
Risk Management Policy


Section 1 - Purpose, Scope and Definitions

Purpose

(1) The purpose of this Policy is to ensure that Risks to the University, its strategic plan or its objectives are identified, analysed and appropriately managed. It does this by creating a framework based on the Australia/New Zealand Standard for Risk Management (AS/NZS ISO 31000:2009) that includes:

  1. processes for the identification and management of University risks;
  2. accountabilities and responsibilities for Risk Management activities; and
  3. communication, monitoring and review mechanisms to ensure that the University's Risk Management activities continuously improve and are responsive to change.

(2) The framework established by this Policy is not intended to eliminate Risk but rather provide structures to support the management of Risks to the University in order to:

  1. maximise opportunities;
  2. minimise adversity;
  3. inform decision making and achieve improved outcomes and outputs;
  4. assist in safeguarding the University's assets, staff, students, finances, property and reputation;
  5. improve the quality of decision making; and
  6. reduce costs through better targeted and more effective controls.

Scope

(3) This Policy applies to:

  1. Council members;
  2. staff of the University and its Controlled Entities and partnerships;
  3. contractors; and
  4. adjuncts.

Definitions

(4) This Policy uses the following definitions:

  1. Major Project means a project deemed by the Vice Chancellor to have the capacity to materially affect the University's operations or ability to achieve its objectives.
  2. Risk is the effect of uncertainty on objectives. The level of Risk is measured in terms of Consequence and Likelihood.
  3. Risk Management means a coordinated activity (or activities) to direct and control the University with regard to Risk.
  4. Risk Management Action Plan means a document maintained by the Risk Manager on behalf of the Audit and Risk Management Committee through which the Committee can retain oversight of Risk issues that are not already reported to the Committee through the reporting processes established by this Policy, as described in Appendix C.
  5. Risk Management Framework means all of the policy, governance and practical structures put in place by the University to manage Risk and includes this Policy, the documentation established by it, the University's policies for managing disruption-related risk (such as the Critical Incident Policy and Business Continuity Management Policy) and Work Health and Safety-related policies.

Section 2 - Policy Statement

(5) Risk, and Risk Management, is considered in decision-making at all levels of the University.

(6) The University's management of Risk is proportionate to the ability of the Risk to cause harm to or promote the University and its objectives, regardless of the level of financial exposure associated with it. This means that all of the following must be tailored to the Risk being managed:

  1. the seniority at which decisions are made about managing the Risk and at which oversight occurs;
  2. the comprehensiveness of investigation and consideration of the context, and assessment of the Risk;
  3. the volume of resources (human and otherwise) allocated to managing the Risk;
  4. the number and level of detail of records to be made and kept to document management of the Risk; and
  5. the formality of the monitoring and review processes, and the internal and external communication required.

(7) The Risk Management Framework will be reviewed at least every 5 years to ensure it is fit for purpose.

Section 3 - Responsibilities

General

(8) All staff are responsible for University Risk Management and will comply with the Risk Management Framework, including this Policy. This includes:

  1. understanding the University's objectives and the role that their work unit (or controlled entity) plays in achieving those objectives;
  2. understanding their role in the University and the Risk context relevant to that role;
  3. conducting proportionate Risk Management (see clause 6) appropriate to one's role; and
  4. escalating and reporting significant Risks, or significant changes to the Risk context, to their line manager or, if there is a specific area of the University responsible for oversight of the Risk, to that area.

(9) If a Risk or Risk Management matter is escalated to a staff member in accordance with this Policy, that staff member must provide timely feedback to the reporter about any action intended or taken on that matter.

(10) All staff with line management responsibilities must ensure that Risk Management plays a role in performance management of direct reports.

Council

(11) Council is responsible for overseeing University Risk Management. This includes:

  1. developing and endorsing the University's Risk Management Framework;
  2. approving major decisions that may affect the University's risk profile or exposure; and
  3. annually endorsing the Strategic Risk Register.

Audit and Risk Management Committee

(12) The Audit and Risk Management Committee's role and obligations are outlined in its Terms of Reference. Among other things, this involves:

  1. satisfying itself that the University and any controlled entities have appropriate strategies in place to manage their Risks, and reporting its findings back to Council;
  2. considering reports and information from various sources about Risk and Risk Management at the University and reporting on those to Council;
  3. overseeing planning of internal audit activity, including approving the internal audit schedule; and
  4. providing strategic advice to the Vice Chancellor about the University's Risk Management.

Vice Chancellor

(13) The Vice Chancellor is responsible for:

  1. ensuring that the Risk Management Framework is implemented, communicated and complied with;
  2. ensuring that a Strategic Risk Register is developed each time Council approves a new Strategic Plan and that the Register is reviewed, at least annually;
  3. overseeing management of Strategic Risks by members of the Executive Group and reporting on that to each Audit and Risk Management Committee meeting;
  4. proposing an internal audit schedule to the Audit and Risk Committee for consideration, having regard to the University's objectives and Risks; and
  5. designating projects to be Major Projects and informing the Executive, the Major Project Manager and the Risk Manager of that designation.

Vice Chancellor's Executive Group

(14) Members of the Vice Chancellor's Executive Group are responsible for:

  1. managing, and reporting to the Vice Chancellor on, any strategic Risks that they own;
  2. responding to, and actioning (if appropriate), internal (and external) audit recommendations and items recorded in the Risk Management Action Plan; and
  3. ensuring that key strategic, operational and Major Project Risks within their areas of responsibility are identified, documented and communicated internally.

Heads of Work Units and Directors of Controlled Entities

(15) Heads of work unit and directors of University controlled entities are responsible for Risk Management by their work unit or controlled entity including:

  1. implementing, and ensuring compliance with, this Policy within the work unit or controlled entity; and
  2. maintaining an Operational Risk Register for their work unit or controlled entity, that is reviewed at least annually and sent to the Risk Manager annually for collation.

Project Managers

(16) Managers of Major Projects are responsible for Risk Management of their Major Projects including:

  1. building appropriate Risk Management into their project planning, activities and documentation; and
  2. maintaining a Risk register for the Major Project that is regularly reviewed and sent to the Risk Manager annually for collation.

Manager, Insurance and Risk

(17) The Manager Insurance and Risk is responsible for:

  1. managing the Strategic Risk Register process, as directed by the Vice Chancellor;
  2. collating Operational and Major Project Risk Registers annually, providing register owners with feedback to ensure standardisation and making recommendations to the Vice Chancellor about any Risks that the Risk Manager believes should be escalated to the Strategic Risk Register;
  3. providing tools, advice and support to facilitate effective Risk Management including:
    1. monitoring and distributing information about the University's risk environment to the Executive Group, Audit and Risk Management Committee and other internal stakeholders; and
    2. maintaining Risk registers, Risk assessments and Risk Management plan templates on the University's Risk website;
  4. compiling, on behalf of the Vice Chancellor, the Executive Group's update to each Audit and Risk Management Committee meeting about management of strategic Risks;
  5. reporting to the Audit and Risk Management Committee on the Risk Management Action Plan (if in existence) and about any other relevant Risk matters; and
  6. reviewing this Policy and the Risk Management Framework in accordance with clause 7.

Section 4 - Procedures

(18) The University assesses Risk using the Risk Matrix and Descriptors approved by Council (Appendix B).

(19) Risks with the potential to affect the University's ability to achieve its objectives must be managed using the Risk Management process (Appendix A). Less significant Risks may be managed using the whole or part of that process, provided that management of the Risk is proportionate to the ability of the Risk to cause harm to or promote the interests of the University, as described in clause 6.

(20) Information about Risks and Risk Management must be reported to decision makers, advisers and oversight bodies through regular and ad hoc reporting channels as described in Appendix C.

Risk Assessments and Management Plans

(21) Wherever an activity, function or decision has the capacity to affect the University's operations or ability to achieve its objectives, a Risk assessment is required before a decision can be made on whether to proceed with or withdraw from the activity, or to escalate the Risk.

(22) The person or body responsible for the activity, function or decision must ensure that the Risks involved are assessed, documented and managed in accordance with clause 6. In the case of Strategic Risks, Major Project Risks and other Risks with the potential to affect the University's ability to achieve its strategic objectives, this must also involve developing a written plan on how Risks will be managed.

(23) The Risk Manager will publish template Risk assessments and management plans on the University's Risk website.

Operational and Major Project Risk Registers

(24) Each work unit, and each controlled entity, will maintain an Operational Risk Register comprised of Risks to the work unit or controlled entity's operations. Each Risk in the Operational Risk Register must be allocated a Risk owner responsible for managing, monitoring and reporting on the Risk.

(25) The project manager of each Major Project will maintain a register of Risks to the Major Project, each allocated to a Risk owner responsible for managing, monitoring and reporting on the Risk.

(26) The Risk Manager annually collates all Operational and Major Project Risk Registers. The Risk Manager will provide feedback to Register owners to ensure consistency in University documentation and make recommendations to the Vice Chancellor about any Risks they believe should be elevated to the Strategic Risk Register.

Strategic Risk Register

(27) The University will maintain a Strategic Risk Register comprised of Risks to the University achieving its strategic objectives. Each Risk in the Strategic Risk Register will be owned by a member of the Vice Chancellor's Executive Group who will be responsible for managing, monitoring and reporting on the Risk.

(28) The University's Strategic Risk Register will be developed as per the process in Appendix D.

Risk Management Action Plan

(29) The Risk Manager will maintain a Risk Management Action Plan on behalf of the Audit and Risk Management Committee of Risk issues of interest to the Committee that are not already reported on through the processes described in Appendix C. The Committee may specify, from time to time, any items to be added to or removed from the Plan.