisation, enables defensible strategic decisions rather than reactive retrenchment.
How is enterprise risk management evolving in universities to support commercial complexity without undermining academic integrity?
ERM is shifting from a compliance-led activity to a strategic enabler. The emphasis is increasingly on alignment; risk should dovetail with strategy, corporate intelligence and long-term sustainability planning. Clear, board-owned risk appetite statements are crucial. When appetite is explicit, risk management ceases to be a mechanism for suppressing proposals and instead becomes a framework for informed trade-offs, opportunity cost analysis and transparent escalation.
The sector’s risk profile has changed markedly. Institutions now face global operations through transnational education, overseas offices and international recruitment pipelines. They carry substantial technological debt while pursuing digital innovation. Revenue models are more commercial. These introduce interconnected financial, geopolitical, regulatory and cyber exposures that demand greater maturity. In this context, risk leaders must engage executives and governing bodies in their own language. Discussions should centre on resilience, sustainability, brand value and competitive positioning rather than compliance checklists.
Which frameworks and controls can provide true and robust protection for information integrity?
Established frameworks such as ISO/IEC 27001 and NIST provide a solid foundation for information security and control design, offering structure, discipline and a common language. But digital transformation demands more than static compliance.
Information risk now permeates every service, not just the remit of an information governance team. Data underpins teaching, research, finance, student administration and external partnerships. As a result, its governance should be treated as a business enabler embedded within ERM. A principles-based approach is proving effective here. Rather than layering increasingly prescriptive controls, institutions are setting parameters within which innovation can occur safely. Zero trust concepts, strong identity and access management, data classification regimes and rehearsed breach response arrangements form part of the baseline. But technical controls must be complemented by training and clarity of accountability.
The challenge universities have is balancing security with academic freedom. Researchers must be able to collaborate internationally and explore new domains. Overly restrictive controls can undermine institutional missions. Linking cyber and data risks to service delivery, tolerable disruption thresholds and brand value helps determine where enhanced safeguards are non-negotiable – such as student records or core financial systems – and where flexibility is appropriate.
Further, a major data breach affecting students or partners could rapidly erode trust in a competitive global market, so robust frameworks support both resilience and brand.
How can HE institutions manage the risks of expanding generative AI use, without stifling innovation?
AI is evolving faster than most governance frameworks can keep pace; attempting to codify every possible use case is unrealistic. Instead, institutions are establishing guardrails grounded in clear principles and explicit risk appetite.
The first step is defining what is acceptable, what is outside tolerance, and where red lines sit. These boundaries should then be cross-referenced against existing policies, procedures and practices to identify gaps. Human oversight is essential: designated individuals must understand both the capabilities and the limitations of AI tools, including the risks of bias, model drift and intellectual property exposure. Training is therefore critical. Staff and students need to understand how tools function, where outputs may be unreliable, and what constitutes appropriate use. Assurance processes should be iterative, using pilot schemes and sandbox environments to test applications before broader deployment. Controls can then be refined in light of experience.
A proportionate approach is key. Excessively low risk appetite risks leaving institutions behind competitors that harness AI to enhance student experience and operational efficiency. Conversely, unbounded experimentation could damage quality or reputation.
An emerging practical dilemma illustrates the complexity. In one recent recruitment process, concerns arose that a candidate in a face-to-face interview might have been using AI-enabled wearable technology to generate responses in real time. Yet challenging such behaviour raises difficult questions: could those cues also indicate neurodiversity? Is it appropriate to request removal of wearable devices? Such scenarios demonstrate that AI governance extends beyond policy documents into nuanced, human judgement calls. Clear principles and appetite statements provide a reference point when novel situations arise. Institutions are monitoring international regulatory developments, including the EU’s AI framework, but internal clarity over appetite and consistency of approach remains more decisive than formal alignment with any single code.
Is risk culture in public institutions still broadly compliance-driven?
Historically, risk functions in parts of the public sector were perceived as gatekeepers – the team that said no. Risk registers were often siloed, with limited transparency. There could be reluctance to escalate issues for fear of scrutiny or blame.
That’s changing. Constrained resources, heightened demand and greater competition have made collaboration and openness more necessary. Mature risk culture is increasingly characterised by transparent escalation and shared ownership. The quality and frequency of risk escalation are among the clearest indicators. Are emerging risks discussed early, or concealed until they crystallise into crises? Are near misses reported and analysed? How is bad news handled? Organisations that encourage timely escalation demonstrate confidence and a learning orientation.
Decision-making processes offer another diagnostic. Is risk appetite actively referenced when major choices are made, or does it sit unused on a shelf? Do board papers articulate trade-offs and residual exposures? When risk considerations are embedded into strategic deliberation, culture has shifted from compliance to enablement.
Transparency can reinforce that shift. At Durham, internal barriers between risk registers have been removed so that registers are visible across the institution. Openness encourages shared understanding of exposures and shared responsibility for mitigation, particularly amid constrained resources.
Finally, structured learning mechanisms – scenario testing, post-project reviews and systematic lessons learned – signal behavioural resilience. A mature organisation acknowledges that not every initiative will succeed. The critical question is whether it adapts. When past shortcomings inform future design, risk management becomes a driver of continuous improvement rather than a retrospective audit exercise. Across the UK public sector and higher education in particular, the trajectory is towards integration, prioritisation and principled flexibility. Under financial and technological pressure, risk leadership is less about expanding documentation and more about sharpening focus, clarifying appetite and enabling informed, accountable decision-making.