Risk Management

Document Currently Under Review

Current Status: Under Review - With Editor 30 November 2017

Risk Management Framework

Policy Code: CG1844


The University's Risk Management Framework is intended for use by the University community to ensure consistent application of risk management processes to the wide range of activities undertaken by the University.

The Risk Management Framework brings together information on policies, accountabilities and roles and responsibilities for all those involved in risk management. The Framework provides a structured approach to the identification and management of risks which are likely to adversely impact on the performance and continued growth of the University.

The analysis and management of risks and mitigation strategies enables the achievement of strategic goals. The University’s risk management program is based on the International Organisation for Standardisation’s Risk Management Standard ISO/FDIS 31000:2009 , which provides a rigorous approach to identifying, assessing and managing risks. This Standard establishes a number of principles that are required to be satisfied before risk management will be effective.

The strategic planning process is integral to identifying, communicating and focussing on those factors that are critical to the University achieving its fundamental purpose. This process forms one of the key elements of this Risk Management Framework, as it is through effective planning that management identifies, analyses and documents risks and risk management strategies.


The University recognises that risk is inherent in all academic, administrative and business activities and that every member of the University community manages risk. The University continues to evolve in how it manages risk and does so through formal and systematic processes that are regarded as good management practice. The University promotes the adoption of a culture, which integrates a strategic and formal approach to risk management to improve decision-making and enhancing outcomes and accountability.

For the University’s risk management to be effective, it needs to:

  • Create and protect value;
  • Be an integral part of all University processes;
  • Be part of decision making;
  • Explicitly address uncertainty;
  • Be systematic, structured and timely;
  • Be based on the best available information;
  • Be tailored;
  • Take human and cultural factors into account;
  • Be transparent and inclusive;
  • Be dynamic, iterative and responsive to change; and,
  • Facilitate continual improvement of the University.

Legislative Context

Risk Management Policy


Term Definition
Consequence outcome of an event.
Establishing the context defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.
Level of Risk magnitude of a risk, expressed in terms of the combination of consequences and their likelihood.
Likelihood chance of something happening.
Operational Risk an event that may adversely impact on a School's or Directorate's ability to achieve its key objectives
Risk the effect of uncertainty that may impact upon the University's objectives. It is measured in terms of the consequence of an event and the associated likelihood of occurrence.
Risk Analysis process to comprehend the nature of risk and to determine the level of risk.
Risk Assessment overall process of risk identification, risk analysis and risk evaluation.
Risk Criteria terms of reference against which the significance of a risk is evaluated.
Risk Evaluation process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk Management coordinated activities to direct and control an organisation with regard to risk.
Risk Management Framework set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
Risk Management Plan scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk.
Risk Management Policy statement of the overall intentions and direction of an organisation related to risk management.
Risk Management Process systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing the risk.
Risk Source element which alone or in combination has the intrinsic potential to give rise to risk.
Risk Treatment process to modify risk.

Risk Management Roles & Responsibilities

Governance Level

University Council

The Federation University Australia Council (“Council”), as the governing body of Federation University Australia, is ultimately responsible for overseeing the overall risk profile of the University.

The Federation University Australia Act 2010 as amended by the University of Ballarat Amendment (Federation University Australia) Act 2013, establishes the following as responsibilities of the Council:

“Part 2 – Constitution and Governance of the University (Division 2 – The Council)

(e)   approving and monitoring systems of control and accountability of the

       University, including those required to maintain a general overview of

       any entity over which the University has control within the meaning of

       section 3 of the Audit Act 1994;

(f)  overseeing and monitoring the assessment and management of risk across

       the University, including university commercial activities.”

Audit & Risk Committee

The Federation University Australia Audit and Risk Committee (A&RC)  assists the Council in fulfilling its oversight responsibilities for the system of internal control, the audit process (both internal and external) and the University’s process for monitoring compliance with laws and regulations.

The Charter of the Audit & Risk Committee establishes the following risk management responsibilities for the Committee:

  • Oversee management’s overall risk management strategy/framework and ensure the required actions are appropriately resourced;
  • Oversee the establishment and implementation of the University’s risk management system;
  • Ensure that the University has identified, reviews and regularly updates the profile of the principal strategic, operational and financial risks to which it is exposed and assessed the appropriateness of the steps management has taken to manage these risks;
  • Review trends on the University’s risk profile, reports on specific risks and the status of the risk management process;
  • Review the University’s policy for the oversight and management of business risks;
  • Monitor performance of management in implementing risk management responses and internal control rectification activities and ensure that there are appropriate systems for identifying and monitoring risks in place and that these are operating as intended;
  • Review the proposed internal audit plan for the coming year, ensure that it covers key risks and that there is appropriate co-ordination with the external auditor;
  • Ensure that the annual work plan of internal audit includes an analysis of the effectiveness of the University’s risk management, internal compliance and control system; and,
  • Receive and consider the annual audited financial statements and provide comment to the Finance Committee, where appropriate.

The A&RC receives monthly financial management reports (including financial Key Performance Indicator data with trend analysis), Strategic Capital Infrastructure Project reports, quarterly Risk Management Reports and online access to the Strategic Risk Register. The Committee also receive specific reports annually or bi-annually, including Purchase Card reporting, Controlled Entities, FedUni Compliance Legislation and the FedUni Compliance Policies & Procedures report.

Internal Audit

The A&RC has oversight of the scope of work of Internal Audit. Internal Audit is established to provide independent, objective and consultancy functions to Senior Management to assist the University in achieving its mission and accomplishing its objectives by evaluating and monitoring the effectiveness of the University’s risk management processes, internal controls and governance processes. Internal Audit functions to assist the University to achieve sound managerial review and control over all of its operations to ensure these activities can be carried out effectively and efficiently (FedUni Internal Audit Charter).

Internal Audit services may be provided either by suitably qualified member(s) of the University or outsourced to a third party professional services or auditing firm.

In consultation with the Vice-Chancellor and other Senior Managers, the appointed Internal Auditor, and/or the external audit agency, shall recommend a Strategic Internal Audit Plan for approval by the Audit and Risk Committee. The Committee shall determine by whom the audits will be undertaken.

  • The Internal Audit function: monitors and evaluates the effectiveness of the University’s  risk management processes, internal controls and governance processes;
  • Provides independent and confidential advice to Council and Senior Management on remedial action to improve the effectiveness and efficiency of the use of resources; and,
  • Provides progress reports regarding remedial action taken by Management.

The Internal Auditor must review the policies, procedures, systems, records, accounts and plans of the University and consider and report upon the effectiveness by which the University meets its objectives.

The following tables describe the core roles of Internal Audit (Table 1), as well as those roles and activities which Internal Audit should not fulfil (Table 3) or only do so when adequate safeguards are in place to ensure a conflict of interest does not arise or the independence of the audit function is not compromised (Table 2).

Table 1: Core Roles of Internal Audit
CORE ROLES Core Roles of Internal Audit

Giving Assurance:

  • Control systems effectiveness
  • Risk management processes
  • That risks are correctly evaluated


  • Risk management processes
  • Reporting of material risks
  Reviewing the management of material risks
Table 2: Possible Roles of Internal Audit with Safeguards in Place

The functions in Table 2 below should only be performed by the Internal Auditor if the following safeguards are in place and approval of A&RC is obtained:

  • Segregation of duties;
  • Membership of the Institute of Internal Auditors, that requires strict professional and ethical standards to be adhered to;
  • Appropriate Audit & Risk Management qualifications, for example CIA (Internal Audit), CISA (IT Audit) and CRM (Risk Management);
  • Appropriate skill level and knowledge of the University; and
  • Council review and approval of risk management outcomes.
WITH SAFEGUARDS Possible Roles of Internal Audit with Safeguards in Place
  Advice on Risk Identification and Evaluation
  Championing establishment of Enterprise-wide Risk Management (ERM)


  • Risk workshops
  • Management risk response
  Central co-ordination point for ERM
  Risk monitoring across the University
  Holistic reporting on risk
  Operating the ERM framework
  Assisting in the development of a Risk Management strategy/procedure for Council approval
Table 3: Activities Internal Audit should not perform

The activities outlined in Table 3 below should never be performed by the Internal Auditor:

DO NOT Activities Internal Audit should NOT perform
  Set risk appetite
  Impose risk management processes or procedures
  Make decisions on risk response
  Manage risks on behalf of Management or Council
  Take accountability for risks and controls

Finance Committee

The Finance Committee will assist the Council in fulfilling its statutory and fiduciary responsibilities in accordance with the requirements of the Federation University Australia Act 2010 and the Statutes and Regulations of Federation University Australia.

The Terms of Reference for the Finance Committee establishes the following risk management responsibilities for the Committee:

  • Assess whether management has appropriate controls in place for unusual types of transactions and/or any particular transactions that may carry more than an acceptable degree of risk;
  • Receive and report to Council on the annual audited financial statements including making appropriate enquiries to satisfy itself that all regulatory compliance matters related to the business of the University have been appropriately considered in the preparation of the financial statements.

Infrastructure Committee

The Infrastructure Committee’s responsibilities are to advise Council on and make recommendations for the development of the physical and technological infrastructure of the University.

The Terms of Reference for the Infrastructure Committee establishes the following risk management responsibilities for the Committee:

  • To make recommendations to Council on major physical and technological projects, which involves expenditure that exceeds the financial delegation granted to University officers; or where the project has been recommended to the Infrastructure Committee for consideration as part of the University's Integrated Infrastructure Management Plan; or where responsibility for the project has been designated to the Infrastructure Committee under the University's Integrated Infrastructure Management Plan ("the project");
  • Be responsible for the oversight of the approval process for the major infrastructure: design and construction of new projects; appointment of architects, designers and consultants; and selection of contractors and sub-contractors for the purpose of tendering or submitting prices.

All advice and recommendations made by the Committee should be based upon consideration of: the report received from the University’s Probity Advisor; a risk and benefit assessment; and an examination of the fit of the proposed project with issues of educational, cultural, community and economic significance.

Academic Board

Statute 2.2 – Academic Board highlights the following responsibilities of the Board:

2.         (1) The Academic Board will be responsible for the supervision and development of

academic activities of the University, including the maintenance of high standards in teaching and research, and communication with the academic community through the Schools and Portfolios.

(2)  In addition to the powers and duties conferred or imposed upon it by the Act, the

Academic Board, subject to the Statutes and Regulations of the University and any resolution of the Council shall:

a)   provide advice to Council on matters pertaining to academic strategic issues;

b)   make recommendations to Council on matters pertaining to teaching and learning;

c)   make recommendations to Council on matters pertaining to research and research training;

d)   establish policies and procedures for approval of programs and TAFE courses and monitor compliance with such policies and procedures;

e)   programs, content, assessment and student progress;

f)    make recommendations to Council on the approval of programs;

g)   make recommendations to Council on requirements for conferral or granting of degrees, diplomas and certificates for undergraduate, honours and postgraduate coursework programs offered by the University;

h)   communicate with the academic community through the Schools and Portfolios.

Management Level

The Vice-Chancellor

  • Accountable to the University Council for ensuring a risk management program is in place as part of the University’s Corporate Governance framework and compliance with national and state government protocols;
  • Ensure that risk management processes are established, implemented and maintained.

Vice-Chancellor's Budget Advisory Committee

The Vice-Chancellor’s Budget Advisory Committee (VC’s BAC) shall have oversight of the financial monitoring and control cycle for the University and is an advisory committee to the Vice-Chancellor.

The Terms of Reference for the VC’s BAC establishes the following risk management responsibility for the Committee:

  • Review and approve the earned income activities of the University to ensure they are conducted in a fiscally responsible manner, including: monitoring of financial risk; review of attribution of expenses; examination of operational budgets for “stand alone” earned income activities and fee return from international programs.

The Vice-Chancellor's Senior Team (VCST)

  • The VCST receive reports from the Risk, Health and Safety Manager consisting of the updated University-wide Strategic Risk Register and specialist risk reports;
  • Manage risk by identifying, evaluating and treating risks across the organisation and within each member’s particular management portfolio; and,
  • Establish, oversee and support risk management policy and framework.


  • Manage risk by identifying, reporting, monitoring, evaluating and treating risks within the relevant area;
  • Each School/Directorate is required to submit an Occupational Health and Safety Plan for the forthcoming year to the Dean/Director, with a copy to the Manager of Risk, Health and Safety.  The Plan must be based on the Annual OHS Plan Template (docx, 210kb), and should be submitted by the end of December. The Schools/Directorates then implement their Plan throughout the year, ensuring compliance with the University’s Risk Management Framework.

University Health & Safety Policy Committee (UHSPC)

The role of the UHSPC is to consider and make recommendations to the Vice-Chancellor for compliance and improvement on university-wide health and safety matters relating to:

  • The prevention of injuries and illnesses among members of the University Community;
  • Employee consultation regarding health and safety issues and workplace change;
  • The management of incidents and emergencies arising in the context of University-endorsed activities;
  • The rehabilitation and compensation of injured university employees;
  • Legislative compliance, auditing programs and monitoring the implementation of actions incorporated in Health and Safety Plans; and
  • The performance of the University in relation to health and safety.

To support its approach to the provision of a safe working and learning environment, the University of Ballarat has three levels of teams to address health and safety issues. These are:

International and Partners Committee

In addition to the contractual arrangements between the University and the Partner Provider, the UB and Partner Provider Responsibilities Manual has been developed to provide a statement of Partner Provider and University responsibilities. The Manual is designed to assist staff of both Partner Providers and the University by providing clarity of responsibilities. 

Partner Approval Process

Partner Approval Process Flowchart PDF link


No. Task Notes
1. Potential Third Party Provider Identified VCST, PVC, Dean, Director CUP
2. Initial strategic approval to proceed Obtain advice on the viability of the proposed partnership including matching with the universities strategic intent and business needs.
3. Raise MOU Where appropriate an MOU may be prepared (Legal Office)


No. Task Notes
1. Proposed Third Party Provider completes Due Diligence Checklist Proposed Partner to complete and forward to PVC office for review. Partner/country check obtained.
2. School completes Business Case Dean of Faculty completes Business Case with Director CUP assistance. Business Case to include consultation and approval from administrative areas and a preliminary site visit.
3. Due Diligence Check Due Diligence report obtained and any follow-up undertaken by PVC office.
4. International & partners Committee & Academic Board Dean of Faculty present the Business Case to I&PC for discussion including: an analysis against the University’s strategic direction; examination of the business plan and the financials; and, the fit of academic direction. The I&PC makes a determination. Any partnership arrangement that involves changes to existing admission and English language requirements or credit arrangements shall be referred to Academic Board.
5. DVC & VC Budget Advisory Committee The proposal is accepted by VC on advice from I&PC/AB. Where the financial arrangements are outside the (former Earned Income Committee) guidelines they will be presented to the VC Budget Advisory Committee for approval. IF approved, the Legal Office proceeds to draft the contract on instruction from the PVC.


No. Task Notes
1. Site Inspection Prior to the official signing of the contract, site inspections will be conducted by the Director CUP or nominee.
2. Contract Negotiation The contract will be negotiated through the PVC/Legal Office in consultation with the relevant Dean of Faculty (including start date, teaching location(s), financial arrangements and approved programs for delivery).
3. Contract and associated documents ready for signature The Legal Office will arrange signature of the Contract. The executed contract will be entered on the Partner data-base, filed in the Legal Office & CUP, the relevant Dean will be provided with a copy and Council notified.
4. Operational notifications and registration Once the contract has been signed, the Director CUP will notify relevant sections for CRICOS registration, Finance for accounts, Registrar Services for Provider locations on systems.

In addition to the contractual arrangements between the University and the Partner Provider, the Operational Requirements for Partner Provider Agreements Procedure has been developed to provide a statement of Partner Provider and University responsibilities. The Procedure is designed to assist staff of both Partner Providers and the University by providing clarity of responsibilities.

Project Steering Committees - Strategic Capital and Infrastructure Projects

The Project Management Framework is based on the universal principles of the PMBOK® guide and PRINCE-II® methodology, in conjunction with the University's policies, procedures and guidelines. This framework for Project Management is based on the generic process flows of Initiating, Planning, Executing, Controlling & Monitoring and Closing (IPECC).

All projects that are considered to be of ‘medium’ or above risk level, at an institutional level via the Audit & Risk Committee, as defined in the Risk Management Policy.

A Risk Management Plan must be submitted detailing risks identified in the planning process and those risks inherent in a project, prescribing the likelihood, consequences and mitigation strategy for each risk.

The Project Management Framework Policy describes the University's policy regarding the essential elements in the management of all projects. The objectives of this policy are to ensure that:

  • Projects are effectively managed within the limitations of Scope, Quality, Resources (Time and Budget) and Risk;
  • Appropriate governance and control is established;
  • Communication, quality and risk management plans are developed and executed throughout a project's life;
  • Appropriate authorisation and acceptance is established throughout the life of a project;
  • Stakeholder communication is inclusive; and,
  • Post implementation reviews are conducted and actively used to improve the conduct of project delivery.

In order to achieve these objectives the elements of this Project Management Policy must be included in the initiation, planning, and execution of all major projects.

The Project Management Framework Procedure defines the processes that are performed throughout the life of a Project to ensure the Project Management Framework Policy is adhered to.

The Project Register is a central reporting and tracking tool for all physical and virtual projects being planned, conducted and completed within the University.

Refer to:

Appendix B – Responsibilities of Various Bodies – Risk Identification, Treatment and Monitoring; and

Appendix C – Risk Management Committee Structure

Risk Management Process

Step 1: Establish Context

Establish the context within which the School/Directorate operates, considering both the internal and the external environments of the School/Directorate (the University, the industry sector, stakeholders, etc). The following should be clearly defined:

  • the objectives of the School/Directorate;
  • the criteria that must be met to achieve these objectives;
  • the purpose and scope of this risk management plan; and
  • the consultative methods that will be employed for the development and implementation of this plan.

The objectives of the School/Directorate must be consistent with the key objectives of the University, and reference to the relevant key objective must be included when identifying an operational risk.

Step 2: Risk Identification

Risk identification is the process of finding, recognising and recording risks. The purpose is to identify what might happen or what situation might exist that may have an effect on the University achieving its objectives.

In the educational sector, risks can be classified under the following headings:

  1. Commercial and financial (e.g. loss of commercial income streams, loss of University funds through fraud, mismanagement or theft, breach of contract);
  2. Human (e.g. injury or illness to members of the University community);
  3. Business continuity (e .g. interruption to or downgrading of delivery of programs or services through loss of physical assets [fire, flood], essential services [water, power, information technology], labour [strike, resignation], etc);
  4. Environmental (e.g. contamination of air, water, land by a chemical or other substance);
  5. Reputation or public relations (e.g. allegations of academic fraud, of misuse of public resources, of mistreatment of staff/students, etc);
  6. Political or economic (e.g. UB's activities being jeopardised through political decision or intervention, loss of research grant or other public income stream); and,
  7. Legal or management (e.g. prosecution against FedUni, loss of key personnel).

Refer to Appendix A – Risk Management in accordance with Risk Identification

Step 3: Risk Analysis

Risk analysis is the process of understanding risk to determine the most appropriate forms of treatment and its acceptability. Risk analysis consists of determining contributing factors and consequences and taking into account the presence and effectiveness of current controls. During the process the likelihood and consequence of a risk occurring are determined and an inherent risk rating is applied. Consequence and likelihood are combined to produce an estimated level of risk. Controls are then considered and a residual risk rating is determined.

Likelihood Definition
Almost Certain Imminent or will occur within 12 months
Probably Will probably occur between 1 to 5 years
Possible May occur after 3 years

Example table: Determine the consequence rating for each adverse event and its severity

Human Business Continuity Environmental Reputation
Public Relations

Loss > $20m of revenue

Extreme loss of market share

Large programs terminated

Multiple loss of life or permanent impairment

Pandemic or epidemic

Extensive loss of essential services for longer than 1 month affecting a Campus Long term environmental damage affecting a Campus

Substantial loss of reputation/loss of confidence by media/public

International/National media coverage

Parliamentary enquiry/ loss of Govt/Minister's support

Administrators appointed

Unexpected loss of several key personnel/ extensive staff turnover

Critical compliance error

High Loss < $20m of revenue
Major loss of market share
Major program delayed > 12 months
Competition from new providers
Student numbers declining
Single loss of life or permanent impairment Extensive loss of essential service for longer than a month affecting a School Environmental damage affecting a Campus and requiring extensive remediation Major loss of reputation
Loss of stakeholder support
Major complaints by stakeholders on program management
Extended national/local media coverage

Ministerial attention: matters reported in Parliament / Departmental oversight

Significant public concern raised

Unexpected loss of a key senior manager, or significant staff turnover

Major commitment made without authorisation


Financial loss

< $5m of revenue

Some loss of market share

Student numbers low

Health impairments to students and staff requiring rehabilitation Critical service loss for more than a week affecting a program Local environmental damage affecting a School/Directorate and requiring minor works

Significant complaints about programs

Inability to provide quality and consistent service

Adverse local media coverage

Decrease in support from Government or stakeholders

Unexpected loss of  key manager, or moderate staff turnover in key area

Inadequate records of a commercial negotiation


Financial loss

< $1m of revenue

Student numbers stable

Minor health incident with local treatment Local only, service loss for a small number of days Brief pollution with remediation/ damage to small area  Minor complaints about programs resolves locally Performance concerns resolved by Vice-Chancellor Inadequate consultation with program stakeholders

Step 4: Risk Evaluation

Risk evaluation is the process of prioritising risks due to the level of risk found during the analysis process, the need for treatment and the priority for treatment implementation. Decisions on how to prioritise risks are made based on determining whether a risk is acceptable or unacceptable.

Combine likelihood and consequence rating to arrive at a risk rating.

Likelihood Consequence Rating
  Extreme High Medium Low
Almost Certain Extreme Extreme High Moderate
Probable Extreme High Moderate Low
Unlikely High Moderate Low Low

The level of risk corresponds to the priority level for each of the risk treatment actions and the level of resources that may be invested in them.

Step 5: Risk Treatment

Risk treatment involves selecting and agreeing on one or more relevant options to change the likelihood or consequence of the risk and then implementing these options appropriately.

A risk treatment plan needs to include:

  1. One or several risk treatment actions for each risk identified;
  2. Responsibilities, schedules, expected outcomes, performance measures and budgets for each action;
  3. Mechanisms for assessing and monitoring the progress of the implementation of the actions and their effectiveness against objectives.

Risk treatment actions can be classified under the following headings:

  • Avoiding the risk (e.g. ceasing an activity, disposing of assets).
  • Reducing the likelihood of the risk (e.g. modifying work practices to prevent incidents, implementing stricter controls).
  • Reducing the consequences of the risk (e.g. reducing inventory, improving early detection mechanisms, physically protecting assets, implementing incident management measures).
  • Sharing the risk (e.g. insurance, partnerships).
  • Retaining the risk.

When determining what treatment options are appropriate for a given risk, you should consider:

Acceptability Is the option likely to be accepted by relevant stakeholders?
Administrative efficiency Is this option easy to implement or will it be neglected because of difficulty of administration or lack of expertise?
Authority Does your School/Directorate have the authority to apply this option? If not, can higher levels be encouraged to do so?
Compatibility How compatible is the treatment with others that may be adopted?
Continuity of effects Will the effects be continuous or only short term? Will the effects of this option be sustainable? At what cost?
Cost effectiveness Is it cost-effective, could the same results be achieved at lower cost by other means?
Economic and social effects What will be the economic and social impacts of this option?
Effects on the environment What will be the environmental impacts of this option?
Equity Are risks and benefits distributed fairly e.g. do those responsible for creating the risk pay for its reduction?
Individual freedom Does the option deny any basic rights?
Leverage Will the treatment options lead to additional benefits in other areas?
Objectives Are organisational objectives advanced by this option?
Political acceptability Is it likely to be endorsed by the relevant government authority? Will it be acceptable to communities?
Regulatory Does the treatment (or lack of treatment) breach any regulatory requirements?
Risk creation Will this treatment introduce new risks?
Timing Will the beneficial effects be realized quickly?

Step 6: Monitor and Review

This is the oversight and review of the risk management process in any given context and changes that might affect it. Monitoring and reviewing occurs concurrently throughout the risk management process.

Actions for Extreme and High risks are monitored regularly and require quarterly reporting to the VCST. Actions for lower risks require annual reporting.

Step 7: Communicate & Consult

Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process.

Communication efforts must be focussed on consultation, rather than a one-way flow of information from decision-makers to stakeholders, especially those outside the University.

Consequently, communication and consultation are critical to ensure that stakeholders have access to relevant information. It is also critical that this information be presented in a manner that the recipients understand.

Refer to Appendix D – Relationship between the Risk Management Framework & Process

Associated Documents

Risk Management Standard ISO/FDIS 31000:2009

Partner Approval Flowchart

Policies & Procedures



Parking Procedure FN1498


Appendix A - Risk Management in accordance with Risk Identification

Educational Sector Risks Managing the Risks
Commercial and Financial

Commercial Income Streams

  • University International & Partners Committee
  • Vice-Chancellor's Budget Committee
  • Commercial Guidelines (FedUni Act 2010)

Fraud, Mismanagement or Theft

  • University Fraud & Corrupt Control Policy & Procedure
  • Protected Disclosure Procedure
  • University Project Management Framework
  • Whistleblowers Protection Act 2001

Breach of Contract

  • University Lawyers

Injury or illness

  • Health & Safety Policy Committee
  • FedUni Employee Representation and Consultation Policies (refer to appendix B)
 Business Continuity

Interruption to or downgrading of delivery of programs or services through loss of physical assets, essential services or labour

  • Business Continuity Plans
  • Information Communication & Technology Framework
  • Critical Incident Management Procedure


  • Ballarat Technology Park Advisory Committee
  • Health & Safety Policy Committee
  • UB Hazard Management Policies (refer to appendix B)
 Reputation or Public Relations

Allegations of Academic Fraud

  • International & Partners Committee (International and on-shore Partner Providers)
  • Academic Board

Misuse of Public Resources

  • Audit & Risk Committee
  • Internal & External Audit
  • Whistleblowers Protection Act 2001

Mistreatment of Staff/Students

 Political or Economic

FedUni's Activities being Jeopardised through Political Decision or Intervention

  • Vice-Chancellor's Senior Team
  • Vice-Chancellor's Budget Advisory Committee
 Legal or Management

Prosecution against UB

  • FedUni Lawyers

Loss of Key Personnel

  • Performance Review and Development Program (PRDP)
  • Human Resources and Search Companies

The Audit and Risk Committee is informed of any high or extreme risks through the Committee Structure.

Appendix B - Responsibilities of Various Bodies - Risk Identification, Treatment & Monitoring



Identify Define risk level Treat Report Review Monitor/oversee
Extreme and High



Internal Audit

External Audit



Internal Audit

External Audit

Corp Governance


Internal Audit

Finance Committee

Moderate and Low
Corp Governance


Internal Audit

Finance Committee

Extreme and High
Deans/Directors VCST
Corp Governance
Internal Audit
Moderate and Low
Projects Project Manager Project Manager Project Manager Manager – Major Projects
Manager – SCI&P
Project Manager
International and on-shore Partner Providers Partner Provider/Director, CUP



International & Partners Committee Council  

Appendix C - Risk Management Committee Structure

* There is some overlap between strategic and operational risks. For instance, a very serious adverse event taking place within a School or Directorate will often impede the achievement of University-wide strategic objectives. In reverse, a strategic risk will often have a serious impact on individual Schools or Directorates.

Appendix D - Relationship between the Risk Management Framework & Process


Specific responsibilities under this procedure are shown under Actions.

The Manager - Risk, Health and Safety is responsible for the maintenance of this procedure.


The Risk Management Procedure will be communicated throughout Federation University Australia via:

  1. an Announcement Notice under ‘FedUni Communicate’ on the ‘FedUni Gateway’ website and through the Federation University Australia Policy - ‘Recently Approved Documents’ webpage to alert the University-wide community of the approved Policy;
  2. inclusion on the Federation University Australia Policy, Procedure and Forms website; and/or
  3. distribution of e-mails to Head of School / Head of Department / University staff; and/or
  4. documentation distribution, eg. posters, brochures.
  5. Other - please describe


The Risk Management Procedure will be implemented throughout the Federation University Australia via:

  1. An Announcement Notice under 'FedUni News' on the University website
  2. Inclusion in the University's Policy Library;
  3. Information sessions, provided by the Manager - Risk, Health & Safety, with senior managers.