Risk Management Policy

This is the current version of this document.

Section 1 - Purpose and Context

(1) This policy confirms the commitment of the University to good corporate governance through risk management. It defines the broad accountabilities and structures the University will maintain in order to manage risk.

(2) Risk is inherent in all academic, administrative and commercial activities, and every member of the University community is continually managing risk. Risk may be potentially advantageous or harmful. The University recognises the primary objective of risk management is to eliminate exposure to adverse risk but, where its elimination is not possible, to provide a structured approach to its identification and treatment by:

  1. prioritising risks so that appropriate resources can be directed towards their mitigation; and
  2. obtaining leverage from risk management by converting risks into opportunities.

(3) The purpose of this policy is to:

  1. affirm the University's commitment to risk management;
  2. integrate risk management practices across the University; and
  3. foster an environment where staff assume responsibility for managing risks.


(4) A structured risk management program will provide a number of beneficial outcomes by:

  1. enhancing strategic planning through the identification of threats to the University's mission and addressing uncertainty associated with its operations;
  2. encouraging a pro-active approach to risk issues likely to impact on the strategic and operational objectives of the University; and
  3. improving the quality of decision making by providing structured methods and approaches for the exploration of threats, opportunities and resource allocations.


(5) This policy applies to all staff and to all current and future activities of the University.

(6) Where more detailed risk management policies or procedures are developed to cover specific areas of the University's operations (i.e. insurance, work health and safety, research, commercial activities) they should comply with the broad directions detailed in this policy.

Section 2 - Definitions

(7) For the purposes of this Policy, the following definitions apply:

  1. Risk - The effect of uncertainty on the University's objectives. Risk is measured in terms of consequence and likelihood and the outcome or effect can be a positive or negative deviation from what is expected.
  2. Risk Assessment - A process used to determine risk management priorities by evaluating and comparing the level of risk associated with an activity against predetermined tolerances or generally acceptable levels of risk (formulated in consultation with key stakeholders).
  3. Risk Management - The systematic application of practices and methods to identify, assess, evaluate, treat, monitor and communicate risk. It is undertaken with the objective of minimising losses or maximising opportunities for the University.
  4. Risk Management Framework - The accountabilities and organisational structures that are directed towards the management of risks associated with opportunities and adverse events within the University environment.
  5. Risk Profile - A representation of a set of risks according to their likelihood and consequence. Profiles are used to promote discussion and prioritise actions/responses to risk.

Section 3 - Policy Statement

Part A - Risk Management Framework

(8) The University has adopted a methodology consistent with the Risk Management Standard (AS/NZS ISO 31000:2009) for identifying, assessing and managing risks. This methodology is the basis of the University's risk management framework.

(9) The framework helps to ensure a consistent approach to the same risk by different sections of the University. It also provides a structure for:

  1. communicating, mitigating and escalating major risk issues; and
  2. incorporating risk management principles and objectives into strategic, operational and resource planning activities.

(10) A major element of the framework is an ongoing program of risk assessments across the University. The objective of risk assessments is to establish a prioritised list of risk issues for further consideration/action by senior management and executive.

(11) The assessments are facilitated by the Office of Audit and Risk Assessment and involve:

  1. an assessment of the extent, consequence and likelihood of risk; and
  2. the development of risk registers, risk profiles and risk mitigation strategies.

Part B - Responsibility for Risk Management

Board of Trustees

(12) The Board has overall responsibility for risk management and in exercising this function delegates:

  1. responsibility for the implementation of risk management frameworks to the Vice-Chancellor and President; and
  2. responsibility for oversight of risk management activities to its Audit and Risk Committee.

Audit and Risk Committee

(13) The Committee will provide oversight to risk management activities across the University and its related entities and monitor the implementation of remedial actions to minimise or eliminate adverse risk.

(14) The Committee will report at least quarterly to the Board of Trustees on the performance of risk management activities (this may form part of a broader report on the work of the Committee).

All Staff

(15) All staff are required to support and participate in the risk management processes adopted by the University.

Vice-Chancellor and President

(16) The Vice-Chancellor and President is responsible for:

  1. ensuring that risk management practices are established and maintained in accordance with this policy; and
  2. communicating significant risk issues to the Board of Trustees and Audit and Risk Committee as appropriate.

Senior Management and Executive (DVCs, VPs, PVCs, Deans, Campus Provosts, Directors)

(17) Senior management and executive are responsible for reporting regularly to the Vice-Chancellor and President on risk - immediately in instances where a significant new risk is identified.

(18) Senior management and executive are to ensure that all major proposals (involving significant financial or reputational risk for example) submitted to the Board of Trustees or any of its Committees for endorsement, indicate if a risk assessment has been undertaken (and if so whether contingency plans have been developed for any significant risk issues identified).

(19) Senior management and executive are also responsible to the Vice-Chancellor and President for the implementation of this policy within their respective areas of responsibility, specifically:

  1. periodical reporting on the status of risk mitigation strategies within their portfolio as articulated in the Western Sydney University Strategic Risk Register (a process that will be facilitated by the Office of Audit and Risk Assessment and oversighted by the Vice-President, People and Advancement);
  2. undertaking risk assessments for all major commercial ventures (refer also Commercial Activities Guidelines); and
  3. making training opportunities in risk management available to staff as appropriate to their position and role within the University.

Director, Audit and Risk Assessment

(20) The Director, Audit and Risk Assessment is responsible for:

  1. facilitating a formal process for identifying, assessing, recording and communicating strategic risks that may impact on the University;
  2. ongoing development of strategic risk profiles for the University;
  3. facilitating the biannual update of the Western Sydney University Strategic Risk Register;
  4. continuously monitoring action undertaken by the University to address strategic risk issues; and
  5. providing guidance and assistance to senior management and executive in fulfilling the responsibilities defined in this policy.

Policy Not Applicable to the University's Related Entities

(21) The University is not responsible for developing Risk Management Policy for its related entities. The Boards of University Related Entities will be responsible for establishing their own risk management policy framework and processes and will provide reports to the Vice-Chancellor and President and the Audit and Risk Committee on the status of risk as requested.

Section 4 - Procedures

(22) Nil.

Section 5 - Guidelines

(23) Nil.