1. Purpose of policy
The purpose of this Policy is to provide the structural framework to effectively manage the risks involved in all University activities in order to maximise opportunities and minimise adversity and to achieve improved University outcomes and outputs based on informed decision making and organisational resilience.
2. Application of policy
This policy applies to all workers of, and visitors to, the University including staff, students and members of University decision-making or advisory bodies, including the University Council and its Committees.
3. Regulatory background
3.1 Under the University of the Sunshine Coast Act 1998 and the Financial Accountability Act 2009, Council is required to efficiently, effectively and economically manage and control the University’s operations and must establish and maintain appropriate systems of internal control and risk management.
4. Definitions
Please refer to the University’s Glossary of Terms for policies and procedures. The terms and definitions below are specific to this policy and are critical to its effectiveness:
Business Continuity means maintaining the uninterrupted availability of all key business resources required to support essential University functions.
Business Continuity Management (BCM) means that part of risk management that establishes cost-effective treatments should an outage occur that would interrupt essential University functions. The primary output of BCM is a Business Continuity Plan that comprises many elements which, collectively, define the approach to deal with a break in business continuity, and which prescribes the steps an organisation should take to recover lost business functions.
Faculty/Department Risk Register means the register that records information about the operational risks faced by individual departments or faculties and the controls put in place to mitigate them.
Incident Management means systems and processes that provide for an organisational structure capable of responding to all levels of emergency from simple to complex.
Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.
Risk Appetite means the amount of risk the University is willing to accept in pursuit of stakeholder value.
Risk Management refers to the culture, processes and structures developed to effectively manage potential opportunities and adverse effects for any activity, function or process undertaken by the University. The process of managing risk is achieved through the systematic application of policies, procedures and practices to establish the context, identify, analyse, evaluate, treat, monitor and communicate risk.
University Risk Register/s means the register/s that records information about the strategic and corporate risks faced by the University and the controls put in place to mitigate them. The University Risk Register/s will aggregate information from Department/Faculty Risk Registers.
5. Policy statement
5.1 The Council and Management of the University are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the University as fundamental to achieving the University’s strategic and operational objectives.
5.2 In its application of this policy, the University of the Sunshine Coast is committed to:
- achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;
- protecting and enhancing the University’s reputation;
- behaving as a responsible and ethical corporate citizen, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
- establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;
- recognising and exploiting opportunities; and
- establishing resilience and increased efficiency in relation to risk management.
5.3 The University considers health, safety and wellbeing management, business continuity and incident management and IT disaster recovery as crucial components of its Enterprise Risk Management Framework.
5.4 All staff are required to be responsible and accountable for managing risk, in so far as is reasonably practicable within their area of responsibility. Sound risk management principles and practices must become part of the normal management strategy for all organisational units within the University.
6. Enterprise Risk Management Framework
6.1 General outline
6.1.1 The University’s approach to Enterprise Risk Management (ERM) is based on a holistic, enterprise-wide model that seeks to articulate the main components, responsibilities and relationships of the University’s key risk management controls in order to develop organisational resilience and achieve effective governance and assurance. This is detailed in the Enterprise Risk Management Framework (the Framework), as illustrated in Diagram 1 below.
Diagram 1 – Enterprise Risk Management Framework
6.1.2 The Framework recognises that risk management is an integral part of all University processes. It is embedded in all elements of the University’s core business, and is not a standalone activity.
6.1.3 The Framework identifies four levels of key risk management arrangements at the University:
a. Council has the overall fiduciary accountability to establish and maintain an appropriate risk management framework, with oversight provided by the Audit and Risk Management Committee;
b. Vice-Chancellor and President is accountable to Council for implementation of the Framework;
c. Senior management is responsible for developing and administering programs and systems to address key components of the Framework; and
d. All management and staff have a responsibility to be “risk aware”, to: comply with risk management processes and practices; cooperate with designated University risk management specialists; and identify, assess, manage and report risks and opportunities in day-to-day processes.
6.1.4 Underpinning the Framework are various plans, policies, manuals and processes that act as significant mitigation strategies for some of the University’s key risks.
6.1.5 The Framework also identifies five key components that are critical to the successful implementation of ERM at the University. These are risk management, health, safety and wellbeing management, business continuity management, incident management and IT disaster recovery. The relationship and timing of activation of these components are further illustrated in Diagram 2 below.
Diagram 2 – Relationship of risk management components
6.1.6 The key components of the Enterprise Risk Management Framework are as follows:
6.2 Risk Management Program
6.2.1 All organisations face a variety of risks. These may be sourced externally, and therefore largely out of the immediate control of the organisation, or internally. Internal risks arise both at the strategic (organisation-wide) level and at the operational (business process) level. The University will maintain processes and procedures to provide a systematic view of the risk faced in the course of its academic, administrative and business activities.
6.2.2 These processes and procedures will be consistent with the Australian/New Zealand Standard AS/NZS ISO 31000:2009 Risk management – Principles and guidelines and will be documented in the associated Risk Management - Procedures and/or practices manual.
6.2.3 The processes described in the Risk Management - Procedures and manual are to be applied in all the University’s activities to ensure that risks associated with the University’s strategic and operational objectives are identified and effectively integrated into the University’s annual planning process. Reviews of controls and mitigating strategies that link with University plan objectives will be demonstrated in Cost Centre Risk Registers.
6.2.4 The administration of the Risk Management Program component of the Enterprise Risk Management Framework is the responsibility of the Chief Operating Officer.
6.3 Business Continuity Management
6.3.1 The University will develop a documented process that provides for events which might threaten the on-going operations of critical functions of the University.
6.3.2 These processes and procedures will be consistent with the Australian/New Zealand Standard AS/NZS 5050:2010 Business continuity – Managing disruption-related risk and will be documented in the University’s Business Continuity Management – Managerial Policy and associated procedures or practices manual.
6.3.3 This procedure will enable key management staff to plan and manage both the immediate and longer-term consequences of incidents that impact on Cost Centres and the University.
6.3.4 The administration of the Business Continuity Management component of the Enterprise Risk Management Framework is the responsibility of the Chief Operating Officer.
6.4 Incident Management
6.4.1 The University will develop and implement systems and processes for appropriate, effective and speedy responses to, and management of, incidents.
6.4.2 These systems and processes will form part of the University’s Protection, Resilience and Sustainability System and will be developed in line with: the Australian Standard AS 3745-2010 Planning for emergencies in facilities; the Building Fire Safety Regulation 2008; and the Work Health and Safety Act 2011.
6.4.3 The University will aim for best practice in incident management responses and procedures, requirements for which will be documented in the University’s Critical Incident Management – Managerial Policy and associated procedures or practices manual.
6.4.4 The administration of the Incident Management component of the Enterprise Risk Management Framework is the responsibility of the Director, Asset Management Services, reporting through the Chief Operating Officer.
6.5 ICT Disaster Recovery
6.5.1 The University will develop a documented process to recover and protect the University’s ICT infrastructure and records in the event of an incident.
6.5.2 The IT Disaster Recovery Plan (IT-DRP) and the University Records Disaster Recovery Plan (R-DRP) will be comprehensive statements of consistent actions that are to be taken before, during and after an event.
6.5.3 The primary objective of the DRPs is to minimise the effects on the University, including downtime and data loss, in the event that all or part of its operations and/or computer services are rendered unusable. Requirements for the DRPs will be documented in the University’s Business Continuity Management – Managerial Policy.
6.5.4 The administration of the IT Disaster Recovery component of the Enterprise Risk Management Framework is the responsibility of the Director, ICT Performance and the Director, ICT Solutions, reporting through the Chief Operating Officer.
6.5.5 The administration of the Records Disaster Recovery component of the Enterprise Risk Management Framework is the responsibility of the Director, Information Services, reporting through the Senior Deputy Vice-Chancellor.
6.6 Health, Safety and Wellbeing
6.6.1 The University recognises Health, Safety and Wellbeing (HSW) as a critical component of its Enterprise Risk Management Framework, the requirements for which are managed under the University’s Health Safety and Wellbeing - Governing Policy and administered by the Director, Human Resources reporting through the Chief Operating Officer.
6.6.2 The HSW policy and procedures will be developed in line with the Work Health and Safety Act 2011 and associated regulations.
7. Risk appetite
7.1 University Council, management and staff will have regard to the University’s stated Risk Appetite in both strategic and operational decision making. The University is expected to be able to identify and manage the risks associated with activities and opportunities in an effective manner.
7.2 Council has determined that the University of the Sunshine Coast will be a university of international standing, a driver of capacity building in the Sunshine Coast and broader region, and an unsurpassed community asset. To realise this vision the University has articulated three strategic goals and aims to be:
- a comprehensive university of 20,000 students by 2020;
- positioned in the global tertiary education community as a top-100 university under 50 years of age; and
- a primary engine of capacity building in the broader Sunshine Coast region, from Brisbane to the Fraser Coast.
7.3 The key challenges are to ensure:
a. ethical and effective governance practices including responsible stewardship of resources,
b. realisation of opportunities while allowing innovation and avoiding unnecessary bureaucracy, and
c. avoidance of a risk averse corporate culture which stifles innovation rather than supports it through the correct assessment and management of risks.
7.4 The University’s goals set out above will necessitate that the University accept those risks that accompany growth and are commensurate with the potential reward. While overall the University has limited appetite for risk in many of its activities, it is acknowledged that the University must at times undertake activities that inherently carry greater risks. To that end the University’s risk appetite will often be different at an activity level from that at a whole-of-institution level.
7.5 The University’s risk appetite is detailed in full in Appendix A: University of the Sunshine Coast Risk Appetite Statement.
| Responsibility | Role |
|---|---|
| Overarching accountability for risk management and determining the University’s risk appetite | Council |
| Oversight of the University’s risk management activities, and provision of advice on appropriate risk management related procedures and measurement methodologies throughout the University | Audit and Risk Management Committee (ARMC) |
| Liaise with management in monitoring key risks and, where appropriate, report to Council to provide assurances concerning the management of risks within the University | Audit and Risk Management Committee (ARMC) |
| Responsible for ensuring that risk management activities are carried out effectively within the University | Vice-Chancellor and President |
| Present on an annual basis, and upon request, to the ARMC an up-to-date register of the key risks for the University, i.e. the University Risk Register | Vice-Chancellor and President |
| Approve changes to the University Risk Register | Vice-Chancellor and President |
| Approve policies, procedures and/or practices manuals relating to risk management, business continuity management, incident management and IT disaster recovery | Vice-Chancellor and President |
| Responsible for compiling regular reports for the Vice-Chancellor and President to forward to the ARMC regarding risk management issues | Chief Operating Officer |
| Responsible for ensuring that risk management activities are carried out in the University in accordance with the Risk Management - Procedures | Chief Operating Officer |
| Responsible for the development of systems, policies, processes and procedures that promote effective business continuity management | Chief Operating Officer |
| Responsible for the development of systems, processes and procedures that promote effective health, safety and wellbeing management | Director, Human Resources |
| Responsible for the development of systems, processes and procedures that promote effective responses to Incidents | Director, Asset Management Services |
| Responsible for acting as the Incident Controller during an Incident, unless the role is otherwise appointed by the Vice-Chancellor and President | Director, Asset Management Services |
| Responsible for the development of systems, processes and procedures that promote effective IT Disaster Recovery | Director, ICT Performance; Director, ICT Solutions |
| Responsible for the development of systems, processes and procedures that promote effective Records Disaster Recovery | Director, Information Services |
| Responsible for developing and maintaining risk registers and reporting on risks in line with the Risk Management – Procedures | Senior Staff |
| Responsible for ensuring staff are adequately trained in risk assessment and are acquainted with relevant policies and procedures | Senior Staff |
| Responsible for examining and evaluating the adequacy, effectiveness and efficiency of risk management activities | Internal Audit |
| Diligently identify risks and report them to their supervisor, especially during periods of change to processes or operational practice | All Workers and Visitors |
| Comply with all risk treatments | All Workers and Visitors |
The University of the Sunshine Coast acknowledges the policies of, and assistance from, the following universities in the preparation of this policy and its associated procedures:
- Australian Catholic University
- Central Queensland University
- Charles Sturt University
- Queensland University of Technology
- Southern Cross University
- University of Ballarat
- University of New England
- University of Newcastle
- University of Tasmania
Appendix A - University of the Sunshine Coast Risk Appetite Statement (PDF)