Risk Management
This procedure outlines the operational activities and accountabilities required to implement Federation University’s enterprise risk management framework.
Effective engagement in risk management processes is essential to allow the University to achieve its strategic and operational objectives. Early and accurate identification of risk minimises the threat of unexpected and undesirable events and maximises the identification and delivery of opportunities.
A clear and consistent set of processes assists the University to develop an effective and transparent risk culture and builds expertise across the University.
The University’s risk management processes are delivered through the following mechanisms:
- Risk appetite statement: clearly articulated risk tolerances agreed by the University Council, through the Audit and Risk Management Committee and Vice Chancellor’s Senior Team.
- Clear processes: well-defined risk management processes implemented at the strategic, enterprise and operational levels.
- Accountability: clear risk ownership and accountability at all levels.
- Dedicated resources: expert staff resources possessing contemporary risk management expertise and understanding of the strategic and operational drivers of the University.
- Tools and templates: tools, templates and guidelines to assist with consistent documentation and analysis of risk.
- Centralised administration: a centralised corporate support function that proactively drives the University’s risk agenda through continual review and improvement.
Risk management objectives will be delivered using the following processes:
- Communication and consultation: engaging the right people to capture a broad view of risk, and recording and communicating that information in a useful way.
- Analysis and action: risk identification, analysis and treatment to identify strengths and weaknesses.
- Regular review of risk registers and profiles: a cycle of activity that considers new and existing risk information on an ongoing basis.
- Reporting: a reporting cycle that reports the right information, to the right people, at the right time.
- Monitor and review: a monitoring and review cycle, which ensures regular review of critical risks to the A&RMC and VCST, to inform decision making.
Risk management practices will be applied to strategic and operational planning including business plan development, project management and day-to-day decision-making.
This procedure applies to all members of the University community and all activities under the control or direction of the University.
- The Standing Directions of the Minister for Finance, Victoria
- Federation University Australia Act 2010
- The Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act)
- Higher Education Standards Framework (Threshold Standards) 2015
- The National Vocational Education and Training Regulator Act 2011
- Australian Skills Quality Authority (ASQA) Standards for Registered Training Organisations (RTOs) 2015
- Education and Training Reform Act 2006
- Education and Training Reform Regulations 2017
TERM | DEFINITION |
---|---|
Risk Management | The coordinated management of activities to direct and control an organisation with regard to risk. |
Risk | The effect of uncertainty on objectives: |
Members of the University Community | Includes staff, members of the University Council and members of any board, committee or other body established by or constituted under University Statutes and Regulations. |
Risk Appetite | The amount and type of risk that the University is willing to take in order to meet its strategic objectives. |
Consequence | Outcome of a risk event or situation expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain: |
Likelihood | The chance or probability of a risk materialising. |
Controls | The actions, activities or mitigation strategies in place to prevent the risk from materialising. |
Contributing Factors | Factors internal and external that contribute to the risk existing or which could result in the risk materialising. |
Accountability | Responsibility for ensuring that a risk is appropriately managed, including implementation of treatment plans and monitoring the effectiveness of controls. |
Risk Categories | Broad categories of risk that the University uses to identify and group risks. |
The primary purpose of the risk management framework is to provide a coordinated and managed approach to critical risks that, if they were to occur, would impact on the achievement of strategic and organisational objectives.
The University has defined three levels of risk and accountability:

Strategic Risk Profile
- Strategic risks are risks that affect or are created by the University’s strategic objectives.
- The strategic risk profile is forward looking and focused on risk to and from the strategic plan. The profile will be integrated with the overall strategic planning process.
- Strategic risks are typically over the horizon, large scale or game changing scenarios. Strategic risks are often interdependent and require an integrated management approach.
- The University Council, through the Audit and Risk Management Committee (A&RMC), and in consultation with the Vice Chancellor’s Senior Team (VCST), is responsible for the strategic risk profile.
- The strategic risk profile is refreshed annually and with any change to the University’s strategic plan.
- The Associate Director Risk and Integrity is responsible for the planning and facilitation of strategic risk profile activities.
- The Chief Operating Officer is responsible for finalising the strategic risk profile and quarterly monitoring and reporting to VCST, the A&RMC and University Council.
Enterprise Risk Profile
- Enterprise risks are organisation wide risks that, if they were to materialise, have the severity or materiality to threaten the survival or existence of the University.
- The enterprise risk profile is based on risks identified in strategic reviews that relate to University operations. Enterprise risks may also be identified in operational risk reviews as critical risks.
- The VCST is responsible for the enterprise risk profile. The profile is refreshed annually with quarterly monitoring and reporting by VCST to the University Council, through the A&RMC.
- The Associate Director Risk and Integrity is responsible for the planning and facilitation of the enterprise risk profile activities.
- The Chief Operating Officer is responsible for finalising the enterprise risk profile and quarterly monitoring and reporting to VCST, the A&RMC and University Council.
Operational Risk Profiles
Operational risks affect a specific area of activity of the University.
- The operational risk profiles are developed based on risks to the achievement of school/division/directorate operational plans. Some risks will be similar across operational areas of the University.
- The Dean/Director or equivalent is responsible for an annual refresh of the operational risk profile within their area of responsibility.
- The Dean/Director or equivalent is responsible for ensuring that the operational management team monitors and reviews the risk profile on a quarterly basis. Quarterly monitoring and reporting will occur to the member of the VCST responsible for that division.
- The Associate Director Risk and Integrity is responsible for monitoring the review of the operational risk profile and facilitating an annual refresh of the risk profile.
- The VCST is responsible for monitoring the operational risk profiles and raising critical risks to the enterprise risk level if required.
University risk is considered within seven broad categories:
CATEGORY | CONSIDERATIONS |
---|---|
Financial | What are the possible short, medium and long term financial impacts? |
People | What are the safety or health and wellbeing implications? Do we have the right people with the right skills and accountability? Do we have adequate resources? |
Business interruption | What impact will this decision/project have on the operation of the school, directorate or University as a whole? |
Environmental | What are the environmental risks associated with the project/initiative? What are the implications for our sustainability objectives? |
Reputational and Political | What are the potential positive and negative impacts to brand and reputation? |
Quality and Regulatory | Does the project or decision comply with regulatory and legal requirements? Will it impact compliance with standards or impact registration? |
Fraud and cybercrime | What are the risks of internal or external fraud? Are adequate cyber security measures in place? |
ROLE | RESPONSIBILITY |
---|---|
University Council | |
Audit and Risk Management Committee (A&RMC) | |
Vice-Chancellor’s Senior Team (VCST) | |
Chief Operating Officer (COO) | |
Associate Director Risk and Integrity | |
Deans, Directors or equivalent | |
All staff | |
Federation University has developed a standard risk assessment methodology and template designed in accordance with international standards.
Some areas of the University may require a specific or customised approach to risk management to meet regulatory, industry or contractual requirements. These instances are dealt with on a case by case basis with the Associate Director Risk and Integrity.
Based on the outcome of the assessment process, risks will be evaluated to ratings of Low, Medium, High and Extreme requiring differing levels of approval and management as set out below:
RATING | APPROVAL AND REVIEW | ACTIONS |
---|---|---|
Extreme | VCST approval and active management | |
High | DVC/COO/PVC approval and continuous review | |
Medium | Director or equivalent approval and annual review | |
Low | No formal escalation required. Annual review. | |
A cycle of monitoring and reporting will be implemented to ensure that risks are identified, assessed and reported to the appropriate governance bodies in a timely manner. This cycle will include:
- Quarterly Audit and Risk Management Committee reports including risk heat map, new and emerging risks, strategic and enterprise risks outside risk appetite, significant changes to strategic or enterprise risks and strategic and enterprise risk treatment update.
- Annual review and refresh of strategic risk profile in line with the strategic planning process.
- Annual review and refresh of enterprise risk profile.
- Annual risk workshops to review operational risk profiles.
- Monthly review of outstanding treatment actions.
Forms
- Risk Appetite Statement (DOCX 176.7kb)
- Risk Assessment Guidelines (DOCX 334.4kb)
- Risk Assessment Template (DOCX 114.4kb)
- Risk Management Plan (PDF 89.3kb)
- Risk Matrix (DOCX 176.1kb)
- The Audit and Risk Management Committee (as the Approval Authority) is responsible for the review and approval of this procedure to ensure appropriate oversight and management of University wide risk.
- The Associate Director, Risk and Integrity (as the Policy Sponsor) is responsible for maintaining the content of this procedure in consultation with the Audit and Risk Management Committee.
This procedure will be communicated throughout the University via:
- an Announcement Notice via FedNews website and on the ‘Recently Approved Documents’ page on the ‘Policies, Procedures and Forms @ the University’ website to alert the University-wide community of the approved Policy; and
- distribution of e-mails to VCST, Deans, Directors or equivalent.
This procedure will be implemented throughout the University via:
- an Announcement Notice via FedNews website and on the ‘Recently Approved Documents’ page on the ‘Policies, Procedures and Forms @ the University’ website to alert the University-wide community of the approved Policy; and
- Dean/Director or equivalent operational risk assessment and training workshops.