Section 1 - Purpose and Scope
Purpose
(1) This Policy is an integral component of the Enterprise Risk Management Framework which:
- establishes the principles and processes to identify, assess and manage risk;
- allocates responsibilities for managing risks; and
- aligns with the International Standard for Risk Management AS ISO 31000:2018.
Scope
(2) This Policy applies to all areas of the University's operations, including its staff, appointees of the
University, its controlled entities and to all activities authorised and conducted by or on behalf of the
University.
Section 2 - Definitions
(3) For the purposes of this Policy, the following definitions apply:
- Consequence - An outcome of an event which could affect objectives, positively or negatively.
There may be multiple consequences from one event.
- Control - Any action taken to positively alter the likelihood or consequences of a risk or
opportunity event.
- Material risk - Risks which have the ability to materially impact the achievement of the
University’s strategic objectives or the University as a whole, distinct from risk which may be
material for only one organisational unit.
- Monitor - To track and evaluate risks and the effectiveness of the controls.
- Opportunity - An uncertain event that could have a favourable impact on objectives.
- Residual risk - The remaining risk after controls have been implemented (action has been taken
to alter the risk’s likelihood or impact).
- Risk - The potential for an event or set of events which may impact achievement of the
University’s strategic objectives – either favourably or unfavourably.
- Risk acceptance - An informed decision to accept the residual risk rating of a risk and proceed
with the proposed course of action.
- Risk appetite - The amount of risk, on a broad level, the University is willing to accept in pursuit
of value. The Risk Appetite is expressed through statements set by Council.
- Risk assessment - The overall process of risk identification, analysis and evaluation.
- Risk evaluation - The process to determine risk management priorities by comparing the level
of risk against risk appetite and target risk levels.
- Risk identification - The process of determining what might impact on the achievement of
objectives, why, and how.
- Risk management - The University’s coordinated activities directed towards realising potential
opportunities while managing adverse effects in order to improve the University’s ability to
achieve its strategy and business objectives.
- Risk management process - The systematic application of policies, procedures and practices to
establish context, identify, analyse, evaluate, treat, monitor and communicate risk.
- Risk profile - The allocation of risks to risk categories with assigned risk ratings.
- Risk register - The summary of individual risks within a risk assessment or risk profile.
Section 3 - Policy Statement
(4) The University acknowledges that implementation and maintenance of a formal risk management
system is fundamental to achieving its strategic and operational objectives.
(5) The University is committed to a rigorous and structured risk management system which is:
- Integrated into all parts of the University's activities with risk management embedded into key
decisions and approval processes of all major business processes and functions;
- Structured to provide consistent and comparable results and support a shared understanding
with all risks managed within the boundaries defined in the Risk Appetite Statement;
- Dynamic, recognising that risk emerges, changes or disappears due to changes in internal and
external forces, and that the role of risk management includes anticipating, detecting,
acknowledging and responding to those changes in a way which helps the University to achieve
its objectives;
- Supported by best available information and considering future expectations, while taking into
account limitations and uncertainties; and
- Continually improved through learning and experience.
Section 4 - Roles and Responsibilities
Council
(6) Council holds overarching accountability for risk management and determines the University's
appetite for risk.
Audit and Risk Management Committee
(7) The Audit and Risk Management Committee is responsible for:
- Oversight of the University's risk management activities; and
- Liaising with management in monitoring key risks and, where appropriate, reporting to Council
to provide assurance concerning the management of risks within the University.
Vice-Chancellor
(8) The Vice-Chancellor is responsible for:
- the overall risk management across the University;
- assigning Executive Risk Leads for each risk in the University's Material Risk Register;
- promoting an appropriate risk management culture across the University;
- overseeing the allocation of resources to enable effective risk management; and
- reporting key and emerging risks and highlighting significant changes to the risk exposure, risks
and their management to the Audit and Risk Management Committee and University Council.
The Vice Chancellor's Group
(9) The Vice Chancellor's Group have collective and individual accountability for the management of risks
as Executives of the University. They are accountable for the oversight, implementation, management and
embedding of the Enterprise Risk Management Framework across their portfolios, including:
- Setting the right 'tone from the top';
- Ensuring compliance with the Risk Appetite Statement, Enterprise Risk Management Framework and this Policy;
- Reviewing and managing exceptions to the Risk Appetite Statement, establishing and
monitoring actions to bring risks within appetite, escalating material matters to the Audit and Risk Management Committee;
- Regular identification, review and assessment of risks in achieving the University's strategic
objectives and actions to manage the risk; and
- Allocation of the right skills and resources to
effectively implement the Enterprise Risk Management Framework through the University.
Academic Board
(10) The Academic Board is responsible for the oversight and monitoring of academic risks.
Material Risk Leads
(11) Material Risk Leads are responsible for managing the material risks for which they are accountable,
including:
- facilitating risk management processes;
- approving major decisions that may affect the University's risk profile or exposure;
- assessing material risks against the University's risk appetite;
- monitoring the effectiveness of risk controls and providing regular reporting; and
- escalating where necessary to ensure there is sufficient support and resources to carry out
appropriate risk management.
Heads of Work Units
(12) Heads of Work Units are responsible for:
- identifying risks within their operational unit;
- maintaining an operational risk register;
- assessing the risks against the University's risk appetite and the effectiveness of controls in the
work unit's risk register on a quarterly basis;
- assigning a risk lead to each risk in their operational risk register;
- escalating the management of any operational risks that cannot be sufficiently mitigated at the
work unit to the relevant Executive Member;
- managing business as usual operational risks; and
- promoting an appropriate risk management culture within their areas of responsibility.
Project Managers/Leads
(13) Project Managers or Project Leads are responsible for:
- incorporating risk management throughout the project life cycle;
- identifying and managing material project risks and monitoring them throughout the life of the
project; and
- incorporating risk reporting into the project reporting processes.
Manager, Insurance and Risk
(14) The Manager, Insurance and Risk is responsible for:
- providing advice on risk management to the University community;
- providing training and resources to develop staff capability in risk assessment and management
processes;
- reviewing the Enterprise Risk Management Framework, associated business processes and
resources following a strategic refresh or significant event; and
- facilitating maintenance of the Material Enterprise Risk Register, Academic Risk Register and Educational Partnership Risk Register.
All Staff
(15) All staff are required to familiarise themselves with the Enterprise Risk Management Framework and
apply it to their roles, as relevant.
Section 5 - Risk Reporting Requirements
(16) Risks are to be monitored and reported in accordance with the Enterprise Risk Management Framework.
Section 6 - Associated documents
(17) This Policy should be read in conjunction with:
- Enterprise Risk Management Framework
- Work Health and Safety Policy
- Emergency and Crisis Management Policy
- Emergency Procedures
- Business Continuity Management Policy
- Compliance Management Policy
- Fraud and Corruption Prevention Policy
- Treasury and Investment Policy
- Academic Quality, Standards and Integrity Policy