Diagram 1 – Risk management process followed by the University
Instructions on applying the risk management process are included at Attachment A
, with details on the supporting tools to assist in the process included at Attachment B
Risk assessments should be undertaken to assess:
- Strategic risks – are the risks specific to the ongoing operations of the University which may impact the achievement of the Strategic Plan and objectives;
- Operational risks – are the risks specific to a single business unit, faculty, research institute or controlled entity; and
- Project risks – are the risks related to specific projects, including contracts, capital works, events, procurements, partnerships and business ventures.
A risk assessment may be undertaken at any time for any University activity. However a risk assessment should always be undertaken in any of the following circumstances:
- where required by a regulatory body, University policy or procedure (e.g. Work Health and Safety Act, international travel, field trips);
- at the commencement of any major project relevant to the University – a major project is defined as having a total value greater than $200,000, or where there is a risk that would have a potential consequence rating of Moderate or above (refer to the UC Risk Matrix for consequence ratings);
- to support decision-making, such as in determining the feasibility of a project or in supporting the requirement for additional resources or new equipment;
- prior to significant new initiatives being commenced by faculties, business units or controlled entities;
- prior to undertaking any significant new commercial activity, joint venture or partnership arrangement;
- as part of a significant procurement activity; or
- prior to the commencement of any activity where serious injury, significant property loss or adverse media attention may result.
A risk assessment for a project, procurement, contract and event can be applied across all phases of the lifecycle (i.e. from initial concept and definition through realisation to a final completion, decommissioning or disposal). It is important that consideration for a risk assessment occurs at the outset of an activity as this may assist in understanding the feasibility of the project due to the potential risks involved and ultimately, whether to proceed or not. A risk assessment can also be used to assist in determining the best option where alternative options or solutions are available.
During the design and development phase of a project/activity, a risk assessment contributes to:
- defining the risk;
- ensuring risks are understood and tolerable;
- informing decision making processes;
- cost-effectiveness studies; and
- identifying risks impacting on subsequent life-cycle phases.
As the activity proceeds, risk assessment can be used to provide information to assist in developing procedures for normal and emergency conditions.
Note: the University has specific policies and procedures for conducting risk assessments relating to work health and safety practices and international travel. Refer to the Policy Database for further details.
Developing a Risk Register
The development of a Risk Register involves risk identification and assessment where major strategic and operational risks, and potential sources of risks, are considered and identified. The University applies a five-point risk assessment scale to determine the seriousness of the resulting consequence
if the risk does occur and how likely
it is that any given risk will occur based on the consequence.. These two assessments are then brought together in a two-dimensional matrix and their interactions determine the rating of each assessed risk as Low, Medium, High
or Extreme (Risk Matrix).
The Risk Matrix is located on the UC Portal - Risk Management
In practice risks are assessed on both a Current
assessment considers the risk rating taking into account current controls that have been implemented.
assessment considers the risk rating taking into account the impact of any further controls and treatment strategies which will be implemented to mitigate the risks consequence and/or likelihood.
Assessing the risk profile
Each operating area within the University is required to develop a risk register identifying all risks that may impact on organisational activities and outcomes across the range of activities and processes undertaken. These risks are then assessed against the Risk Matrix, current and potential treatment and control actions and options are reviewed. A Residual risk rating is then applied by taking into consideration the Current risk rating and related current treatment and control action(s).
Operational risk registers are then aggregated to develop a University wide risk profile.
Developing Risk Treatment Action Plans and Risk Summary Reports
Executive Deans/Directors/Senior Managers/Managers must report on all risks currently rated as Extreme or High due to the potential impact on business activities that may result should these risks eventuate. This is done using risk treatment action plans and risk summary reports. The risk treatment action plans must include the risk reference number, detail of the risk, treatment/control measures and implementation progress of treatment/control measures. Risk treatment action plans must also indicate whether it is considered that Executive intervention is required.
The risk treatment action plans are analysed and summarised into risk summary reports. The Extreme and High level risks set out in these risk summary reports are presented to the ARMC (or relevant Boards for controlled entities) for monitoring and any further action, if required.
Risk assessment – business planning cycle
Operational and strategic level risk assessments should be undertaken as part of the University’s business planning process. These plans include the University’s Strategic Plan and operational plans. A risk assessment, including the review of existing risk registers, should be undertaken to support this process. The following diagram illustrates this business process lifecycle:
Approval, maintenance and review
All operational risk registers should be submitted to the Risk and Audit team (firstname.lastname@example.org) to monitor the level of acceptable risk and the extent of which risks are being managed appropriately.
All risk registers must be finalised and formally approved by the appropriate level of authority when developed and on completion of formal review process.
All risk management documentation is to be recorded, stored and maintained in an appropriate manner and location. A current copy of strategic and operational level risk registers is to be held with the Risk and Audit team.
The level of approving authority and frequency for review is detailed in the following table:
Vice-Chancellor’s Group (the latter for noting)
|Bi-annual reviews (i.e. every six months)
or more frequently as part of strategic planning
or at a major environmental change
||Portfolio Head, Executive Dean or Director
||Bi-annual reviews (i.e. every six months)
or more frequently as part of business planning
or at a major environmental change
||Project Manager or Project Steering Committee.
||At key milestones
or more regularly as required by project requirements.
Risk assessments and reviews should be conducted to align with development of plans (e.g. strategic, operational and project plans) and budgeting cycles where practicable.
A risk register review will entail assessing the state of each risk and updating the register to reflect the current status of the existing controls and further treatment actions to be undertaken. Reviews of the risk ratings based on any changes should also be considered. It is important that a review of the risk assessment be conducted when there is a change in context, as it may impact an existing risk or mean new risks may emerge.
Risk owners will have accountability for managing the risk and ensuring any associated risk treatment plans are implemented accordingly.
Risk register reporting allows management to monitor and review risks. Risk reports draw information from the risk registers and, depending upon the requirements, may include:
- a demonstration of the link between objectives and risks;
- priorities, based on the risk rating, accompanied by information on key controls and treatments needed to modify the risk;
- risks that are getting worse, success of treatment plans and risks that require additional attention;
- new risks that may still need to be fully considered and understood;
- potential areas that require urgent attention;
- main areas of exposure;
- systemic control analysis;
- untreated risks and risk treatments that are overdue; and
- risk owners.
The Annual Internal Audit Plan will be developed in part on the basis of the Strategic Risk Register and operational unit risk registers with a view to testing and validating the risk registers and plans to ensure that treatments and controls are adequate.
The University takes its responsibility to students, staff, partners, affiliates and the wider community seriously. To this end, its approach to managing risks to its operations can be seen to have three key focuses:
- a risk management platform of defined guidelines and accountabilities supported by risk management tools and templates;
- a business practice approach to risk management, embedded into all levels including business, project and resource planning and reporting; and
- continuous identification and management of risks, supported by regular ongoing review and monitoring.
This Plan, in conjunction with the University’s Resilience Management Framework, is one of the key governance measures designed to ensure that risks are properly identified, assessed and managed. In practice the Resilience Management Framework, and this Plan must be maintained as living documents, developing and evolving to reflect changing internal and external environments, and responding to new and previously unanticipated risks to the quality and effectiveness of its work.
It is expected that all staff will know, understand and support their defined role in the management of risks and in the development and application of this Plan.