Risk Management Framework Procedure

Policy code: CG2029
Policy owner: Director, Office of the Chief Operating Officer
Approval authority: Chief Operating Officer
Approval date: 11 November 2024
Next review date: 09 May 2026

1. Introduction and Scope

The Risk Management Framework of Federation University Australia is aligned with ISO 31000:2018 (International Standard for Risk Management) and the VGRMF (Victorian Government Risk Management Framework).

Effective risk management protects and creates value through a process-oriented approach for planning and management of resources.  Effective risk management involves the identification, assessment, evaluation, treatment and monitoring of risks in a continuous cycle.  Over time, it improves decision making, enhances overall performance and confidence in compliance with regulatory requirements.

In a modern business environment, adverse risks can never be completely eliminated. Hence a Risk Management Framework enables an organisation to manage risks in a calculated, proportional and consistent manner.

This Framework applies to all areas of the University’s operations, including its staff, appointees of the University, its controlled entities, and to all activities authorised and conducted by or on behalf of the University locally, interstate or overseas.

This Framework equally applies to contribution towards the management of state significant risks and shared risk, where Federation University Australia will provide support, expertise and leadership, if and as required, by establishing effective channels with relevant parties to communicate information and agree upon key responsibilities.

2. Purpose

The purpose of this Risk Management Framework is to support Federation University Australia to achieve its strategic objectives as set out in the Strategic Plan 2021-2025 and to demonstrate compliance with its obligations effectively, efficiently and within the parameters established by the University Council through Risk Appetite Statements.

The inherent nature of risk management within the education sector is complex due to many regulatory requirements across areas of TAFE, Higher Education, Research and Commercial Operations.

The purpose of this document is to provide an overarching structure and tools aimed at identifying and managing the University’s risk obligations. It sets out the University’s commitment to creating an integrated approach to risk management that can be applied consistently to all areas of the University’s operations. It enables the University to achieve its strategic and operational objectives and creates an environment where all staff members assume a level of responsibility for risk and compliance objectives.

Federation University’s Risk Management Framework fulfils the regulatory compliance and reporting requirements within both academic and non-academic (i.e. corporate services) areas of its operations. Through this approach, it provides a standard operating mechanism for risk management across the organisation.

3. Legislative and Regulatory Context

Some of the key legislative compliance requirements and annual declarations (including risk attestations and annual reporting on the effective management of risks) are:

Academic

Corporate Services / Business Management

  • The Standing Directions 2018 under the Financial Management Act 1994 (Vic) (incorporating the Victorian Government Risk Management Framework where applicable)
  • Financial Management Compliance attestation – SD 5.1.4
  • Responsible bodies declaration – SD 5.2.3
  • Data Integrity Declaration, Victorian Privacy and Data Protection Act
  • Conflict of Interest Declaration
  • Integrity, Fraud and Corruption Declaration
  • Environmental Performance
  • Federation University Act 2010 (Vic)
  • Public Administration Act 2004
  • Foreign Interference Act
  • Critical Infrastructure Act (which also includes Cyber Security)

4. Governance

Federation University Australia is established under the Federation University Australia Act 2010. Under the Act, the decision-making powers of the University lie with Council as its governing body, Academic Board and the Vice-Chancellor. Additionally, under section 13A of the Public Administration Act 2004, Federation University Australia has legal obligations in terms of monitoring and reporting significant risks to the relevant department head (i.e., Secretaries) including the Department of Treasury and Finance.

The University is responsible for complying with the statutory requirements listed under Legislative and Regulatory Context in Section 3 above. In line with the Higher Education Standards Framework (HESF), this tripartite governance structure, as outlined below, ensures a clear distinction between governance and management responsibilities and a clear separation between corporate and academic governance.

5. Definitions

Term – Definition
Accountability – Responsibility for ensuring that a risk is appropriately managed, including implementation of treatment plans and monitoring the effectiveness of controls.
Assurance – A positive declaration intended to give confidence.
Continuous improvement – The ongoing process of change for the purpose of improvement to practices and processes.
Controls – The actions, activities or mitigation strategies in place to prevent the risk from materialising.
Consequence – Outcome of a risk event or situation expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain impacting value:
  • An event can lead to a range of consequences.
  • A consequence can be certain or uncertain and can have positive or negative effects on objectives.
  • Consequences can be expressed qualitatively or quantitatively.
  • Initial consequences can escalate through knock-on effects.
Compliance – The act of obeying an order, rule, or request.
Crisis – A difficult or dangerous situation that needs serious attention.
Governance – The system by which an organisation is controlled and operates, and the mechanisms by which it, and its people, are held to account. Ethics, risk management, compliance and administration are all elements of governance.
Incident – Incidents are mostly of a smaller magnitude compared to crises. They require quick responses. A sequence of incidents occurring one after the other, or one incident leading to the next, could turn into a crisis.
Likelihood – The chance or probability of a risk materialising.
Risk – The effect of uncertainty on objectives:
  • An effect is a deviation from the expected – positive or negative – and can create or result in opportunities or threats.
  • Objectives can have different aspects such as value, financial, health and safety or environmental, and can apply at different levels such as strategic, enterprise-wide, project or operational.
  • The level of risk is measured in terms of consequence and likelihood of occurrence.
Risk Appetite – A statement or series of statements that describe the amount and type of risk that the University is willing to accept in order to meet its strategic objectives.
Risk Categories – Broad categories of risk that the University uses to identify and group risks.
Risk Culture – The set of shared attitudes, values and behaviours that characterise how an entity considers risk and compliance in its day-to-day activities.
Risk Management Approach – The coordinated management of activities to direct and control an organisation with regard to risk.
Risk Management Framework – The policy, governance and practical structures put in place by the University to manage risk, including this policy and related documentation.
Risk Register – Risk Registers are repositories for recording and documenting identified risks.
Shared risks – Risks where multiple agencies are impacted by the risk and/or effective management of the risk requires the efforts of multiple agencies.
State significant risks – Risks deemed by the Government’s Risk Interdepartmental Committee (Risk IDC) as having potential consequences or impacts on the community, the Government and the private sector that are material at the state-wide level.

6. Key Enablers of the Risk Management Framework

The key enablers of the risk management framework as prescribed within ISO 31000:2018 are as follows:

Leadership and commitment – To ensure the ongoing effectiveness of risk management within the University, VCST and the Council should ensure that risk management is integrated into all organisational activities. This commitment should be reinforced through communicating the value of risk management and its impact within the organisation.

Integration – Risk should be managed in every part of the Federation University structure. The integration of risk management should be a dynamic and iterative process, customised to Federation University’s needs and culture, and be included as part of the purpose, governance, leadership and commitment, strategy, objectives and operations.

Design – The design of the risk management system and processes should consider an understanding of the organisation and its context, an articulation of the risk management commitment, assignment of roles, responsibilities and accountabilities, allocation of resources and establishment of communication and consultation.

Implementation – The Risk Management Framework is applied through a risk management plan at all relevant levels and functions of Federation University as part of its practices and processes. Investment in resources and capabilities should enable Federation University to effectively and efficiently apply its risk management activities throughout the organisation.

Evaluation – Federation University should periodically evaluate the effectiveness of the risk management process against its purpose, implementation plans, indicators and expected behaviours to ensure it is suitable in supporting the achievement of its objectives.

Improvement – Federation University should continuously look to adapt and improve its risk management process. To ensure the effectiveness of the framework, relevant gaps and improvement opportunities should be identified and addressed.

The University’s risk and compliance framework is based on the following principles:

Principles and means of application

1. Creates and protects value
  • Risk culture is fostered as part of the organisation’s culture.
  • Integrated in strategic and business planning processes and decision making, and into the design of all systems.
  • Linked to assessing objectives; assists in identifying vulnerabilities and opportunities through the risk management procedure and risk tools.
  • Built into approval processes for key activities, e.g. projects, decision papers, change management and resource allocation, including staff recruitment and employment.
2. Facilitates continual improvement
  • The risk strategy supports growth in the organisation’s maturity and capability in the area of risk management and is based on the best available information.
  • Stakeholder feedback and the results of internal audit are used to inform continual improvement of the risk framework.
3. Is transparent and inclusive
  • Identifies the role of stakeholders in the risk management process.
  • Advice and support for risk management is available.
  • Audit outcomes are shared appropriately for future improvements.
  • Proactively removes biases within decision making and promotes risk sharing through collaborations.
4. Explicitly addresses uncertainty
  • Specifies the functional requirements of risk management systems and helps staff understand the scope and method for risk monitoring and reporting to stakeholders.

7. Process of Risk Management Framework

7.1 Overview

Federation University operates in a highly regulated environment, requiring the identification and management of legal and regulatory obligations across various jurisdictions. This Risk Management Framework (RMF) is the mandate from Council for risk management (including specific commitment to compliance with quality requirements) and sets out the purpose, scope, principles, and roles and responsibilities for risk management across the University.

The Risk Management Framework consists of elements of both risk and assurance management and as such it:

  • Supports the achievement of the University’s strategic objectives and priorities.
  • Provides the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk and compliance management and opportunity engagement practices.
  • Provides the structure, direction and oversight for the systematic, disciplined and consistent identification and assessment of legal and regulatory compliance obligations and for their effective and efficient management.
  • Defines a positive risk culture.

The processes and tools used for the identification, assessment and evaluation of risks include:

  • Risk Assessment templates: tools to document how identified risks will be actioned, treated and managed.
  • University Risk Appetite Statements: the Risk Appetite Statements provide the details of the appetite that the University is willing to pursue, retain, accept, or tolerate in pursuit of our strategic and operational objectives, and act as tools for agile decision-making. The Risk Appetite Statements are approved by the University Council.
  • Risk Registers: repositories for recording and documenting identified risks.

7.2 Risk Assurance and Three Lines of Defence Model

Within the Risk Management Framework the University adopts an augmented ‘three lines of defence’ model to support accountability in risk governance through a layered defence approach that incorporates contemporary assurance-by-design principles. Developing an assurance-by-design approach for a project’s entire implementation life cycle gives organisations a proactive path to achieving risk and controls readiness while limiting potential challenges post-implementation. In addition, building in controls with these assurance-by-design considerations may increase the focus on strategic priorities, improve risk insights, and reduce levels of risk exposure, costs and potential disruptions.

7.2.1 Risk Culture

Risk and compliance culture refers to the systems of beliefs, values and behaviours throughout an organisation that shape the collective approach to making decisions and to creating and measuring value within the management and planning of resources. A positive risk and compliance culture is one where every person in the organisation believes that thinking about and managing risk is part of their job, and where compliance with legislative, regulatory and quality standards is accepted as the responsibility of all staff. The culture promotes pride and accountability among workers and develops an individualised sense of commitment to act with integrity. It is a culture in which key stakeholders (including but not limited to students, graduates, partners, research investors, staff and managers at all levels) are encouraged and supported to raise and respectfully discuss obligations, issues and opportunities for improvement.

7.2.2 Risk Management and Strategic Resilience

A risk is the potential (future) effect of an activity or event on objectives. An effect is a deviation from the expected – positive or negative and can create or result in opportunities for, or threats to, the organisation’s value through finances, reputation, market position and capacity to deliver services. Risks can be strategic or operational in nature.

For opportunities, the outcome of risk management being embedded into the University’s investment and decision-making processes is to increase the likelihood of an opportunity occurring or to maximise the value (impact) should the opportunity occur. Risk management in this context is the planned and systematic approach to the identification, prioritisation, assessment and pursuit of viable opportunities in a disciplined manner to achieve strategic objectives and build strategic business resilience.

For threats, the outcome of risk management is the reduced likelihood (probability) of a risk occurring or limiting the consequences (impact) should the risk occur by implementing appropriate methods of control (risk mitigations).

Risk management in this context is the planned and systematic approach to the identification, evaluation, and control (including the selection, design, implementation, communication, and documentation of risk mitigation strategies) of risk in a calculated, proportional and consistent manner. In a modern business environment, negative risks can never be completely eliminated. Federation University will manage its risks at a level as low as reasonably practicable and on a legally justifiable and cost/benefit basis with a financial and business outcome focus through the design, development and implementation of effective and efficient controls. Selected mitigation strategies will be monitored to ensure continued relevance, appropriate application, effectiveness, and efficiency.

7.2.3 Risk Assessment Process

Federation University has developed the following resources for standardised risk assessment, at both operational and enterprise levels:

  • Risk Appetite Statement 
  • Risk Assessment Guideline
  • Risk Management Plan
  • Risk Matrix 

The Risk Appetite Statements, Risk Assessment, Risk Management Plan and Risk Matrix together create an understanding of the Managed Risk and provide indicative recommended actions to act as guidance in decision making. Based on the outcome of the assessment process, risks will be evaluated to ratings of Low, Medium, High and Extreme requiring differing levels of approval and management as set out in the Risk Assessment Guideline. Risk owners will record pertinent information and data relating to their risks and controls in the relevant risk register.

Some areas of the University may require a specific or customised approach to risk management to meet regulatory, industry or contractual requirements. These instances are dealt with on a case-by-case basis with the Risk Function.

7.2.4 Risk Assurance Program – Continuous Improvement Cycle

A cycle of monitoring and reporting will be implemented to ensure that risks are identified, assessed and reported to the appropriate governance bodies in a timely manner.  This cycle will include:

  • Quarterly Audit and Risk Management Committee reports including risk heat map, new and emerging risks, strategic and enterprise risks outside risk appetite, significant changes to strategic or enterprise risks and strategic and enterprise risk treatment update.
  • Annual review and refresh of strategic risk profile in line with the strategic planning process.
  • Annual review and refresh of enterprise risk profile.
  • Annual risk workshops to review operational risk profiles.
  • Quarterly review of outstanding treatment actions.

7.2.5 Risk Event and Incident/Crisis Management Reporting

Federation University will utilise the data generated by Risk Assessments and reviews in evidence-based decision making to build business resilience and requisite capabilities to anticipate, prepare, respond, rapidly recover and/or minimise adverse impacts from critical incidents and crises.

An incident or crisis is a risk event that occurs at a specific point in time (past/present). Incident management at Federation University requires escalation of incident risk events via business-as-usual organisational hierarchy and functional communication processes, with referral to the Federation Incident and Emergency Management Procedure, Health and Safety Management Procedure, and/or Critical Incident Management - International Students Procedure for relevant incident management processes and protocols. Where the impact on the University is rated as ‘Major’ or ‘Extreme’, as per the Risk Matrix and Risk Management Framework Procedure, the identifying officer must promptly inform the Risk Function.

A crisis is usually something that is unforeseen, public in nature and has the potential to cause great harm to an organisation in terms of finances, revenues, reputation, market positioning and service delivery.  Crisis management is concerned with responding to, managing, and recovering from such an event. Crisis management at Federation University requires escalation of crisis risk events promptly via a business-as-usual organisational hierarchy and functional communication processes, which will act to trigger the Federation University Crisis Management Plan. After conducting the Threat and Impact Assessment within the Crisis Management Plan the responsible Crisis Management Team Leader is to inform the Senior Manager Planning and Reporting if the (actual or potential) impact on the University is rated as ‘Major’ or ‘Extreme’ as per the Risk Matrix and Risk Management Framework Procedure.

The University will actively monitor and follow up negatively trending or adverse movements in key risk indicators and take appropriate steps to remedy unfavourable variances and trends, including any systemic issues. Such monitoring, follow-up and remediation will be undertaken by central functions and central divisions. The Senior Manager Planning and Reporting will be promptly informed of unfavourable variances, trends, and systemic issues when the actual or probable impact on Federation University is rated ‘Major’ or ‘Extreme’, as per the Risk Matrix and Risk Management Framework Procedure.

7.3 Three Lines of Defence

Effective risk management, as with any protective measure, needs to have in place contingencies should one element fail for any reason.  That is why three lines of defence have been established to support the Risk Management Framework.

First line: The first line of defence lies with the business and process owners.  Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. This consists of identifying and assessing controls and mitigating risks.

Second line: The second-line function enables the identification of emerging risks in daily operation of the business by providing compliance and oversight in the form of frameworks, policies, tools, and techniques to specifically support risk and compliance management. The second line supports management to help ensure risk and controls are effectively managed and operates with a collaborative, business-focused, advisory mindset.

Typical second-line functions include:

  • A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organisation.  For the University this is its Audit and Risk Committee.
  • A controllership function that monitors financial risks and financial reporting issues.

Third line: The third-line function provides objective and independent assurance. While the third line’s key responsibility is to assess whether the first- and second-line functions are operating effectively and consistent with expectations, it is charged with the duty of reporting to the board and audit committee, in addition to providing assurance to regulators and external auditors that the control culture across the organisation is effective in its design and operation.

The third-line function may not direct or implement processes, but it can provide advice and recommendations regarding processes. Additionally, the third-line function may support enterprise risk management but may not implement or perform risk management other than inside its own function. The third-line function accomplishes its objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

7.3.1 Roles and Responsibilities

9. Responsibility

  • The Chief Operating Officer (as the Approval Authority) is responsible for the review and approval of this procedure to ensure appropriate oversight and management of University-wide risk.
  • The Director, Office of the Chief Operating Officer (as the Document Owner) is responsible for maintaining the content of this procedure in consultation with the Approval Authority.

Promulgation

This procedure will be communicated throughout the University via:

  • an Announcement Notice via FedNews website and on the ‘Recently Approved Documents’ page on the ‘Policies, Procedures and Forms @ the University’ website to alert the University-wide community of the approved Policy; and
  • distribution of e-mails to VCST, Deans, Directors or equivalent.

Implementation

This procedure will be implemented throughout the University via:

  • an Announcement Notice via FedNews website and on the ‘Recently Approved Documents’ page on the ‘Policies, Procedures and Forms @ the University’ website to alert the University-wide community of the approved Policy; and
  • Dean/Director or equivalent operational risk assessment and training workshops.