Risk Management Policy
Responsible officer: Vice-Chancellor
Designated officer: Director, Finance
Approved: Council C04/51, 5 October 2004 [effective 2005]
Last amended: Council C07/88, 28 August 2007
Related policies:
1. Overview
1.1 The Council and Management of the University are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the organisation as fundamental to achieving the University’s strategic and operational objectives.
1.2 The risk management process is to include opportunities as well as threats.
1.3 The University will ensure that all employees who are responsible and accountable for risks:
- are aware of, and share, the University’s commitment to risk management
- understand their risk management obligations
- are provided with the means for identifying and reporting risks and exposures, and
- are supported and resourced by the University sufficiently to enable them to carry out these obligations
1.5 The Australia/New Zealand Risk Management Standard AS/NZS 4360:2005 (or any successors thereof) is to be used as the University’s risk management methodology.
2. Scope
2.1 This policy applies to the Council, relevant Committees and to all staff at the University. Anyone connected with the University with a responsibility for the achievement of the University’s objectives is also responsible for the risks associated with those objectives and the controls to manage those risks.
3. Risk management and planning
3.1 The AS/NZS 4360 risk management process is to be applied in all the University’s activities to ensure that risks associated with the University’s strategic and operational objectives are identified and effectively integrated into the enterprise-wide process. Additionally, controls and strategies that link with these objectives are to be incorporated.
3.2 Opportunities are to be evaluated in terms of:
- the risks resulting from not taking up the opportunity
- the risk involved in taking up the opportunity, and
- the risk involved in managing the opportunity
4. Risk appetite
4.1 Risk appetite is the amount of risk, on a broad level, that the University is willing to accept in pursuit of value, and should reflect:
- risk management philosophy per location, project, process, etc
- capacity to take on risk
- University objectives, business plans and respective stakeholder demands
- evolving industry and market conditions
- tolerance for failures with quantitative values, where applicable
4.2 The University’s risk appetite will be reassessed by Management on an annual basis.
4.3 It is acknowledged that the University must at times undertake activities that carry significant risks.
5. Definitions
5.1 Risk – a risk to the business is any threat of an action or event to our industry or activities that has the potential to threaten the achievement of our objectives. Business risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threats will materialise or that errors will be made.
5.2 Risk management – refers to the culture, processes and structures developed to effectively manage potential opportunities and adverse effects for any activity, function or process undertaken by the University. The process of managing risk is achieved through the systematic application of policies, procedures and practices to establish the context, identify, analyse, evaluate, treat, monitor and communicate risk.
5.3 Residual risk – is the level of risk that remains after assessing the effectiveness of the controls, management strategies and other mechanisms currently in place to mitigate a particular risk.
6. Risk categories
6.1 The key categories of risk to the University of the Sunshine Coast are:
- physical risks: risk relating to harm of people or tangible assets
- financial risks: risk of negative financial impact to the University
- structure and services: operational risks within cost centres
- stakeholder partnerships: risks relating to partnering with external stakeholders
- international profile risks: risks relating to international profile and status
- academic profile risks: risks relating to the University’s academic performance
- governance risks: risks relating to processes by which the University is directed and controlled
- reputation risks: risks relating to the University’s reputation and standing, and
- environmental risks: risks relating to harm of the environment
7. Risk management policy statement
7.1 The University of the Sunshine Coast is committed to:
7.1.1 Achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control.
7.1.2 Protecting and enhancing the University’s reputation.
7.1.3 Behaving as a responsible and ethical corporate citizen, protecting staff, students and the broader community from harm; this includes protection of physical property from loss or damage.
7.1.4 Establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates.
7.1.5 Recognition and exploitation of opportunities.
7.1.6 Establishing resilience and increased efficiency in relation to risk management.
8. The risk management process
8.1 The University of the Sunshine Coast will utilise a risk management process that consists of the following key stages:
8.1.1 Risk identification: Identifying all reasonably foreseeable risks associated with its activities, using the risk assessment methodology detailed in the Risk Management Procedures.
8.1.2 Risk rating: Quantifying those risks (residually) using the criteria detailed in the Risk Management Procedures.
8.1.3 Risk controls: Assessing the risk, identifying options to treat risks and developing mitigation plans using the criteria detailed in the Risk Management Procedures.
8.1.4 Risk monitoring and reporting: Reporting risk management activities and risk specific information to the Vice-Chancellor and the Audit and Risk Management Committee, as detailed in the Risk Management Procedures.
9.1 Risk identification
9.1.1 A key mechanism for the identification of risks at the University is the development and maintenance of the University’s Risk Register.
9.1.2 The Risk Register identifies the key strategic risks that may potentially prevent the University from achieving its objectives. The register outlines the key risks, residual risk rating, controls currently in place to manage the risk and action plans to address those risks.
9.1.3 Risks will also be added to the Risk Register on a periodic basis throughout the year.
9.1.4 All new initiatives undertaken by the University, such as IT, capital expenditure and commercial ventures, will require a risk assessment as part of the project development phase.
9.1.5 An updated Risk Register will be reported to the Audit and Risk Management Committee by the Vice-Chancellor on an annual basis, together with a graphic representation of the University’s risk profile.
9.2 Risk rating
9.2.1 Risks will be assessed and rated in terms of the potential consequence of the risk and the likelihood of the risk occurring. This assessment should include consideration of the controls in place to mitigate those risks. A standard and uniform approach and rating scales are necessary in order to be able to correctly prioritise risk management activities within the University.
9.2.2 All identified risks will be rated consistently using the criteria and rating scales contained in the Risk Management Procedures. The consequence rating should be assigned to a risk when considering the consequences to the University as a whole.
9.2.3 Any recommended changes to the risk ratings outlined in the Risk Register will require approval of the Vice-Chancellor.
9.3 Risk controls
9.3.1 Options for treating each risk will be identified. The options will be evaluated and accountability for the risk will be assigned. Risk treatment plans will be prepared and implemented.
9.3.2 The following options may be used for treating risks and will be determined in the light of risk appetite and risk assessment:
- avoid the risk
- mitigate the risk
- transfer the risk, and
- accept the risk
9.3.3 Risk mitigation, or risk treatment, involves putting in place controls to reduce the level of residual risk to a level that is considered acceptable by the University. This is also known as the target risk rating.
9.3.4 Risk mitigation plans will be developed for all risks that are rated residually as High, Significant or Moderate, and these will be detailed as ‘Action Items’ in Risk Owner’s Reports.
9.4 Risk monitoring and reporting
9.4.1 All corporate risks will be reported annually to the Audit and Risk Management Committee by the Vice-Chancellor, via a revised Risk Register.
9.4.2 The Audit and Risk Management Committee will also receive quarterly reports on the management of risk control issues, including any new areas of risk.
9.4.3 Updates will also be provided on current mitigating activities (action items) for specific risks as requested from time to time.
9.4.4 Additionally, the Vice-Chancellor will receive outputs from risk assessments conducted during the development of new initiatives or for major projects (such as IT, new courses, Capital Expenditure etc).
10. Risk management responsibilities
10.1 Council
10.1.1 Council retains the ultimate responsibility for risk management and for determining the appropriate level of risk that the University is willing to accept.
10.2 Audit and Risk Management Committee
10.2.1 The Audit and Risk Management Committee is delegated by Council with responsibility for:
10.2.1.1 Overseeing the risk management activities at the University; and
10.2.1.2 Providing advice on appropriate risk management procedures and measurement methodologies throughout the University.
10.2.2 The Audit and Risk Management Committee will liaise with management in monitoring key risks and, where appropriate, will report to Council to provide assurances concerning the management of risks within the University.
10.3 Vice-Chancellor
10.3.1 The Vice-Chancellor is responsible for ensuring that risk management activities are carried out effectively within the University.
10.3.2 On an annual basis, and upon request, the Vice-Chancellor will present to the Audit and Risk Management Committee an up-to-date register of the key risks for the University, i.e. the Risk Register.
10.3.3 The Vice-Chancellor will approve changes to the Risk Register.
10.3.4 The Vice-Chancellor will appoint the Risk Manager.
10.4 Risk Manager
10.4.1 The Risk Manager may be a dedicated role, or its responsibilities may be added to an existing position.
10.4.2 The Risk Manager is responsible for ensuring that risk management activities are carried out in the University in accordance with the Risk Management Policy and Procedures.
10.4.3 The Risk Manager will provide regular reports to the Vice-Chancellor on key risks to the University and the control and monitoring activities in place to manage those risks.
10.4.4 The Risk Manager is responsible for providing information to the Vice-Chancellor to forward to the Audit and Risk Management Committee regarding new areas of risk.
10.5 Risk Owners
10.5.1 A Risk Owner will be assigned for each risk area within the University.
10.5.2 A Risk Owner is the most senior staff member within a Cost Centre, who is responsible, or should be responsible, for the management of the particular risk.
10.5.3 Where it is unclear who should be the Risk Owner for a particular risk, the Risk Manager will assign a Risk Owner.
10.5.4 It is the Risk Owner’s responsibility to provide the Vice-Chancellor with information to report to the Audit and Risk Management Committee on progress against mitigation plans (via Risk Owner’s Reports) and the results of risk assessments performed on new initiatives.
10.6 All University Staff
10.6.1 All staff will diligently identify risks and report them to their supervisor, especially during periods of change to processes or operational practice.
10.6.2 Staff will comply with all risk treatments.