Please refer to the University’s Glossary of Terms for policies and procedures. The terms and definitions below are specific to these procedures and are critical to their effectiveness:
Risk management: For the University, risk management refers to the culture, processes and structures developed to effectively manage potential opportunities and adverse effects for any activity, function or process undertaken by the University. The process of managing risk is achieved through the systematic application of policies, procedures and practices to establish the context, identify, analyse, evaluate, treat, monitor and communicate risk (see the Australian/New Zealand Standard for Risk Management, AS/NZS ISO 31000:2009).
Risk: Within the University, a risk to the business is any threat, whether from an action, an inaction or an event affecting our sector or activities, that has the potential to threaten the achievement of our business objectives. Business risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threats will materialise or that errors will be made.
Likelihood: Likelihood measures the expected frequency of a risk occurring. It is typically a subjective judgement based on past experience and the insights of persons familiar with the activity.
Consequence: Consequence measures the expected level of impact on the University and its objectives, should the risk occur.
Risk owner: Risk owners are individuals within the University with primary responsibility for managing a particular risk.
1. Purpose of procedures
In accordance with the University’s Enterprise Risk Management and Resilience – Governing Policy, these procedures describe the University’s standard process for risk management, including:
- Risk identification
- Risk analysis
- Risk evaluation
- Risk treatment
A standard approach to risk management allows risks to be correctly prioritised across all of the University’s operations, which in turn means that effective controls can be put in place to ensure the University is able to manage its operations effectively now and into the future.
The procedures apply to all activities undertaken in the course of University business, whether on the University campuses or at other locations.
2. Responsibilities
2.1 Council retains the ultimate responsibility for risk management and for determining the appropriate level of risk that the University is willing to accept.
2.2 The Audit and Risk Management Committee is delegated by Council with responsibility for: overseeing the risk management activities at the University; and approving appropriate risk management procedures and measurement methodologies throughout the organisation. The Audit and Risk Management Committee will liaise with management in monitoring key risks and where appropriate will report to Council to provide assurances concerning the management of risks within the University.
2.3 The Vice-Chancellor and President is responsible for ensuring that risk management activities are carried out effectively within the University. On a quarterly basis, and upon request, an up-to-date register of risks across the University is presented to the Vice-Chancellor and President.
2.4 The University Risk Manager is responsible for managing and maintaining the Risk Management Framework across the University. The Risk Manager is responsible for overseeing risk across the University to determine whether the University is operating within its risk appetite.
The Risk Manager is responsible for providing information to the Audit and Risk Management Committee, the Vice-Chancellor and President and the Executive regarding the status of risk management.
2.5 Risk Owners will be assigned for each risk that has been identified within the University. A Risk Owner is the most senior staff member in the organisational unit that is responsible, or should be responsible, for managing the particular risk.
Where it is unclear who should be the Risk Owner for a particular risk, the Risk Manager shall assign a Risk Owner. It is the Risk Owner’s responsibility to provide the Vice-Chancellor and President with information to report to the Audit and Risk Management Committee on progress against mitigation plans and on the results of risk assessments performed on new initiatives.
2.6 All University Staff shall diligently identify risks and report them to their supervisor, especially during periods of change to processes or operational practice. Staff shall comply with all risk treatments.
2.7 The assurance providers play a role in monitoring and reporting to the Council and the Audit and Risk Management Committee on the University’s management of its risks, by assessing the internal controls in place to mitigate risks and making recommendations to enhance the University’s risk management framework.
3. Risk management principles
In accordance with the University’s Enterprise Risk Management and Resilience – Governing Policy and adapted from the standard AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, the following principles have been identified:
3.1 Risk management is an integral part of all organisational processes and part of structured decision making
Risk management applies to all areas of University activity and as such is an integral part of the University’s organisational processes including strategic planning, operational planning, project management and change management. It is to inform decision making and is the responsibility of everyone within their work activity.
3.2 Risk management explicitly addresses uncertainty, while creating and protecting value
Risk is the effect of uncertainty and may have positive and/or negative impacts on an outcome; both should be considered when identifying the risk management required to explicitly address this uncertainty. Risk management is expected to create and protect organisational value and, as such, the resources expended to mitigate a risk should be less than the perceived consequences of inaction.
3.3 Risk management is tailored to USC
As risk is an inherent part of the University’s activity to achieve its organisational goals, risk events will be considered within the context of the University’s identified risk appetite when identifying mitigation strategies.
3.4 Risk management is based on the best available information and dynamically responsive to change
For any potential risk event, the risk will be managed in accordance with available information on the perceived consequence should the event occur and the likelihood of that occurrence. As the internal and external environment changes, current risks are to be reviewed and new risks identified and appropriately managed.
3.5 Risk management is inclusive, transparent and accommodates human and cultural factors
Risk management is to involve stakeholders in the process to reflect representative views, to assure the accountability of decision-makers and to facilitate the change required to meet organisational goals.
4. Risk management process
4.1 Process Overview
The University’s Enterprise Risk Management and Resilience – Governing Policy identifies that the risk management process and procedures will be consistent with AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines. The figure below is adapted from this standard.
Figure 1: AS/NZS ISO 31000:2009 risk management process
4.2 Establishing the Context
By establishing the context, the University will be able to articulate its objectives and define the external and internal parameters to be considered when managing risk, as well as set the scope and risk criteria for the remaining process.
4.3 Risk Identification
Risk identification requires that reasonably foreseeable risks with the potential to meaningfully impact the University be identified. A risk is any event or action with an uncertain effect that may impact on the University’s objectives. Business risks arise as much from the possibility that opportunities will not be realised as they do from the possibility that threats will materialise, errors will be made, or damage or injury will occur.
Within the University, risk identification occurs at various levels with the major ones being as follows:
Strategic risk identification: Strategic risks are identified as part of the strategic planning process, through structured enterprise risk management workshops or through escalation from departmental/faculty Risk Registers. They are required to be documented in the University’s Risk Register. Identification at this level is aimed to inform strategic decision making to allow the University to improve outcomes while minimising adverse impacts on the University’s goals and objectives.
Departmental/Faculty risk identification: Risks associated with each Cost Centre are identified in the annual planning process and are required to be documented in the Departmental/Faculty Risk Register. Regular revision of the Risk Register is coordinated by the Office of the Chief Operating Officer to ensure that the identification and treatment of risks are managed on a timely basis.
Project risk identification: These risks are generally associated with significant change or project activity and are normally identified at the commencement of the new activity or project. These risks are also reviewed in a formal manner as part of the hand over to operations. When operationalised, residual project risks should be incorporated into appropriate Department / Faculty Risk Registers.
Ad-hoc risk identification: Risks may be identified by staff during their normal University work. When risks are identified in this manner, staff must:
- Determine whether immediate action is necessary to reduce the risk, and if safe to do so, carry out this action. For example, where there is a safety risk and immediate action is necessary to prevent injury.
- Discuss the risk with your Cost Centre Manager to determine whether the risk is new and warrants action, and whether the risk is a responsibility of your Cost Centre.
- If the risk is considered to be within your Cost Centre’s area of responsibility, document the risk as a Departmental/Faculty risk within the University’s Risk Register.
- If the risk is not considered to be within your Cost Centre’s area of responsibility, report the risk to the Risk Manager.
On receipt of a reported risk, the Risk Manager is to:
- Assess the risk in consultation with appropriate staff
- Initiate any immediate action that is required
- Escalate the issue to an appropriate Cost Centre Manager or a member of the USC Executive
All identified risks are to be entered in the University’s Risk Register, either by the person responsible for managing Cost Centre risks or by the Risk Manager. At a minimum, the following information must be included:
- The description of the risk: this is a short, meaningful title so that the risk can readily be referred to in the future
- A long description of the risk, including information on how the risk impacts on the University
- The causes of the risk
- The assigned risk owner
In addition, the following information is to be included where known:
- The category of the risk, together with its primary link to the Strategic Plan and any Strategic Risks
- Details of the existing controls in place to manage the risk, including temporary controls that are being used to manage the risk until further action is taken
- The inherent risk rating determined from the assessment of the potential consequences and likelihood for the risk
- Details of any proposed controls, including a due date for implementation
- The residual risk rating after consideration of the controls in place
4.4 Risk Analysis
Risk analysis involves developing an understanding of the risk and provides an input to risk evaluation and to decisions on whether risks need to be treated, and if so, on the most appropriate risk treatment methods. This analysis can also provide input into the options to address risks and inform the decision making required across different types and levels of risk.
Risk analysis should seek to identify potential causes and sources of risk in order to analyse their consequence and the likelihood that the consequence will occur.
All risks within the University are assessed using a common scale that considers:
- The potential consequences if the risk were to occur, and
- the likelihood of the University being impacted in that way
The consequence and likelihood are then used to rank the risk in accordance with the following four categories:
The analysis is undertaken on the current status of the risk and identifies both the inherent risk (the rating before any controls are applied) and the residual risk (the rating after the controls already in place are taken into account). This common approach to risk rating ensures that the most significant risks to the University can be readily identified and prioritised in a way that has the greatest overall benefit to the University.
4.5 Risk Evaluation
The purpose of risk evaluation is to assist in making decisions, based on the outcome of risk analysis, about which risks need treatment and the priority for treatment implementation.
Decisions should take account of the wider context of the risk and include consideration of the University’s risk appetite and tolerances across categories of University activity. Legal, regulatory and other requirements may also impact on the evaluation.
The rating of a risk, together with the categories of University activity and the related risk appetite as identified within the USC Risk Appetite Statement, are used to determine:
- The urgency with which action should be undertaken
- The nature of the action that is required
- The reporting requirements for the risk
- How the risk is to be monitored
That is, risk evaluation identifies those risks whose rating, after the existing controls are taken into account, exceeds the University’s risk tolerances and for which risk treatment is therefore required to further manage the risk.
4.6 Risk Treatment
Where risk treatment is required, it involves selecting one or more options for modifying the risk and implementing those options. Once implemented, treatments provide or modify the controls. Risk treatment involves a cyclical process of:
- Assessing a risk treatment
- Deciding whether residual risk levels are within risk appetite and tolerances
- If not tolerable, generating new risk treatment(s)
Risk treatment options are not necessarily mutually exclusive, nor are they appropriate in all circumstances when due consideration is given to the current risk appetite. The purpose of this step is to put in place one or more options (controls) to reduce the level of residual risk to a level that is considered acceptable by the University.
Selection of the most appropriate treatment option involves:
- balancing the costs and efforts of implementation against the benefits derived (Cost/Benefit analysis)
- considering the values and perceptions of the stakeholders (Stakeholder analysis)
- considering the secondary risks that may occur as a result of the treatment options (Control effectiveness)
Treatment options include:
Avoid the risk: by deciding not to proceed or continue with the activity or choosing an alternative approach to achieve the same outcome. The aim is risk management, not aversion.
Mitigate the risk: Reduce the likelihood by improving management controls and procedures. Reduce the consequence by putting in place strategies to minimise adverse consequences, e.g. contingency planning, a Business Continuity Plan, liability cover in contracts.
Transfer the risk: Shifting responsibility for a risk to another party by contract or insurance. It can be transferred as a whole or shared.
Accept the risk: Controls are deemed appropriate. These must be monitored and contingency plans developed where appropriate.
A common approach to risk rating is necessary to ensure that the largest risks to the University can readily be identified and management of risks can be prioritised in a way that has the greatest overall benefit to the University. Further guidance on risk rating including assigning a consequence and likelihood can be obtained within the Risk Tables (Refer to Appendix A).
Further staff resources are available on MyUSC.