1. Purpose of procedures
1.1 In accordance with the Enterprise Risk Management Framework – Governing Policy, these procedures describe the University’s standard process for risk management, including:
- Risk identification
- Risk analysis
- Risk evaluation
- Risk mitigation and control (including risk treatment)
1.2 A standard approach to risk management allows risks to be correctly prioritised across all of the University’s operations, which in turns means that effective controls can be put in place to ensure the University is able to manage its operations effectively now and into the future.
1.3 The procedure applies to all activities undertaken in the course of university business, whether on university campuses or other locations.
2. Scope and application
2.1 These procedures applies to all staff and members of the University decision-making or advisory bodies.
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to these procedures and are critical to its effectiveness:
Risk management: refers to the set of coordinated activities to direct and control an organisation with regard to risk.
Risk: is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.
Likelihood: Likelihood measures the expected frequency of a risk occurring. Typically, a subjective judgement based on past experience and the insights of persons familiar with the activity.
Consequence: Consequence measures the expected level of impact on the University and its objectives, should the risk occur.
Risk owner: Risk owners are individuals within the University with primary responsibility for managing a particular risk.
4.1 In accordance with the University’s Enterprise Risk Management – Governing Policy and adapted from the standard ISO 31000: 2018 Risk Management – Guidelines, the following principles have been identified:
(a) Risk management is an integral part of all organisational activities
Risk management applies to all areas of University activity and as such is an integral part of the University’s organisational processes including strategic planning, operational planning, project management and change management. It is to inform decision making and is the responsibility of everyone within their work activity.
(b) A structured and comprehensive approach to risk management contributes to consistent and comparable results
The approach to risk management across the University is consistent. All areas of the University are required to identify and assess risks and identify controls using consistent processes with reference to the University Risk Tables.
(c) The risk management framework and processes are customised and proportionate to the organisation’s external and internal context related to its objectives.
Risk management is tailored to the University. The tools and processes for managing risks are aligned with the strategic and business planning process and are reviewed on a regular basis. The risk management framework is dynamic, such as when there are changes internally or to the external environment, the risk management framework is updated to reflect these changes.
(d) Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
The University takes a collaborative approach to risk management. Risks and controls are discussed with each area, the risk profile is circulated for feedback and at the Risk Management Committees and forums, there is open dialogue on risk management, including emerging risk issues.
(e) Risks can emerge, change or disappear as an organisation’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
The University’s approach to risk management is dynamic. When changes occur, these are considered as part of the updates to the risk profiles, the Risk Management Strategy, and the policy, processes and procedures supporting risk management.
(f) The inputs to risk management are based on historical and current information, as well as on future expectations.
Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
The University’s risk management practices are forward looking and include both leading and lagging indicators of risk.
(g) Human behaviour and culture significantly influence all aspects of risk management at each level and stage
The University aims to promote a culture which encourages strong risk management. This is reinforced through the University’s risk appetite and by training and communications.
(h) Risk management is continually improved
The University’s Risk Management is continually improved to reflect best practice.
5. Risk management process
5.1 Process Overview
5.1.1 The Enterprise Risk Management - Governing Policy identifies that the risk management process and procedures will be consistent with ISO 31000:2018 Risk Management – Guidelines. The table below is adopted from this standard.
Figure 1: ISO 31000:2018 risk management process
5.2 Scope, Context, Criteria
5.2.1 By establishing the scope, context and criteria, the University will be able to articulate its objectives and define the external and internal parameters to be considered when managing risk, as well as set the scope and risk criteria for the remaining process.
5.3 Risk Identification
5.3.1 Risk identification requires reasonably foreseeable risks that have the potential to have a meaningful impact on the University to be identified. A risk is any event or action that has an uncertain effect that may impact on the University’s objectives. Risks arise as much from the possibility that opportunities will not be realised as they do from the possibility that threats will materialise, errors be made, or damage/injury occur.
5.3.2 Within the University, risk identification occurs at various levels:
(a) Strategic risk identification: Strategic risks are identified as part of the strategic planning process. They are documented in the University’s Strategic Risk Register. Identification at this level is aimed to inform strategic decision making to allow the University to improve outcomes while minimising adverse impacts on the University’s goals and objectives.
(b) Enterprise risk identification: Enterprise risks are identified on an ongoing basis and are documented in the Enterprise Risk Register (note that enterprise risks are sometimes referred to as the ‘corporate risks’ of the university).
(c) Departmental/School risk identification: Risks associated with Departments and Schools are identified on an ongoing basis and are required to be documented in the Departmental/School Risk Registers. These risks are the risks at the operational levels of the University. Risk registers are reviewed on a quarterly basis to ensure that the identification and treatment of risks is managed on a timely basis.
(d) Project risk identification: These risks are generally associated with significant change or project activity and are normally identified at the commencement of the new activity or project and updated over the life of the project. Project Managers are responsible for documenting these risks within project risk registers, with mitigating actions in place to manage the project risks. When operationalised, any remaining residual risks should be incorporated into the appropriate Department / School Risk Registers.
(e) Ad-hoc or activity-based risk identification: Risks can be identified by staff during their normal University work. A risk assessment is required to be undertaken for all relevant university activities. This risk assessment is completed by the relevant area undertaking the activity.
5.3.3 All identified risks are to be entered in the relevant Risk Register or completed as part of a risk assessment. Risks are owned by each relevant area. As a minimum, the following information must be included:
(a) the description of the risk;
(b) the causes and implications of the risk; and
(c) the assigned risk owner.
5.3.4 In addition, the following information if known, is to be included:
(a) details of the existing controls in place to manage the risk;
(b) the inherent risk rating determined from the assessment of the potential consequences and likelihood for the risk;
(c) details of any proposed controls, including a due date for implementation; and
(d) the residual risk rating after consideration of the controls in place.
5.4.1 Risk analysis involves developing an understanding of the risk and provides an input to risk evaluation and to decisions on whether risks need to be treated, and if so, on the most appropriate risk treatment methods. This analysis can also provide input into the options to address risks and inform the decision making required across different types and levels of risk.
5.4.2 Risk analysis should seek to identify potential causes and sources of risk in order to analyse their consequence and the likelihood that the consequence will occur.
All risks within the University are assessed using a common scale that considers:
(a) the potential consequences if the risk were to occur; and
(b) the likelihood of the University being impacted in that way.
5.4.3 The consequence and likelihood are then used to rank the risk in accordance with the following four categories:
5.4.4 This analysis which is undertaken based on the existing status of the risk, with consideration of the controls that may already be in place, identifies the inherent risk (i.e. the risk prior to the implementation of any controls) and the residual risk (the risk rating after the application of controls in the below sections). This common approach to risk rating is necessary to ensure that the most significant risks to the University can be readily identified and prioritised in a way that has the greatest overall benefit to the University.
5.5 Risk Evaluation
5.5.1 The purpose of risk evaluation is to assist in making decisions, based on the outcome of risk analysis, about which risks need treatment and the priority for treatment implementation.
5.5.2 Decisions should take account of the wider context of the risk and include consideration of the University’s risk appetite and tolerances across categories of University activity as well as the actual and perceived consequences to external and internal stakeholders. Legal, regulatory and other requirements may also impact on the evaluation.
5.5.3 The rating of a risk, together with the categories of University activity and the related risk appetite as identified within the USC Risk Appetite Statement, are used to determine:
(a) the urgency with which action should be undertaken;
(b) the nature of the action that is required;
(c) the reporting requirements for the risk; and
(d) how the risk is to be monitored
5.5.4 That is, this risk evaluation identifies risks where the inherent risk is greater than risk tolerances and therefore also identifies where risk treatment is required to further manage the risk.
5.6 Risk Treatment
5.6.1 Controls and mitigating actions are required for all risks. Where risk treatment is required, it involves selecting one or more options for modifying the risk and implementing those options. Risk treatment is required when the residual risks remain unacceptably high, or where there is a desire to bring this risk down, with regard to the University’s risk appetite. Once implemented, treatments provide or modify the controls.
5.6.2 Risk treatment involves an iterative process of:
(a) formulating and selecting risk treatment options;
(b) planning and implementing risk treatment;
(c) assessing the effectiveness of that treatment;
(d) deciding whether the remaining risk is acceptable; and
(e) if not acceptable, taking further treatment.
5.6.3 Risk treatment options are not necessarily mutually exclusive. Nor may they be appropriate in all circumstances when due consideration is given of the current risk appetite. The purpose of this step is to put in place one or more options (controls) to reduce the level of residual risk to a level that is considered acceptable by the University.
5.6.4 Selection of the most appropriate treatment option(s) involves balancing the potential benefits derived in relation to the achievement of the objectives against costs, effort or disadvantages of implementation.
5.6.5 Treatment options include:
Avoid the risk: by deciding not to proceed or continue with the activity or choosing an alternative approach to achieve the same outcome. The aim is risk management, not aversion.
Mitigate: Reduce the likelihood by improving management controls and procedures. Reduce the consequence by putting in place strategies to minimise adverse consequences.
Transfer the risk: Shifting responsibility for a risk to another party by contract or insurance. It can be transferred as a whole or shared.
Accept the risk: Controls are deemed appropriate. These must be monitored and contingency plans developed where appropriate.
5.6.6 A common approach to risk rating is necessary to ensure that the highest rated risks to the University can readily be identified and management of risks can be prioritised in a way that has the greatest overall benefit to the University. Further guidance on risk rating including assigning a consequence and likelihood can be obtained within the Risk Tables.
6. Recording and Reporting
6.1 The risk management process and its outcomes are reported to the USC Executive and the Audit and Risk Management Committee. Outcomes are also made available to staff where appropriate. This assists with decision making, improving risk management and transparency and the monitoring of risks against the University’s stated risk appetite.