
Risk Management

Risk Management Policy

Policy Code: CG2028

Purpose

This policy establishes Federation University’s commitment to enterprise risk management and outlines the principles that will be used to guide this process.

Scope

This policy establishes Federation University’s commitment to enterprise risk management and outlines the principles that will be used to guide this process.

Definitions

Term: Definition

Risk Management: The coordinated management of activities to direct and control an organisation with regard to risk.

Risk: The effect of uncertainty on objectives:

  • An effect is a deviation from the expected – positive or negative and can create or result in opportunities or threats.
  • Objectives can have different aspects such as financial, health and safety or environmental and can apply at different levels such as strategic, enterprise wide, project or operational.
  • Risk is often characterised by reference to sources of risk, potential events, their consequences and likelihood of occurrence.

Members of the University Community: Includes staff, members of the University Council and members of any board, committee or other body established by or constituted under University Statutes and Regulations.

Risk Appetite: The amount and type of risk that the University is willing to take in order to meet its strategic objectives.

Consequence: Outcome of a risk event or situation expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain:

  • An event can lead to a range of consequences.
  • A consequence can be certain or uncertain and can have positive or negative effects on objectives.
  • Consequences can be expressed qualitatively or quantitatively.
  • Initial consequences can escalate through knock-on effects.

Likelihood: The chance or probability of a risk materialising.

Controls: The actions, activities or mitigation strategies in place to prevent the risk from materialising.

Contributing Factors: Factors internal and external that contribute to the risk existing or which could result in the risk materialising.

Accountability: Responsibility for ensuring that a risk is appropriately managed, including implementation of treatment plans and monitoring the effectiveness of controls.

Risk Categories: Broad categories of risk that the University uses to identify and group risks.

Policy Statement

Managing risk is an essential component of good governance and leadership.  Effective risk management both creates and protects value in an organisation by improving decision making. 

In order to achieve its strategic goals the University must accept a measured degree of risk.  Through identification and analysis of risk the University is able to innovate and deliver a successful and sustainable future.

This policy and the accompanying procedure are based upon the International Standard for Risk Management (AS/NZS ISO31000:2018).

The University’s risk management program is underpinned by the following principles:

PRINCIPLE: DEMONSTRATED BY

A positive risk culture:

•   creating a culture where risk identification and management is acknowledged as a driver of positive outcomes.

•   driving excellence in corporate governance by increasing accountability, awareness and a positive attitude to risk management.

Risk based decision making:

•   decision making and responsiveness which is prioritised and informed by risk analysis.

Embedded risk management:

•   all operational functions and processes should include a linkage to risk.

•   risk analysis and identification will include broad stakeholder consultation.

Strategic safeguards:

•   assisting the University to operate safely and securely.

Accountability:

•   clear accountability for each category of risk, individual risk and treatment plan to ensure action and monitoring is implemented.

Transparency:

•   providing transparency and oversight to senior management and the University Council that strategic, enterprise and critical operational risks are managed effectively.

Informed investment:

•   the consideration of the balance between risk and benefit in the development of investment strategies.

Informed resource allocation:

•   adoption of a risk based approach to the allocation of resources to mitigate future risks.

Fraud risk identification and prevention:

•   all operational areas actively identifying fraud risks and implementing appropriate treatment plans to reduce the risk to an acceptable level.

Risk Management Framework

The primary purpose of the risk management framework is to provide a coordinated and managed approach to critical risks that, if they were to occur, would impact on the achievement of strategic and organisational objectives.

The University has defined three levels of risk and accountability. 

Strategic Risk Profile 

  • Strategic risks are risks that affect or are created by the University’s strategic objectives. 
  • The strategic risk profile is forward looking and focused on risk to and from the strategic plan.  The profile will be integrated with the overall strategic planning process.
  • Strategic risks are typically over the horizon, large scale or game changing scenarios. Strategic risks are often interdependent and require an integrated management approach. 
  • The University Council, through the Audit and Risk Management Committee (A&RMC), and in consultation with the Vice Chancellor’s Senior Team (VCST), is responsible for the strategic risk profile.
  • The Associate Director Risk and Integrity is responsible for the planning and facilitation of strategic risk profile activities.
  • The Chief Operating Officer is responsible for finalising the strategic risk profile and quarterly monitoring and reporting to VCST, the A&RMC and University Council.   

Enterprise Risk Profile 

  • Enterprise risks are organisation wide risks that, if they were to materialise, have the severity or materiality to threaten the survival or existence of the University. 
  • The enterprise risk profile is based on risks identified in strategic reviews that relate to University operations.  Enterprise risks may also be identified in operational risk reviews as critical risks.
  • The VCST is responsible for the enterprise risk profile.  The profile is refreshed annually with quarterly monitoring and reporting by VCST to the University Council, through the A&RMC.
  • The Associate Director Risk and Integrity is responsible for the planning and facilitation of the enterprise risk profile activities.
  • The Chief Operating Officer is responsible for finalising the enterprise risk profile and quarterly monitoring and reporting to VCST, the A&RMC and University Council. 

Operational Risk Profiles 

  • Operational risks affect a specific area of activity of the University.
  • The operational risk profiles are developed based on risks to the achievement of school/division/directorate operational plans.  Some risks will be similar across operational areas of the University. 
  • The Dean/Director or equivalent is responsible for an annual refresh of the operational risk profile within their area of responsibility. 
  • The Dean/Director or equivalent is responsible for ensuring that the operational management team monitors and reviews the risk profile on a quarterly basis.  Quarterly monitoring and reporting will occur to the member of the VCST responsible for that division.
  • The Associate Director Risk and Integrity is responsible for monitoring the review of the operational risk profile and facilitating an annual refresh of the risk profile.
  • The VCST is responsible for monitoring the operational risk profiles and raising critical risks to the enterprise risk level if required.   

Supporting Documents

Risk Management Procedure

Risk Matrix

Audit and Risk Management Committee Terms of Reference

Forms

Responsibility

•  The Audit and Risk Management Committee (as the Approval Authority) is responsible for the review and approval of this policy to ensure appropriate oversight and management of University wide risk.

•  The Associate Director, Risk and Integrity (as the Policy Sponsor) is responsible for maintaining the content of this policy in consultation with the Audit and Risk Management Committee.

Promulgation

This policy will be communicated throughout the University via:

•  an Announcement Notice via FedNews website and on the ‘Recently Approved Documents’ page on the ‘Policies, Procedures and Forms @ the University’ website to alert the University-wide community of the approved Policy; and

•  distribution of e-mails to VCST, Deans, Directors or equivalent.

Implementation

This policy will be implemented throughout the University via:

•  an Announcement Notice via FedNews website and on the ‘Recently Approved Documents’ page on the ‘Policies, Procedures and Forms @ the University’ website to alert the University-wide community of the approved Policy; and

•  Dean/Director or equivalent operational risk assessment and training workshops.