1. Purpose
1.1 The purpose of this policy is to provide an overview of the University’s methodology and processes for guiding, directing, and supporting a consistent approach to the effective identification and management of risks and compliance obligations associated with all University activities. This policy and its enabling framework support the achievement of the University’s strategic vision and goals in accordance with its values.
1.2 Council is required to efficiently, effectively and economically manage and control the University’s operations and must establish and maintain appropriate systems of internal control and risk management in accordance with the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld).
1.3 This policy must be read in conjunction with the linked Risk Management – Procedures and Compliance Management - Procedures.
2. Scope and application
2.1 This policy applies to all staff, students, contractors or consultants, strategic partners, third-party service providers, controlled entities, and members of the University governance, decision-making or advisory bodies.
2.2 This policy is consistent with the International Standard ISO 31000:2018: Risk Management Guidelines and AS ISO 37301:2023 Compliance Management Systems.
2.3 This policy, and the risk and compliance management framework, apply to all categories of risk and compliance obligations across the whole of the University, including risks and obligations associated with controlled entities and their operations. It demonstrates the University’s commitment to, and support for, effective and efficient risk and compliance management.
2.4 In support of this policy and the risk and compliance management framework, more detailed risk and compliance management governance documents with additional requirements are in place to address specific risk categories, risk types and legislative/regulatory obligations. They include the following:
(a) Strategic Planning and Reporting;
(b) Business Continuity Management;
(c) Project Assessment and Management;
(d) Health, Safety and Wellbeing;
(e) Fraud Corruption and Control;
(f) Data Governance and Privacy;
(g) Procurement and Contract Management; and
(h) Information and Cyber Security.
These more detailed governance documents are consistent with this policy, provide more detailed descriptions and guidance on their specific topics, and are to be read in conjunction with this policy.
3. Definitions
3.1 Refer to the University’s Glossary of Terms for definitions as they specifically relate to policy documents.
Assurance means the degree of confidence or certainty that the University's risk and compliance management processes and controls are adequate and operating effectively.
Cause refers to a factor or condition that leads to the likelihood of a risk occurring.
Compliance Obligation means the legislative and regulatory obligations that the University must comply with and voluntary obligations that the University elects to comply with.
Compliance Owner is an individual within the University with primary responsibility for ensuring there are effective internal controls in place to identify obligations and monitor regulatory compliance within their business or functional area.
Compliance Management System means the set of interrelated or interacting elements of an organization that establish policies and objectives and processes to achieve those objectives consistent with Australian Standard AS ISO 37301:2023 Compliance Management Systems.
Consequence measures the expected level of impact on the University and its objectives, should the risk occur.
Control means any measure or mechanism that is put in place to reduce the cause, consequence and/or likelihood of identified risks and to manage compliance. The establishment of controls within business processes provides protection, and their effectiveness strengthens the ability to manage and mitigate the associated risks and compliance obligations.
Control Owner is an individual within the University with primary responsibility for managing a particular business process or control that is put in place to reduce the cause, consequence and/or likelihood of identified risks. In most cases the Risk Owner and Control Owner will be different staff members, but in some cases, they may be the same.
Culture refers to the shared attitudes, values and behaviours that shape how individuals and groups interact within the University. It influences the social and academic environment, guiding decision making, communication, and the ability to identify, discuss, escalate, and respond to opportunities, challenges, and risks.
Incident is an event or occurrence that interrupts normal operations or causes a deviation from expected outcomes and often requires investigation and corrective actions to prevent recurrence.
Incident of Non-Compliance refers to a failure to meet or adhere to legal and/or regulatory obligations or requirements, or when a process, product or service does not meet specified standards or quality specifications set by the University.
Inherent Risk means the risk that exists before any controls or mitigations are implemented.
Issue means a specific problem or concern that has negative consequences and either currently exists, has already occurred or is imminent. Unlike risks, issues are events that need immediate attention because they are currently affecting or will affect the University's ability to meet its strategic objectives, and its commitments to students, staff and third parties.
Likelihood measures the expected frequency of a risk occurring. Typically, it is a subjective judgement based on past experience and the insights of persons familiar with the activity.
Policy Owner refers to the Responsible Executive Member accountable for ensuring the development, approval, implementation and operationalisation of policy documents (policies, procedures, guidelines) within their area of responsibility.
Reportable Breach and Non-Compliance refers to the material failure to meet or adhere to mandatory legal and regulatory requirements imposed by government bodies, industry standards, laws, contracts, or agreements.
Residual Risk means the risk remaining after application of mitigations, controls and treatment plans.
Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.
Risk Appetite conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan.
Risk Event is an occurrence or change of particular circumstances affecting risks.
Risk Management refers to the set of coordinated activities to direct and control an organisation regarding the identification, mitigation and management of risk.
Risk and Compliance Management Framework is the totality of systems, structures, policies, processes and people that identify, measure, monitor and mitigate risk and ensure compliance with regulatory, legislative and contractual obligations.
Risk Management System is the set of interrelated or interacting elements of an organisation that establish policies and objectives and processes to achieve those objectives consistent with Australian Standard AS ISO 31000:2018: Risk Management Guidelines.
Risk Owner is an individual within the University with primary responsibility for managing a particular risk.
Risk Treatment Plan is a strategic approach used to manage and mitigate risks within a Cost Centre’s operations or a project for risks which are currently assessed as being outside of appetite or for new and emerging risks.
4. Policy statement
4.1 The Council, Audit and Risk Management Committee (ARMC) and the University Executive are committed to the effective implementation of the risk and compliance management framework throughout all operations, activities and levels of the University by staff, students and third parties. This is fundamental to making informed strategic decisions towards the achievement of the University’s Strategic Plan.
4.2 In its application of this policy, the University is committed to:
(a) ensuring that it complies with all international, national and state legislation, accountability frameworks, regulations, codes of practice, standards and similar that are applicable to the operations and governance of the University and its activities;
(b) achieving its business objectives while minimising the likelihood and impact of significant risks that the University can meaningfully and realistically control;
(c) protecting and enhancing the University’s reputation;
(d) behaving in a responsible and ethical manner, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
(e) establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;
(f) recognising and exploiting opportunities;
(g) meeting its compliance and contractual obligations; and
(h) establishing resilience and increased efficiency in relation to risk and compliance management.
5. Principles
5.1 The University is guided by the following risk and compliance management principles:
(a) Risk and compliance management is designed to create and protect organisational value.
(b) Maintaining a positive organisational culture for the management of risk and compliance obligations is everyone’s responsibility.
(c) Staff with designated risk and compliance management roles described in this policy are expected to understand their responsibilities.
(d) Effective risk and compliance management helps manage uncertainty with potentially negative consequences, support compliance with regulatory, contractual and policy obligations, and improve planning and decision-making.
(e) Effective risk management also helps the University to take advantage of opportunities that arise from uncertainty.
(f) Decisions are made using a risk-based approach that balances risk and reward with achievement of short-term and long-term objectives.
5.2 These principles are implemented under the ‘Three Lines of Defence Model’ to ensure that risk and compliance management accountabilities and responsibilities are embedded across the University to enable the making of informed strategic decisions towards the achievement of the University’s Strategic Plan. The Three Lines of Defence are outlined as follows:
(i) First Line (All Staff and Management): includes all staff and management directly involved in day-to-day academic, corporate, and research activities. Risk Owners, Compliance Owners and Control Owners are responsible for the identification and effective management and mitigation of risks as well as the identification, recording, escalation and management of issues to ensure compliance obligations are met.
(ii) Second Line (Corporate and Enabling Functions): undertakes oversight of the risk and compliance activities undertaken by the first line and includes certain corporate functions which, in addition to their first line responsibilities as risk, compliance or control owners, have specialist governance, risk and compliance expertise in their respective domains to provide specific guidance, support, tools, and advice regarding the management of risks and compliance obligations (e.g. Governance and Risk Management (GRM), Finance, People & Culture (including Workplace Health & Safety), Data Governance and Privacy, and Cyber Security).
(iii) Third Line (Internal Audit): Internal Audit is responsible for independently evaluating the effectiveness of first line and second line controls, and reporting audit findings to the University Executive and the Audit and Risk Management Committee.
6. Risk and Compliance Management Framework
6.1 The Risk and Compliance Management Framework (referred to as the ‘Framework’) and related documents offer a consistent methodology and process to guide, direct, and support the effective identification and management of risks across all activities. This approach helps achieve the University’s strategic vision and goals while ensuring compliance with legislative obligations.
6.2 The Framework is outlined below in Diagram 1 and explained in Section 6.3. The Framework illustrates that risk and compliance management is an integral part of all University processes. Sound risk and compliance management principles and practices are part of the normal management strategy for all Cost Centres within the University.
Diagram 1 – Risk and Compliance Management Framework

6.3 Key components of the Risk and Compliance Management Framework
6.3.1 Governance and Oversight / Three Lines of Defence
6.3.1.1 Governance, as outlined in the University Governance – Governing Policy, directs, controls, and holds the University accountable. It includes authority, accountability, stewardship, leadership, direction, and control.
6.3.1.2 The Three Lines of Defence Model supports governance, monitoring and oversight of risk and compliance. It defines roles across operational management, risk management and internal audit, ensuring a robust framework for managing risks and achieving strategic objectives.
6.3.2 Quality, Audit and Assurance
6.3.2.1 The University’s quality, audit and assurance approach, as detailed in the Quality and Standards Framework and University Audit and Assurance – Governing Policy, establishes structured roles, responsibilities, and accountabilities for decision-making, risk and control.
6.3.2.2 While the Three Lines of Defence Model provides a structured approach to governance and oversight, quality, audit and assurance ensures these processes are effective and aligned with strategic goals through regular quality assurance, audits and assessments, fostering continuous improvement and accountability.
6.3.3 University Mission, Vision and Strategy
6.3.3.1 This component provides the guiding principles for all decision-making, operations, and activities undertaken by the University.
6.3.4 University Culture and Values
6.3.4.1 This component underpins the governance structures that support strong risk and compliance management practices.
6.3.5 Risk Appetite
6.3.5.1 The University’s Risk Appetite Statement outlines the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan. Risk appetite is reviewed and approved annually by Council, and is detailed in Appendix A.
6.3.6 Governance, Risk & Compliance Management Systems
6.3.6.1 The University maintains appropriate systems, processes and technologies to enable the effective management of risks as well as internal and external compliance obligations.
6.3.7 Risk & Compliance Assessment Processes
6.3.7.1 The University’s risk assessment process involves risk identification, analysis, evaluation and treatment. The processes that support this are outlined in the Risk Management – Procedures which includes the Risk Classification Table, Risk Matrix and Assessment Tables. These tools provide guidance on how to identify and then assess the cause, consequence and/or likelihood of a risk occurring.
6.3.7.2 The University’s compliance management processes involve commitment, implementation, and monitoring. The processes that support this are outlined in the Compliance Management - Procedures which includes identification and reporting of breaches.
6.3.8 Risk & Compliance Reporting & Analytics
6.3.8.1 Reporting and analytics enable the University to maintain transparent oversight and assess its ability to fulfil its obligations and meet strategic objectives. It also enables appropriate escalation of issues and trends to accountable Executives for action.
6.4 Risk and Compliance Reporting
6.4.1 The preparation of risk and compliance reporting is facilitated by the Director, Governance and Risk Management (DGRM) through the biannual risk management and quarterly compliance management processes.
6.4.2 This reporting is performed in conjunction with, and using the data provided by, the Cost Centre Managers and the University Executive, and is provided to the University Executive Committee (ExCom), Academic Board (AB), the Audit and Risk Management Committee (ARMC), and the University Council on the following basis:
| Report Title | Report Content | Report Producer | Report Recipient | Frequency* (at least) |
|---|---|---|---|---|
| University Compliance Exception and Incident/Breach Report | Compliance performance is monitored quarterly as part of the quarterly compliance attestation process, and throughout the year as part of ongoing oversight. | DGRM | ExCom, ARMC, Council | Quarterly (March/June/Sept/Dec) |
| University Risk Profile and Key Risk Indicator Report | The qualitative and quantitative assessment of risk by the University Executive and Cost Centre Managers for each Risk Class, Category and Type, and the accompanying Key Risk Indicators for their respective areas of responsibility. Includes details of: (a) Risk Assessment vs Risk Appetite, measuring compliance with the Risk Appetite Statement; (b) key controls and treatment plans for managing High Rated Risks and Risks out of Appetite to acceptable levels, on a so far as reasonably practical basis; (c) Emerging Risks, and what preparatory work or pre-emptive actions (if any) management has decided to take. | DGRM | ExCom, AB, ARMC, Council | Bi-annual (March/Sept) |
* The frequency of the above reporting timeframes is the minimum threshold of reporting provided to the named committees (e.g. bi-annual risk reporting is submitted to the committee meetings following the quarters ending 31 March and 30 September each year), noting that when there is a significant event or a material change in circumstances, then appropriate notification and reporting is provided to the relevant committees, as necessary.
6.5 Controls
6.5.1 The University aims to effectively manage its risks and compliance obligations by designing, developing, and implementing efficient business processes and controls. These controls operate with a view to ensuring that all risks are managed with a strategic focus in respect of financial, cost/benefit, and business-related outcomes. The University’s goal is to reduce risks to a level as low as reasonably practicable, in alignment with our stated risk appetite and compliance obligations.
6.5.2 The function of controls can be categorised into four types:
(a) Preventive controls are designed to limit the possibility of an undesirable outcome being realised. The more important it is that an undesirable outcome should not arise, the more important it becomes to implement appropriate preventive controls. Examples of preventive controls include segregation of duties, installing security cameras to deter criminal activity, training, and the use of contract terms to enable recovery of overpayments or to safeguard against potential breaches of contracted project milestones.
(b) Corrective controls are designed to correct undesirable outcomes which have been realised. Examples of corrective controls include insurance, rotating staff positions, data recovery procedures to replace lost data, performance management of staff, or a change to management procedures.
(c) Directive controls are designed to ensure that a particular outcome is achieved. They are particularly important when it is critical that an undesirable event is avoided, particularly in the area of health and safety. Examples of directive controls include a requirement for protective clothing to be worn, or that staff be appropriately trained before working unsupervised.
(d) Detective controls are designed to identify unfavourable events after they have occurred. As they are “after the event” controls, they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include approval processes, governance committees, audits, asset stocktakes, reconciliations, or exception reporting and other such monitoring activities which detect changes or events where a response may be required.
6.5.3 Assessment of controls is done against the following guiding criteria:
| Control Assessment | Rating | Guiding Description |
|---|---|---|
| Control Adequacy | Inadequate | |
| Control Adequacy | Adequate | |
| Control Effectiveness | Effective | |
| Control Effectiveness | Partially Effective | |
| Control Effectiveness | Ineffective | |
6.5.4 Assessing the effectiveness of controls is in accordance with the Risk Management – Procedures.
6.6 Regulatory, policy and legal compliance
6.6.1 The University is subject to a wide range of compliance obligations, including compliance requirements under applicable laws, regulations, industry standards, and contractual arrangements.
6.6.2 The University’s compliance activities are risk-based and weighted towards those obligations with the highest risk, and compliance activity effort is proportional to the degree of compliance risk. The risk rating of the compliance obligation is determined on the basis of consequence and reviewed annually by the Compliance Owner in accordance with the Compliance Management - Procedures.
6.6.3 The University’s policy documents help facilitate compliance with regulatory obligations by communicating how those obligations are applied across the University, outlining expectations of staff, students and other members of the University community, and setting out associated roles and responsibilities.
6.6.4 All staff, students and third parties are responsible for adhering to policies in accordance with the scope of policies relevant to the University operations and activities in which they are involved.
6.6.5 All staff are responsible for reporting any incident of non-compliance or systemic issue to the relevant Policy Owner.
6.6.6 Each person with delegated authority to sign a contract has ultimate accountability for compliance with any contract signed by them in accordance with the University Delegations – Governing Policy, and supporting schedules, and the Management of Contracts and Memoranda of Understanding (MOUs) – Operational Policy. The appointed Agreement Manager for each contract has operational responsibility for assessing the risks related to the relevant activity before contracting for the goods and/or services, managing compliance with the contractual obligations set out in the contract, and reporting breaches or non-compliances to the contract’s delegated authority.
7. Authorities and responsibilities
7.1 As the Approval Authority, Council approves this policy in accordance with the University of the Sunshine Coast Act 1998 (Qld) upon endorsement from ARMC.
7.2 As the Responsible Executive Member the Vice-Chancellor and President can approve procedures and guidelines to operationalise this policy. All procedures and guidelines must be compatible with the provisions of this policy.
7.3 As the Designated Officer the Director, Governance and Risk Management can approve associated documents to support the procedures and guidelines to operationalise this policy. All associated documents must be compatible with the provisions of the policy.
7.4 This policy operates from the last amended date; all previous iterations of policy documents related to University risk and compliance are replaced and no longer operate from this date.
7.5 All records relating to the University Risk and Compliance Management – Governing Policy must be stored and managed in accordance with the Records Management - Procedures.
7.6 This policy must be maintained in accordance with the University Policy Documents – Procedures and reviewed on an annual policy review cycle.
7.7 Any exception to this policy to enable a more appropriate result must be approved in accordance with the University Policy Documents – Procedures prior to deviation from the policy.
7.8 Refer to Schedule C of the Delegations Manual in relation to the approved delegations detailed within this policy.
| Authority | Responsibilities |
|---|---|
| Council | Ultimate accountability for the effective and efficient governance of the University under the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld), including approving the University’s risk appetite, in line with its Terms of Reference. |
| Audit and Risk Management Committee (ARMC) | Oversight of the University’s governance, risk, compliance and internal control activities, including tone from the top, the application of risk appetite across the University, and risk reporting. Oversight and monitoring of key risks and compliance obligations across the University and, where appropriate, reporting to Council to provide assurance concerning the management of risks and compliance obligations within the University. |
| Academic Board | Responsibility for the oversight and monitoring of academic and research related risks and compliance obligations under the Tertiary Education Quality and Standards Agency Act 2011 and the Higher Education Standards Framework (Threshold Standards) 2021. |
| Vice-Chancellor and President | Accountable to Council for risk and compliance management and responsible for ensuring that risk and compliance management activities are carried out effectively within the University, including promoting a culture that encourages strong risk and compliance management, allocating adequate resources to enable effective risk and compliance management, and driving continuous improvement across the University. |
| University Executive | Responsible for managing the University’s activities: (a) supporting the Vice-Chancellor and President by embedding and reinforcing a strong culture and accountability for managing risk and compliance within the organisation; (b) within the boundaries set out in the Risk Appetite Statement, owning and managing risks in their area(s) of responsibility, including routinely identifying, assessing, treating, monitoring and reporting risks in line with the Risk Management – Procedures; (c) owning and managing controls in their area(s) of responsibility, including routinely identifying, assessing, monitoring and reporting the adequacy and effectiveness of controls in line with the Risk Management – Procedures. |
| Director, Governance and Risk Management | Responsible to the Vice-Chancellor and President for reviewing, maintaining and overseeing implementation of the Risk and Compliance Management Framework across the University and ongoing risk reporting to ARMC, including: (a) providing governance, risk and compliance advice and guidance across portfolios; (b) facilitating risk and control self-assessments across portfolios and reporting on the University’s risk profile and compliance exposure to the Executive Committee, ARMC, Academic Board and Council; (c) providing information, education, and training to staff on risk and compliance management processes. |
| Senior Staff/Cost Centre Managers | Responsible for incorporating risk, compliance and assurance activities into their day-to-day management practices by: (a) supporting the Vice-Chancellor and President and Executive Committee by embedding and reinforcing a strong culture and accountability for managing risk and compliance within their area of responsibility; (b) owning and managing risks in their area(s) of responsibility, including routinely identifying, assessing, treating, monitoring and reporting risks in line with the Risk Management – Procedures; (c) owning and managing controls in their area(s) of responsibility, including routinely identifying, assessing, monitoring and reporting the adequacy and effectiveness of controls in line with the Risk Management – Procedures; (d) owning and managing compliance obligations in their area(s) of responsibility, including routinely identifying new and changed obligations, monitoring compliance performance and reporting incidents of non-compliance in line with the Compliance Management – Procedures; (e) complying with obligations, including completion of the annual attestations of obligations in line with the Compliance Management – Procedures; (f) upward reporting of risk, compliance and assurance issues to their respective Executive Leadership Team member and the Director, Governance & Risk Management; (g) maintaining their risk profiles and reporting and escalating risks. Responsible for ensuring staff, students and third parties are adequately acquainted with relevant risk and compliance policies and procedures and, where appropriate, trained in risk identification and assessment. |
| Project Managers | Project managers are responsible for: (a) incorporating risk and compliance management into project management methodology; (b) identifying, assessing, treating, monitoring and reporting project risks; and (c) escalating significant and emerging risks in line with project governance arrangements. |
| Internal Audit | Responsible for objectively examining and evaluating the adequacy, effectiveness and efficiency of risk and compliance management activities and key controls. |
| All Staff | Diligently identify and assess risks, implement mitigating actions to reduce the risk and, where required, bring risk and compliance issues to the attention of their supervisors and Governance and Risk Management. The risk and compliance management responsibilities of all staff include managing any other risks and obligations specified in policies relevant to the operations and activities which they undertake. |
8. Appendices and supporting documents
Appendix A – UniSC Risk Appetite Statement