Risk Management - Procedures | UniSC | University of the Sunshine Coast, Queensland, Australia

Risk Management - Procedures

Approval authority: Vice-Chancellor and President
Responsible Executive member: Vice-Chancellor and President
Designated officer: Director, Governance and Risk Management
First approved: 27 April 2006
Last amended: 26 September 2025
Review date: 26 September 2026
Status: Active
Related legislation / standards
  • Higher Education Support Act 2003 (Cth)
  • Education Services for Overseas Students (ESOS) Act 2000 (Cth)
  • Tertiary Education Quality and Standards Agency (TEQSA) Act 2011 (Cth)
  • Statutory Bodies Financial Arrangements Act 1982 (Qld)
  • Work Health & Safety Act 2011 (Qld)
  • Higher Education Standards Framework (Threshold Standards) 2021 (Cth)
  • Financial and Performance Management Standard 2019 (Qld)
  • AS ISO 37301: 2023 Compliance Management Systems
  • Financial Accountability Handbook

1. Purpose

1.1 These procedures support the operationalisation of the University Risk and Compliance Management – Governing Policy by outlining the University’s standard approach to identifying and managing risk across all activities.

1.2 These procedures describe the following risk management and control self-assessment processes:

(a) Risk

(i) establishing context

(ii) identifying

(iii) analysing

(iv) evaluating

(v) treating (including avoidance, mitigation, transfer and acceptance)

(b) Control

(i) identifying

(ii) assessing

1.3 These procedures must be read in conjunction with the University Risk and Compliance Management – Governing Policy and related supporting documents.

2. Scope and application

2.1 These procedures apply to all staff, students, contractors or consultants, strategic partners, third-party service providers, controlled entities, and members of the University governance, decision-making or advisory bodies.

2.2 Risk management is a shared responsibility across the University community. All staff, students and third parties must follow the relevant policies for the operations and activities in which they are involved.

2.3 These procedures apply to all risks across the University and its activities, including those related to controlled entities. They reflect the University’s commitment to effective and efficient risk and compliance management.

3. Definitions

3.1 Refer to the University’s Glossary of Terms for definitions as they specifically relate to policy documents.

Agreement Manager refers to an individual nominated by the Agreement Owner who is responsible for managing a contract across its lifecycle, including negotiation, monitoring, compliance, and reporting.

Agreement Owner refers to an individual who is responsible for appointing an Agreement Manager and holds overall accountability for the business need, outcomes, and performance of the contract.

Assurance means the degree of confidence or certainty that the University's risk and compliance management processes and controls are adequate and operating effectively.

Cause refers to a factor or condition that leads to the possibility of a risk occurring.

Consequence measures the expected level of impact on the University and its objectives, should the risk occur.

Control means any measure or mechanism that is put in place to reduce the consequence and/or likelihood of identified risks and to manage compliance. The establishment of controls within business processes provides protection, and their effectiveness strengthens the ability to manage and mitigate the associated risks and compliance obligations.

Control Owner is an individual within the University with primary responsibility for managing a particular business process or control that is put in place to reduce the consequence and/or likelihood of identified risks. In most cases the Risk Owner and Control Owner will be different staff members, but in some cases, they may be the same.

Incident is an event or occurrence that interrupts normal operations or causes a deviation from expected outcomes and often requires investigation and corrective actions to prevent recurrence.

Inherent Risk means the risk that exists before any controls or mitigations are implemented.

Likelihood measures the expected frequency of a risk occurring. Typically, it is a subjective judgement based on past experience and the insights of persons familiar with the activity.

Residual Risk means the risk remaining after application of mitigations, controls and treatment plans.

Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.

Risk Appetite conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan.

Risk Event is an occurrence or change of particular circumstances affecting risks.

Risk Management refers to the set of coordinated activities to direct and control an organisation regarding the identification, mitigation and management of risk.

Risk and Compliance Management Framework is the totality of systems, structures, policies, processes and people that identify, measure, monitor and mitigate risk and ensure compliance with regulatory, legislative and contractual obligations.

Risk Management System is the set of interrelated or interacting elements of an organisation that establish policies and objectives and processes to achieve those objectives consistent with Australian Standard AS ISO 31000:2018: Risk Management Guidelines.

Risk Owner is an individual within the University with primary responsibility for managing a particular risk.

Risk Treatment Plan is a strategic approach used to manage and mitigate risks within a Cost Centre’s operations or a project for risks which are currently assessed as being outside of appetite or for new and emerging risks.

4. Risk and Compliance Management Framework

4.1 The Risk and Compliance Management Framework (Diagram 1) provides a consistent approach to help identify and manage risks across all University activities.

Diagram 1 – Risk and Compliance Management Framework

4.2 The Framework is supported by the Risk and Compliance Management Operating Model (Diagram 2). The Operating Model shows how roles and responsibilities are embedded within business-as-usual risk and compliance management activities.

Diagram 2 – Risk and Compliance Management Operating Model

5. Risk Assessment Process

5.1 The University’s risk assessment process (Diagram 3) involves establishing the context, identifying, analysing, evaluating and treating risk. The University’s Appendix 012 - UniSC Risk Classification Table, and Appendix 013 – Risk Matrix and Assessment Tables provide guidance on how to identify and then assess the likelihood and consequence of a risk.

5.2 All risks at UniSC are assessed using the Appendix 013 – Risk Matrix and Assessment Tables. These tools consider the likelihood and consequence of a risk to determine its rating. Risk ratings are classified as:

(a) extreme

(b) high

(c) medium

(d) low

5.3 The University Appendix 012 - UniSC Risk Classification Table provides a structured way to classify risks. This helps ensure consistent identification and management of risks across the University. At the core of the table are five risk classes, each with underpinning risk categories and risk types. These are:

(a) strategic risks

(b) academic risks

(c) financial risks

(d) health safety and wellbeing risks

(e) operational risks

More detail on this classification is provided in 5.9.2.

5.4 Risks associated with Departments, Schools, Research Centres and Institutes are identified and reviewed on an ongoing basis, and at least quarterly. These risks are documented in a risk profile maintained by Governance and Risk Management.

5.5 Project Risks relate to significant change or project activities. They are normally identified at the commencement of a project and updated throughout its lifecycle. Project Managers are responsible for documenting these risks within Project Risk Registers, and ensuring appropriate mitigating actions are in place. When a project is complete and operationalised, any remaining residual risks should be transferred to the appropriate risk profile of the Department, School, Research Centre or Institute. Specific procedures for identifying and assessing project risk are outlined in the UniSC Project Management Manual.

5.6 Legal and Contract Risks arise from contractual arrangements and related agreement activities, which are common in both business-as-usual and strategic initiatives. These risks are normally identified during procurement and contract negotiation, or as part of the contract renewal process, in accordance with Management of Contracts and Memoranda of Understanding (MOUs) – Operational Policy. Agreement Owners and Agreement Managers are responsible for identifying, assessing, documenting and monitoring these risks, including documenting the mitigating actions required to manage them. Any residual risks that require specific business processes to manage should be incorporated into the appropriate risk profile of the Department, School, Research Centre or Institute.

5.7 Staff are also required to undertake activity-based risk assessments as part of their regular University work. These activities may include, but are not limited to:

(a) work integrated learning (WIL) placements

(b) field and laboratory work

(c) clinical trials

(d) research projects

(e) contracts/agreements

(f) major events

These assessments are undertaken by the relevant business area in consultation with subject matter experts such as Health Safety Wellbeing, the Academic Support Unit, Privacy, Cyber Security, and Governance and Risk Management. Specific procedures and guidelines relevant to the activity being undertaken must be followed in addition to this procedure.

Diagram 3 – Risk Assessment Process

5.8 Establish the context

5.8.1 To begin the risk assessment process, the context must be clearly established. This involves defining the objectives of the department or activity under review and identifying the internal and external factors that may influence the achievement of those objectives.

5.8.2 Stakeholders and their expectations should be identified. The scope of the assessment, including its boundaries, timeframe, and resources, must be documented to ensure clarity and alignment.

5.9 Identify the risk

5.9.1 Potential risks that could hinder the achievement of objectives should be identified across various dimensions, including strategic, academic, financial, health safety and wellbeing, and operational.

5.9.2 The University uses a risk hierarchy to ensure consistent risk identification and management across the University. This hierarchy is outlined in Appendix 012 - UniSC Risk Classification Table and includes:

(a) Risk Class: This top-level classification groups risks into broad classes aligned with the University’s core mission and strategic objectives. These include Strategic, Academic, Financial, Health, Safety and Wellbeing, and Operational risks. Identifying risks at this level supports high-level decision-making and helps the University enhance outcomes while minimising threats to its goals.

(b) Risk Category: Each risk class is further divided into categories that represent key areas contributing to the broader class. For example, the Academic Risk Class includes categories such as Learning and Teaching and Research. This level enables prioritisation of risks within each Class and helps identify those that may exceed UniSC’s risk appetite.

(c) Risk Type: At the most detailed level, risk types identify specific risks within core business and operational processes. For instance, risks related to student experience, support services, and course offerings fall under the Teaching and Learning Category. This granularity supports effective risk management at the operational level and ensures alignment with strategic risk oversight.

5.9.3 Risk identification may also be dependent on the nature of the activity as more bespoke or activity-based risks may not be contained within Appendix 012 - UniSC Risk Classification Table. Those developing a risk assessment should exercise reasonable judgement when identifying risks that sit outside of the Appendix 012 - UniSC Risk Classification Table, and wherever possible remain consistent with the risk classification table.

5.10 Analyse the risk

5.10.1 Each risk must be assessed at two distinct levels:

(a) inherent risk - the level of risk that exists before any controls or mitigation actions are implemented

(b) residual risk - the level of risk that remains after controls or mitigation actions have been implemented

These definitions are used throughout the University’s risk assessment process to help determine how exposed the University is to a particular risk, both before and after management strategies are in place.

5.10.2 To assess inherent risk, the following elements should be considered:

(a) causes of the risk

(b) likelihood that the risk may occur

(c) potential impacts or consequences if the risk were realised

5.10.3 Understanding the cause of risk enables the identification and evaluation of likelihood and potential impact or consequence.

5.10.4 To assess residual risk, staff must identify business processes and controls that are already in place, or that need to be introduced or improved, to mitigate the risk. These controls must then be assessed for their design adequacy and control effectiveness to determine the level of residual risk. Refer to section 6. Control Identification and Assessment Process for further information.

5.11 Evaluate the risk

5.11.1 The purpose of risk evaluation is to assist in making decisions about which risks need treatment and the priority for treatment implementation.

5.11.2 The evaluation should consider the wider context of the risk which can include:

(a) how the risk might affect both internal and external stakeholders (actual and/or perceived)

(b) any legal or regulatory obligations (actual and/or perceived)

(c) whether the cost of further treatment is reasonable compared to the potential financial impact if the risk occurs (actual and/or perceived).

5.11.3 To support risk evaluation and decision-making, the University’s stated risk appetite settings (identified via relevant Risk Type in the Appendix 011 – Risk Appetite Statement) should be applied to each risk. This helps determine whether the residual risk rating is inside or outside of the University’s acceptable level of risk.

5.11.4 A risk’s residual risk rating, together with the stated risk appetite, are used to determine:

(a) the urgency with which action should be undertaken

(b) the nature of the action that is required

(c) the reporting requirements for the risk

(d) how the risk is to be monitored

5.11.5 If a residual risk rating is assessed as being outside of risk appetite (for example, if the risk rating is higher than the acceptable level), or if a risk is identified as High or Extreme, a risk treatment is required to bring the risk within appetite.

5.12 Treat the risk

5.12.1 Treating a risk involves selecting one or more of the options outlined below to modify the risk, and implementing those options within a specific timeframe. Once implemented, any new or modified controls form part of the control system for that risk and are included in ongoing control assessments as described in clause 6.3 Controls Assessment.

5.12.2 Treatment options include:

(a) Avoiding the risk - deciding not to proceed with the activity or choosing an alternative approach to achieve the same outcome.

(b) Mitigating the risk - reducing the likelihood and/or consequence by improving controls and implementing relevant strategies and business processes.

(c) Transferring the risk - shifting responsibility for the risk to another party, such as through a contract or insurance. The risk may be transferred entirely or shared.

(d) Accepting the risk - where controls are deemed appropriate, the risk has been reduced to as low as reasonably practicable, or the cost of treatment outweighs the expected consequence. If the residual risk is accepted, it must continue to be monitored, and contingency plans developed where appropriate.

(i) Acceptance of risk inside appetite - the residual risk level aligns with the University's stated risk appetite and is considered ‘inside appetite’. In this case, no further treatment is required beyond existing controls, though the risk should continue to be monitored as part of routine oversight. As demonstrated in Diagram 4, a risk with an Averse or Cautious risk appetite and Low residual risk rating would be considered inside appetite.

(ii) Acceptance of risk outside appetite - the residual risk exceeds the University's defined appetite but is accepted due to specific circumstances, for example, strategic necessity, lack of viable treatment options, or disproportionate treatment cost. In these cases, the acceptance must be justified, documented, approved by the appropriate authority (see section 8. Roles and Responsibilities), and subject to enhanced monitoring and contingency planning. Further details are provided in section 7. Risk Reporting, Notification and Acceptance. As shown in Diagram 4, a risk with an Averse or Cautious risk appetite and either an Extreme, High or Medium residual risk rating would be considered outside appetite.

Diagram 4 – Example Inside versus Outside Risk Appetite

5.12.3 Treatment options are not necessarily mutually exclusive and may not be appropriate in all circumstances. Selection should consider the University’s current risk appetite. The purpose of this step is to apply one or more controls to reduce the residual risk to a level considered acceptable.

5.12.4 Selecting the most appropriate treatment options involves balancing the potential benefits against the costs, effort, or disadvantages of implementation, in relation to the achievement of objectives.

5.12.5 Risk treatment is a collaborative process. It requires agreement between the Risk Owner and relevant Control Owners on the treatment options to be undertaken, who is responsible for each action, and the timeframes required for completion.

5.12.6 Risk Owners are responsible for overseeing the implementation of treatment plans. Where a plan has not been fully implemented and the residual risk remains outside of risk appetite, formal risk acceptance must be undertaken.

5.12.7 Like risk assessment, risk treatment (Diagram 5) is an iterative process.

Diagram 5 – Risk Treatment Process

5.13 Monitor and review

5.13.1 Risk assessments must be regularly monitored and reviewed to ensure they remain effective.

5.13.2 Activity-based risk assessments must be reviewed and approved by the responsible person as identified in 8. Roles and Responsibilities. Depending on the nature of the activity, this may include Senior Staff/Cost Centre Managers or a member of the Executive. Exceptions include:

(a) contractual risk assessments: the Agreement Manager is responsible for developing the risk assessment and presenting it to the Agreement Owner for review and approval.

(b) project risk assessments: the Project Manager is responsible for developing the risk assessment and presenting it to the Project Sponsor and Project Lead for review and approval.

5.13.3 Changes in the internal or external environment should prompt updates to the assessment. Examples include:

(a) Internal:

(i) introduction of new technology or systems

(ii) organisational restructuring or leadership changes

(iii) changes to operational processes or procedures

(iv) significant staff turnover or changes in key personnel

(v) findings from internal audits or compliance reviews

(b) External:

(i) regulatory updates or new legislation

(ii) market or economic shifts impacting operations

(iii) emerging industry risks or trends

(iv) changes in stakeholder expectations or public sentiment

(v) cybersecurity threats or geopolitical developments

Mechanisms such as audits, performance metrics, and incident tracking should be used to inform reviews and support continuous improvement.

5.13.4 As outlined in the University Risk and Compliance Management – Governing Policy, the University Risk Profile and Key Risk Indicator reporting is submitted to the Executive Committee, Audit and Risk Management Committee (ARMC) and Council at least bi-annually.

5.13.5 To facilitate the bi-annual reporting, Senior Staff/Cost Centre Managers must complete a quarterly review of their Risk Profile at the end of March, June, September and December. This process is facilitated by Governance and Risk Management, with review outputs moderated in consultation with subject matter experts such as People and Culture, Data Governance, Health Safety and Wellbeing, Finance, Projects, and Procurement, as well as the responsible portfolio Executive.

5.14 Communication and consultation

5.14.1 Communication and consultation with stakeholders must occur throughout all stages of the risk assessment process. This ensures relevant information is shared, decisions are understood, and feedback is incorporated. Engaging stakeholders supports collaboration and informed decision-making.

6. Control Identification and Assessment Process

6.1 As part of the evaluation and treatment of risk (refer to 5.1.4 and 5.1.5), it is important to identify and assess the design adequacy and operating effectiveness of business processes and controls. This helps determine how well controls are working to mitigate the causes and consequences of a risk and support effective risk and compliance management.

6.2 Regular identification, assessment and review of controls enables the University to prioritise resources, strengthen risk mitigation, and maintain a responsive and accountable risk and compliance management framework.

6.3 Control Identification

6.3.1 To support consistency in control identification and assessment, controls are considered across two dimensions:

(a) impact on the risk (Control Type)

(b) how they are operationalised and functional (Control Activity)

6.3.2 In identifying a control, there are four Control Types to consider. They are:

(a) Preventative controls - aim to stop undesirable outcomes by implementing safeguards such as segregation of duties, security measures, training, and protective contract terms

(b) Corrective controls - address and rectify undesirable outcomes after they occur, using measures such as insurance, data recovery, staff rotation, and procedural changes

(c) Directive controls - ensure specific outcomes are achieved, particularly in critical areas like health and safety, through requirements such as mandatory training or use of protective equipment

(d) Detective controls - identify issues after they happen, using tools like audits, reconciliations, exception reporting, and governance reviews to trigger appropriate responses

6.3.3 Control Activities are considered in respect of whether they are:

(a) Management controls - used by senior management to mitigate identified risks. These controls have a broad impact and are used to establish the overall risk and control environment. Examples include planning and budgeting, maintaining delegations, establishing frameworks and policies, implementing effective governance and committee structures, conducting staff performance management reviews, implementing quality assurance activities, conducting internal audits and reviews, and promoting a positive risk and compliance management culture.

(b) Process controls - manual or automated controls performed by first and/or second line business units, specific to the processes they manage. For example, Governance and Risk Management have a first line responsibility for reporting on risks relating to their operations, and a second line responsibility for ensuring the Risk and Compliance Management Framework is designed and operating effectively across the University.

(i) Manual process controls - performed by individuals and generally require judgement or discretion. These controls may be performed outside of an IT system or within an IT system where user decisions are required, such as approving or rejecting a travel expenditure claim. Examples of manual process controls include verification and monitoring, IT backup and recovery procedures, supervision and review, oversight of third-party vendors and staff training.

(ii) Automated process controls - embedded in IT systems and operate without user intervention. Examples include IT network monitoring, automated workflows based on delegations and approval authorities, physical access controls, security permissions limiting access to transactions, generation of exception reports based on established criteria.

6.3.4 Depending on the nature of the control, the Control Type and Control Activity may address either the cause or consequence of a risk. These classifications are not intended to be exclusive and may vary depending on the risk. An example is outlined in Diagram 6.

Diagram 6 – Example Control Identification: Type and Activity

6.4 Control Assessment

6.4.1 The assessment of control adequacy and effectiveness should inform both the evaluation and treatment of risk as outlined in clauses 5.11 and 5.12.

6.4.2 As outlined in 6.5.3 of the University Risk and Compliance Management – Governing Policy, controls should be assessed against the following criteria:

Control Assessment / Guiding Description

Control Adequacy

Inadequate

  • Control design is insufficient to mitigate the specific or identified risk, even when implemented and operating effectively.

Adequate

  • Control design sufficient to mitigate the specific or identified risk, when implemented and operating effectively.

Control Effectiveness

Effective

  • Control design is adequate, has been implemented correctly and is working as intended.
  • The process is fully documented and well communicated, with clear roles and responsibilities.
  • Control has been successfully verified and tested with immaterial exceptions.
  • There are infrequent or negligible operational incidents or incidents of non-compliance.

Partially Effective

  • Control design is adequate but operational implementation is inconsistent in mitigating the risk.
  • The process is not fully documented or effectively communicated, with unclear roles and responsibilities.
  • Operational testing shows inconsistent results or minor exceptions in execution.
  • There are regular low risk operational incidents or incidents of non-compliance.

Ineffective

  • The control design is adequate but operational implementation and/or execution is ineffective in mitigating the specific or identified risk.
  • Control documentation, implementation, monitoring or enforcement needs improvement.
  • Operational effectiveness needs improvement through better communication, implementation and enforcement.
  • There are regular medium/high risk incidents of non-compliance.

7. Risk Reporting, Notification and Acceptance

7.1 As outlined in clause 5.12.2(ii), there may be situations where a decision must be made to accept a risk outside of appetite. This may occur when the risk cannot be sufficiently mitigated to an acceptable level within the following 12 months. For example, an Extreme or High level of risk may need to be accepted in the short term, before effective controls can be fully implemented. In such cases, the process of risk reporting, notifying and accepting the risk must be followed, in accordance with the table below:

Residual Risk Rating: Extreme
  • Authority to Accept Risk: Council
  • Notification / Communication Requirements: Audit and Risk Management Committee
  • Formal Recording / Reporting: As required, or Bi-Annual (March/Sept) University Risk Profile and Key Risk Indicator Report
  • Risk Review and Treatment Plan/Control Requirements: Reviewed quarterly (March, June, Sept, Dec); treatment plans/controls implemented to reduce risk to Medium or below within 12 months

Residual Risk Rating: High
  • Authority to Accept Risk: Audit and Risk Management Committee
  • Notification / Communication Requirements: Council
  • Formal Recording / Reporting: Bi-Annual (March/Sept) University Risk Profile and Key Risk Indicator Report
  • Risk Review and Treatment Plan/Control Requirements: As for Extreme (reviewed quarterly; treatment plans/controls implemented to reduce risk to Medium or below within 12 months)

Residual Risk Rating: Medium
  • Authority to Accept Risk: Vice-Chancellor and President
  • Notification / Communication Requirements: Executive Committee, Audit and Risk Management Committee, Council
  • Formal Recording / Reporting: Bi-Annual (March/Sept) University Risk Profile and Key Risk Indicator Report; Quarterly Cost Centre Risk Profile reporting (e.g. Financial Services Risk Profile)
  • Risk Review and Treatment Plan/Control Requirements: Reviewed biannually; treatment plans/controls to be identified and actions to reduce risk actively pursued

7.2 If a risk is expected to remain outside of the University’s risk appetite for a period exceeding 12 months, even after treatment plans have been identified or are underway, the process for reporting, notifying, and accepting the risk must be followed. In these cases, the acceptance of the risk is considered temporary and applies only until the treatment plans are fully implemented and operational.

7.3 Risk Owners, Agreement Owners and Project Sponsors or Leads are responsible for submitting proposals to accept a risk that is outside the University’s appetite. Approval must be obtained from the relevant authority as in the above table.

7.4 As outlined in 5.13.3, changes to risks may be prompted by internal and external factors. Senior Staff and Cost Centre Managers (who are considered Risk Owners) must take the following actions as part of their quarterly risk profile reporting:

(a) document accepted risks

(b) identify any improvement or deterioration in the assessed residual risk

Any deterioration in the residual risk must be reported to Governance and Risk Management through the quarterly reporting process. This will determine whether the risk acceptance requires a review or re-approval.

7.5 In respect of activity-based risk assessments (contract/agreement, project etc.), Agreement Owners, Project Sponsors and/or Project Leads (also considered Risk Owners) must ensure treatment plans are developed and implemented for risks that are outside appetite during the lifetime of the activity. If the risk cannot be brought within appetite by the time the activity is completed, it must be transferred into business-as-usual processes, and the requirements outlined above will apply.

7.6 In exceptional cases, a risk may remain outside the University's risk appetite due to limited treatment options. When this occurs, the following steps may be necessary:

(a) Re-evaluate the activity and its risk treatment options (as outlined in clauses 5.12.2 (a), (b), and (c)) to explore alternative approaches that could bring the risk within appetite.

(b) Review the risk appetite setting for the activity to determine whether:

(i) the University is willing to accept the risk and continue the activity as is, or

(ii) the activity should be modified (for example, by changing its scope) to reduce the risk.

(c) If no further treatment options are available, consider recommending a change to the risk appetite setting. This must follow the approval process described in the University Risk and Compliance Management – Governing Policy.

8. Roles and Responsibilities

8.1 The following roles and responsibilities are specific to these procedures and have been aligned to the authorities and responsibilities in the University Risk and Compliance Management – Governing Policy.

Roles / Responsibilities

Council

Responsible authority for accepting Extreme risks. It provides governance oversight and monitoring of risks outside of the University’s appetite.

Audit and Risk Management Committee

Responsible authority for accepting High risks. It provides governance oversight and monitoring of risks outside of appetite and, where appropriate, reports those risks to Council.

Vice-Chancellor and President

Responsible authority for accepting Medium risks. This role also provides governance oversight, monitors risks outside of appetite and, where appropriate, reports those risks to ARMC and Council.

University Executive 

Owning and managing risks in their areas of responsibility, in accordance with the boundaries set out in the Appendix 011 – Risk Appetite Statement. This includes identifying, assessing, treating, monitoring and reporting risks in accordance with this procedure.

Owning and managing controls in their areas of responsibility including routinely identifying, assessing, monitoring and reporting the adequacy and effectiveness of controls in accordance with this procedure.

Oversees the management of risks and associated treatment plans for risks outside of appetite, and escalates proposals made by Risk Owners within their portfolios to accept risks.

Where required, responsible for reviewing and approving activity-based risk assessments within their areas of responsibility.

Director, Governance and Risk Management 

Reporting to the University Executive, the Vice-Chancellor and President, ARMC and Council on all risks via the Bi-Annual University Risk Profile and Key Risk Indicator Report.

Facilitating and supporting risk and control self-assessments across cost centres and various University activities in accordance with these procedures.

Senior Staff / Cost Centre Managers

Owning and managing risks in their area of responsibility, in accordance with the Appendix 011 – Risk Appetite Statement. This includes identifying, assessing, treating, monitoring and reporting risks in accordance with this procedure.

Owning and managing controls including routinely identifying, assessing, monitoring and reporting the adequacy and effectiveness of controls in accordance with this procedure.

Formally documenting, via their quarterly risk profile, any risks and associated treatment plans for risks accepted as outside of appetite within their area(s) of responsibility.

Maintaining their risk profiles, reporting and escalating risks and ensuring staff, students and third parties are familiar with relevant risk and compliance policies and procedures. Also responsible for ensuring individuals are trained in risk identification and assessment.

Reviewing and approving activity-based risk assessments within their area(s) of responsibility.

Agreement Owners

Hold overall accountability for the business need, outcomes, and performance of the contract. They remain responsible for ensuring the contract delivers its intended value, aligns with the University’s strategic objectives, and is actively managed through its lifecycle.

Appoints the Agreement Manager (where not already appointed by the Authorised Delegate) and maintains oversight of contract risks.

Responsible for developing, maintaining and implementing treatment plans for risks outside of appetite during the lifetime of the agreement.

Agreement Managers

Owning and managing risks in their contract in accordance with Appendix 011 – Risk Appetite Statement. This includes identifying, assessing, treating, monitoring and reporting risks in accordance with this procedure.

Owning and managing controls in their contract including routinely identifying, assessing, monitoring and reporting the adequacy and effectiveness of controls in accordance with this procedure.

Responsible for reviewing and approving activity-based risk assessments within their area(s) of responsibility.

Project Sponsors / Project Leads

Reviewing and approving project risk assessments within their areas of responsibility.

Developing, maintaining and implementing treatment plans for risks outside of appetite during the lifetime of the project.

Project Managers

Owning and managing risks in their project in accordance with the Appendix 011 – Risk Appetite Statement. This includes identifying, assessing, treating, monitoring and reporting risks in accordance with this procedure.

Owning and managing controls in their project including routinely identifying, assessing, monitoring and reporting the adequacy and effectiveness of controls in accordance with this procedure.

Internal Audit 

Examining and evaluating the adequacy, effectiveness and efficiency of risk management activities and key controls.

All Staff

Identifying, assessing, evaluating and treating risks to reduce exposure. Where required, bringing risk issues to the attention of their supervisors and Governance and Risk Management.

9. Appendices and supporting documents

Appendix 011 – Risk Appetite Statement

Appendix 012 – UniSC Risk Classification Table

Appendix 013 – Risk Matrix and Assessment Tables