
Risk Management Policy


Section 1 - Purpose and Scope

(1) This Policy seeks to embed a Risk Management philosophy as part of the University's everyday working environment, by:

  1. implementing the Risk Management approach and general methodology specified in the Australia/New Zealand Standard for Risk Management AS/NZS ISO 31000:2009 ("the Standard");
  2. establishing a consistent approach to Risk Management in which Risks related to the objects and functions of the University will be identified, evaluated, managed, reviewed and addressed in approval, review and control processes;
  3. ensuring the University's compliance with relevant legislation;
  4. establishing the authorities and accountabilities of staff in relation to Risk Management activities;
  5. providing an agreed and structured basis for strategic planning; and
  6. requiring proactive rather than reactive Risk Management.

(2) This Policy and Procedure does not provide a means to eliminate Risk, but rather it provides the structural framework to effectively manage the Risks involved in all University activities in order to:

  1. maximise opportunities;
  2. minimise adversity;
  3. achieve improved University outcomes and outputs based on informed decision making;
  4. assist in safeguarding the University's assets, staff, students, finances, property and reputation;
  5. improve the quality of decision making throughout the University; and
  6. reduce costs through better targeted and more effective controls.

Scope

(3) This Policy applies to decision making through all levels of the University and in relation to any function or activity likely to have any significant impact on the University's operations, irrespective of the level of financial exposure.

(4) This Policy is applicable to all areas of the University and its Controlled Entities.

(5) All staff members of the University and its Controlled Entities must comply with this Policy in planning and when decisions are made including, but not limited to, the following:

  1. contracting (whether for goods, services or research) for an amount requiring Tender Board approval;
  2. academic consulting through the University, or its Controlled Entities;
  3. capital procurement including strategic IT initiatives;
  4. outsourcing, partnering or shared service arrangements of functions;
  5. new academic arrangements, whether onshore or offshore;
  6. community events held on University property or those sponsored by the University;
  7. undertaking University business in public places;
  8. co-operative research agreements and commercial and/or research arrangements with third parties;
  9. conducting clinical research and other clinical work;
  10. major fundraising activities;
  11. commercialisation of intellectual property;
  12. when developing new strategies, Rules, Policies and Procedures;
  13. when reviewing existing strategies, Rules, Policies and Procedures;
  14. when managing products;
  15. when introducing significant change; and
  16. in the management of sensitive issues.

Section 2 - Definitions

(6) The key definitions for this Policy are as follows:

  1. "Consequence" is the outcome of an event or situation affecting objectives, expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event (refer to the Risk Consequence Descriptors for examples).
  2. "Likelihood" is a qualitative description or synonym for probability or frequency; the chance of something happening (refer to the Risk Likelihood Descriptors for examples).
  3. "Operational Risk Register" means the central repository/record for all operational risks identified by an organisational unit or project.
  4. "Risk" is the effect of uncertainty on objectives. It is measured in terms of consequence and likelihood.
  5. "Risk Analysis" is the process used to comprehend the nature of risk and to determine the level of risk.
  6. "Risk Evaluation" is the process of comparing the results of Risk Analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. It is used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria (refer to the University's Risk Rating Matrix for example). Individual risks are rated according to a scale determined by the organisation and the rating is then compared against the organisation's predetermined risk rating matrix. The need for action and the urgency of such action is directed by this process.
  7. "Risk Management" means coordinated activities to direct and control an organisation with regard to risk.
  8. "Risk Management Process" is the systematic application of management policies, procedures and practices to the activities of:
    1. communicating;
    2. consulting;
    3. establishing the context; and
    4. identifying, analysing, evaluating, treating, monitoring and reviewing risks.
  9. "Risk Treatment" is the selection and implementation of appropriate options for modifying the risk which may involve one or more of the following strategies:
    1. avoiding the risk;
    2. taking or increasing risk in order to pursue an opportunity;
    3. removing the risk source;
    4. changing the likelihood of occurrence;
    5. changing the consequence of occurrence;
    6. transferring or sharing the risk (e.g. through contracts or insurance); and/or
    7. retaining the risk by informed decision.
  10. "Strategic Risk Register" means the central repository/record for all strategic risks identified by the University.

Section 3 - Policy Statement

(7) The University will manage Risks continuously using a step-by-step process involving the identification, analysis and evaluation, treatment, monitoring and review of risks as outlined in this Policy and the Risk Management Procedures.

(8) All University business processes, Commercial Activities and functions must adopt a Risk Management approach consistent with this Policy and Risk Management Procedures.

(9) Risk will be identified, assessed and managed by all employees, through supervisors and managers, appropriate to the level, and impact, of the risk.

Section 4 - Risk Management Procedures

Communication and Consultation

(10) Communication and consultation with external and internal stakeholders should take place during all stages of the risk management process.

Establish the Context

(11) Criteria against which Risk will be evaluated must be established at the outset. The criteria will relate to the objectives of the area being assessed; however, at a minimum the criteria must include:

  1. minimising adverse financial impact;
  2. maximising students' and staff's health and safety;
  3. minimising operational interruption;
  4. protecting reputation and image; and
  5. realising University objectives.

(12) Where applicable, some criteria will be imposed by, or derived from:

  1. legal and regulatory requirements and/or other requirements to which SCU subscribes;
  2. external factors such as the economic and competitive environment;
  3. internal factors such as SCU policies, culture, objectives and governance.

(13) Initial consideration must also be given to:

  1. how likelihood will be defined and measured;
  2. what level of risk is acceptable or tolerable.

Identification

(14) Once the context is identified, the following must be identified:

  1. risks (refer to the Guidelines for examples);
  2. significant causes of risk;
  3. significant areas of risk impact(s) (refer to the Guidelines for examples).

(15) Where appropriate, persons with relevant or specialist knowledge should be co-opted to participate in the identification process.

Preliminary Risk Analysis

(16) The range of potential consequences and how likely those consequences are to occur in the absence of any treatment plans or controls must be estimated and assessed. Staff may use the Risk Worksheet for this purpose.

Preliminary Risk Evaluation

(17) Using the Risk Worksheet, an Inherent Risk Rating must be assigned to each identified risk by multiplying the Risk Likelihood by the Risk Consequences (refer to the Risk Likelihood Descriptors, Risk Consequence Descriptors and Risk Rating Matrix, and compare against the criteria established at the outset of this process). At this stage, do not account for any treatment plan or controls.

  1. Where multiple Risk Consequences are identified, the highest Risk Consequence score must be used when determining the Risk Rating.

Risk Treatment and Controls

(18) Identify existing controls/treatment plans (using the Risk Worksheet). One or more of the following options for treating identified risks may be considered:

  1. avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  2. taking or increasing the risk in order to pursue an opportunity;
  3. removing the risk source;
  4. changing the likelihood of the risk occurring;
  5. changing the consequences should the risk occur;
  6. sharing the risk with another party or parties (including contracts and risk financing);
  7. retaining the risk by informed decision; and/or
  8. any other treatment deemed appropriate in the circumstances.

(19) The most appropriate Risk Treatment will be that which balances the costs and efforts of implementation against the benefits to be derived from an activity.

(20) Depending on the residual Risk Rating, treatment options may be applied individually or in combination.

Final Risk Analysis

(21) The range of potential consequences and how likely those consequences are to occur when treatment plans or controls are applied must be estimated and assessed using the Risk Worksheet.

Final Risk Evaluation

(22) Using the Risk Worksheet, a Residual Risk Rating must be assigned to each identified risk by multiplying the Risk Likelihood score by the Risk Consequences score, accounting for any treatment plan or controls (refer to clause (18)).

  1. Where multiple Risk Consequences are identified, the highest Risk Consequence score must be used when determining the Risk Rating.

(23) If the Residual Risk Rating remains unacceptably high, additional treatment or controls may be applied in accordance with clause (18).

Records Management

(24) Work Units must record identified risks in an Operational Risk Register.

(25) The Manager, Insurance and Risk Management will maintain a central Strategic Risk Register which records University wide risks and treatment plans.

(26) For each risk recorded within the Strategic Risk Register, the following must be recorded:

  1. Likelihood;
  2. Consequences; and
  3. Controls.

(27) For each risk recorded within an Operational Risk Register, the following must be recorded:

  1. Likelihood;
  2. Consequences;
  3. Controls; and
  4. Risk Owner.

Monitoring and Review

(28) Staff must continually monitor risks in the workplace.

(29) Work Units must systematically review risks contained in the Operational Risk Register every 6 - 12 months, to assess whether risks remain current and treatment plans remain effective.

(30) The Manager, Insurance and Risk Management must coordinate the University's review of the Strategic Risk Register on an annual basis.

Responsibilities

General

(31) Every staff member of the University is responsible for effective management of Risk, including the identification of potential Risks. Risk Management Processes should be integrated with other planning processes and management activities. All staff should actively participate in identifying potential Risks in their area of responsibility and operations and contribute to the implementation of appropriate treatment actions. This Policy does not relieve the University of its responsibility to comply with other legislation and/or regulations.

Vice Chancellor

(32) The Vice-Chancellor will be responsible, on behalf of the University Council, for ensuring that a Risk Management system is established, implemented and maintained in accordance with this Policy.

Audit and Risk Management Committee

(33) The Audit and Risk Management Committee of the University Council will be responsible for risk management as prescribed in its Terms of Reference.

Internal Audit

(34) The University's Internal Auditors will undertake reviews to ensure compliance against this Policy and provide regular reports to Executive and to Council through the Audit and Risk Management Committee.

Senior Executive

(35) The Executives of the University are accountable to the Vice-Chancellor for strategic Risk Management within areas under their control. The Senior Executives of the University will ensure Risk Management is embedded into the key controls and approval processes of all major business processes and functions of the University.

Heads of Work Units

(36) Heads of Work Units are accountable to their relevant Executive for:

  1. implementing and ensuring compliance with this Policy and associated Procedures within their respective areas of responsibility; and
  2. annually reporting on their risk management activities.

Manager, Insurance and Risk

(37) The Manager, Insurance and Risk will:

  1. provide ongoing professional development and educational support to accompany the implementation of this Policy; and
  2. ensure the Risk Management Procedures remain up to date and operationally effective.

Section 5 - Guidelines

Risk Examples

(38) In a tertiary institution context such as SCU, risks might include, but not be limited to:

  1. failure of an education program to attract and retain students;
  2. failure of a research or business project to reach objectives;
  3. student, staff or client dissatisfaction;
  4. a threat to the environment of the institution or elsewhere;
  5. a threat to the physical safety of persons within the campus;
  6. breaches of security;
  7. criminal, fraudulent or corrupt activities;
  8. poor management practices;
  9. damage to property;
  10. failure of essential services or business/administrative systems;
  11. changes to government funding and other policies;
  12. currency fluctuations;
  13. market competition, trade practices implications;
  14. legal risk, breach of contract;
  15. academic and research reputation;
  16. clinical trials and other clinical work;
  17. third party providers;
  18. community engaged learning;
  19. joint ventures, partnerships;
  20. intellectual property rights and copyright; and
  21. employment practices (e.g. tenure, casual employment etc.).