Risk and Compliance Management policy

Section 1 - Preamble

(1) This Policy was approved by Council on 29 October 2014 and came into effect on 23 January 2015.

(2) This Policy includes the following schedule:

  1. Schedule A: Risk Matrix Table.
Section 2 - Purpose

(3) This Policy establishes risk and compliance management practices that are consistent with Australian and International Standards and that are integrated into the University's governance, management and planning activities.

(4) The Risk Management procedure and Compliance Management procedure document how to comply with this Policy.

Section 3 - Scope

(5) This Policy applies to all staff and associates of the University.

Section 4 - Policy

(6) The University embeds risk and compliance management practices in its governance, management, planning and decision making, consistent with national and international standards and practices including AS 3806-2006 Australian Standard: Compliance Programs and AS/NZS ISO 31000: 2009 Australian/New Zealand Standard: Risk management - Principles and guidelines. This enables the University to achieve its strategic objectives in a risk aware environment and ensure operations are conducted in a risk-based and compliant manner.

(7) The University's Risk Management Framework and Compliance Management Framework are implemented consistently, but proportionately across all areas of the University.

(8) Risk assessments are undertaken bi-annually for wholly owned entities.

(9) The University mandates standards of personal, professional, responsible and ethical behaviours of its staff in the Code of Conduct. Staff are required to report concerns about risk and compliance at the earliest possible opportunity, providing for risk assessment, early escalation, management and intervention.

(10) Risk and compliance activities across the University are coordinated by the Risk and Compliance Office. Project risks are identified (before project approval) and monitored by project managers. All business case risks are validated by the Risk and Compliance Manager. The Deakin Portfolio Office has oversight of business case risks including receiving updates arising from the monitoring of business case risks. Where appropriate, these projects may also be included in the Strategic Risk Register and Key Compliance Obligation Register and/or the Faculty or Portfolio operational risk and compliance registers.

(11) University risks are split into two categories: strategic and operational. The University's strategic risks are aligned to Deakin's LIVE the future: Agenda 2020 and owned by the Executive collectively. Operational risks are owned by the relevant member of Executive with portfolio responsibility.

(12) The strategic risk and the key compliance obligation registers, consisting of all high-level risks and compliance obligations affecting the University as a whole, are developed by the University Executive, which also has oversight of Faculty and Portfolio risks.

(13) Staff must assess risk in accordance with the Risk Management Framework, which includes tools for:

  1. identifying, analysing and evaluating risks (Risk Matrix Table)
  2. developing and implementing risk treatment strategies
  3. monitoring and reviewing the effectiveness of strategies.

(14) Assurance is the monitoring and review of risk management, both by internal and external parties. Assurance activities, such as periodic reviews and audits, ensure that established controls are implemented effectively, areas requiring further improvement are determined and new and emerging risks are identified.

Responsibility and accountability

(15) The University Council oversees and monitors the assessment and management of risk across the University.

(16) The Audit and Risk Committee reports to Council on:

  1. all risk assessment and risk controls to ensure that an appropriate program of risk management is maintained by the University
  2. the adequacy of University compliance management.

(17) The Academic Board has oversight of academic risks.

(18) The Vice-Chancellor and the Executive provide leadership and demonstrate commitment to the University's Risk and Compliance Management programs. The University Executive will review the Risk Matrix Table (at Schedule A) annually.

(19) The Risk and Compliance Manager is responsible for the University's risk and compliance management programs, and the provision of technical risk management and compliance support including training and associated tools.

(20) Both risk and compliance management are strategic whole-of-University activities and are therefore the responsibility of management and staff at all levels. Staff are expected to apply sound risk management and compliance principles to their work-related decision making, practices and operations.

Section 5 - Procedure

(21) Refer to the Risk Management procedure.

Section 6 - Definitions

(22) For the purpose of this Policy:

  1. Associates: contractors, consultants, volunteers, visiting appointees and visitors to the University.
  2. Compliance: adhering to the requirements of laws, industry and organisational standards (including University policies and procedures) and codes. It can also include principles of good governance and accepted community and ethical standards.
  3. Compliance management program: the totality of structures, including methodology, training, procedures and website that provide the foundation for the University's implementation, review and improvement of compliance management.
  4. Risk: is the 'effect of uncertainty on objectives', as defined by Standards Australia and Standards New Zealand (AS/NZS ISO 31000: 2009 Australian/New Zealand Standard: Risk management - Principles and guidelines). Risk is typically characterised by reference to potential events, and measured in terms of a combination of the likelihood of the event occurring and the consequence if it was to occur.
  5. Risk management program: the totality of structures, including methodology, training, procedures and website that provide the foundation for the University's implementation, review and improvement of risk management.