Risk Management

Risk Management Procedure

Policy Code: CG2029

Purpose

This procedure outlines the operational activities and accountabilities required to implement Federation University’s enterprise risk management framework.

Effective engagement in risk management processes is essential to allow the University to achieve its strategic and operational objectives.  Early and accurate identification of risk minimises the threat of unexpected and undesirable events and maximises the identification and delivery of opportunities.

A clear and consistent set of processes assists the University to develop an effective and transparent risk culture and builds expertise across the University. 

The University’s risk management processes are delivered through the following mechanisms:

  • Risk appetite statement:  clearly articulated risk tolerances agreed by the University Council, through the Audit and Risk Management Committee and Vice Chancellor’s Senior Team.
  • Clear processes: well-defined risk management processes implemented at the strategic, enterprise and operational levels.
  • Accountability: clear risk ownership and accountability at all levels.
  • Dedicated resources: expert staff resources possessing contemporary risk management expertise and understanding of the strategic and operational drivers of the University.
  • Tools and templates: tools, templates and guidelines to assist with consistent documentation and analysis of risk.
  • Centralised administration: a centralised corporate support function that proactively drives the University’s risk agenda through continual review and improvement.

Risk management objectives will be delivered using the following processes:

  • Communication and consultation: engaging the right people to capture a broad view of risk, and recording and communicating that information in a useful way.
  • Analysis and action: risk identification, analysis and treatment to identify strengths and weaknesses.
  • Regular review of risk registers and profiles: a cycle of activity that considers new and existing risk information on an ongoing basis.
  • Reporting: a reporting cycle that reports the right information, to the right people, at the right time.
  • Monitor and review: a monitoring and review cycle that ensures critical risks are regularly reviewed by, and reported to, the Audit and Risk Management Committee (A&RMC) and the Vice-Chancellor’s Senior Team (VCST) to inform decision making.

Risk management practices will be applied to strategic and operational planning including business plan development, project management and day-to-day decision-making.

Scope

This procedure applies to all members of the University community and to all activities under the control or direction of the University.

Definitions

TERM DEFINITION
Risk Management The coordinated management of activities to direct and control an organisation with regard to risk.
Risk

The effect of uncertainty on objectives:

  • An effect is a deviation from the expected, positive or negative, and can create or result in opportunities or threats.
  • Objectives can have different aspects such as financial, health and safety or environmental and can apply at different levels such as strategic, enterprise wide, project or operational.
  • Risk is often characterised by reference to sources of risk, potential events, their consequences and likelihood of occurrence.

Members of the University Community Includes staff, members of the University Council and members of any board, committee or other body established by or constituted under University Statutes and Regulations.
Risk Appetite The amount and type of risk that the University is willing to take in order to meet its strategic objectives.
Consequence

Outcome of a risk event or situation expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain:

  • An event can lead to a range of consequences. 
  • A consequence can be certain or uncertain and can have positive or negative effects on objectives.
  • Consequences can be expressed qualitatively or quantitatively. 
  • Initial consequences can escalate through knock-on effects.
Likelihood The chance or probability of a risk materialising.
Controls The actions, activities or mitigation strategies in place to prevent the risk from materialising.
Contributing Factors Factors internal and external that contribute to the risk existing or which could result in the risk materialising.
Accountability Responsibility for ensuring that a risk is appropriately managed, including implementation of treatment plans and monitoring the effectiveness of controls.
Risk Categories Broad categories of risk that the University uses to identify and group risks.

Risk Management Framework

The primary purpose of the risk management framework is to provide a coordinated and managed approach to critical risks that, if they were to occur, would impact on the achievement of strategic and organisational objectives.

The University has defined three levels of risk and accountability:

Strategic Risk Profile 

  • Strategic risks are risks that affect or are created by the University’s strategic objectives. 
  • The strategic risk profile is forward looking and focused on risk to and from the strategic plan.  The profile will be integrated with the overall strategic planning process.
  • Strategic risks are typically over-the-horizon, large-scale or game-changing scenarios. Strategic risks are often interdependent and require an integrated management approach. 
  • The University Council, through the Audit and Risk Management Committee (A&RMC), and in consultation with the Vice Chancellor’s Senior Team (VCST), is responsible for the strategic risk profile.
  • The strategic risk profile is refreshed annually and with any change to the University’s strategic plan.
  • The Associate Director Risk and Integrity is responsible for the planning and facilitation of strategic risk profile activities.
  • The Chief Operating Officer is responsible for finalising the strategic risk profile and quarterly monitoring and reporting to VCST, the A&RMC and University Council.   

Enterprise Risk Profile 

  • Enterprise risks are organisation-wide risks that, if they were to materialise, would have the severity or materiality to threaten the survival or existence of the University. 
  • The enterprise risk profile is based on risks identified in strategic reviews that relate to University operations.  Enterprise risks may also be identified in operational risk reviews as critical risks.
  • The VCST is responsible for the enterprise risk profile.  The profile is refreshed annually with quarterly monitoring and reporting by VCST to the University Council, through the A&RMC.
  • The Associate Director Risk and Integrity is responsible for the planning and facilitation of the enterprise risk profile activities.
  • The Chief Operating Officer is responsible for finalising the enterprise risk profile and quarterly monitoring and reporting to VCST, the A&RMC and University Council. 

Operational Risk Profiles 

Operational risks affect a specific area of activity of the University.

  • The operational risk profiles are developed based on risks to the achievement of school/division/directorate operational plans.  Some risks will be similar across operational areas of the University. 
  • The Dean/Director or equivalent is responsible for an annual refresh of the operational risk profile within their area of responsibility. 
  • The Dean/Director or equivalent is responsible for ensuring that the operational management team monitors and reviews the risk profile on a quarterly basis.  Quarterly monitoring and reporting will occur to the member of the VCST responsible for that division.
  • The Associate Director Risk and Integrity is responsible for monitoring the review of the operational risk profile and facilitating an annual refresh of the risk profile.
  • The VCST is responsible for monitoring the operational risk profiles and raising critical risks to the enterprise risk level if required.  

Risk Categories

University risk is considered within seven broad categories:

CATEGORY CONSIDERATIONS
Financial What are the possible short, medium and long term financial impacts?
People What are the safety or health and wellbeing implications?  Do we have the right people with the right skills and accountability?  Do we have adequate resources?
Business interruption What impact will this decision/project have on the operation of the school, directorate or University as a whole?
Environmental What environmental risks are associated with the project/initiative?  What are the implications for our sustainability objectives?
Reputational and Political What are the potential positive and negative impacts to brand and reputation? 
Quality and Regulatory Does the project or decision comply with regulatory and legal requirements?  Will it impact compliance with standards or impact registration?
Fraud and cybercrime What are the risks of internal or external fraud?  Are adequate cyber security measures in place?

Roles/Responsibilities

ROLE RESPONSIBILITY
University Council
  • Sets the strategic direction and manages the performance of the University.
  • Through the A&RMC, oversees the assessment and management of risk across the University.
  • Through the A&RMC, is responsible for the strategic risk profile.
Audit and Risk Management Committee (A&RMC)
  • Responsible for the appropriate oversight and management of risk across the University.
  • Reviews and approves the risk management policy and procedure and the risk appetite statement within which risks are managed.
  • Undertakes an annual refresh of the strategic risk profile in consultation with VCST.
  • Undertakes quarterly monitoring and review of the University’s strategic, enterprise and critical operational risks.
Vice-Chancellor’s Senior Team (VCST)
  • Leads the risk management process and implements the risk management framework within their portfolio.
  • Responsible for the enterprise risk profile and the development and implementation of risk treatment plans and controls.
  • Refreshes the enterprise risk profile annually with quarterly monitoring and reporting to the University Council, through the A&RMC.
  • Responsible for monitoring operational risk profiles within each member’s portfolio and raising critical risks to the enterprise risk level if required.
Chief Operating Officer (COO)
  • Development and implementation of the risk management framework.
  • Ensuring adequate resources are provided for the management and administration of risk functions.
  • Finalising the strategic and enterprise risk profiles and quarterly monitoring and reporting to VCST, the A&RMC and University Council.
Associate Director Risk and Integrity
  • Development and enhancement of risk management processes and systems.
  • Raising the profile of risk management across the organisation and embedding risk into decision making processes. 
  • Maintaining the strategic and enterprise risk registers and identifying risks which fall outside the agreed risk appetite.
  • Escalating new and emerging risks to appropriate decision makers.
  • Planning and facilitation of risk profile activities.
Deans, Directors or equivalent
  • Identifying and managing risk within their school, directorate or division in accordance with the framework.
  • Participating in risk reviews and updating of risk registers.
  • Managing implementation of identified treatment plans and controls.
  • Conducting an annual refresh of the operational risk profile within their area of responsibility and ensuring that the operational management team on a quarterly basis monitors and reviews the risk profile.
  • Quarterly monitoring and reporting on the operational risk profile to the member of VCST responsible for that division.
All staff
  • Escalating identified risks to appropriate supervisors.
  • Undertaking and documenting risk assessments to support decision making processes.

Risk Assessment

Federation University has developed a standard risk assessment methodology and template designed in accordance with international standards.

Some areas of the University may require a specific or customised approach to risk management to meet regulatory, industry or contractual requirements. These instances are dealt with on a case by case basis with the Associate Director Risk and Integrity. 

Based on the outcome of the assessment process, each risk will be assigned a rating of Low, Medium, High or Extreme, each requiring a different level of approval and management as set out below:

RATING APPROVAL AND REVIEW ACTIONS
Extreme VCST approval and active management
  • Consideration should be given to ceasing or delaying the activity until treatments can be implemented to reduce the risk.
  • Approval to proceed must be obtained from the VCST prior to commencement.
  • Ongoing review of risk treatments must be undertaken by the appropriate member of VCST.
  • On identification the risk must be reported to the Chancellor for Council awareness and consideration.
  • Reported quarterly to the A&RMC.
High Deputy Vice-Chancellor (DVC), Chief Operating Officer (COO) or Pro Vice-Chancellor (PVC) approval and continuous review
  • Risk owner to regularly monitor application of controls.
  • Treatment plans to be implemented and updated quarterly.
  • Changes in risk to be notified to the approver as soon as practical.
  • A&RMC review on request.
Medium Director or equivalent approval and annual review
  • Review controls for potential improvement.
  • Monitor risk treatment plans and update quarterly.
  • Quarterly review of risk analysis and controls.
Low No formal escalation required.  Annual review.
  • Dean, Director or equivalent oversight to identify changing circumstances that may increase the level of risk.
  • Quarterly review of risk and controls.

Review and Reporting

A cycle of monitoring and reporting will be implemented to ensure that risks are identified, assessed and reported to the appropriate governance bodies in a timely manner.  This cycle will include:

  • Quarterly Audit and Risk Management Committee reports including: a risk heat map; new and emerging risks; strategic and enterprise risks outside risk appetite; significant changes to strategic or enterprise risks; and a strategic and enterprise risk treatment update.
  • Annual review and refresh of strategic risk profile in line with the strategic planning process.
  • Annual review and refresh of enterprise risk profile.
  • Annual risk workshops to review operational risk profiles.
  • Monthly review of outstanding treatment actions.

Responsibility

  • The Audit and Risk Management Committee (as the Approval Authority) is responsible for the review and approval of this procedure to ensure appropriate oversight and management of University wide risk.
  • The Associate Director, Risk and Integrity (as the Policy Sponsor) is responsible for maintaining the content of this procedure in consultation with the Audit and Risk Management Committee.

Promulgation

This procedure will be communicated throughout the University via:

  • an Announcement Notice via the FedNews website and on the ‘Recently Approved Documents’ page on the ‘Policies, Procedures and Forms @ the University’ website to alert the University-wide community to the approved procedure; and
  • distribution of e-mails to VCST, Deans, Directors or equivalent.

Implementation

This procedure will be implemented throughout the University via:

  • an Announcement Notice via the FedNews website and on the ‘Recently Approved Documents’ page on the ‘Policies, Procedures and Forms @ the University’ website to alert the University-wide community to the approved procedure; and
  • Dean/Director or equivalent operational risk assessment and training workshops.