Risk Management Framework - Governing Policy
Responsible officer: Vice-Chancellor
Designated officer: Chief Financial Officer
Approving authority: Council
Approval: C08/83(i), 14 October 2008
Last amended:
Effective starting date: 15 October 2008
Any policies replaced by this policy: Risk Management Policy
Policy number: G17.
Related policies:
Due date for next review: 14 October 2013
Part A: Preliminary
1. Purpose of Policy
1.1 The Council and Management of the University are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the University as fundamental to achieving the University’s strategic and operational objectives. This policy outlines the framework that reflects that commitment.
1.2 The University’s Risk Management Framework is based on the Australia/New Zealand Risk Management Standard AS/NZS 4360:2007 and uses Business Continuity Management, Critical Incident Management and IT Disaster Recovery as crucial components of risk mitigation.
2. Application of Policy
2.1 This policy applies to all staff, students and members of University decision-making or advisory bodies, including the University Council and its Committees.
3. Risk Management Policy Statement
3.1 In its application of this policy, the University of the Sunshine Coast is committed to:
- Achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;
- Protecting and enhancing the University’s reputation;
- Behaving as a responsible and ethical corporate citizen, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
- Establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;
- Recognition and exploitation of opportunities; and
- Establishing resilience and increased efficiency in relation to risk management.
4. Risk Management and Planning
4.1 The processes described in the risk management procedures are to be applied in all the University’s activities to ensure that risks associated with the University’s strategic and operational objectives are identified and effectively integrated into the University’s annual planning process.
4.2 Reviews of controls and mitigating strategies that link with University plan objectives will be demonstrated in Cost Centre Risk Registers.
5. Risk appetite
5.1 Risk appetite is the amount of risk, on a broad level, that the University is willing to accept in pursuit of value, and should reflect:
- risk management philosophy per location, project, process, etc.
- capacity to take on risk.
- University objectives, business plans and respective stakeholder demands.
- evolving industry and market conditions.
- tolerance for failures with quantitative values, where applicable.
5.2 The University’s risk appetite will be reassessed by Management on a regular basis.
5.3 It is acknowledged that the University must at times undertake activities that carry significant risks.
6. Definitions
Business Continuity Planning (BCP) means a medium to long-term activity undertaken to foresee, mitigate, and provide planning for events which might threaten the on-going operations of the University.
Critical Incident means the term used to refer to a particular incident, episode or crisis that may result in a ‘high’ level of risk, directly or indirectly to the core operations of the University. For consistency, the term critical incident is preferred to crisis, emergency or other similar expressions. Critical Incidents are the highest level of incident which may affect the operations of the University. A ‘high’ level of risk would be determined using the risk management process, as outlined in the Risk Management Procedures.
Critical Incidents are distinguished from Significant or Routine Incidents in that Critical Incidents require the creation of a Critical Incident Management Team (CIMT) for special purpose management and recovery under the direction of the designated Critical Incident Director.
Critical Incidents can be further distinguished from Significant and Routine incidents in that a Critical Incident:
- has the potential to significantly disrupt the operations of the University, or a major part of it, putting at risk the University’s ability to efficiently and effectively continue its teaching, learning and research activities
- may bring the University into disrepute
- crosses over the responsibilities of several Cost Centres
- may impact on critical IT service availability to the University, with a potential down time of greater than 2 hours
- is likely to bring negative media coverage to the University
- may incur a significant cost to rectify the situation promptly; and/or
- may result in critical injuries or death to staff, students or members of the public.
Critical Incidents may include:
Direct Critical Incidents, such as:
- loss of a building (fire, earthquake, storm, etc.)
- loss of key utilities such as electricity, gas or water
- a pandemic outbreak
- extreme climatic conditions causing closure of the University
- major demonstration or protest
- telecommunications failure
- server and Local Area Network failure of greater than 2 hours; and/or
- serious industrial action, strikes or riots.
Indirect Critical Incidents to individuals, such as:
- serious accident or injury
- acts of self-harm
- serious sexual assault
- serious assault, robbery, and armed hold-up
- event or threat that causes extreme stress, fear or injury; and/or
- kidnapping or attempted kidnapping.
Residual Risk means the level of risk that remains after assessing the effectiveness of the controls, management strategies and other mechanisms currently in place to mitigate a particular risk.
Risk means a risk to the University that has the potential to threaten the achievement of our objectives.
Risk Management refers to the culture, processes and structures developed to effectively manage potential opportunities and adverse effects for any activity, function or process undertaken by the University. The process of managing risk is achieved through the systematic application of policies, procedures and practices to establish the context, identify, analyse, evaluate, treat, monitor and communicate risk.
Routine Incident means incidents that are managed within individual Cost Centres as part of their normal operations. Routine incidents are the lowest level of incident management as defined by this policy.
Characteristics of a Routine Incident include, but are not limited to:
- an incident managed by a Cost Centre utilising normal day-to-day University operating procedures.
Routine Incidents may include:
- minor building repairs, e.g. blocked sink/toilet
- minor injury requiring minimal first aid treatment; and/or
- minor IT issue, requiring routine logging of the issue with the IT Service Desk, e.g. PC failure.
Significant Incident means an incident managed by Cost Centre Managers as part of their normal business as usual operations. Assistance to manage this level of incident would normally be obtained from one or more of the Specialist Support Teams.
Characteristics of a Significant Incident include, but are not limited to:
- incident requiring management by a senior member of staff to allow appropriate, prompt decisions to be made
- minor injuries to staff, students or other members of the general public
- potential trauma to staff and/or students
- potential for external media to become aware of the situation
- impact on critical IT service availability to the University with a potential down time of up to 2 hours.
Significant Incidents may include:
- staff or student injuries that may require medical attention
- staff/student violence
- repairable damage to office
- IT outage up to 2 hours; and/or
- temporary telephone system outage.
University Risk Register means the register that records information about the corporate risks faced by the University and relevant controls being put in place to mitigate against them. The University Risk Register will aggregate information from Cost Centre Risk Registers.
7. Risk Categories
7.1 The key categories of risk to the University of the Sunshine Coast are:
- physical risks: Risks relating to harm to people or tangible assets
- financial risks: Risks of negative financial impact to the University
- structure and services risks: Operational risks within Cost Centres
- stakeholder partnership risks: Risks relating to partnering with external stakeholders
- international profile risks: Risks relating to international profile and status
- academic profile risks: Risks relating to the University’s academic performance
- governance risks: Risks relating to the processes by which the University is directed and controlled
- reputation risks: Risks relating to the University’s reputation and standing; and
- environmental risks: Risks relating to harm to the environment.
Part B: Policy
8. The Risk Management Process
8.1 The University of the Sunshine Coast will utilise a risk management process that consists of the following key stages:
8.2 Risk Identification: Identifying all reasonably foreseeable risks associated with its activities, using the risk assessment methodology detailed in the Risk Management Procedures.
8.3 Risk Rating: Quantifying those risks (residually) using the criteria detailed in the Risk Management Procedures.
8.4 Risk Controls: Assessing the risk, identifying options to treat risks and developing mitigation plans using the criteria detailed in the Risk Management Procedures.
8.5 Risk Monitoring and Reporting: Reporting risk management activities and risk specific information to the Vice-Chancellor and the Audit and Risk Management Committee, as detailed in the Risk Management Procedures.
9. Risk Identification
9.1 A key mechanism for the identification of risks at the University is the development and maintenance of the University’s Risk Register.
9.2 The Risk Register identifies the key strategic risks that may potentially prevent the University from achieving its objectives. The register outlines the key risks, residual risk rating, controls currently in place to manage the risk and action plans to address those risks.
9.3 Risks may also be added to the University's Risk Register on a periodic basis throughout the year.
9.4 All new initiatives undertaken by the University, such as IT, capital expenditure and commercial ventures, will require a risk assessment as part of the project development phase.
9.5 An updated Risk Register will be reported to the Audit and Risk Management Committee by the Vice-Chancellor on an annual basis, together with a graphic representation of the University’s risk profile.
10. Risk Rating
10.1 Risks will be assessed and rated in terms of the potential consequence of the risk and the likelihood of the risk occurring. This assessment should take into account the controls already in place to mitigate those risks, i.e. it should rate the residual risk.
10.2 All identified risks will be rated consistently using the criteria and rating scales contained in the Risk Management Procedures. The consequence rating should be assigned to a risk when considering the consequences to the University as a whole.
10.3 Any recommended changes to the risk ratings outlined in the University Risk Register will require approval of the Vice-Chancellor.
11. Risk Controls
11.1 Options for treating each risk will be identified. The options will be evaluated and accountability for the risk will be assigned. Risk treatment plans will be prepared and implemented.
11.2 The following options may be used for treating risks and will be determined in the light of risk appetite and risk assessment:
- avoid the risk
- mitigate the risk
- transfer the risk; and
- accept the risk.
11.3 Risk mitigation, or risk treatment, involves putting in place controls to reduce the level of residual risk to a level that is considered acceptable by the University. This is also known as the target risk rating.
11.4 Risk mitigation plans will be developed for all risks that are rated residually as High, Significant or Moderate, and these will be detailed as ‘Action Items’ in Risk Owner’s Reports.
12. Risk Monitoring and Reporting
12.1 All corporate risks will be reported annually to the Audit and Risk Management Committee.
12.2 The Audit and Risk Management Committee will also receive regular reports on the management of risk control issues, including any new areas of risk.
12.3 Updates will also be provided on current mitigating activities (action items) for specific risks as requested from time to time.
12.4 The reporting of Critical Incidents is outlined in the Critical Incident Management Procedures. As outlined in the procedures, all Critical Incidents should be reported to either Security or IT Service Desk. It is their role to initiate any immediate response action, and to contact the Director, Capital Programs and Operations, or delegate (see Critical Incident Management Procedures, Appendix G: Critical Incident Response Leaders Contact Details).
13. Risk Management Responsibilities
13.1 Council
13.1.1 Council retains the ultimate responsibility for risk management and for determining the appropriate level of risk that the University is willing to accept.
13.2 Audit and Risk Management Committee
13.2.1 The Audit and Risk Management Committee is delegated by Council with responsibility for:
- overseeing the risk management activities at the University; and
- providing advice on appropriate risk management related procedures and measurement methodologies throughout the University.
13.2.2 The Audit and Risk Management Committee will liaise with management in monitoring key risks and, where appropriate, will report to Council to provide assurances concerning the management of risks within the University.
13.3 Vice-Chancellor
13.3.1 The Vice-Chancellor is responsible for ensuring that risk management activities are carried out effectively within the University.
13.3.2 On an annual basis, and upon request, the Vice-Chancellor will present to the Audit and Risk Management Committee an up-to-date register of the key risks for the University, i.e. the University Risk Register.
13.3.3 The Vice-Chancellor will approve changes to the University Risk Register.
13.3.4 The Vice-Chancellor may approve policies and/or procedures relating to Business Continuity Management, Critical Incident Management and IT Disaster Recovery. The Vice-Chancellor may also approve any Risk Management procedures.
13.4 Chief Financial Officer
13.4.1 The Chief Financial Officer is responsible for the development of systems, policies, processes and procedures that promote effective Business Continuity Management.
13.4.2 The Chief Financial Officer is responsible for ensuring that risk management activities are carried out in the University in accordance with the Risk Management Policy and Procedures.
13.4.3 The Chief Financial Officer is responsible for compiling regular reports for the Vice-Chancellor to forward to the Audit and Risk Management Committee regarding risk management issues.
13.5 Director, Capital Programs and Operations
13.5.1 The Director, Capital Programs and Operations is responsible for the development of systems, policies, processes and procedures that promote effective responses to Critical Incidents.
13.5.2 During a Critical Incident, the Director, Capital Programs and Operations will act as the Critical Incident Director, unless the role is otherwise appointed by the Vice-Chancellor.
13.5.3 The Director, Capital Programs and Operations (or delegate) is responsible for ensuring that the Vice-Chancellor is advised of any Critical Incident as soon as practicable after initial assessment and/or implementation of any risk treatment.
13.6 Director, Information Technology Services
13.6.1 The Director, Information Technology Services is responsible for IT Disaster Recovery.
13.7 Cost Centre Managers
13.7.1 Cost Centre Managers will provide updated risk registers through the University's Planning Framework and report on risks in line with the Risk Management Procedures.
13.7.2 Cost Centre Managers will ensure their staff are adequately trained in risk assessment and are acquainted with the University’s risk management policies and procedures.
13.8 Risk Owners and Risk Delegates
13.8.1 A Risk Owner will be assigned for each risk area within the University, as detailed in the University Risk Register. These risk areas may be broken down into more specific sub-risks that will be detailed in Cost Centre Risk Registers.
13.8.2 A Risk Owner will generally be the most senior staff member of the University who is responsible for the management of the particular risk.
13.8.3 A Risk Delegate will generally be a Cost Centre Manager who is responsible for risks detailed in a Cost Centre Risk Register.
13.8.4 Where it is unclear who should be the Risk Owner for a particular risk, the Chief Financial Officer will assign a Risk Owner or Risk Delegate.
13.8.5 It is the Risk Owner’s responsibility to provide the Chief Financial Officer with information to report to the Audit and Risk Management Committee on progress against mitigation plans (via Risk Owner’s Reports) and the results of risk assessments performed on new initiatives.
13.9 All University Staff
13.9.1 All staff will diligently identify risks and report them to their supervisor, especially during periods of change to processes or operational practice.
13.9.2 Staff will comply with all risk treatments.
END