Risk Management procedure

Section 1 - Preamble

(1) This Procedure was approved by University Council on 29 October 2014 and came into effect on 23 January 2015.

(2) This Procedure is pursuant to the Risk and Compliance Management policy and includes the following schedule:

  1. Schedule A: Risk Matrix Table.

Section 2 - Purpose

(3) This Procedure outlines a systematic process for risk management that is aimed at managing adverse effects on the University achieving its objectives while realising opportunities.

Section 3 - Scope

(4) This Procedure applies to all staff and associates of the University.

Section 4 - Policy

(5) Refer to the Risk and Compliance Management policy.

Section 5 - Procedure

Risk management

(6) The University applies a comprehensive risk management program to its operations based on the AS/NZS ISO 31000: 2009 Australian/New Zealand Standard: Risk management - Principles and guidelines.

Consultation, communication

(7) The Risk and Compliance Office will communicate and consult extensively with all areas and at all stages of the risk management process to integrate the principles of sound risk management into University practice.

(8) The Risk and Compliance Manager will oversee:

  1. the dissemination of information on the University's approach to risk and the actions necessary to ensure the University's overall risk profile is managed and maintained within the tolerable risk ratings; and
  2. the provision of risk management training to increase risk-aware behaviour as part of the Risk Management program implementation.

Risk assessment

(9) Risk must be a consideration in all University activities including projects and ventures. Risk assessments will be done at least annually, but more frequently as required. Risk assessments are undertaken bi-annually for wholly owned entities.

(10) Risks are identified through a number of methods, including risk identification workshops, audit reports, stakeholder analysis and scenario analysis.

(11) Once a risk has been identified, a Risk Owner must be assigned in accordance with the Risk Management Framework. Staff must assess risk in accordance with the Risk Management Framework and the Risk Matrix Table.

(12) All information relating to the risks, including the contributing factors and consequences, ratings, controls and treatment plans, are to be stored in risk registers in the risk software. Each Faculty and Portfolio will have its own risk register, which will be proactively managed.

(13) The Risk Matrix Table is used to measure the likelihood and the associated consequences of a risk, providing the inherent, residual and tolerable risk ratings for a risk. These ratings allow the University to prioritise risks.

Treatment and review

(14) The residual risk ratings are to be reviewed and analysed to determine if further action is required to mitigate the risk. If the tolerable risk rating and the residual risk ratings are the same then no further action is required. However, if the residual risk rating has a higher rating than the tolerable risk rating then the residual risk will need to be reduced through implementing a treatment plan/s.

(15) When deciding on the appropriate treatment plan it is important to assess the cost and effort required for each possible option, ensuring that the most effective and efficient treatment for managing the risk is selected.

(16) All treatment plans will require a person to be assigned in the software as the "Action Responsible" role and the "Owner" role (this cannot be the same person), ensuring that treatment plans are completed within the timeframe or providing an explanation if the schedule or scope is to be changed.

(17) All risks and associated ratings, controls and treatment plans will be reviewed and their progress monitored by the Risk and Compliance Office and reflected in the appropriate risk register.

(18) In addition to the Directors/Faculty General Managers and the Executive completing their own regular self-assessments/reviews, quarterly updates and detailed annual reviews will be undertaken by the Risk and Compliance Office. This information is outlined in the Risk Management Framework.

Assurance review

(19) Assurance reviews will be regularly conducted by the Risk and Compliance Office to review controls in place and assess their effectiveness in mitigating the associated risk. Findings from assurance reviews will be discussed with relevant stakeholders and reflected in risk registers.

(20) An annual assurance review plan will be developed to determine which risks will require a more extensive assessment of controls. The plan will be created in consultation with Internal Audit and their annual plan to ensure proportional coverage of all risks across the University. Assurance reviews may also be requested by University management.

Escalations

(21) If a stakeholder disagrees with the contents in their risk register or any relevant risk report then they can escalate their concerns to the Director, Corporate Governance, Risk and Compliance Services as appropriate.

(22) The Risk and Compliance Office will ensure that treatment plans in progress are completed in accordance with the conditions and timeframe discussed. Failure to do so will require escalation to the Director, Corporate Governance, Risk and Compliance Services and the Executive in the first instance, and if required further escalation to the Audit and Risk Committee.

(23) Risks with a very high risk rating are to be escalated to both the Vice-Chancellor and to the responsible Executive member and risks with a high risk rating are to be escalated to the responsible Executive member. Medium rated risks are to be escalated to the responsible Director or Faculty General Manager.

Section 6 - Definitions

(24) For the purpose of this Procedure:

  1. associates: contractors, consultants, volunteers, visiting appointees and visitors to the University.
  2. control: a measure, which could be one of or a combination of process, policy, device, barrier, practice, or other actions established to alter the level of likelihood and/or consequence of the risk event.
  3. residual risk rating: the level of risk once controls have been established to alter the risk's likelihood or consequence.
  4. risk: the 'effect of uncertainty on objectives', as defined by Standards Australia and Standards New Zealand (AS/NZS ISO 31000: 2009 Australian/New Zealand Standard: Risk management - Principles and guidelines). Risk is typically characterised by reference to potential events, and measured in terms of a combination of the likelihood of the event occurring and the consequence if it was to occur.
  5. risk assessment: the overall process of risk identification, risk analysis and risk evaluation.
  6. Risk Matrix Table: a matrix that facilitates the consistent assessment and measurement of risk across the University. It allows for the prioritisation of assessed risks and the determination of appropriate risk control measures and their importance in managing the risks.
  7. Risk/Compliance Obligation Owner: Risk/Compliance Obligation Owners are responsible for:
    1. Ensuring new and current risks and compliance issues are managed with the appropriate controls and treatment plans.
    2. Ensuring controls to manage risks and compliance obligations are operating as expected, including performance of self-assessment reviews.
    3. Actioning breaches reported to them by their staff, identifying the root cause and implementing appropriate corrective action (in consultation with the Risk and Compliance Office).
    4. Ensuring that recorded information regarding risk and compliance is complete and accurate.
    5. Approving all changes made to risk registers, ensuring that the information is accurate. Please note that the risk 'owner' and the 'approver' are two separate roles in the risk and compliance software. The 'approver' function may be delegated to another senior member of staff by the risk owner for operational risks.
  8. risk/compliance owners are to approve treatment plans, ensuring that they are implemented correctly and any changes made to them have been explained.
  9. Risk management framework: a document outlining all the relevant components and processes for risk management across the University to ensure consistency of risk management application.
  10. risk management program: the totality of structures, including methodology, training, procedures and website that provide the foundation for the University's implementation, review and improvement of risk management.
  11. risk register: each Faculty and Portfolio has a risk register which is stored in the risk management software (BWise), containing information on all the risks belonging to the Faculty or Portfolio.
  12. risk tolerance: the level of risk that is acceptable to the University to achieve its objectives. This is set by University Council and reflected in the Risk Matrix Table.
  13. tolerable risk rating: a risk rating indicating the maximum level of risk the University will accept for the associated risk. This is based on the University's risk tolerance.
  14. treatment plan: treatment plans require actions that will reduce/mitigate the risk. It can involve avoiding activities that cause the risk, removing the source of the risk, changing factors driving either the likelihood and/or consequence, sharing or transferring the risk.