Guidance

Risk assessment and action planning for Prevent in higher education (HE): notes for trainers

Published 22 June 2021

These notes support the points in the Risk assessment and action planning for Prevent in higher education (HE): PowerPoint presentation. The experience and expertise of the group regarding the principles of risk management and Prevent should be considered before delivering this training.

Introduction

When delivering the training, you may wish to add in references to provider documents or processes to give additional clarity and guidance to your trainees. You may also choose to use this text as the basis of a handout.

Top tips for delivering this training

  1. Apply the same principles you would to all training activities – know your audience, identify their training needs, plan your approach carefully, develop a communication plan so that staff understand the purpose of the training, and why they should engage with it.
  2. Be open and transparent – recognise that staff will have preconceptions and concerns about Prevent, draw these out and address them at the start of face-to-face sessions. This can work well as an icebreaker.
  3. Involve staff and students in discussions about training, working in partnership with staff and student representatives. Use both existing mechanisms (committees, staff-student liaison groups, departmental meetings) and any Prevent-specific mechanisms in place.
  4. Think how you can use the expertise of other specialists in Prevent training – data protection and FOI officers. For example, bringing in equality and diversity officers can help staff understand how Prevent interacts with equality and diversity legislation.

Title slide

Introduce yourself and ask attendees to explain their responsibilities in relation to Prevent.

An image of slide 1: what's required?

What is required?

Relevant higher education bodies (RHEBs) are, in accordance with legislative requirements under section 26(1) Counter Terrorism and Security Act 2015 (CTSA), required to have “due regard to the need to prevent people from being drawn into terrorism”. (RHEBs are providers that are subject to Prevent Duty monitoring.)

Guidance relating to the Prevent Duty (the Duty) produced by the Home Secretary, outlines important considerations for RHEBs including the requirement to conduct a risk assessment: “RHEBs will be expected to carry out a risk assessment for their institution which assesses where and how their students might be at risk of being drawn into terrorism” (paragraph 19, HE guidance for England and Wales).

The HE guidance also explains that “any institution that identifies a risk should develop a Prevent action plan to set out the actions they will take to mitigate this risk” (paragraph 21, HE guidance for England and Wales).

It is important that RHEBs first undertake a risk assessment and any mitigating actions should be later identified to mitigate those risks. Although some actions may seem obvious, it is important to ensure that they and the priority given to them are determined by an effective risk assessment. RHEBs compliance with the Duty is determined by the sector regulator, the Office for Students (OfS) for RHEBs in England and HEFCW for RHEBs in Wales.

Help and support for this is available from the Department for Education’s regional Prevent co-ordinators. This session will look in more detail at the wider requirements of the guidance.

An image of slide 2: understanding the law

Understanding the law

The CTSA places clear obligations on institutions. You are expected to understand the meaning of “due regard” and how to identify risks. The emphasis on due regard and a proportionate response means that effective risk management is the key to success.

A risk management process allows each institution to consider its own unique situation, balance issues of concern, and to develop and implement the necessary responses at the appropriate level. When doing so, there are many (sometimes competing) issues to take into account, including how the Prevent Duty relates to your other legal obligations – equality and diversity, freedom of speech, data protection, and so on.

Note: These aspects are covered more fully in a separate component of this training.

An image of slide 3: understanding the compliance requirements

Understanding the compliance requirements

Check the existing structures and policies in place within your organisation, whilst keeping in mind that what you are able to do depends on the resources you have in place (this includes staffing).

When reviewing your resources consider:

  • how developed are your processes?
  • how aware and cooperative are your people at all levels?
  • does your institution and its ways of working facilitate or make Prevent activity more difficult?
An image of slide 4: a thorough and dynamic action plan

Brief and plan early – anticipate

The action plan should anticipate, manage, and mitigate the risks related to Prevent, which should be considered in the context of wider business needs and priorities. The risk management process must ensure that risks are identified but that the required organisational capability to anticipate and manage risks is in place at all levels and in the appropriate departments.

It is important to be clear on regulator submission requirements and timescales. This needs to factor in the necessary governing body or the proprietor of the provider approval and sign off through established RHEB processes.

A thorough and dynamic action plan (slide 1 of 2)

Your action plan will be driven by the risk analysis. In all organisations, particularly RHEBs, there are various elements that will be the responsibility of separate departments or managers.

An effective risk assessment and action plan relies upon cooperation across many parts of the RHEB, involving people from a wide range of disciplines and skills. Effective implementation of such a complex and multi-tiered approach is often referred to as a “whole organisation” approach, allocating identified risks with those best placed to manage them – risk owners. To be effective, risk owners should be well briefed and have a good understanding of the part they play in the broader plan.

When the Duty was first introduced, many RHEBs set up Prevent teams, often with wider safeguarding and welfare responsibilities, as well as steering groups to implement the Duty. Providers will have different bodies and/or leads for Prevent but should continue to bring together people from across the organisation, including those from student and staff representative bodies, to establish (if a new entrant) or regularly update their risk assessment and action plan.

It may be useful to consider other aspects of the government’s Counter-Terrorism strategy, CONTEST, to ensure that aspects not strictly within the remit of Prevent are considered in an integral and efficient manner. (Prevent is one of the 4 strands of CONTEST, there is also Protect, Prepare and Pursue). Regional Prevent co-ordinators are well placed to assist with the development of this.

An image of slide 5: what to include in the action plan

A thorough and dynamic action plan (slide 2 of 2)

Your risk assessment and action plan (they can be separate or a combined document, it’s your choice) should include details of responsibilities and timescales. It should be updated at specified and agreed times throughout the year and in response to shifts in risk and other influences such as changes to organisational structure and external factors.

An example is offered to you in this module so that you can consider how to develop your own. This is an example, not a template, and offers some indication of the level of detail and analysis that needs to be considered as a starting point for your implementation of effective Prevent risk management.

The Department for Education’s regional Prevent co-ordinators can assist in the development of a risk assessment and action plan. Whatever structure and method you use – it should be centrally coordinated, with ownership and the associated responsibilities clearly spelled out and agreed.

An image of slide 6: getting the balance right, slide 1 of 2

Getting the balance right

Institutions are expected not only to conduct a risk assessment related to the overall risk of people being drawn into terrorism, but also to devise an action plan to mitigate any identified risk. Both the risk assessment and action plan provide an updatable point of reference and guidance for the institution when working to meet its duties in accordance with the CTSA, Prevent Duty, and any other relevant laws and regulations. It is important that your risk assessment and action plan are not only focused on internal matters but consider wider external factors which influence the risks and ultimately processes. This means you should expect to need to update both the risk assessment and action plan regularly throughout the year.

When creating and updating your risk assessment and action plan, as well as designing associated policies and processes, it is paramount to consider proportionality. The Prevent Duty guidance for RHEBs in England and Wales specifically directs that all mitigations be a proportionate response to the risks identified. It is important that the actions taken by the RHEB are neither sensationalist nor excessive and must be aligned with organisational culture, context, priorities, and the risk itself. A good example of where this is particularly difficult is found in the requirement to uphold the principles of academic freedom and freedom of speech within the law, whilst ensuring the RHEB’s care of duty to its students, staff and the broader community are adequately considered.

Whatever the identified risk, the optimal method for ensuring balance is by developing plans that are based on well evidenced and clear understanding of the risks, and of the processes that need to be considered to manage them.

Note: Another component in this series deals specifically with freedom of speech and external speaker events.

An image of slide 7: getting the balance right, side 2 of 2

Questions and discussion so far

We will now move onto discussing how we conduct risk management in the context of Prevent.

Capture everything you can

When considering the overall risk profile for your institution, it is important to utilise internal and external sources of information to capture as many potential risks as possible under appropriate headings in your risk assessment and action plan.

The Prevent Duty guidance for RHEBs in England and Wales provides some headings which you may find useful when writing your risk assessment and action plan, for example, effective partnerships, staff training, and IT policies. However, you do not have to use these, and your headings should be relevant to your organisation. If you do choose to use the headings from the HE guidance document, you may find they need adjusting to suit your institutional needs – this is fine. For example, it is common for larger universities to have a chaplaincy service (hence the section ‘Welfare and pastoral care or chaplaincy support’) but this may not be the case for smaller institutions or providers. The HE guidance does not mean that you have to have a chaplaincy, nor do you need to have a specific chaplaincy section in your action plan. However, the need for adequate and inclusive pastoral care is a must, and so you may choose to use the heading ‘Welfare and pastoral care’.

When writing your document, you should spend some time to identify the risks that are relevant to your institution. Be sure to include as much information as is necessary to make your risk assessment and action plan useful documents.

Remember, these are key documents that RHEBs have to submit to the OfS, and which any RHEB may be required to produce on request for example as part of a Prevent Review Meeting (PRM).

An image of slide 8: capture everything you can

Things change

Another important and essential issue that you will need to think about is the dynamic nature of risk that we have mentioned already. Each of the risks will change and develop over time and the assessment, management, and action plans that you put in place will require constant and regular review and updating.

Examples of issues that would likely affect changes to your risk profile may include:

  • changes to your own organisational profile
  • workforce and student cohort changes – this may depend upon your location, operating environment or even the type of course or programme that you deliver
  • a change in the general terrorist threat level and local, national and international incidences of radicalisation and terrorist incidents and events
An image of slide 9: things change

Risk assessment drivers

As noted in slide 9, the Prevent Duty HE guidance outlines some areas that may be considered potential and relevant drivers of risk. While each institution will be different and your risk register may be configured in your own idiosyncratic way, the following areas provide a useful risk register framework. For example:

  • effective partnerships
  • external speakers and events
  • IT including the viewing, retention and dissemination of terrorism related material
  • staff training
  • welfare, pastoral support and faith facilities

These are broad risk register headings under which you will be able to develop the detailed consideration of risk indicators, the level of the risk itself, as well as the controls, mitigation targets, and ‘ownership’ responsibility for its management. They are not the only areas that you may identify.

An image of slide 10: risk assessment drivers

Risk: effective partnerships

Refer to paragraphs 16 to18 of the HE guidance. The HE guidance recognises the importance of effective partnerships, both internal and external. Whilst internal partnerships are usually easier to define and their inclusion represents a whole organisation approach, external partnerships may not always be so clear.

Whilst recognising that areas and regions may differ, external partnerships will often include:

Department for Education regional Prevent co-ordinators

DfE regional Prevent co-ordinators understand local issues and can provide links to local and regional networks as well as Prevent boards, where they exist. They will have access to important local or regional contextual information including threat picture and important interpretation of how this may impact RHEBs. They will also be able to provide a way for you to ask further questions and to obtain clarity on issues that you do not understand. In addition, regional co-ordinators host sector specific networks providing a range of opportunities for sharing good practice and highlighting issues of concern.

Local authority Prevent co-ordinators

Local authority Prevent co-ordinators support communities to understand the local risks of radicalisation. Co-ordinators may be engaged in the management of Prevent Boards and the Channel support scheme.

Local police Prevent teams

Local police Prevent teams often provide access to briefings regarding terrorism threat and associated events. They work to increase understanding of how this may impact upon local communities and RHEBs.

An image of slide 11: risk - effective partnerships

Risk: external speakers and events

Refer to paragraphs 7 to 15 of the HE guidance, stating that:

  • RHEBs are required to have in place policies and procedures for the assessment and management of RHEB or student union branded events held on and off campus, as well as online, where the event features an external speaker. It may surprise colleagues to learn that this requirement is not new and has been an expectation of higher education bodies since the Education (No.2) Act 1986
  • such policies should consider events and activities for staff, students, visitors, and any other stakeholders. Recognising the many stakeholder groups, RHEBs may require different processes for different groups and event types. For example, commercial bookings, academic bookings
  • as previously noted, RHEBs need to balance their legal duties both in terms of ensuring freedom of speech and academic freedom, and also protecting student and staff welfare. The Prevent Duty requirements do not outweigh any other responsibilities and should be carefully considered alongside those other requirements. It is for this reason that RHEBs need to have effective systems for identifying events where there is a need to carry out due regard to Prevent people from being drawn into terrorism and carry out proportionate due diligence to assess the nature and extent of risks
  • regional Prevent co-ordinators can be useful contacts for identifying and assessing risks as well as advising on practical considerations that may assist in holding events safely
  • the increasing prevalence of external speaker events held online should form an important part of a RHEBs risk assessment and the development and sharing of effective practices in this regard is important in ensuring that free speech opportunities are safely maximised
  • the Students’ Union whilst not directly subject to the Prevent Duty is an important stakeholder in this regard. RHEBs and student bodies need to consult and work together to ensure policies and processes are aligned and that events are effectively managed. Remember, policies should set out what is expected from the student unions and societies in relation to Prevent including making clear the need to challenge extremist ideas which risk drawing people into terrorism

Please note that paragraph 11 of the HE guidance, which talks about balancing and mitigating risks, was subject to a judicial review decision in March 2019 – Butt v Secretary of State for the Home Department [2019] EWCA Civ. 256.

The statements in paragraph 11 that ‘an event must not be allowed to proceed if the RHEB is not entirely convinced that the risk, however small, of people being drawn into terrorism cannot be fully mitigated’, was considered unlawful by the Court of Appeal. This is because the statements are unconditional and do not permit RHEB’s to balance fairly their freedom of speech and prevent duties. The government is considering the ruling and will announce its next steps in due course, but for now being unable to fully mitigate risks should not mean an event is automatically cancelled.

An image of slide 12: risk - external speakers and events

Refer to paragraphs 27 to 28 of the HE guidance.

RHEBs are expected to:

  • have policies in place to manage the use of their IT equipment and online access. This usually takes the form of IT user acceptability policies or statements that explain to staff and students their responsibilities and limits on such use. Reference should be made in these materials to the statutory Prevent Duty
  • consider the use of filtering to restrict access to harmful online material. There is no firm requirement for this to be introduced only, that it be considered and decision making for or against recorded
  • have clear policies and procedures for students and staff working on sensitive or extremism-related research. When supporting and authorising research of this nature providers are expected to evidence adequate understanding and mitigations of potential risks, usually through ethics committees (or similar) consideration
An image of slide 13: risk - IT

Risk: staff training

Refer to paragraphs 22 to 24 of the Prevent Duty in HE guidance, stating that:

  • appropriate members of RHEB staff should be identified to undertake Prevent awareness training to help prevent against vulnerable individuals being drawn into terrorism
  • this training should provide staff with:
    • an understanding of the factors that make people support terrorist ideologies or engage in terrorist-related activity
    • be sufficient to enable them to recognise vulnerability to being drawn into terrorism
    • be aware of what action to take in response – this is usually a clear understanding of how to share any concerns internally within the RHEB
  • the RHEB must have clear pathways for consideration and referral of concerns regarding vulnerable individuals for external support to the Channel programme
  • the Channel programme is a multi-agency, local authority led programme of support for individuals assessed to be at risk. Individuals engaging with this scheme must always consent to do so
An image of slide 14: risk - staff training

Risk: welfare, pastoral support and faith facilities

Refer to paragraphs 25 to 26 of the Prevent Duty in HE guidance, stating that:

  • the HE guidance outlines an expectation that there will be provision of adequate and effective welfare and pastoral support and that this will be signposted and accessible to all students. It is therefore important that the risk assessment and action captures the likely demand for such facilities which will be intrinsically linked to a clear understanding of the student demographic
  • the Prevent Duty does not create a mandate for the provision of facilities for any faith where they do not already exist or are not required. Where prayer and other faith related facilities are available, organisations must have policies and practices to ensure effective oversight of their use. Anecdotal evidence suggests that it is ineffective supervision of the use of such premises that has led to risks relevant to the Prevent Duty. Staff tasked with such roles require a clear understanding of their role and how they should carry this out
  • when designing processes to manage issues that might arise from the use of such facilities, it is common for organisations to utilise the specialist knowledge that an oversight committee can provide
An image of slide 15: risk - welfare, pastoral support and chaplaincy services

Consequential risk

The further issue to consider when putting in place and compiling risk registers, management, and action plans, is to ensure that consequential risks are also limited.

Consequential risks are those which affect either us or others around us as a result of the initial risk having a further impact, or because we have failed to mitigate that initial risk effectively.

Consequential risks can be caused by our own process failures, changes in the risk itself, or as a result of the actions we take when attempting to manage primary risks. For that reason, it is important to give serious consideration to what consequential risks may be present and how to mitigate them. It is equally important that once these consequential risks and appropriate mitigations have been identified that you make the relevant stakeholders aware. Therefore, it is necessary to move away from the concept of Prevent risk management as a simple, one-dimensional, or once only activity, and to one which acknowledges a range of associated risks to be managed.

Prevent risk management involves a significant degree of thought, anticipation, and planning, as well as an ability to follow processes and procedures that are well thought out and practised. Adequate anticipation of the challenges that identified risks bring, will ensure that your processes are designed in such a way as to maintain a degree of flexibility.

An image of slide 16: consequential risk

Issues of consequential risk

Consider the effect of actions that you do or do not take on your:

  • students and employees – suspicion, fear, mistrust, increasingly vociferous activism, campaigns, breakdown of tutor/student relationships, increased adverse publicity
  • local community – mistrust, especially if you recruit regionally or locally, targeting for campaigns or activism
  • business partners – wish to become disassociated, withdrawal from partnerships, attitude to interns and work placement students
  • educational partners – impact on their Prevent Duty compliance
  • student and staff recruitment – including internationally
  • overly bureaucratic and burdensome approach – implementation of policies and processes which stifle work and effectiveness. This is especially important in relation to freedom of speech and academic freedom requirements which could unwittingly be suppressed due to confusing and unnecessarily complex policy requirements
An image of slide 17: issues of consequential risk, slide 1 of 2

Issues of consequential risk

Risk of failure to comply with CTSA:

Government sanctions

There may be issues that arise in the medium and long term from failure to comply with the CTSA, and to assure the OfS or HEFCW (in Wales) that the institution has taken the appropriate approach to implementation of the Prevent Duty throughout the organisation. This may also include circumstances where an RHEB has made a deliberate decision to avoid compliance (rather than one that has been caused by an inability to comply due to resource or other problems). Where such failings are recognised, and in the absence of corrective action, the OfS will ultimately notify the Secretary of State for Education. In Wales, HEFCW may inform the Home Office and the Welsh government if a provider is found to not be demonstrating due regard to the Duty.

Litigation

Where the organisation could and should have prevented extremist activity from taking place and failed to do so through negligence, it is possible that individuals affected could litigate against the institution.

It may also be the case that implementation of poorly thought through policies and processes results in litigation due to their impact on individuals and organisations. Section 26(1) of the CTSA sets out the legal requirement for RHEBs to have due regard to the need to prevent people from being drawn into terrorism and the Prevent Duty guidance for higher education institutions in England and Wales provides information on how to meet this requirement. However, neither is prescriptive and institutions are free to decide how best to implement the Prevent Duty in their own setting. This leaves for the possibility of a failing to comply with the CTSA in full by giving inadequate attention to what is needed in your organisation, or through deviation from the guidance and legislation. A failing of this nature may open the organisation to litigation from those affected by the poor implementation. For example, those who feel they have been unduly targeted by policy.

An image of slide 18: issues of consequential risk, slide 2 of 2

Summary

Every organisation is different, and the Prevent related actions required to comply with the need to have due regard to prevent people from being drawn into terrorism will vary accordingly.

In summary, providers should:

  • understand the law, compliance requirements, the threat (local, national, international), and your own institution
  • conduct a thorough, dynamic risk analysis (and repeat this as agreed) which fits with point a)
  • check the in-place structures and policies and consult across the organisation on capability and responsibilities
  • put in place a thorough, dynamic action plan, communicate this and other requirements internally and externally, and ensure it is timebound with specified review or completion dates
  • maintain a balanced view – do not dramatise issues (but don’t downplay the importance of critical ones either)
  • match your risk analysis and action plan and be sure to make sure these align with the broader, institutional risk register
  • balance risk against proportionality

From here, you will be able to consider the construction of your own risk assessment and action plan in line with the Prevent Duty.

An image of slide 19: summary

Questions and discussion

Trainers should use this section to discuss and clarify questions and issues. It is useful to have the relevant guidance documents to hand.

With this component there is also a slide set providing practical advice on the creation of a Prevent risk assessment and action plan (again these can be and often are a single document).