Welcome to the University Policy Library.
If you are unable to find what you are looking for please use the 'search' function below.
Delegations of Authority Policy is the key document for who is responsible to exercise a delegation – Note: Policies and procedure documents may not reflect the current delegations. Please refer to the Delegations of Authority Policy to identify who the delegate is.
Risk Management Plan
Purpose:
The University of Canberra (University) is committed to effective and efficient identification, treatment and monitoring of risks that may affect the achievement of the University’s strategic and business objectives. The Audit and Risk Management Committee (ARMC) and Council oversee the implementation and operation of risk management at the University.
The University pursues an effective risk management philosophy and culture through a governance framework that integrates its risk management activities with its Strategic Plan and supporting business and operational plans.
The objectives of the University’s Risk Management Plan (Plan) are to:
The University pursues an effective risk management philosophy and culture through a governance framework that integrates its risk management activities with its Strategic Plan and supporting business and operational plans.
The objectives of the University’s Risk Management Plan (Plan) are to:
- provide a detailed guide to support the implementation of risk management at the University;
- outline the risk management process to be followed by all members of the University, including controlled entities and contractors, where applicable;
- minimise the University’s exposure to significant risks through the identification, assessment, management and reporting of risk; and
- enhance the University’s ability to capitalise on opportunities through risk management and overall performance improvement.
Scope:
The Plan establishes the processes for risk management across the University. This Plan applies to the UC Group (i.e. all members of the University, including controlled entities), unless otherwise agreed by the governing board and the Vice-Chancellor.
The risk management process is designed to ensure that risk management decisions are based on a robust approach, assessments are conducted in a consistent manner, and a common language is used and understood across the University.
This Plan is consistent with the Australian and New Zealand Risk Management Standard - ISO 31000:2018 Risk Management –Guidelines.
The risk management process is designed to ensure that risk management decisions are based on a robust approach, assessments are conducted in a consistent manner, and a common language is used and understood across the University.
This Plan is consistent with the Australian and New Zealand Risk Management Standard - ISO 31000:2018 Risk Management –Guidelines.
Procedure:
The risk management process consists of the following:
- Communication and consultation with relevant stakeholders;
- Defining the scope of the process and understanding the external and internal context
- Risk assessment which includes the process for identifying, analysing and evaluating risks;
- Treating the identified risks;
- Monitoring and review which includes determining whether the risk profile has changed and whether new risks have emerged. Checking control effectiveness and progress of the treatment plans; and
- Recording and reporting to relevant stakeholders.
Diagram 1 – Risk management process followed by the University
Instructions on applying the risk management process are included at Attachment A, with details on the supporting tools to assist in the process included at Attachment B.
Risk assessments should be undertaken to assess:
During the design and development phase of a project/activity, a risk assessment contributes to:
Note: the University has specific policies and procedures for conducting risk assessments relating to work health and safety practices and international travel. Refer to the Policy Database for further details.
Developing a Risk Register
The development of a Risk Register involves risk identification and assessment where major strategic and operational risks, and potential sources of risks, are considered and identified. The University applies a five-point risk assessment scale to determine the seriousness of the resulting consequence if the risk does occur and how likely it is that any given risk will occur based on the consequence.. These two assessments are then brought together in a two-dimensional matrix and their interactions determine the rating of each assessed risk as Low, Medium, High or Extreme (Risk Matrix).
The Risk Matrix is located on the UC Portal - Risk Management website.
In practice risks are assessed on both a Current and Residual basis.
The Current assessment considers the risk rating taking into account current controls that have been implemented.
The Residual assessment considers the risk rating taking into account the impact of any further controls and treatment strategies which will be implemented to mitigate the risks consequence and/or likelihood.
Assessing the risk profile
Each operating area within the University is required to develop a risk register identifying all risks that may impact on organisational activities and outcomes across the range of activities and processes undertaken. These risks are then assessed against the Risk Matrix, current and potential treatment and control actions and options are reviewed. A Residual risk rating is then applied by taking into consideration the Current risk rating and related current treatment and control action(s).
Operational risk registers are then aggregated to develop a University wide risk profile.
Developing Risk Treatment Action Plans and Risk Summary Reports
Executive Deans/Directors/Senior Managers/Managers must report on all risks currently rated as Extreme or High due to the potential impact on business activities that may result should these risks eventuate. This is done using risk treatment action plans and risk summary reports. The risk treatment action plans must include the risk reference number, detail of the risk, treatment/control measures and implementation progress of treatment/control measures. Risk treatment action plans must also indicate whether it is considered that Executive intervention is required.
The risk treatment action plans are analysed and summarised into risk summary reports. The Extreme and High level risks set out in these risk summary reports are presented to the ARMC (or relevant Boards for controlled entities) for monitoring and any further action, if required.
Risk assessment – business planning cycle
Operational and strategic level risk assessments should be undertaken as part of the University’s business planning process. These plans include the University’s Strategic Plan and operational plans. A risk assessment, including the review of existing risk registers, should be undertaken to support this process. The following diagram illustrates this business process lifecycle:
Approval, maintenance and review
All operational risk registers should be submitted to the Risk and Audit team (risk.management@canberra.edu.au) to monitor the level of acceptable risk and the extent of which risks are being managed appropriately.
All risk registers must be finalised and formally approved by the appropriate level of authority when developed and on completion of formal review process.
All risk management documentation is to be recorded, stored and maintained in an appropriate manner and location. A current copy of strategic and operational level risk registers is to be held with the Risk and Audit team.
The level of approving authority and frequency for review is detailed in the following table:
Risk assessments and reviews should be conducted to align with development of plans (e.g. strategic, operational and project plans) and budgeting cycles where practicable.
A risk register review will entail assessing the state of each risk and updating the register to reflect the current status of the existing controls and further treatment actions to be undertaken. Reviews of the risk ratings based on any changes should also be considered. It is important that a review of the risk assessment be conducted when there is a change in context, as it may impact an existing risk or mean new risks may emerge.
Risk owners will have accountability for managing the risk and ensuring any associated risk treatment plans are implemented accordingly.
Reporting
Risk register reporting allows management to monitor and review risks. Risk reports draw information from the risk registers and, depending upon the requirements, may include:
CONCLUSION
The University takes its responsibility to students, staff, partners, affiliates and the wider community seriously. To this end, its approach to managing risks to its operations can be seen to have three key focuses:
It is expected that all staff will know, understand and support their defined role in the management of risks and in the development and application of this Plan.
Instructions on applying the risk management process are included at Attachment A, with details on the supporting tools to assist in the process included at Attachment B.
Risk assessments should be undertaken to assess:
- Strategic risks – are the risks specific to the ongoing operations of the University which may impact the achievement of the Strategic Plan and objectives;
- Operational risks – are the risks specific to a single business unit, faculty, research institute or controlled entity; and
- Project risks – are the risks related to specific projects, including contracts, capital works, events, procurements, partnerships and business ventures.
- where required by a regulatory body, University policy or procedure (e.g. Work Health and Safety Act, international travel, field trips);
- at the commencement of any major project relevant to the University – a major project is defined as having a total value greater than $200,000, or where there is a risk that would have a potential consequence rating of Moderate or above (refer to the UC Risk Matrix for consequence ratings);
- to support decision-making, such as in determining the feasibility of a project or in supporting the requirement for additional resources or new equipment;
- prior to significant new initiatives being commenced by faculties, business units or controlled entities;
- prior to undertaking any significant new commercial activity, joint venture or partnership arrangement;
- as part of a significant procurement activity; or
- prior to the commencement of any activity where serious injury, significant property loss or adverse media attention may result.
During the design and development phase of a project/activity, a risk assessment contributes to:
- defining the risk;
- ensuring risks are understood and tolerable;
- informing decision making processes;
- cost-effectiveness studies; and
- identifying risks impacting on subsequent life-cycle phases.
Note: the University has specific policies and procedures for conducting risk assessments relating to work health and safety practices and international travel. Refer to the Policy Database for further details.
Developing a Risk Register
The development of a Risk Register involves risk identification and assessment where major strategic and operational risks, and potential sources of risks, are considered and identified. The University applies a five-point risk assessment scale to determine the seriousness of the resulting consequence if the risk does occur and how likely it is that any given risk will occur based on the consequence.. These two assessments are then brought together in a two-dimensional matrix and their interactions determine the rating of each assessed risk as Low, Medium, High or Extreme (Risk Matrix).
The Risk Matrix is located on the UC Portal - Risk Management website.
In practice risks are assessed on both a Current and Residual basis.
The Current assessment considers the risk rating taking into account current controls that have been implemented.
The Residual assessment considers the risk rating taking into account the impact of any further controls and treatment strategies which will be implemented to mitigate the risks consequence and/or likelihood.
Assessing the risk profile
Each operating area within the University is required to develop a risk register identifying all risks that may impact on organisational activities and outcomes across the range of activities and processes undertaken. These risks are then assessed against the Risk Matrix, current and potential treatment and control actions and options are reviewed. A Residual risk rating is then applied by taking into consideration the Current risk rating and related current treatment and control action(s).
Operational risk registers are then aggregated to develop a University wide risk profile.
Developing Risk Treatment Action Plans and Risk Summary Reports
Executive Deans/Directors/Senior Managers/Managers must report on all risks currently rated as Extreme or High due to the potential impact on business activities that may result should these risks eventuate. This is done using risk treatment action plans and risk summary reports. The risk treatment action plans must include the risk reference number, detail of the risk, treatment/control measures and implementation progress of treatment/control measures. Risk treatment action plans must also indicate whether it is considered that Executive intervention is required.
The risk treatment action plans are analysed and summarised into risk summary reports. The Extreme and High level risks set out in these risk summary reports are presented to the ARMC (or relevant Boards for controlled entities) for monitoring and any further action, if required.
Risk assessment – business planning cycle
Operational and strategic level risk assessments should be undertaken as part of the University’s business planning process. These plans include the University’s Strategic Plan and operational plans. A risk assessment, including the review of existing risk registers, should be undertaken to support this process. The following diagram illustrates this business process lifecycle:
Approval, maintenance and review
All operational risk registers should be submitted to the Risk and Audit team (risk.management@canberra.edu.au) to monitor the level of acceptable risk and the extent of which risks are being managed appropriately.
All risk registers must be finalised and formally approved by the appropriate level of authority when developed and on completion of formal review process.
All risk management documentation is to be recorded, stored and maintained in an appropriate manner and location. A current copy of strategic and operational level risk registers is to be held with the Risk and Audit team.
The level of approving authority and frequency for review is detailed in the following table:
| Level | Approving Authority | Frequency |
|---|---|---|
| Strategic | Vice-Chancellor and Vice-Chancellor’s Group (the latter for noting) |
Bi-annual reviews (i.e. every six months) or more frequently as part of strategic planning or at a major environmental change |
| Operational | Portfolio Head, Executive Dean or Director | Bi-annual reviews (i.e. every six months) or more frequently as part of business planning or at a major environmental change |
| Project/Event | Project Manager or Project Steering Committee. | At key milestones or more regularly as required by project requirements. |
A risk register review will entail assessing the state of each risk and updating the register to reflect the current status of the existing controls and further treatment actions to be undertaken. Reviews of the risk ratings based on any changes should also be considered. It is important that a review of the risk assessment be conducted when there is a change in context, as it may impact an existing risk or mean new risks may emerge.
Risk owners will have accountability for managing the risk and ensuring any associated risk treatment plans are implemented accordingly.
Reporting
Risk register reporting allows management to monitor and review risks. Risk reports draw information from the risk registers and, depending upon the requirements, may include:
- a demonstration of the link between objectives and risks;
- priorities, based on the risk rating, accompanied by information on key controls and treatments needed to modify the risk;
- risks that are getting worse, success of treatment plans and risks that require additional attention;
- new risks that may still need to be fully considered and understood;
- potential areas that require urgent attention;
- main areas of exposure;
- systemic control analysis;
- untreated risks and risk treatments that are overdue; and
- risk owners.
CONCLUSION
The University takes its responsibility to students, staff, partners, affiliates and the wider community seriously. To this end, its approach to managing risks to its operations can be seen to have three key focuses:
- a risk management platform of defined guidelines and accountabilities supported by risk management tools and templates;
- a business practice approach to risk management, embedded into all levels including business, project and resource planning and reporting; and
- continuous identification and management of risks, supported by regular ongoing review and monitoring.
It is expected that all staff will know, understand and support their defined role in the management of risks and in the development and application of this Plan.
Implementation and Reporting:
Implementation Officer
The Associate Director, Risk and Audit is responsible for the promulgation and implementation of this procedure. Enquires about the above process should be directed to the implementation officer by emailing risk.management@canberra.edu.au.
The Associate Director, Risk and Audit is responsible for the promulgation and implementation of this procedure. Enquires about the above process should be directed to the implementation officer by emailing risk.management@canberra.edu.au.
Supporting Information:
Further Information
To access ISO 31000:2018 Risk Management –Guidelines standard go to http://www.canberra.edu.au/library/research-gateway/databases select ‘standards on-line’ and enter ‘risk management’ into the search field.
For further advice and assistance please contact the risk management team within the University’s Risk and Audit team by emailing risk.management@canberra.edu.au.
Refer to tools and templates on the Risk and Resilience Management website on the UC Portal.
Review
This procedure will be reviewed every three years.
References
Australian and New Zealand Standard ISO 31000:2018 – Risk Management Guidelines.
Australian Capital Territory Insurance Authority (ACTIA) Risk Management Guide and Toolkit ACT Government.
University of the Sunshine Coast (2013) Risk Management Procedures. Maroochydore, Queensland.
Griffith University (2013) Risk Management Framework, Queensland.
ATTACHMENT A - Risk Management Process
Instructions on how to undertake risk management activities are detailed below.
ATTACHMENT B - Tools and Templates
The following tools will be used consistently by all business areas across the University, including faculties, research institutes, controlled entities and key administrative business units, for conducting risk assessment and the ongoing management of risks.
The tools and templates are located on the UC Portal - Risk and Resilience Management website.
To access ISO 31000:2018 Risk Management –Guidelines standard go to http://www.canberra.edu.au/library/research-gateway/databases select ‘standards on-line’ and enter ‘risk management’ into the search field.
For further advice and assistance please contact the risk management team within the University’s Risk and Audit team by emailing risk.management@canberra.edu.au.
Refer to tools and templates on the Risk and Resilience Management website on the UC Portal.
Review
This procedure will be reviewed every three years.
References
Australian and New Zealand Standard ISO 31000:2018 – Risk Management Guidelines.
Australian Capital Territory Insurance Authority (ACTIA) Risk Management Guide and Toolkit ACT Government.
University of the Sunshine Coast (2013) Risk Management Procedures. Maroochydore, Queensland.
Griffith University (2013) Risk Management Framework, Queensland.
ATTACHMENT A - Risk Management Process
Instructions on how to undertake risk management activities are detailed below.
| Process Step | Purpose & Process | Tools |
|---|---|---|
| 1. Communication and consultation – involves stakeholders (internal and external) and information sharing throughout the risk management process, at all levels across the University. |
The objective of this step is to ensure that all relevant stakeholders are adequately engaged in the risk management process, therefore not limiting the opinions, insights and expertise to achieve the best outcome. Other advantages of communicating and consulting include:
|
|
| 2. Scope, Context, Criteria – defining the scope of the process and understanding the external and internal context. | The risks being identified should relate to the activity being undertaken e.g. business operations, a project, a procurement or an event. Developing a Risk Context Statement will assist in defining the activity and understanding the risk. Defining the scope As the risk management process may be applied at different levels (strategic, operational, project etc.), it is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organisational objectives. When planning the approach, considerations include:
The external and internal context is the environment in which the University seeks to define its objectives. The context of the risk assessment process should be established from understanding the external and internal environment in which the University operates and activity(s) is being performed.
Define the risk criteria to ensure risks are assessed in a consistent manner (i.e. nature and types, timeframes, level of risk, stakeholder reviews and perceptions). The University defines risk criteria using the Risk Matrix. What information is available? Gather any relevant documents that may assist in identifying risks relevant to the activity you are assessing, these may include:
|
|
| 3, Risk assessment – this is the overall process for identifying, analysing and evaluating risks. The purpose of the risk assessment is to provide information and analysis to support decisions on how to treat particular risks and how to choose between options where there is uncertainty. Risk assessments for the operational and strategic levels should be conducted as part of the University’s business planning cycle. Further information is provided in the Risk assessment – business planning cycle section. |
||
| Process Step | Purpose & Process | Tools |
|---|---|---|
| a. Identify the risks “Finding, recognising and describing risks.” A risk has not occurred and may not happen. An issue is a risk that has occurred or ‘been realised’. |
The objective of this step is to identify and document all significant risks that could potentially have an impact on the University’s strategies and operational activities. To undertake this process, consider the use of focus groups (using brainstorming approaches, SWOT/PESTLE analysis techniques, project categories or broad business categories), workshops and interviews, and conduct research activities internally and across the industry. To identify relevant risks follow the below process:
Damage to… Loss of… Inadequate… Insufficient… Inability to… Lack of… Exceeding (authority, delegations, contract price etc.)…
Natural disasters (e.g. earthquake) Flood Fire e.g. the source of the risks Breach of legislation could be:
The consequence should be described in its most usual form and not the extreme form. e.g. the consequence of A paper cut is:
|
|
| b. Analyse the risks – comprehending the nature of the risk and determining the level of risk exposure (consequence and the likelihood of that consequence). |
The objective of this step is to sort the major risks from the minor ones and determine where resource effort should be focussed. A risk control is what is currently being done to manage the risk. Controls include any process, policy, device or practice or other actions, which modify risk. Controls may not always operate as intended and may potentially result in additional risks arising. In order to analyse risks it is necessary need to determine:
4-Major x C-Possible = High |
|
| c. Evaluate the risks – comparing the results of the risk analysis with the risk criteria to determine whether the risk is acceptable or tolerable. | This part of the process is required:
These can be evaluated as (refer to the UC Risk Matrix for definitions):
|
|
| 4.Treat the risks selecting one or more options for modifying the risk. Reassessing the level of risks with controls and treatments in place (residual risk), preparing treatment plans and implementing them. | The objective of this step is to identify treatments for risks that fall outside the University’s risk tolerance. If the CER is rated as ‘Inadequate’ or ‘Room for Improvement’ it is necessary to determine what else could be done to manage the risk.
3-Moderate x C-Possible = Medium
|
|
| 5. Monitoring and review – determining whether the risk profile has changed and whether new risks have emerged. Checking control effectiveness and progress of the treatment plans. | Risk registers should be reviewed every six months, at key project/event milestones or more frequently when there is a major environmental change e.g. implementation of a new policy. The monitoring and review process should encompass all aspects of the risk management process for the purposes of:
|
|
| 6. Recording and Reporting - outcomes should be documented and reported through appropriate mechanisms. | Recording and reporting aims to:
|
|
ATTACHMENT B - Tools and Templates
The following tools will be used consistently by all business areas across the University, including faculties, research institutes, controlled entities and key administrative business units, for conducting risk assessment and the ongoing management of risks.
| Tool | Description |
|---|---|
| 1. Context Statement | This is an overarching statement document to support the risk assessment process. It will:
|
| 2. Risk Registers | Information from the risk assessment process is recorded, reported and monitored using the Risk Register. The Risk Register enables staff to document, manage, monitor, review and update strategic, corporate and operational risk information. For each risk the following will be captured:
|
| 3. Risk Matrix | Tool used to assess the level of risk based on the consequence and likelihood of the risk occurring. The Risk Matrix is located on the UC Portal - Risk and Resilience Management website. |
| 4. Risk Treatment Action Plans | A Risk Treatment Action Plan will be prepared for all Extreme and High rated risks. A Risk Treatment Action Plan contains:
|
| 5. Risk Summary Reports | Risk reports draw information from the risk registers and enable management to monitor and review risks in alignment with the Strategic Plan, business and operational plans, programs of change and other cascading plans. Risk Summary Reports are completed for the strategic, operational and project risks and used to report to ARMC, Academic Board, controlled entity boards, project control groups/steering committees, faculty visits and other university reporting requirements. Refer to Reporting section for details. |
| 6. University of Canberra Website and Portal | Access to policy, guidelines and template documents are available on the University of Canberra staff portal. |
| 7. Training and risk workshop facilitation | Risk management training courses are available to equip relevant University stakeholders with sound risk management knowledge and skills. These courses include:
|
