
Risk and Compliance Expectations for Universities in 2026 - What Heads of Risk Need to Evidence

Initia Risk Team
Apr 16, 2026

Universities are not short of governance frameworks, regulatory expectations or compliance obligations. If anything, the problem in 2026 is the opposite: the stack of overlapping requirements has grown to the point where the real challenge is no longer knowing what is expected, but evidencing - consistently and at pace - that it is actually being done.

For Heads of Risk, compliance leads and governance professionals in English universities, this creates a specific operational problem. Boards, regulators and auditors are not asking whether you have a risk policy. They are asking whether you can demonstrate that risks are owned, controls are tested, decisions are recorded, and assurance is flowing through to the governing body in a way that holds up under scrutiny.

This article sets out the major expectations English universities face, where operating models typically break down, and what a more robust approach looks like in practice.

Why This Is Getting Harder

The governance and compliance environment for universities has always been layered. But in recent years, the layers have multiplied. OfS expectations have sharpened. Financial sustainability has moved from a background concern to an acute one. Cyber, data protection and freedom of speech have all developed their own distinct regulatory weight. And through all of this, the scrutiny that governing bodies, audit committees and internal audit functions apply to risk management has intensified.

The difficulty is not any single obligation in isolation. It is the combination:

  • More expectations across governance, finance, student protection, information rights, cyber and sector-specific duties.
  • More scrutiny from OfS, governing bodies, audit committees and internal audit.
  • More pressure on committees to evidence that assurance is working, not just that it exists.
  • Fewer resources in many institutions, with cost reduction programmes affecting the very functions responsible for governance and risk.

The result is that risk and compliance teams are expected to do significantly more - with the same or fewer people, and often with the same tools they had five years ago.

What Universities Are Actually Expected to Evidence

The compliance landscape for English universities is not one single regime. It is a stack of overlapping governance, regulatory and operational expectations. Below is a practical summary of the major areas.

OfS Registration Conditions and Governance

Universities registered with the Office for Students must continue to meet ongoing conditions of registration. OfS expects providers to have adequate and effective management and governance arrangements, operate in line with their governing documents, deliver public interest governance principles in practice, and continue complying with registration conditions. These are not one-off requirements - they are continuous obligations that OfS can and does test.

Public Interest Governance Principles

The governance expectations connect directly to the public interest governance principles. These include accountability, student engagement, value for money, academic freedom and freedom of speech within the law. For risk and compliance teams, the practical implication is that governing bodies need to be able to show these principles are embedded in decision-making - not just stated in a governance framework document.

Student Protection and Consumer Protection

OfS guidance makes clear that providers need arrangements to ensure accurate and timely course information, fair and transparent student contracts, and clear, accessible complaint handling. This is consumer protection applied to higher education, and it creates specific compliance obligations around how information is published, how changes are communicated, and how complaints are managed and evidenced.

Practical Note

Consumer Protection Is a Risk and Controls Problem

Student protection obligations are often treated as a marketing or academic quality issue. In practice, they create specific compliance risks - around course information accuracy, contract fairness and complaint handling - that need clear control ownership, evidence of compliance, and a route through to the governing body. If these sit outside the risk register, they sit outside governance oversight.

Financial Sustainability and Governance

Given the financial pressure many universities are under, this has become a major live issue. OfS defines financial viability in terms of whether there is material risk of insolvency within three years. Its 2025 guidance is explicit that boards should consider the effect of cost reduction or strategic change on key control functions - including risk management, internal audit and governance support.

This creates a difficult tension for risk teams: exactly when institutions are under the most pressure, the functions that provide assurance are themselves at risk of being cut. Evidencing to the governing body that risk management capacity is adequate - and being honest when it is not - becomes a governance obligation in its own right.

The CUC Higher Education Code of Governance

The CUC Code remains a key benchmark. It frames the governing body as collectively responsible and accountable for institutional activities. The self-assessment checklist explicitly says the governing body should identify, understand and manage risk appetite and strategic risk with the executive. The CUC Audit Committees Code extends this further, making clear that audit committee remit is broader than finance and should be risk-based - covering governance, culture, risk management, control, and institutional effectiveness.

Key Point

Audit Committees Should Be Risk-Based, Not Finance-Based

The CUC Audit Committees Code makes clear that the audit committee remit should cover governance, culture, risk management, control and institutional effectiveness - not just financial controls. If the committee agenda is dominated by finance, there is a governance gap. And if the risk information feeding the committee is compiled manually from disconnected sources, the quality of that oversight is inherently limited.

Information Governance: GDPR and Freedom of Information

Universities sit inside the normal information governance landscape. UK GDPR applies in full. A personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of the institution becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay. Breaches that are assessed as not notifiable still have to be documented, with the reasoning recorded. Because the clock starts at awareness, the process needs a fast initial assessment of whether a breach is notifiable and a record of that decision either way. Given the volume and sensitivity of data universities hold - student records, research data, staff information, health data - this is a significant operational obligation, not a background compliance task.

Publicly funded universities are also subject to the Freedom of Information Act 2000, which gives a right of access to recorded information held by public authorities, including universities. Requests must normally be answered within 20 working days. Managing FOI requests consistently, within that statutory timescale, and with clear records of what was disclosed, what was withheld and on which exemption, is itself a compliance and controls challenge.

Cyber Resilience

Cyber risk in higher education is no longer generic IT risk. The NCSC, working with Universities UK, Jisc and UCISA, has published guidance aimed explicitly at university leaders. It frames cyber resilience as a governance and leadership responsibility, not just a technical one. For risk teams, this means cyber should appear on the strategic risk register, with clear ownership, defined controls, and assurance flowing through to the governing body - not sitting in an IT silo. The assurance itself should rest on evidence that controls have actually been exercised, such as the results of backup restore tests, incident response exercises and independent assessments, rather than on a statement from IT that the controls exist.

Sector-Specific Duties

Depending on the institution, there are additional obligations that carry their own risk and compliance weight:

  • Prevent duty: Still applies in higher education settings in England and Wales, requiring institutions to have due regard to the need to prevent people from being drawn into terrorism.
  • Freedom of speech and academic freedom: Since 1 August 2025, new rules have come into force for universities and colleges, adding a distinct compliance layer that intersects with governance, HR, student engagement and events management.
  • Foreign interference: In February 2026, the government published guidance on protecting UK higher education from foreign interference, aimed at helping providers recognise, prevent and report those risks while protecting research and academic freedom.
  • Charity law: Many English universities are exempt charities, with the OfS acting as principal regulator for charity-law purposes in place of the Charity Commission; others are registered charities in their own right. Either way, charitable status brings additional governance duties, including those around charitable purpose, trustee responsibilities and public benefit.

Where the Operating Model Usually Breaks Down

Most universities have the right policies. Many have well-drafted risk frameworks, governance structures and terms of reference for their committees. The breakdown is not in policy design - it is in operating discipline.

The patterns are consistent:

  • Risks tracked in spreadsheets that fall out of date. Risk registers live in Excel or SharePoint. They get updated before committee meetings and go stale in between. Nobody has a real-time picture of the institution's risk position.
  • Controls owned on paper but not reviewed in practice. A control is listed against a risk, but there is no structured process to test whether the control actually works, who last reviewed it, or what evidence supports its effectiveness.
  • Committee papers compiled manually from disconnected sources. Risk reports, assurance maps and compliance updates are assembled by hand before each meeting. The process is slow, error-prone and dependent on individual knowledge.
  • No clear audit trail. If a regulator, auditor or governing body member asks "show me the evidence that this risk is managed," the answer often involves searching through emails, shared drives, and meeting minutes - not pulling a single linked record.
  • Weak linkage between risks, controls, evidence and oversight. A risk might sit on the register. A control might sit in a policy. Evidence might sit in a folder. The committee report might reference all three. But nothing connects them in a way that can be quickly verified or audited.
  • Inconsistent ownership. Risk owners are named, but ownership is passive - nobody is prompted to review, nobody is reminded to update, and the committee only finds out something has lapsed when it comes up in a report or an audit finding.

The Core Problem

Policy Without Operating Discipline Is Not Governance

A well-written risk appetite statement, a comprehensive risk register, and a clear committee structure are necessary - but they are not sufficient. Governance is only effective when risks are actively owned, controls are regularly tested, evidence is linked and current, and assurance flows through to the right people at the right time. Without that operating discipline, the framework is a document, not a process.

What a More Robust Setup Looks Like

Fixing this does not require a complete transformation of a university's governance structure. In most cases, the structure is sound. What needs to change is the operating layer beneath it - the way risks, controls, evidence and reporting actually flow through the institution day-to-day.

A more robust operating model has a few consistent features:

  • Clear, active ownership. Every risk and every control has a named owner who is prompted to review on a defined cycle. Ownership is not a label - it triggers action.
  • Consistent review cycles. Risks and controls are reviewed on a regular cadence, not just ahead of committee meetings. The institution has a standing rhythm that keeps the risk picture current.
  • Linked controls and evidence. Each risk is connected to the controls that manage it, and each control is connected to the evidence that supports its effectiveness. There is no gap between what is claimed and what can be demonstrated.
  • Easier committee reporting. Reports to audit committee, risk committee and the governing body are generated from the same underlying data - not rebuilt from scratch each quarter. Consistency is structural, not dependent on who compiles the paper.
  • Stronger audit trail. Every change to a risk, control or assessment is logged. When internal audit or an external reviewer asks for evidence, it is immediately accessible - not buried in a shared drive.

This is the kind of operational foundation that platforms like Initia are designed to provide. Not as a layer of additional complexity, but as a way to make the governance processes that already exist work more reliably - with less manual effort, less dependence on individual knowledge, and a clearer evidence trail for everyone who needs it.

For a deeper look at how to structure risk ownership so it actually works, see our guide on how to create real risk ownership. And for the committee reporting side, see how to produce board-ready risk reports.

Practical Checklist for Heads of Risk

A scannable reference for university risk and compliance leads. This is not exhaustive - it is designed to surface the gaps that matter most.

  1. OfS conditions: Can we demonstrate ongoing compliance with each OfS registration condition - not just at the point of registration, but now?
  2. Governance principles: Can the governing body evidence that public interest governance principles are embedded in decision-making - not just stated in a document?
  3. Student protection: Do we have clear control ownership over course information accuracy, contract fairness and complaint handling - with evidence of regular review?
  4. Financial sustainability: Has the board specifically considered the impact of cost reductions on risk management, internal audit and governance support functions?
  5. Risk appetite: Has the governing body defined and documented risk appetite - and does the executive use it to guide operational decisions?
  6. Audit committee scope: Does the audit committee agenda cover governance, culture, risk management and institutional effectiveness - or is it dominated by financial controls?
  7. Risk ownership: Is every strategic risk actively owned by a named individual who reviews it on a defined cycle - or is ownership nominal?
  8. Control effectiveness: For each key control, can we show when it was last tested, by whom, and what evidence supports its effectiveness?
  9. Data protection: Do we have a tested breach reporting process that can meet the 72-hour window from becoming aware of a breach - including a fast assessment of whether it is notifiable, a record of that decision, and staff who know how to trigger it?
  10. Freedom of information: Are FOI requests tracked centrally, answered within the 20 working day statutory timescale, and managed with clear records of what was disclosed or withheld?
  11. Cyber resilience: Does cyber risk appear on the strategic risk register with defined controls, named ownership, and assurance reporting to the governing body?
  12. Prevent duty: Is the Prevent duty risk assessment current, with clear controls and evidence of staff training?
  13. Freedom of speech: Have the new freedom of speech and academic freedom requirements been mapped into the institution's risk and compliance framework?
  14. Foreign interference: Has the institution assessed its exposure to foreign interference risks across research partnerships, funding and governance - in line with the February 2026 guidance?
  15. Committee reporting: Are risk and assurance reports generated from a single source of truth - or rebuilt from spreadsheets and emails before each meeting?
  16. Audit trail: If an auditor asks to see the full history of a strategic risk - every change, every review, every decision - can we produce it immediately?

The Bottom Line

English universities are expected to evidence effective governance, sound decision-making, student protection, financial resilience, information governance, and increasingly, controls over cyber, speech and research-security risks. Most institutions have the policies and the frameworks. What many still lack is the operating discipline to demonstrate, consistently and under pressure, that those frameworks are actually working.

That gap - between policy and evidence, between framework and practice - is where risk and compliance teams either build credibility or lose it. Closing it does not require a governance transformation. It requires a better operating layer: one that connects risks to controls, controls to evidence, and evidence to the committees and boards that need to see it.

If you are looking to build that operating layer, we would welcome a conversation.
