(1) This Policy is effective from 12 July 2022. (2) This Policy includes: (3) This Policy sets out how the University embeds effective risk management practices into its operations, activities and day to day decision making. (4) This Policy applies to all staff and associates. (5) Managing risk is fundamental to how the University is managed at all levels. The University will foster a positive risk-aware culture which recognises that controlled risk-taking is acceptable and appropriate to foster growth, innovation, competitiveness and efficient business practices. (6) The University will maintain a Risk Appetite Statement which: (7) The University’s risk management practices will be based on AS ISO 31000:2018, Risk Management – Principles and Guidelines and includes a consistent approach for the identification, treatment and monitoring of risk. (8) Staff and associates are expected to apply sound and informed risk management principles to their work related decision making, practices and operations. The University will support staff and associates to recognise and understand their risk obligations by providing education, training and information. (9) Staff and associates who have a concern regarding the management of risk must contact the Risk, Compliance and Business Continuity Unit. (10) Risk management activities are implemented and coordinated by the Risk, Compliance and Business Continuity Unit, including the communication of advice, guidance and support across the University. (11) Faculty, Institutes and Portfolios will develop risk profiles in accordance with the University’s Risk Appetite, Headline Risks and the strategic priorities of the University. Risk profiles must include all information relating to the risks, including the contributing factors and consequences, ratings, control and treatment activities, alignment with key risk indicators and risk appetite. (12) Risk assessments must be undertaken before commencing a new project or activity in accordance with clause 26 and reviewed at least annually, or more frequently as required by changes or project milestones. (13) Risks can be identified using various methods. Staff and associates are encouraged to contact the Risk, Compliance and Business Continuity Unit to discuss the most suitable method. (14) When a risk is identified, a Risk Owner is assigned by the relevant member of the Senior Executive Team or nominee. The Risk Owner must assess risk, controls and treatment measures in accordance with Schedule A: Risk Matrix. (15) Risk Owners must review and update their risk profiles at least every three months to ensure all current and emerging risks are captured, controls identified, and risk treatment (action) plans are implemented effectively. (16) The Risk, Compliance and Business Continuity Unit will monitor Faculty, Institute and Portfolio Risk Profiles to identify new and changed risks and will recommend action as appropriate. Risk Profiles will inform the Headline Risk Report. (17) Headline Risks are reported at least quarterly to the Senior Executive Team, the Audit and Risk Committee and Council. (18) The University Headline Risk Report informs the University’s annual Internal Audit Plan and strategic priorities. (19) Risk Owners must escalate the following risk items to the relevant member of the Senior Executive Team, and the Director Audit, Risk and Business Continuity or nominee: (20) The relevant member of the Senior Executive Team, and the Director Audit, Risk and Business Continuity or nominee will assess escalated matters to determine actions required to reduce the risk to an acceptable level. (21) The University Council is responsible for: (22) The Audit and Risk Committee is responsible for: (23) The Academic Board has oversight of academic risks. (24) The Vice-Chancellor and Senior Executive Team are responsible for: (25) Senior leaders are responsible for: (26) Project and Executive Sponsors are responsible for: (27) The Risk, Compliance and Business Continuity Unit is responsible for: (28) For the purpose of this policy:Risk Management policy
Section 1 - Preamble
Section 2 - Purpose
Section 3 - Scope
Section 4 - Policy
Section 5 - Procedure
Coordination and communication
Risk assessment and treatment
Reporting and monitoring
Risks outside acceptable levels and escalation
Roles and responsibilities
Top of PageSection 6 - Definitions
View Current
This is not a current document. To view the current version, click the link in the document's navigation bar.