• Section 1 - Purpose and Scope
• Section 2 - Definitions 
• Section 3 - General Principles 
• Section 4 - Roles and Responsibilities 
• Section 5 - Records of Documentation   
• Section 6 - Revision and Approval History  
• Section 7 - References  
• Section 8 - Related Documents  

Section 1 - Purpose and Scope

(1) The purpose of this standard is to establish the requirements for the management of WHS Critical Risk Assurance at Southern Cross University (SCU). It outlines how SCU attains reasonable assurance over its system of internal control for WHS Critical Risk and forms part of the broader WHS Critical Risk Management Framework. 

(2) This standard serves as the foundation for an integrated WHS assurance approach, setting forth guiding principles and minimum requirements to ensure consistency across SCU. 

(3) This standard applies to all management of SCU. 

(4) This document outlines the minimum standards and provides guidance to be considered to ensure that WHS Critical Risk Assurance is appropriately managed.  

(5) Corporate and Enterprise Risk Assurance is outside the scope of this procedure, and assurance specific documents, where developed, will enhance this assurance process.  

Section 2 - Definitions 

Section 3 - General Principles 

(6) The WHS Critical Risk Assurance activities are a systematic and proactive approach to providing assurance to SCU and ensure the protection of employees and others as well as reduce reputational risk to SCU. It is centred on the activity of Critical Control Verification across three lines of defence and relies on numerous data sources including task and site inspections, review of documentation, and discussions with employees.  

(7) SCU has identified eighteen critical fatality risks based on university wide consultation: 

(8) Psychosocial critical risk management differs significantly from physical critical risk management due to the nature of the risks involved. Psychosocial risks are less visible than physical risks and stem from factors like design or management of work, workplace interactions and behaviours, plant and work environment.The process for determining psychosocial critical risks involves a more nuanced approach compared to physical risks. SCU has gathered qualitative and quantitative data, such as employee surveys, interviews, and incident reports, to identify areas of risk. The risks  and controls identified were then verified through consultation . This collaborative and iterative process that SCU has adopted will ensure that the controls implemented—such as leadership training, support systems, or changes to job design— effectively address the systemic causes. 

Risk Management 

(9) This Standard supports the management of WHS Critical risk through targeted and fit for purpose assurance activities that provides a level of confidence that objectives will be achieved within an acceptable level of risk. WHSMP15 Audit, Assurance and Action Management Procedure outlines the broader regime across all WHS risks at SCU. 

Assurance Principles 

(10) Assurance is an opportunity to learn, refocusing back to continuous improvement, and investigating success. 

(11) Assurance is an integral part of all organisational processes, not a stand-alone activity.  

(12) Assurance should add value and is part of risk management.  

(13) Assurance is aligned with the organisations external and internal context and risk profile.  

(14) Assurance is systematic, structured and timely, and contributes to efficiency and to consistent, comparable and reliable results.  

(15) Assurance is transparent and inclusive and involves appropriate and timely inclusion of relevant stakeholders to ensure that assurance remains relevant and up-to-date.  

(16) Assurance is an ongoing process that facilitates continuous improvement. It consists of assurance providers and management incorporating consistent and systematic processes into their day-to-day activities to monitor and assess control effectiveness.  

(17) Assurance activities are interdependent and inter-related and contribute to the application of the Three Lines of Defence model.  

(18) Effective assurance relies on a high-quality information environment, which means information about risk and levels of safety flows upwards to senior management to ensure they are fully informed. 

Three Lines of Defence model “the what”  

(19) The Three Lines of Defence model is applied to enable SCU to obtain assurance across the organisation in an efficient and effective manner. 

(20) Through the use of the Three Lines of Defence model, SCU has established an integrated model for assurance that facilitates a balance between control and assurance activities.  

1st Line of Defence: Operational Management 

(21) The 1st Line Assurance is made up of management and operational teams that directly oversee and are responsible for the day-to-day activities and the risks that arise from them. 

(22) 1st Line Assurance is so named because the employees are the first line of defence against risk and the most essential line of defence that addresses risk, and implements and verifies WHS critical controls continuously.  

(23) 1st Line Assurance teams record the verification of the control in RiskWare to confirm the presence and integrity of critical risk controls. This information forms the basis for critical control assurance by providing evidence that critical risks are being effectively managed. 

(24) For example, in the Remote and Isolated Work Critical Risk, one of the critical controls is ‘Issued Personal Location Beacons and Emergency Position-Indicating Radio Beacons are maintained as per Original Equipment Manufacturers (OEM) specifications and AS/NZS 4280’. For this control, 1st line assurance is achieved via critical control verification activity of reviewing records of employee training in the use of the equipment. Verification is conducted at a frequency of 6-monthly by the control owner. 

2nd Line of Defence: Risk Oversight 

(25) 2nd Line Assurance is comprised of the functions that provide WHS expertise, support and oversight to ensure effective risk management and control. These functions are independent from operations but remain part of the SCU management framework, working closely with the first line to monitor and improve WHS risk management processes.  

(26) 2nd Line Assurance is a process of forming and informing the existence, design, and application of controls and is completed by conducting a 12-monthly annual effectiveness test. 2nd Line Assurance should concentrate efforts on providing assurance around key controls which will include both the design and operation of the control.  

(27) 2nd Line Assurance must also support and guide the Head of Work Unit or control owner on their 1st Line Assurance activities. In turn, 2nd Line Assurance will rely on and leverage off the assurance activities conducted by 1st Line Assurance providers.  

3rd Line of Defence: Independent Assurance  

(28) 3rd Line Assurance is an independent (i.e., with separate reporting lines or are an external third-party expert) assurance function that evaluates the effectiveness of risk management and control. These functions are independent from operations but remain part of SCU’s management framework, working closely with the 1st Line Assurance teams to monitor and improve WHS risk management processes. 

(29) 3rd Line Assurance, through inspections and workforce consultation, checks and monitors the implementation and effectiveness of critical risk controls being tested by 1st Line Assurance teams, as well as the quality of assurance activities conducted by the 2nd Line Assurance teams. Separate reports and information about critical risk gives senior management insights regarding how well 1st Line Assurance activities are performing. 

(30) 3rd Line Assurance will be an external provider (for an additional level of independence and objectivity). 3rd Line Assurance provide assurance that the required controls to mitigate risks are effectively designed and operating as intended.  

(31) In order to be classified as 3rd Line Assurance activity, the following characteristics must be present:  

1. The auditor must be independent of the area audited  
2. A three-party relationship (auditor, responsible party, intended user of the report) must exist e.g. WHS procure an external auditor to conduct 3rd Line activities and an opening meeting is held with the Vice-Chancellor and Heads of Work Units. The final report is issued to the WHS team, Vice-Chancellor group and Heads of Work Units. 
3. Appropriate subject matter expertise and suitable criteria to audit against must exist  
4. Sufficient and appropriate evidence must exist  
5. A written assurance report must be produced and debriefed with the relevant 1st and/or 2nd Line Assurance teams 

Assurance activities “the how” 

(32) Assurance activities are “how” assurance is obtained and consist of performing a critical control verification or critical control audit (internal or external). . Each assurance activity provides a mechanism to assure controls. Each activity must be selected appropriately commensurate with the need, resources and time available. 

1st Line of Defence Assurance Activity 

(33) 1st Line of Defence assurance activities are primarily focused on verifying control application at the point of risk, and regular open and constructive conversations about WHS controls in the work unit. They are not designed to be as formally structured as 2nd and 3rd Lines of Defence and should be undertaken more frequently as stipulated in each of the Critical Risk Cause and Control Assessment documents. 1st Line of Defence assurance activities are the responsibility of line management. The outputs of 1st Line of Defence assurance activities are generally focused on verification at a site or workplace level with resultant actions managed locally in collaboration with the person/s completing the assurance activity. 1st Line of Defence assurance activities can also be related to 2nd Line of Defence activities by promoting key focus areas for the SCU to pay attention to, in preparation for 2nd Line of Defence activity such as the Annual Effectiveness Test. 

(34) For example, when employees engage in confined space entry activities, they must be issued all necessary equipment to lockout and retain control of isolations made to machinery or equipment they will be working on or in the vicinity of. In this instance, line management (as a 1st Line Defence assurance team) would check and verify that processes to issue such equipment are functioning as intended through periodic review of ‘records of issue’. 

Critical Control Verification Audits Interactions  

(35) Critical Control Verifications (CCV) are completed by the critical control owner, and are underpinned by open and constructive conversations examining both the failure and success with the control implementation. 

(36) The principles of an effective interactions are: 

1. Identify and reinforce positive safety behaviours; 
2. Observe activity-do not avoid the action; 
3. Develop a curious and inquisitive mindset; 
4. Check awareness of the control; 
5. Explore ideas for improvement. 

(37) For WHS Critical Risk Assurance, 1st Line of Defence assurance critical control verification activities include, but are not limited to: 

1. Task and Activity Inspections 
2. Review of training records 
3. Site inspections 

(38) RiskWare has the critical control verification activities for each of the SCU Critical Risks, specific to the 1st Line of Defence. The critical control verification audit can be via: 

1. V – Visual confirmation; 
2. D – Document confirmation; 
3. C – Conversation with person/s for confirmation.  

(39) The outcome of the Critical Control Verification will be assessed according to the following criteria in RiskWare: 

1. Green: Effectively implemented 
2. Amber: Partially implemented 
3. Red: Not implemented  

2nd Line of Defence Assurance Activity 

(40) Similar to the 1st Line of Defence critical control verification, the 2nd Line of Defence also conducts critical control verification activities including: 

1. WHS inspections (Line 1 audit conducted by WHS) 
2. SCU WHSMS verification e.g. in the Remote and Isolated Work Critical Risk, for the control ‘SCU employee medical assessments’, the 2nd line of defence can verify that the SCU sponsored medical health assessment program is referenced in the WHSMS as part of the annual effectiveness test. 
3. Reviews of WHS incident records/reports (mapped against Critical Controls) 
4. Annual Effectiveness Test (see Appendix A)  

3rd Line of Defence Assurance Activity 

(41) The 3rd Line of Defence Assurance Activity consists of performing Critical Control Audits via an independent internal auditing function or by an external provider. 

(42) The audit process has two main components: 

1. (43) Desktop Review: This involves examining the WHSMS and its records to confirm adherence to the Critical Controls. Relevant documents should be noted on the audit form and attached as necessary for reference. 

1. (44) Field Observation: This checks operational activities on-site to ensure procedures are being followed.  

(45) During the field observation, use the Critical Control audit form in RiskWare to record compliance status (compliant, non-compliant, or not applicable). 

(46) All issues, corrective actions, and notifications should be documented in RiskWare. Results of audits including Line 1, 2 and 3 Defences will be included in reports to SCU Executive and Council.  

(47) If a serious safety breach is observed, stop the audit and report it as an incident via WHSMP17 Incident Management Reporting and Investigation Procedure. 

Critical Control Verification Tools 

(48) WHS have developed a number of supporting tools aimed at obtaining critical control verification, as outlined below: 

1. RiskWare Critical Control Verification Checklist/Forms 
2. RiskWare contains each Critical Control Verification checklist according to the line of defence, frequency and owner. All assurance activity must be recorded in RiskWare. 

(49) Examples of verification for each Line of Defence: 

1. Line 1 – Critical Control Verification Audits (completed by Work Units) 
2. Line 2 – Annual Effectiveness Test (completed by WHS Work Unit) 
3. Line 3 – External audit including desktop review and field observation 

Reporting and Escalation Process 

(50) During the verification process, if there has been a significant non-conformance, a critical control is identified as missing or ineffective (i.e., it has failed or could fail), if there is an event that did or could have resulted in a serious or life-threatening injury, or the assessed performance of the WHS critical controls are below an acceptable threshold: 

1. Increased verification activities;  
2. Triggering formal audit assurance activity (Audit) through consultation with WHS; 
3. Investigation into the systemic causes of ineffective critical control performance, which is then used to continuously improve the control. 

(51) If any unsafe acts that expose employees to uncontrolled critical risks, one or more critical controls have failed, missing critical controls are identified, or there is an event where a serious or life-threatening injury could have occurred but did not, then take immediate action in stopping the activity and discussing with the onsite supervisor/team leader. 

(52) Where a critical control has or could have failed (resulting in the actual or potential for serious injury or fatality to occur), the nature of the failure(s) shall be investigated using a structured and systematic process. When a control has performed inadequately or failed, the following investigation questions can be asked: 

1. What critical control(s) were involved? 
2. How did these critical controls fail or perform ineffectively? 
3. Why were the critical controls ineffective (what are the causes of failure or inadequate performance)? 

(53) Investigations of critical control performance should also consider whether the design of the control system could be improved. The design could be improved by considering: a) the incident situation and its characteristics, b) the performance requirements for the critical control(s), c) the appropriateness of the management and verification activities, and d) were employees adequately trained and familiar with the critical control implementation and verification activities? 

Reporting  

(54) A crucial component of the Assurance process is the regular reporting on the status of each critical control. This ‘health check’ provides assurance to those with Officer obligations (i.e. the SCU Executive and Council) as to the whether the control is implemented and effective in preventing and mitigating the critical risk.  

Assurance Implementation 

(55) In ensuring effective implementation of the WHS Critical Risk Assurance, the following aspects are recommended: 

1. Critical Risk Management Training: All employees will be trained in foundational concepts and skills relating to critical risk management via Safety Essentials. Ensuring a consistent understanding of critical risk management is vital to achieve a successful implementation.  

Evaluation and Improvement 

Control Effectiveness 

(56) An existing control is a current measure that is modifying a risk, i.e. reducing the consequence and/or likelihood of an uncertain event or condition. In this context, the WHS Critical Controls predominately include an act, object or technology.  

(57) Control Effectiveness is a relative assessment of actual level of control that is currently present and effective, compared with that which is reasonably achievable for a particular risk.  

(58) In the 1st and 2nd Line of Defence, existing controls must be analysed to assess whether control/s are being implemented and are effective in operation. In the 2nd Line of Defence Annual Effectiveness test and in the 3rd Line of Defence, existing controls are analysed to assess whether control/s are appropriate (valid), designed correctly and effective in operation.  

(59) The control qualities (design and operation) are used to determine the level of Control Effectiveness; with definitions of effectiveness levels replicated below. These are to be used for rating Annual Effectiveness Test and 3rd Line of Defence audits.  

Records 

(60) All three lines of defence activities shall be recorded in RiskWare where appropriate.  

(61) A summary of the assurance and auditing activities and corrective actions are to be presented to the SCU Executive and Council.  

Section 4 - Roles and Responsibilities 

(62) Refer to WHS Responsibility and Accountability Statements.     

Section 5 - Records of Documentation   

(63) All relevant documentation will be recorded and kept in accordance with WHS Legislation and other legislative obligations including:   

1. Internal audits  
2. External audits  
3. Training  
4. Incident reports 
5. Inspections  

Section 6 - Revision and Approval History  

(64) This procedure will be reviewed as per nominated review dates or because of other events, such as:  

1. Internal and external audit outcomes.  
2. Legislative changes.  
3. Outcomes from management reviews.  
4. Incidents.  

Section 7 - References  

Section 8 - Related Documents  

 Appendix A  

(65) Annual Effectiveness Test (see Figure 1)