1. Purpose of policy
The purpose of this Policy is to provide the structural framework to effectively manage the risks involved in all University activities in order to maximise opportunities and minimise adversity and to achieve improved University outcomes and outputs based on informed decision making and organisational resilience.
2. Application of policy
This policy applies to all workers of, and visitors to, the University including staff, students and members of University decision-making or advisory bodies, including the University Council and its Committees.
3. Regulatory background
3.1 Under the University of the Sunshine Coast Act 1998 and the Financial Accountability Act 2009, Council is required to efficiently, effectively and economically manage and control the University’s operations and must establish and maintain appropriate systems of internal control and risk management.
4. Definitions
Please refer to the University’s Glossary of Terms for policies and procedures. The terms and definitions identified below are specific to this policy and are critical to its effectiveness:
Business Continuity means maintaining the uninterrupted availability of all key business resources required to support essential University functions.
Business Continuity Management (BCM) means that part of risk management that establishes cost-effective treatments should an outage occur that would interrupt essential University functions. The primary output of BCM is a Business Continuity Plan that comprises many elements which, collectively, define the approach to deal with a break in business continuity, and which prescribes the steps an organisation should take to recover lost business functions.
Cost Centre Risk Register means the register that records information about the operational risks faced by individual cost centres and relevant controls being put in place to mitigate against them.
Incident Management means systems and processes that provide for an organisational structure capable of responding to all levels of emergency from simple to complex.
Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.
Risk Appetite means the amount of risk the University is willing to accept in pursuit of stakeholder value.
Risk Management refers to the culture, processes and structures developed to effectively manage potential opportunities and adverse effects for any activity, function or process undertaken by the University. The process of managing risk is achieved through the systematic application of policies, procedures and practices to establish the context, identify, analyse, evaluate, treat, monitor and communicate risk.
University Risk Register means the register that records information about the corporate risks faced by the University and relevant controls being put in place to mitigate against them. The University Risk Register will aggregate information from Cost Centre Risk Registers.
Visitor means any person who visits the University and is not classified as a worker of the University. Visitors to the University may include, but are not limited to: students, family and friends of staff and students, users of University facilities, attendees at conferences and functions, and tenants.
Worker means any person who carries out work for the University. Workers may include, but are not limited to: staff, volunteers, visiting and honorary fellows, work experience students, contractors, sub-contractors and staff of a contractor or sub-contractor.
5. Policy statement
5.1 The Council and Management of the University are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the University as fundamental to achieving the University’s strategic and operational objectives.
5.2 In its application of this policy, the University of the Sunshine Coast is committed to:
- achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;
- protecting and enhancing the University’s reputation;
- behaving as a responsible and ethical corporate citizen, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
- establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;
- recognising and exploiting opportunities; and
- establishing resilience and increased efficiency in relation to risk management.
5.3 The University considers health, safety and wellbeing management, business continuity and incident management and IT disaster recovery as crucial components of its Enterprise Risk Management Framework.
5.4 All staff are required to be responsible and accountable for managing risk, in so far as is reasonably practicable within their area of responsibility. Sound risk management principles and practices must become part of the normal management strategy for all organisational units within the University.
6. Enterprise Risk Management Framework
6.1 General outline
6.1.1 The University’s approach to Enterprise Risk Management (ERM) is based on a holistic, enterprise-wide model that seeks to articulate the main components, responsibilities and relationships of the University’s key risk management controls in order to develop organisational resilience and achieve effective governance and assurance. This is detailed in the Enterprise Risk Management Framework (the Framework), as illustrated in Diagram 1 below.
Diagram 1 – Enterprise Risk Management Framework
6.1.2 The Framework recognises that risk management is an integral part of all University processes. It is embedded in all elements of the University’s core business, and is not a standalone activity.
6.1.3 The Framework identifies four levels of key risk management arrangements at the University:
a. Council has the overall fiduciary accountability to establish and maintain an appropriate risk management framework, with oversight provided by the Audit and Risk Management Committee;
b. Vice-Chancellor and President is accountable to Council for implementation of the Framework;
c. Senior management is responsible for developing and administering programs and systems to address key components of the Framework; and
d. All management and staff have a responsibility to be “risk aware”, to: comply with risk management processes and practices; cooperate with designated University risk management specialists; and identify, assess, manage and report risks and opportunities in day-to-day processes.
6.1.4 Underpinning the Framework are various plans, policies and processes that act as significant mitigation strategies for some of the University’s key risks.
6.1.5 The Framework also identifies five key components that are critical to the successful implementation of ERM at the University. These are risk management, health, safety and wellbeing management, business continuity management, incident management and IT disaster recovery. The relationship and timing of activation of these components are further illustrated in Diagram 2 below.
Diagram 2 – Relationship of risk management components
6.1.6 The key components of the Enterprise Risk Management Framework are as follows:
6.2 Risk Management Program
6.2.1 All organisations face a variety of risks. These may be sourced externally, and therefore largely out of the immediate control of the organisation, or internally. Internal risks arise both at the strategic (organisation-wide) level and at the operational (business process) level. The University will maintain processes and procedures to provide a systematic view of the risk faced in the course of its academic, administrative and business activities.
6.2.2 These processes and procedures will be consistent with the Australian/New Zealand Standard ISO 31000:2009 – Risk management – Principles and guidelines, and will be documented in the University’s Risk Management Program - Procedures.
6.2.3 The processes described in the risk management procedures are to be applied in all the University’s activities to ensure that risks associated with the University’s strategic and operational objectives are identified and effectively integrated into the University’s annual planning process. Reviews of controls and mitigating strategies that link with University plan objectives will be demonstrated in Cost Centre Risk Registers.
6.2.4 The administration of the Risk Management Program component of the Enterprise Risk Management Framework is the responsibility of the Chief Operating Officer.
6.3 Business Continuity Management
6.3.1 The University will develop a documented process that provides for events which might threaten the on-going operations of critical functions of the University.
6.3.2 These processes and procedures will be consistent with the Australian/New Zealand Standard 5050:2010 – Business continuity – Managing disruption-related risk, and will be documented in the University’s Business Continuity Management - Procedures.
6.3.3 This procedure will enable key management staff to plan and manage both the immediate and longer-term consequences of incidents that impact on Cost Centres and the University.
6.3.4 The administration of the Business Continuity Management component of the Enterprise Risk Management Framework is the responsibility of the Chief Operating Officer.
6.4 Incident Management
6.4.1 The University will develop and implement systems and processes for appropriate, effective and speedy responses to, and management of, incidents.
6.4.2 These systems and processes will form part of the University’s Protection, Resilience and Sustainability System and will be developed in line with: the Australian Standard 3745-2010: Planning for emergencies in facilities; the Building Fire Safety Regulation 2008; and the Work Health and Safety Act 2011.
6.4.3 The University will aim for best practice in incident management responses and procedures, requirements for which will be documented in the University’s Critical Incident Management - Procedures.
6.4.4 The administration of the Incident Management component of the Enterprise Risk Management Framework is the responsibility of the Director, Asset Management Services, reporting through the Chief Operating Officer.
6.5 IT Disaster Recovery
6.5.1 The University will develop a documented process to recover and protect the University’s IT infrastructure in the event of an incident.
6.5.2 The IT Disaster Recovery Plan (IT-DRP) will be a comprehensive statement of consistent actions that are to be taken before, during and after an event.
6.5.3 The primary objective of the IT-DRP is to minimise the effects on the University including downtime and data loss, in the event that all or part of its operations and/or computer services are rendered unusable. Requirements for the IT-DRP will be documented in the University’s Business Continuity Management Procedures.
6.5.4 The administration of the IT Disaster Recovery component of the Enterprise Risk Management Framework is the responsibility of the Director, Information Technology Services reporting through the Chief Operating Officer.
6.6 Health, Safety and Wellbeing
6.6.1 The University recognises Health, Safety and Wellbeing (HSW) as a critical component of its Enterprise Risk Management Framework, the requirements for which are managed under the University’s Health Safety and Wellbeing - Governing Policy and administered by the Director, Human Resources reporting through the Chief Operating Officer.
6.6.2 The HSW policy and procedures will be developed in line with the Work Health and Safety Act 2011 and associated regulations.
7. Risk appetite
7.1 University Council, management and staff will have regard to the University’s stated Risk Appetite in both strategic and operational decision making. The University is expected to be able to identify and manage the risks associated with activities and opportunities in an effective manner.
7.2 Council has determined that the University of the Sunshine Coast will be a regionally relevant institution focused on excellence and valuing innovation while undertaking significant expansion; this necessitates that it maintains a relatively low risk profile.
7.3 The key challenges are to:
a. ensure ethical and effective governance practices, including responsible stewardship of resources; and
b. realise opportunities while allowing innovation and avoiding unnecessary bureaucracy, and avoid the creation of a risk-averse corporate culture through correct assessment and management of risks.
7.4 To achieve its objectives it is acknowledged that the University must at times undertake activities that carry significant risks. To that end the University’s risk appetite will often be different at an activity level from that at a whole-of-institution level.
7.5 The University’s whole-of-institution appetite for risk in the following areas is:
a. Human resources, health, safety and environment
The University’s appetite for risks related to management of human resources, health, safety and the environment is limited - it puts the wellbeing of people and the environment above all other considerations.
b. Reputation, quality, integrity, stakeholder and student responsibilities
The University’s appetite for risks affecting its academic quality and integrity, students, stakeholders and reputation is limited - it will not compromise its reputation and values by either short term or long term expediency.
c. Physical and electronic resources, infrastructure and business disruption
The University’s risk appetite is limited with respect to the operation of key university systems and services. These systems are understood to underpin the ongoing delivery of critical services to a scale, scope and quality necessary for the University to compete in a rapidly changing environment.
d. Strategic, financial viability and safeguards
The University’s appetite for financial and strategic risk is modest - it recognises its financial viability as being critical to its future. Financial viability risks and rewards are to be weighed against both short and long term strategic and operational priorities.
e. Provider standing, corporate and academic governance issues
Within these risk categories, the University’s risk appetite is limited. As a good corporate citizen, the University seeks to comply with relevant statutory requirements and contractual obligations to the best of its endeavours. This statement is made with the understanding that the seriousness of particular compliance requirements may vary depending upon the relationship of the requirement with the risk areas listed above. The University will look to satisfy compliance requirements in the simplest and most effective way possible.
| Responsibility | Role |
|---|---|
| Overarching accountability for risk management and determining the University’s risk appetite | Council |
| Oversight of the University’s risk management activities, and provision of advice on appropriate risk management related procedures and measurement methodologies throughout the University | Audit and Risk Management Committee (ARMC) |
| Liaise with management in monitoring key risks and, where appropriate, report to Council to provide assurances concerning the management of risks within the University | Audit and Risk Management Committee (ARMC) |
| Responsible for ensuring that risk management activities are carried out effectively within the University | Vice-Chancellor and President |
| Present on an annual basis, and upon request, to the ARMC an up-to-date register of the key risks for the University, i.e. the University Risk Register | Vice-Chancellor and President |
| Approve changes to the University Risk Register | Vice-Chancellor and President |
| Approve policies and/or procedures relating to risk management, business continuity management, incident management and IT disaster recovery | Vice-Chancellor and President |
| Responsible for compiling regular reports for the Vice-Chancellor and President to forward to the ARMC regarding risk management issues | Chief Operating Officer |
| Responsible for ensuring that risk management activities are carried out in the University in accordance with the Risk Management - Procedures | Chief Operating Officer |
| Responsible for the development of systems, policies, processes and procedures that promote effective business continuity management | Chief Operating Officer |
| Responsible for the development of systems, processes and procedures that promote effective health, safety and wellbeing management | Director, Human Resources |
| Responsible for the development of systems, processes and procedures that promote effective responses to Critical Incidents | Director, Asset Management Services |
| Responsible for acting as the Incident Director during an Incident, unless the role is otherwise appointed by the Vice-Chancellor and President | Director, Asset Management Services |
| Responsible for the development of systems, processes and procedures that promote effective IT Disaster Recovery | Director, Information Technology Services |
| Responsible for developing and maintaining risk registers and reporting on risks in line with the Risk Management – Procedures | Cost Centre Managers |
| Responsible for ensuring staff are adequately trained in risk assessment and are acquainted with relevant policies and procedures | Cost Centre Managers |
| Responsible for examining and evaluating the adequacy, effectiveness and efficiency of risk management activities | Internal Audit |
| Diligently identify risks and report them to their supervisor, especially during periods of change to processes or operational practice | All workers and visitors |
| Comply with all risk treatments | All workers and visitors |
The University of the Sunshine Coast acknowledges policies and assistance from the following universities in the preparation of this policy and its associated procedures:
Australian Catholic University
Central Queensland University
Charles Sturt University
Queensland University of Technology
Southern Cross University
University of Ballarat
University of New England
University of Newcastle
University of Tasmania