
Risk Management Policy

This is not the current version of this document.

Section 1 - Preamble

(1) This Policy is effective from 12 July 2022.

(2) This Policy includes:

  1. Schedule A: Risk Matrix.

Section 2 - Purpose

(3) This Policy sets out how the University embeds effective risk management practices into its operations, activities and day to day decision making.


Section 3 - Scope

(4) This Policy applies to all staff and associates.


Section 4 - Policy

(5) Managing risk is fundamental to how the University is managed at all levels. The University will foster a positive risk-aware culture which recognises that controlled risk-taking is acceptable and appropriate to foster growth, innovation, competitiveness and efficient business practices.

(6) The University will maintain a Risk Appetite Statement which:

  1. is reviewed annually and approved by Council
  2. provides guidance on the management of risk within acceptable levels of tolerance
  3. informs the assessment of risk in accordance with Schedule A: Risk Matrix
  4. underpins the identification of the University’s Headline Risks.

(7) The University’s risk management practices will be based on AS ISO 31000:2018, Risk Management – Principles and Guidelines, and will include a consistent approach to the identification, treatment and monitoring of risk.

(8) Staff and associates are expected to apply sound and informed risk management principles to their work-related decision making, practices and operations. The University will support staff and associates in recognising and understanding their risk obligations by providing education, training and information.

(9) Staff and associates who have a concern regarding the management of risk must contact the Risk, Compliance and Business Continuity Unit.


Section 5 - Procedure

Coordination and communication

(10) Risk management activities are implemented and coordinated by the Risk, Compliance and Business Continuity Unit, including the communication of advice, guidance and support across the University.

Risk assessment and treatment

(11) Faculties, Institutes and Portfolios will develop risk profiles in accordance with the University’s Risk Appetite, Headline Risks and strategic priorities. Risk profiles must include all information relating to the risks, including the contributing factors and consequences, ratings, control and treatment activities, and alignment with key risk indicators and risk appetite.

(12) Risk assessments must be undertaken before commencing a new project or activity in accordance with clause 26 and reviewed at least annually, or more frequently as required by changes or project milestones.

(13) Risks can be identified using various methods. Staff and associates are encouraged to contact the Risk, Compliance and Business Continuity Unit to discuss the most suitable method.

(14) When a risk is identified, a Risk Owner is assigned by the relevant member of the Senior Executive Team or nominee. The Risk Owner must assess the risk, its controls and its treatment measures in accordance with Schedule A: Risk Matrix.

Reporting and monitoring

(15) Risk Owners must review and update their risk profiles at least every three months to ensure all current and emerging risks are captured, controls identified, and risk treatment (action) plans are implemented effectively.

(16) The Risk, Compliance and Business Continuity Unit will monitor Faculty, Institute and Portfolio Risk Profiles to identify new and changed risks and will recommend action as appropriate. Risk Profiles will inform the Headline Risk Report.

(17) Headline Risks are reported at least quarterly to the Senior Executive Team, the Audit and Risk Committee and Council.

(18) The University Headline Risk Report informs the University’s annual Internal Audit Plan and strategic priorities.

Risks outside acceptable levels and escalation

(19) Risk Owners must escalate the following risk items to the relevant member of the Senior Executive Team, and the Director Audit, Risk and Business Continuity or nominee:

  1. all actions and activities that fall outside the relevant risk appetite set down in the University’s Risk Appetite Statement
  2. all risks rated Very High in accordance with Table 5 of Schedule A: Risk Matrix.

(20) The relevant member of the Senior Executive Team, and the Director Audit, Risk and Business Continuity or nominee will assess escalated matters to determine actions required to reduce the risk to an acceptable level.

Roles and responsibilities

(21) The University Council is responsible for:

  1. overseeing and monitoring the assessment and management of risk across the University
  2. approving the University’s Risk Appetite Statement
  3. setting the tone for a risk aware University culture.

(22) The Audit and Risk Committee is responsible for:

  1. ensuring that an appropriate program of risk management is maintained by the University
  2. monitoring the assessment, evaluation and treatment of risk
  3. reporting and providing advice to Council as appropriate.

(23) The Academic Board has oversight of academic risks.

(24) The Vice-Chancellor and Senior Executive Team are responsible for:

  1. leading and implementing the risk management culture across the University
  2. providing leadership and commitment to the application of the University's Risk Management programs in business practices
  3. overseeing the allocation of resources to enable effective risk management practices.

(25) Senior leaders are responsible for:

  1. promoting a mature risk management culture within areas of responsibility
  2. effective management, mitigation and reporting of risk exposures
  3. maintaining a clear understanding of risk management practices required to support activities in their areas of responsibility.

(26) Project and Executive Sponsors are responsible for:

  1. conducting, prior to the establishment of the project, an assessment of risks that the project is intended to address, risks to the undertaking of the project, and risks that the project may introduce to the University
  2. proposing, implementing and monitoring risk treatment plans and any emerging risks to the project
  3. reporting and escalating any identified risk as appropriate.

(27) The Risk, Compliance and Business Continuity Unit is responsible for:

  1. working with areas across the University to identify, monitor and report on risks
  2. disseminating information and tools on the University's approach to managing risk, and on the actions needed to ensure the University's overall risk profile is managed and maintained within tolerable risk ratings
  3. providing risk management training to increase risk-aware behaviour as part of the Risk Management program implementation
  4. reporting risk activity to the Vice-Chancellor, University Senior Executive Team, Audit and Risk Committee and Council.

Section 6 - Definitions

(28) For the purpose of this policy:

  1. Associates: contractors, consultants, volunteers, visiting appointees and visitors to the University
  2. Control: a measure that maintains and/or modifies risk. Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
  3. Headline Risk Report: a report setting out university-wide risk management priorities, exposures and target risk levels.
  4. Key Risk Indicator: a metric used to provide an early signal of a risk exceeding risk appetite.
  5. Risk: the 'effect of uncertainty on objectives' (ISO 31000:2018 Risk management - Principles and Guidelines). Risk is characterised by reference to a potential event or circumstance occurring, and is measured as a combination of the likelihood of the event occurring and the consequence if the event were to occur.
  6. Risk appetite: a statement that identifies the most significant risk categories to which the University is exposed and sets out the amount and type of risk that the University is prepared to accept for each risk category in order to meet its strategic objectives.
  7. Risk assessment: the overall process of risk identification, analysis and evaluation.
  8. Risk management: the coordinated activities to direct and control the University with regard to risk.
  9. Risk management practices: the totality of structures, including methodology, training, and procedures that provide the foundation for the University's implementation, review and improvement of risk management.
  10. Risk matrix table: a matrix that facilitates the consistent application, definition, assessment and measurement of risk impact, likelihood, consequence, control effectiveness, overall risk ratings and responses across the University. It allows for the prioritisation of assessed risks and the determination of appropriate risk control measures and their importance in managing risk.
  11. Risk Owner: the individual who is accountable for ensuring the risk is managed appropriately.
  12. Risk treatment: the process of selecting and implementing measures to modify risk. Measures can include avoiding, optimising, transferring or accepting the risk.