Risk Management - Governing Policy | UniSC | University of the Sunshine Coast, Queensland, Australia


Approval authority:
Responsible Executive member: Vice-Chancellor and President
Designated officer: Director, Governance and Risk Management
First approved: 14 October 2008
Last amended: 30 October 2023
Review date: 30 October 2024
Related documents:
Linked documents:
Superseded documents:
  • Risk Management Framework - Governing Policy
  • Enterprise Risk Management and Resilience - Governing Policy
Related legislation / standards:
  • University of the Sunshine Coast Act 1998 (Qld)
  • Financial Accountability Act 2009 (Qld)
  • Work Health & Safety Act 2011 (Qld)
  • Building Fire Safety Regs 2008

1. Purpose of policy

1.1 The purpose of this policy is to provide a framework for the management of risks associated with all University activities.

1.2 Under the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld), Council is required to efficiently, effectively and economically manage and control the University’s operations and must establish and maintain appropriate systems of internal control and risk management.

1.3 This policy must be read in conjunction with the linked Risk Management - Procedures.

2. Policy scope and application

2.1 This policy applies to all staff, contractors/consultants and members of the University’s decision-making or advisory bodies.

2.2 This policy is consistent with the International Standard ISO 31000:2018 (Risk Management - Guidelines).

3. Definitions

Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to the effectiveness of it:

Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.

Risk Appetite conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan.

Risk Appetite Framework is the overall approach, including policies, processes, controls and systems through which appetite is established, communicated and monitored.

Risk Management refers to the set of coordinated activities to direct and control an organisation regarding risk.

Risk Management Framework is the totality of systems, structures, policies, processes and people that identify, measure, monitor and mitigate risk.

Risk Management Strategy is the strategy for managing risk and the key elements of the Risk Management Framework that give effect to this Strategy.

Likelihood measures the expected frequency of a risk occurring. Typically, it is a subjective judgement based on past experience and the insights of persons familiar with the activity.

Consequence measures the expected level of impact on the University and its objectives, should the risk occur.

Risk Owner is an individual within the University with primary responsibility for managing a particular risk.

Risk Event is an occurrence or change of particular circumstances.

Control is a measure that maintains, modifies or mitigates a risk.

Risk Source is an element which, alone or in combination, has the potential to give rise to risk.

4. Risk management objectives

4.1 The University is committed to a Risk Management Framework which:

(a) enables a strong risk culture and management function, overseen by Council, and undertaken by staff across the University in all operations and activities; and

(b) is practical, and clearly articulates the University’s risk appetite, to enable staff to make strategic decisions in the achievement of the University’s Strategic Plan.

5. Policy statement

5.1 The Council and the Executive Committee are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the University. This is fundamental to achieving the University’s strategic and operational objectives.

5.2 In its application of this policy, the University is committed to:

(a) achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;

(b) protecting and enhancing the University’s reputation;

(c) behaving in a responsible and ethical manner, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;

(d) establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;

(e) recognising and exploiting opportunities; and

(f) establishing resilience and increased efficiency in relation to risk management.

5.3 All staff are required to be responsible and accountable for managing risk. Sound risk management principles and practices must become part of the normal management strategy for all organisational units within the University.

6. Principles

6.1 Overview of the Enterprise Risk Management Framework

6.1.1 The Council approves the University’s Enterprise Risk Management Framework.

6.1.2 The University’s Enterprise Risk Management Framework must be consistent with the Risk Management Standard, ISO 31000:2018 (Risk Management - Guidelines).

6.1.3 The University’s Enterprise Risk Management Framework is outlined below:

Diagram 1 – Enterprise Risk Management Framework

6.1.4 The Enterprise Risk Management Framework recognises that risk management is an integral part of all University processes.

6.1.5 Underpinning the Enterprise Risk Management Framework are policies, procedures, manuals and processes that act as significant mitigation strategies for the University’s key risks.

6.1.6 The administration of the Enterprise Risk Management Framework is the responsibility of the Director, Governance and Risk Management.

6.2 Key components of the Enterprise Risk Management Framework

6.2.1 Governance and culture - the University’s governance structures support strong risk management practices. Risk governance and the risk management roles and responsibilities are outlined in the University’s Risk Management Strategy (RMS). The RMS is reviewed and updated on an annual basis.

6.2.2 Risk appetite – the University’s Risk Appetite Statement conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan. Risk appetite is reviewed annually with the process for establishing and reporting on risk appetite outlined in the Risk Appetite Framework. The University’s risk appetite is established by the Council and is set out in Appendix A.

6.2.3 Policy documents – the University maintains policies and procedures for managing risk. These policies and procedures are maintained in the Policy Repository and current versions are displayed on the Policies and Procedures Library within the UniSC website. The policies and procedures cover all areas of the University.

6.2.4 Risk assessment – the University’s risk assessment process involves risk identification, risk analysis, risk evaluation and risk treatment. The processes to support risk assessment are outlined in the Risk Management - Procedures, which include the Risk Rating Tables used to assess the likelihood and consequence of a risk occurring.

6.2.5 Risk reporting – risk reporting occurs at least quarterly to the Executive Committee and the Audit and Risk Management Committee.

6.2.6 The University maintains appropriate Management Information Systems to enable the effective management of risks.

7. Authorities/Responsibilities

University Officer/s and their responsibilities:

Council
  • Overarching accountability for risk management and determining the University’s risk appetite

Audit and Risk Management Committee (ARMC)
  • Oversight of the University’s risk management activities, including tone from the top and application of risk appetite across the University
  • Oversee, with management, the monitoring of key risks and, where appropriate, report to Council to provide assurances concerning the management of risks within the University

Academic Board
  • Responsibility for the oversight and monitoring specifically of academic risks

Vice-Chancellor and President
  • Responsibility for ensuring that risk management activities are carried out effectively within the University and for promoting a culture that encourages strong risk management

Director, Governance and Risk Management
  • Responsible to the Vice-Chancellor and President for overseeing implementation of the Risk Management Framework across the University and for ongoing risk reporting to ARMC

Senior Staff
  • Responsibility for the development and maintenance of risk registers, and for reporting and escalating risks in line with the Risk Management – Procedures
  • Responsibility for ensuring staff are adequately trained in risk assessment and are acquainted with relevant policies and procedures

Internal Audit
  • Responsibility for examining and evaluating the adequacy, effectiveness and efficiency of risk management activities

All Staff
  • Diligently identify and assess risks, and implement mitigating actions to reduce the risk where required

Appendix A – Risk Appetite Statement (PDF)