Information Risk Management Group - Terms of Reference
Approved by the Board: January 2020; Next Review: January 2021
The Terms of Reference for the Information Risk Management Group (IRMG) were agreed by the Medical Sciences Divisional Board as follows:
1. Membership
The Membership of the IRMG should remain small and multi-disciplinary. The Group’s tasks include operational and coordinating activities as well as strategic advice. The initial membership of the Group is as set out below. Membership may be changed from time to time by approval of MSD Board.
- Head of Commercial Strategy and Risk, MSD (Chair)
- Data Privacy Coordinator, MSD (Secretary)
- Director of MSD IT Services
- NDM Compliance Manager
- Security, Governance, Risk and Compliance Officer, IT Services
2. Interaction with other Committees and Groups
- The IRMG will report to MSD Board on its activities and on the current Risk Analysis status twice in each academic year.
- The Information Risk Advisory Group (IRAG) will report to the IRMG on a termly basis, following each of IRAG’s meetings, to provide input from across the Division on emerging risks relating to information governance and relevant proposals for improvement.
- The IRMG will represent the Division at the University Joint Information Security Advisory Group (JISAG), referring critical issues to JISAG and receiving formal or informal guidance from it.
- To raise and maintain awareness of information governance as a fundamental element of good organisational governance and integrity in research;
- To provide assessments, advice, guidance and recommendations to the MSD Board on managing information governance risks;
- To embed information governance policy, procedure and processes across the Division, achieving consistency unless this is incompatible with local requirements;
- To encourage a culture of information governance across the Division that enables compliance with regulatory and procedural obligations to be clearly demonstrated;
- To support work towards a higher level of information governance maturity to enable proactive use of information for strategic planning purposes;
- To review the processes used across MSD for the delivery of training and advice on information governance requirements and risks;
- To provide assurance, through audit and other review activities, on the satisfactory maintenance of information governance standards across the Division; and
- To foster a culture of continuous improvement through ‘lessons learned’ and other appropriate means.
- To compile, review and maintain an information governance risk analysis relevant to the Division on behalf of the Board;
- To identify priority projects to mitigate information governance risks in the Division and scope, seek approval for and undertake such projects;
- To identify gaps in information governance which require central University action and support central functions to deliver solutions;
- To create and support a community of information governance professionals across the Division;
- To plan training programmes for relevant staff groups and seek appropriate resource to implement training programmes where not centrally provided;
- To plan and implement audit and review activities to test the effectiveness of information governance and selected projects; and
- To assess the Division’s business continuity plans and advise the Board on their adequacy with regard to information governance requirements.