
Enterprise Risk Management Policy


Section 1 - Purpose and Scope

Purpose

(1) This Policy is an integral component of the Enterprise Risk Management Framework which:

  1. establishes the principles and processes to identify, assess and manage risk;
  2. allocates responsibilities for managing risks; and
  3. aligns with the International Standard for Risk Management, AS ISO 31000:2018.

Scope

(2) This Policy applies to all areas of the University's operations, including its staff, appointees of the
University, its controlled entities and to all activities authorised and conducted by or on behalf of the
University.


Section 2 - Definitions

(3) For the purposes of this Policy, the following definitions apply:

  1. Consequence - An outcome of an event which could affect objectives, positively or negatively.
    There may be multiple consequences from one event.
  2. Control - Any action taken to positively alter the likelihood or consequences of a risk or
    opportunity event.
  3. Material risk - Risks which have the ability to materially impact the achievement of the
    University’s strategic objectives or the University as a whole, distinct from risk which may be
    material for only one organisational unit.
  4. Monitor - To track and evaluate risks and the effectiveness of the controls.
  5. Opportunity - An uncertain event that could have favourable impact on objectives.
  6. Residual risk - The remaining risk after controls have been implemented (action has been taken
    to alter the risk’s likelihood or impact).
  7. Risk - is the potential for an event or set of events which may impact achievement of the
    University’s strategic objectives – either favourably or unfavourably.
  8. Risk acceptance - An informed decision to accept the residual risk rating of a risk and proceed
    with the proposed course of action.
  9. Risk appetite - The amount of risk, on a broad level, the University is willing to accept in pursuit
    of value. The Risk Appetite is expressed through statements set by Council.
  10. Risk assessment - The overall process of risk identification, analysis and evaluation.
  11. Risk evaluation - The process to determine risk management priorities by comparing the level
    of risk against the risk appetite and target risk levels.
  12. Risk identification - The process of determining what might impact on the achievement of
    objectives, why, and how.
  13. Risk management - The University’s coordinated activities directed towards realising potential
    opportunities while managing adverse effects in order to improve the University’s ability to
    achieve its strategy and business objectives.
  14. Risk management process - The systematic application of policies, procedures and practices to
    establish context, identify, analyse, evaluate, treat, monitor and communicate risk.
  15. Risk profile - The allocation of risks to risk categories with assigned risk ratings.
  16. Risk register - The summary of individual risks within a risk assessment or risk profile.

Section 3 - Policy Statement

(4) The University acknowledges that implementation and maintenance of a formal risk management
system is fundamental to achieving its strategic and operational objectives.

(5) The University is committed to a rigorous and structured risk management system which is:

  1. Integrated into all parts of the University's activities with risk management embedded into key
    decisions and approval processes of all major business processes and functions;
  2. Structured to provide consistent and comparable results and support a shared understanding
    with all risks managed within the boundaries defined in the Risk Appetite Statement;
  3. Dynamic, recognising that risk emerges, changes or disappears due to changes in internal and
    external forces, and that the role of risk management includes anticipating, detecting,
    acknowledging and responding to those changes in a way which helps the University to achieve
    its objectives;
  4. Supported by best available information and considering future expectations, while taking into
    account limitations and uncertainties; and
  5. Continually improved through learning and experience.

Section 4 - Roles and Responsibilities

Council

(6) Council holds overarching accountability for risk management and determines the University's
appetite for risk.

Audit and Risk Management Committee

(7) The Audit and Risk Management Committee is responsible for:

  1. Oversight of the University's risk management activities; and
  2. Liaising with management in monitoring key risks and, where appropriate, reporting to Council
    to provide assurance concerning the management of risks within the University.

Vice-Chancellor

(8) The Vice-Chancellor is responsible for:

  1. overall risk management across the University;
  2. assigning Executive Risk Leads for each risk in the University's Material Risk Register;
  3. promoting an appropriate risk management culture across the University;
  4. overseeing the allocation of resources to enable effective risk management; and
  5. reporting key and emerging risks, and highlighting significant changes to the University's risk
    exposure and its management, to the Audit and Risk Management Committee and University Council.

The Vice Chancellor's Group

(9) The Vice Chancellor's Group has collective and individual accountability for the management of risks
as Executives of the University. Its members are accountable for the oversight, implementation, management and
embedding of the Enterprise Risk Management Framework across their portfolios, including:

  1. setting the right 'tone from the top';
  2. ensuring compliance with the Risk Appetite Statement, the Enterprise Risk Management Framework and this Policy;
  3. reviewing and managing exceptions to the Risk Appetite Statement, establishing and
    monitoring actions to bring risks within appetite, and escalating material matters to the Audit and Risk Management Committee;
  4. regular identification, review and assessment of risks to the achievement of the University's strategic
    objectives, and of the actions taken to manage those risks; and
  5. allocating the right skills and resources to effectively implement the Enterprise Risk Management
    Framework throughout the University.

Academic Board

(10) The Academic Board is responsible for the oversight and monitoring of academic risks.

Material Risk Leads

(11) Material Risk Leads are responsible for managing the material risks for which they are accountable,
including:

  1. facilitating risk management processes;
  2. approving major decisions that may affect the University's risk profile or exposure;
  3. assessing material risks against the University's risk appetite;
  4. monitoring the effectiveness of risk controls and providing regular reporting; and
  5. escalating where necessary to ensure there is sufficient support and resources to carry out
    appropriate risk management.

Heads of Work Units

(12) Heads of Work Units are responsible for:

  1. identifying risks within their operational unit;
  2. maintaining an operational risk register;
  3. assessing the risks against the University's risk appetite and the effectiveness of controls in the
    work unit's risk register on a quarterly basis;
  4. assigning a risk lead to each risk in their operational risk register;
  5. escalating the management of any operational risks that cannot be sufficiently mitigated at the
    work unit to the relevant Executive Member;
  6. managing business as usual operational risks; and
  7. promoting an appropriate risk management culture within their areas of responsibility.

Project Managers/Leads

(13) Project Managers or Project Leads are responsible for:

  1. incorporating risk management throughout the project life cycle;
  2. identifying and managing material project risks and monitoring them throughout the life of the
    project; and
  3. incorporating risk reporting into the project reporting processes.

Manager, Insurance and Risk

(14) The Manager, Insurance and Risk is responsible for:

  1. providing advice on risk management to the University community;
  2. providing training and resources to develop staff capability in risk assessment and management
    processes; and
  3. reviewing the Enterprise Risk Management Framework, associated business processes and
    resources following a strategic refresh or significant event.

All Staff

(15) All staff are required to familiarise themselves with the Enterprise Risk Management Framework and
apply it to their roles, as relevant.


Section 5 - Risk Reporting Requirements

(16) Risks are to be monitored and reported in accordance with the Enterprise Risk Management Framework.


Section 6 - Associated Documents

(17) This Policy should be read in conjunction with:

  1. Enterprise Risk Management Framework
  2. Work Health and Safety Policy
  3. Emergency and Crisis Management Policy
  4. Emergency Procedures
  5. Business Continuity Management Policy
  6. Compliance Policy
  7. Fraud and Corruption Prevention Policy
  8. Treasury and Investment Policy
  9. Academic Quality, Standards and Integrity Policy