Enterprise Risk Management - Governing Policy - University of the Sunshine Coast, Queensland, Australia

Accessibility links

Enterprise Risk Management - Governing Policy

Download PDF
Approval authority
Responsible officer
Vice-Chancellor and President
Designated officer
Director, Governance and Risk Management
First approved
14 October 2008
Last amended
6 February 2020
Review date
25 September 2020
Related documents
Audit and Assurance Framework - Governing Policy
Compliance Management Framework - Governing Policy
Critical Incident Management - Governing Policy
Fraud and Corruption Control - Governing Policy
Governance Framework - Governing Policy
Health, Safety and Wellbeing - Governing Policy
Risk Management - Procedures
Linked documents
Risk Management - Procedures
Superseded documents
Risk Management Framework - Governing Policy|Enterprise Risk Management and Resilience - Governing Policy
Related legislation / standards
Work Health & Safety Act 2011
University of the Sunshine Coast Act 1998
Financial Accountability Act 2009 (Qld)
Building Fire Safety Regs 2008

1. Purpose of policy

The purpose of this Policy is to provide a framework for the management of risks associated with all university activities.

Under the University of the Sunshine Coast Act 1998 and the Financial Accountability Act 2009, Council is required to efficiently, effectively and economically manage and control the University’s operations and must establish and maintain appropriate systems of internal control and risk management.

2. Policy scope and application

This policy applies to all staff and members of the University decision-making or advisory bodies.

This policy is consistent with the International Standard ISO 31000:2018: Risk Management Guidelines.

3. Definitions

Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to the effectiveness of it:

Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.

Risk Appetite conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan.

Risk Appetite Framework The overall approach, including policies, processes, controls and systems through which appetite is established, communicated and monitored.

Risk Management refers to the set of coordinated activities to direct and control an organisation with regard to risk.

Risk Management Framework is the totality of systems, structures, policies, processes and people that identify, measure, monitor and mitigate risk.

Risk Management Strategy the strategy for managing risk and the key elements of the risk management framework that give effect to this strategy.

4. Policy statement

4.1 The Council and the University Executive are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the University. This is fundamental to achieving the University’s strategic and operational objectives.

4.2 In its application of this policy, the University of the Sunshine Coast is committed to:

  • achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;
  • protecting and enhancing the University’s reputation;
  • behaving in a responsible and ethical manner, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
  • establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;
  • recognition and exploitation of opportunities; and
  • establishing resilience and increased efficiency in relation to risk management.

4.3 All staff are required to be responsible and accountable for managing risk. Sound risk management principles and practices must become part of the normal management strategy for all organisational units within the University.

5. Enterprise Risk Management Framework

5.1 Overview of the Enterprise Risk Management Framework

5.1.1 The University Council approves the University’s Enterprise Risk Management Framework.

5.1.2 The University’s Enterprise Risk Management Framework must be consistent with the Risk Management Standard, ISO 31000:2018 (Risk Management - Guidelines).

5.1.3 The University’s Enterprise Risk Management Framework is outlined below:

Diagram 1 – Enterprise Risk Management Framework

5.1.4 The Enterprise Risk Management Framework recognises that risk management is an integral part of all University processes.

5.1.5 Underpinning the Enterprise Risk Management Framework are policies, procedures, manuals and processes that act as significant mitigation strategies for the University’s key risks.

5.1.6 The administration of the Enterprise Risk Management Framework is the responsibility of the Director, Governance and Risk Management.

5.2 Key components of the Enterprise Risk Management Framework

5.2.1 Governance and culture - the University’s governance structures support strong risk management practices. Risk governance and the risk management roles and responsibilities are outlined in the University’s Risk Management Strategy (RMS). The RMS is reviewed and updated on an annual basis.

5.2.2 Risk appetite – the University’s Risk Appetite Statement conveys the degree of risk USC is prepared to accept in pursuit of its business objectives and strategic plan. Risk appetite is reviewed annually with the process for establishing and reporting on risk appetite outlined in the Risk Appetite Framework. The University’s risk appetite is established by the University Council and is set out in Appendix A.

5.2.3 Policies and procedures – the University maintains policies and procedures for managing risk. These policies and procedures are maintained on the Policies and Procedures Library on the USC website. The policies and procedures cover all areas of the University.

5.2.4 Risk assessment – The University’s risk assessment process involves risk identification, risk analysis, risk evaluation and risk treatment. The processes to support risk assessment are outlined in the Risk Management Procedures which includes the Risk Rating Tables to assess the likelihood and consequence of a risk occurring.

5.2.5 Risk reporting – Risk reporting occurs at least quarterly to the University Executive and Audit and Risk Management Committee.

5.2.6 The University maintains appropriate Management Information Systems to enable the effective management of risks.

6. Authorities/Responsibilities

Activity University Officer/s
Overarching accountability for risk management and determining the University’s risk appetite Council
Oversight of the University’s risk management activities Audit and Risk Management Committee (ARMC)
Responsibility for the oversight and monitoring specifically of academic risks Academic Board
Liaise with management in monitoring key risks and, where appropriate, report to Council to provide assurances concerning the management of risks within the University Audit and Risk Management Committee (ARMC)
Responsible for ensuring that risk management activities are carried out effectively within the University and for promoting a culture that encourages strong risk management Vice-Chancellor and President
Responsible and accountable to the Vice-Chancellor and President to oversee implementation of the Risk Management Framework across the University and ongoing risk reporting to ARMC. Director, Governance and Risk Management
Responsible to develop and maintain risk registers and report on risks in line with the Risk Management – Procedures Senior Staff
Responsible to ensure staff are adequately trained in risk assessment and are acquainted with relevant policies and procedures Senior Staff
Responsible for examining and evaluating the adequacy, effectiveness and efficiency of risk management activities Internal Audit
Diligently identify, assess risks and implement mitigating actions to reduce the risk where required. All Staff

Appendix A Risk Appetite Statement (PDF)