Please refer to the University’s Glossary of Terms for policies and procedures. The terms and definitions identified below are specific to these procedures and are critical to their effectiveness:
Risk management: refers to the set of coordinated activities to direct and control an organisation with regard to risk.
Risk: is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.
Likelihood: Likelihood measures the expected frequency of a risk occurring. It is typically a subjective judgement based on past experience and the insights of persons familiar with the activity.
Consequence: Consequence measures the expected level of impact on the University and its objectives, should the risk occur.
Risk owner: Risk owners are individuals within the University with primary responsibility for managing a particular risk.
1. Purpose of procedures
In accordance with the University’s Enterprise Risk Management – Governing Policy, these procedures describe the University’s standard process for risk management, including:
- Risk identification
- Risk analysis
- Risk evaluation
- Risk mitigation and control (including risk treatment)
A standard approach to risk management allows risks to be correctly prioritised across all of the University’s operations, which in turn means that effective controls can be put in place to ensure the University is able to manage its operations effectively now and into the future.
These procedures apply to all activities undertaken in the course of University business, whether on the University campuses or at other locations.
2.1 Council retains the ultimate responsibility for risk management and for setting the University’s risk appetite.
2.2 The Audit and Risk Management Committee is responsible for the monitoring of internal control and risk management for the University.
2.3 The Vice-Chancellor and President is responsible for ensuring that risk management activities are carried out effectively within the University and for promoting a culture that encourages strong risk management.
2.4 The Chief Operating Officer is the Executive responsible and accountable to the Vice-Chancellor and President for the implementation of the Risk Management Framework across the University.
2.5 The Director, Governance and Risk Management is responsible for managing and maintaining the University’s Risk Management Framework. The Director, Governance and Risk Management is responsible for overseeing risk across the University to determine whether the University is operating within its risk appetite. The Director, Governance and Risk Management, through the Chief Operating Officer, is responsible for reporting to University Committees on risk management matters.
2.6 Risk Owners are identified for all risks that are included in the risk registers. A Risk Owner is a senior staff member within the organisational unit that is responsible, or should be responsible, for the management of the particular risk.
2.7 All University Staff shall diligently identify risks and report them to their supervisor, especially during periods of change to processes or operational practice. Staff shall comply with all risk treatments.
2.8 Assurance plays a role in monitoring and reporting to the Council and the Audit and Risk Management Committee on the University’s management of its risks, by assessing the internal controls in place to mitigate risks and making recommendations to enhance the University’s risk management framework.
In accordance with the University’s Enterprise Risk Management – Governing Policy and adapted from the standard ISO 31000: 2018 Risk Management – Guidelines, the following principles have been identified:
3.1 Risk management is an integral part of all organisational activities
Risk management applies to all areas of University activity and as such is an integral part of the University’s organisational processes including strategic planning, operational planning, project management and change management. It is to inform decision making and is the responsibility of everyone within their work activity.
3.2 A structured and comprehensive approach to risk management contributes to consistent and comparable results
The approach to risk management across the University is consistent. All areas of the University are required to identify and assess risks and identify controls using consistent processes with reference to the University Risk Tables.
3.3 The risk management framework and processes are customised and proportionate to the organisation’s external and internal context related to its objectives.
Risk management is tailored to the University. The tools and processes for managing risks are aligned with the strategic and business planning process and are reviewed on a regular basis. The risk management framework is dynamic: when there are changes internally or to the external environment, the framework is updated to reflect these changes.
3.4 Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
The University takes a collaborative approach to risk management. Risks and controls are discussed with each area, the risk profile is circulated for feedback, and at the Risk Management Committees and forums there is open dialogue on risk management, including emerging risk issues.
3.5 Risks can emerge, change or disappear as an organisation’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
The University’s approach to risk management is dynamic. When changes occur, these are considered as part of the updates to the risk profiles, the Risk Management Strategy, and the policy, processes and procedures supporting risk management.
3.6 The inputs to risk management are based on historical and current information, as well as on future expectations.
Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
The University’s risk management practices are forward looking, and include both leading and lagging indicators of risk.
3.7 Human behaviour and culture significantly influence all aspects of risk management at each level and stage
The University aims to promote a culture which encourages strong risk management. This is reinforced through the University’s risk appetite and by training and communications.
3.8 Risk management is continually improved
The University’s Risk Management is continually improved to reflect best practice.
4. Risk management process
4.1 Process Overview
The University’s Enterprise Risk Management – Governing Policy identifies that the risk management process and procedures will be consistent with ISO 31000:2018 Risk Management – Guidelines. The figure below is adapted from this standard.
Figure 1: ISO 31000:2018 risk management process
4.1.1 Scope, Context, Criteria
By establishing the scope, context and criteria, the University will be able to articulate its objectives and define the external and internal parameters to be considered when managing risk, as well as set the scope and risk criteria for the remaining process.
4.1.2 Risk Identification
Risk identification requires reasonably foreseeable risks that have the potential to have a meaningful impact on the University to be identified. A risk is any event or action that has an uncertain effect that may impact on the University’s objectives. Risks arise as much from the possibility that opportunities will not be realised as they do from the possibility that threats will materialise, errors be made, or damage/injury occur.
Within the University, risk identification occurs at various levels:
Strategic risk identification: Strategic risks are identified as part of the strategic planning process. They are documented in the University’s Strategic Risk Register. Identification at this level is aimed to inform strategic decision making to allow the University to improve outcomes while minimising adverse impacts on the University’s goals and objectives.
Enterprise risk identification: Enterprise risks are identified on an ongoing basis and are documented in the Enterprise Risk Register (note that enterprise risks are sometimes referred to as the ‘corporate risks’ of the university).
Departmental/School risk identification: Risks associated with Departments and Schools are identified on an ongoing basis and are required to be documented in the Departmental/School Risk Registers. These risks are the risks at the operational levels of the University. Risk registers are reviewed on a quarterly basis to ensure that the identification and treatment of risks is managed on a timely basis.
Project risk identification: These risks are generally associated with significant change or project activity and are normally identified at the commencement of the new activity or project and updated over the life of the project. Project Managers are responsible for documenting these risks and the mitigating actions in place to manage the project risks. When operationalised, residual project risks should be incorporated into appropriate Department / Faculty Risk Registers.
Ad-hoc or activity-based risk identification: Risks can be identified by staff during their normal University work. A risk assessment is required to be undertaken for all relevant University activities. This risk assessment is completed by the relevant area undertaking the activity.
All identified risks are to be entered in the relevant Risk Register or completed as part of a risk assessment. Risks are owned by each area. As a minimum, the following information must be included:
- The description of the risk.
- The causes and implications of the risk.
- The assigned risk owner.
In addition, the following information, if known, is to be included:
- Details of the existing controls in place to manage the risk.
- The inherent risk rating determined from the assessment of the potential consequences and likelihood for the risk.
- Details of any proposed controls, including a due date for implementation.
- The residual risk rating after consideration of the controls in place.
4.1.3 Risk Analysis
Risk analysis involves developing an understanding of the risk and provides an input to risk evaluation and to decisions on whether risks need to be treated, and if so, on the most appropriate risk treatment methods. This analysis can also provide input into the options to address risks and inform the decision making required across different types and levels of risk.
Risk analysis should seek to identify potential causes and sources of risk in order to analyse their consequence and the likelihood that the consequence will occur.
All risks within the University are assessed using a common scale that considers:
- the potential consequences if the risk were to occur, and
- the likelihood of the University being impacted in that way.
The consequence and likelihood are then used to rank the risk in accordance with the following four categories:
This analysis, which is undertaken based on the existing status of the risk and with consideration of the controls that may already be in place, identifies the inherent risk (i.e. the risk prior to the implementation of any controls) and the residual risk (the risk rating after the application of controls). This common approach to risk rating is necessary to ensure that the most significant risks to the University can be readily identified and prioritised in a way that has the greatest overall benefit to the University.
4.1.4 Risk Evaluation
The purpose of risk evaluation is to assist in making decisions, based on the outcome of risk analysis, about which risks need treatment and the priority for treatment implementation.
Decisions should take account of the wider context of the risk and include consideration of the University’s risk appetite and tolerances across categories of University activity as well as the actual and perceived consequences to external and internal stakeholders. Legal, regulatory and other requirements may also impact on the evaluation.
The rating of a risk, together with the categories of University activity and the related risk appetite as identified within the USC Risk Appetite Statement, are used to determine:
- The urgency with which action should be undertaken
- The nature of the action that is required
- The reporting requirements for the risk
- How the risk is to be monitored
That is, risk evaluation identifies those risks where the inherent risk is greater than the risk tolerances and therefore where risk treatment is required to further manage the risk.
4.1.5 Risk Treatment
Controls and mitigating actions are required for all risks. Where risk treatment is required, it involves selecting one or more options for modifying the risk and implementing those options. Risk treatment is required when the residual risks remain unacceptably high, or where there is a desire to bring this risk down, with regard to the University’s risk appetite. Once implemented, treatments provide or modify the controls.
Risk treatment involves an iterative process of:
- formulating and selecting risk treatment options;
- planning and implementing risk treatment;
- assessing the effectiveness of that treatment;
- deciding whether the remaining risk is acceptable; and
- if not acceptable, taking further treatment.
Risk treatment options are not necessarily mutually exclusive, nor are they appropriate in all circumstances once due consideration is given to the current risk appetite. The purpose of this step is to put in place one or more options (controls) to reduce the level of residual risk to a level that is considered acceptable by the University.
Selection of the most appropriate treatment option involves balancing the potential benefits derived in relation to the achievement of the objectives against the costs, effort or disadvantages of implementation.
Treatment options include:
Avoid the risk: Decide not to proceed or continue with the activity, or choose an alternative approach to achieve the same outcome. The aim is risk management, not risk aversion.
Mitigate the risk: Reduce the likelihood by improving management controls and procedures. Reduce the consequence by putting in place strategies to minimise adverse consequences, e.g. contingency planning, a Business Continuity Plan, or liability cover in contracts.
Transfer the risk: Shift responsibility for a risk to another party by contract or insurance. The risk can be transferred as a whole or shared.
Accept the risk: The existing controls are deemed appropriate. These must be monitored, and contingency plans developed where appropriate.
A common approach to risk rating is necessary to ensure that the largest risks to the University can readily be identified and the management of risks can be prioritised in a way that has the greatest overall benefit to the University. Further guidance on risk rating, including assigning a consequence and likelihood, can be obtained from the Risk Tables.
The risk management process and its outcomes are reported to the University Executive and the Audit and Risk Management Committee. Outcomes are also made available to staff where appropriate. This assists with decision making, improving risk management and transparency and the monitoring of risks against the University’s stated risk appetite.