Risk Management Policy

Section 1 - Purpose and Context

(1) This policy confirms the commitment of the University to good corporate governance through risk management. It defines the broad accountabilities and structures the University will maintain in order to manage risks.

(2) Risk is inherent in all academic, project, administrative and commercial activities, and every member of the University community is continually managing risk. Risk may be potentially advantageous or harmful. The University recognises that the primary objective of risk management is to eliminate exposure to adverse risk but, where elimination is not possible, to provide a structured approach to its identification and treatment by:

  1. prioritising risks so that appropriate resources can be directed towards their mitigation; and
  2. obtaining leverage from risk management by converting risks into opportunities.

(3) The purpose of this policy is to:

  1. affirm the University's commitment to risk management;
  2. enhance the University's ability to seize opportunities while reducing impacts of risk to the desired acceptable level;
  3. establish the principles by which the University will identify, assess and manage risks;
  4. foster an environment where staff take responsibility for managing risks;
  5. provide a consistent risk management framework in which the risks concerning business processes and functions of the University will be identified, considered, and addressed in key approval, review and control processes;
  6. encourage pro-active rather than re-active management;
  7. provide assistance to improve the quality of decision making throughout the University; and
  8. assist in safeguarding the University’s assets – people, finance, property and reputation.

(4) A structured risk management program will provide a number of beneficial outcomes by:

  1. enhancing strategic planning through the identification of threats to the University's mission and addressing uncertainty associated with its operations;
  2. encouraging a pro-active approach to risk issues likely to impact on the strategic and operational objectives of the University; and
  3. improving the quality of decision making by providing structured methods and approaches for the exploration of threats, opportunities and resource allocations.

(5) This policy applies to all staff and to all current and future activities of the University.

(6) Detailed risk management policies or procedures should be developed to cover specific areas of the University's operations (i.e. insurance, work health and safety, research, commercial activities, campus safety and security, information technology, business continuity, and project management).

Section 2 - Definitions

(7) For the purposes of this Policy, the following definitions apply:

  1. Business Unit Risk Register - A register of locally identified risks established and maintained by a school, institute or business unit for its operations, including any major project or commercial activity.
  2. Risk - The effect of uncertainty on the University's objectives. Risk is measured in terms of consequence and likelihood and the outcome or effect can be a positive or negative deviation from what is expected.
  3. Risk Assessment - A process used to determine risk management priorities by evaluating and comparing the level of risk associated with an activity against predetermined tolerances or generally acceptable levels of risk (formulated in consultation with key stakeholders).
  4. Risk Management - Coordinated activities to direct and control an organisation with regard to risk.
  5. Risk Management Framework - The accountabilities and organisational structures that are directed towards the management of risks associated with opportunities and adverse events within the University environment.
  6. Risk Management Process - The systematic application of risk management policies, procedures and practices to the activities of identifying, analysing, assessing, evaluating, treating, monitoring and communicating risk.
  7. Risk Owner - Person or entity with the accountability and authority to manage a risk. At the University, a Risk Owner will usually be a Director, Executive Director, School Dean or Manager, Project Manager or a member of the Senior Executive.
  8. Risk Profile - A representation of a set of risks according to their likelihood and consequence. Profiles are used to promote discussion and prioritise actions or responses to risk.
  9. University Strategic Risk Register - A University-wide Strategic Risk Register established and maintained by the Chief Audit and Risk Officer as required by the Internal Audit Charter.

Section 3 - Policy Statement

Part A - Risk Management Principles

(8) The University is committed to making risk management an integral part of all the University processes and embedding risk management into the key decisions and approval processes of all major business processes and functions of the University.

(9) The University will embrace well-managed risk-taking in pursuit of its vision and strategic objectives, while:

  1. protecting the wellbeing, health and safety of students, staff, affiliates and the public; and
  2. minimising exposure to:
    1. any potential damage to the culture of excellence in research and education;
    2. long-term brand and reputation damage; and
    3. health and safety, compliance and financial solvency related risks.

(10) All risks should be managed within the boundaries defined in the University’s Risk Appetite Statement.

Part B - Risk Management Framework

(11) The University has adopted a methodology consistent with the Risk Management Standard (ISO 31000:2018) for identifying, assessing and managing risks. This methodology is the basis of the University's risk management framework.

(12) The framework helps to ensure a consistent approach to the same risk by different business units of the University. It also provides a structure for:

  1. communicating, mitigating and escalating major risk issues; and
  2. incorporating risk management principles and objectives into strategic, operational, project management and commercial activities.

(13) The University's Risk Management Framework is a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the University.

(14) The University should evaluate its existing risk management practices and processes, identify any gaps and address those gaps within the framework.

(15) A major element of the framework is an ongoing program of risk assessment across the University. The objective of risk assessments is to establish a prioritised list of risk issues for further consideration or action by senior management and executives.

(16) The assessments are facilitated by the Office of Audit and Risk Assessment and involve:

  1. an assessment of the extent, consequence and likelihood of risk; and
  2. the development of risk registers, risk profiles and risk mitigation strategies.

Risk Appetite Statement

(17) The University's Risk Appetite Statement sets out the University's desired level of risk taking for its most significant risks. The University's management is aware of the high standards that the community expects of the University.

Risk Management Guidelines

(18) The University has adopted the principles of risk management as set out in the international Risk Management Standard ISO 31000:2018 Risk Management – Guidelines.

(19) The Risk Policy formally affirms the University's strategic commitment to building a risk management culture in which risks and opportunities are identified and managed effectively. The University recognises that, in pursuing its strategic objectives, measured risk-taking is both acceptable and appropriate.

Risk Registers

(20) The University's Senior Executive team must establish a Strategic Risk Register for the University which will be coordinated and maintained by the Chief Audit and Risk Officer.

(21) The University's risk registers comprise the strategic risk register, the operational risk register, and the project and commercial activity risk registers.

(22) The University Risk Register must document key risk events that would likely impact the University as a whole, in the manner and with the detail set out in the Risk Management Framework.

(23) The following risk registers must also be established:

  1. by the head of a business unit, in relation to the operations of that unit; and
  2. by the executive sponsor, in relation to a project.

(24) Business unit or project risk registers must document key risk events that would impact the unit or project, in the manner and with the details set out in the Risk Management Framework.

Part C - Responsibility for Risk Management

Board of Trustees

(25) The Board has overall responsibility for risk management and in exercising this function delegates:

  1. responsibility for the implementation of risk management frameworks to the Vice-Chancellor and President; and
  2. responsibility for oversight of risk management activities to its Audit and Risk Committee (ARC).

Audit and Risk Committee

(26) The ARC will provide oversight to risk management activities across the University and its related entities and monitor the implementation of remedial actions to minimise or eliminate adverse risk.

(27) The Committee will report at least quarterly to the Board of Trustees on the performance of risk management activities (this may form part of a broader report on the work of the Committee).

Vice-Chancellor and President

(28) The Vice-Chancellor and President is responsible for:

  1. ensuring that risk management practices are established and maintained in accordance with this policy;
  2. communicating significant risk issues to the Board of Trustees and Audit and Risk Committee as appropriate; and
  3. ensuring that the risk management function is appropriately resourced and funded.

Senior Management and Executive (DVCs/VPs, PVCs, Chief Officers, Deans, Campus Provosts, Executive Directors, Directors)

(29) Senior management and executive are responsible for reporting regularly to the Vice-Chancellor and President on risk, and for reporting immediately where a significant new risk is identified.

(30) Senior management and executive are to ensure that all major proposals (for example, those involving significant financial or reputational risk) submitted to the Board of Trustees or any of its Committees for endorsement indicate whether a risk assessment has been undertaken (and, if so, whether contingency plans have been developed for any significant risk issues identified).

(31) Senior management and executive are also responsible to the Vice-Chancellor and President for the implementation of this policy within their respective areas of responsibility, specifically:

  1. periodic reporting on the status of risk mitigation strategies within their portfolio as articulated in the University's Strategic Risk Register (a process that will be facilitated by the Office of Audit and Risk Assessment and overseen by the Vice-President, People and Advancement);
  2. undertaking risk assessments for all major commercial ventures (refer also to the Commercial Activities Guidelines); and
  3. making training opportunities in risk management available to staff as appropriate to their position and role within the University.

Chief Audit and Risk Officer

(32) The Chief Audit and Risk Officer is responsible for the implementation and ongoing maintenance of the Risk Management Policy. The Officer's responsibilities also include:

  1. facilitating a formal process for identifying, assessing, recording and communicating strategic risks that may impact on the University;
  2. establishing supporting processes, tools and advice to facilitate effective risk management;
  3. ongoing development of strategic risk profiles for the University;
  4. facilitating the annual update of the University's Strategic Risk Register;
  5. continuously monitoring action undertaken by the University to address strategic risk issues;
  6. providing guidance and assistance to senior management and executive in fulfilling the responsibilities defined in this policy;
  7. reporting key risks to the Vice-Chancellor and President, University Executives and the Audit and Risk Committee; and
  8. reviewing other risk management functions of the University to ensure these functions have applied this policy appropriately.

Line Managers and Project Managers

(33) Managers of the University are responsible for incorporating risk management into their standard management practices by:

  1. understanding the University's risk management principles and fostering a risk-aware culture within their areas of responsibility;
  2. identifying and determining appropriate actions to address risks within their area of responsibility in accordance with University policies and procedures;
  3. documenting their risk management processes by developing and maintaining a register of risks;
  4. upward reporting of significant emerging or residual risks; and
  5. ensuring the inclusion of risk management responsibilities in duty statements, induction, professional development and performance management processes for all staff within their area of responsibility.

All Staff

(34) All staff are required to be aware of this policy and to support and participate in the risk management processes adopted by the University.

Section 4 - Procedures

(35) Nil.

Section 5 - Guidelines

(36) Refer to the Risk Management Guidelines.