Risk Management Policy

Section 1 - Purpose and Context

(1) This policy confirms the commitment of the University to good corporate governance through risk management. It defines the broad accountabilities and structures the University and its controlled entities will maintain to manage risks.

(2) Risk is inherent in all academic, project, administrative and commercial activities, and every member of the University community is continually managing risk. Risk may be advantageous or harmful. The University recognises that the primary objective of risk management is to eliminate exposure to adverse risk and, where elimination is not possible, to provide a structured approach to its identification and treatment by:

  1. prioritising risks so that appropriate resources can be directed towards their mitigation, and
  2. obtaining leverage from risk management by converting risks into opportunities

(3) The purpose of this policy is to:

  1. affirm the University's commitment to risk management
  2. enhance the University's ability to seize opportunities while reducing impacts of risk to the desired or an acceptable level
  3. establish the principles by which the University will identify, assess and manage risks
  4. foster an environment where staff take responsibility for managing risks
  5. provide a consistent risk management framework in which the risks concerning business processes and functions of the University will be identified, considered, and addressed in approval, review and control-assessment processes
  6. encourage a proactive rather than reactive management of risks
  7. provide assistance to improve the quality of decision making throughout the University, and
  8. assist in safeguarding the University's people, assets, finance, property and reputation

Benefits

(4) A structured risk management program will provide a number of beneficial outcomes by:

  1. enhancing strategic planning through the identification of threats to the University's mission and addressing uncertainty associated with its operations
  2. encouraging a proactive approach to risk issues likely to impact the strategic and operational objectives of the University, and
  3. improving the quality of decision-making by providing structured methods and techniques to explore threats, opportunities and resource allocations

Application

(5) This policy applies to all staff and all current and future activities of the University and its controlled entities.

(6) Detailed risk management policies or procedures should be developed to cover specific areas of the University's operations (i.e. insurance, work health and safety, research, commercial activities, campus safety and security, information technology, business continuity, and project management).

Section 2 - Definitions

(7) For this Policy, the following definitions apply:

  1. Business Unit/School Risk Register - a register of locally identified risks, established and maintained by a School, Institute, or business unit for its operations, including significant project or commercial activities.
  2. Emerging Risk - a new risk or existing risk with a heightened potential exposure for the University.
  3. Research Project Risk Register – a register of risks identified that may impact the successful achievement of a research project’s goals and objectives.
  4. Risk - the effect of uncertainty on the University's goals and objectives. Risk is measured in terms of the likelihood and impact/consequences of an event/circumstance. The impact/consequences can be a positive or negative deviation from what is expected.
  5. Risk Appetite – the level of risk the University is willing to take to pursue its strategic and operational goals and objectives.
  6. Risk Assessment - a process used to determine risk management priorities by evaluating and comparing the level of risk associated with an activity against predetermined tolerances or generally acceptable levels of risk (formulated in consultation with key stakeholders).
  7. Risk Issue – a risk becomes an issue when risk materialises. That is, the risk event has happened, and it needs to be managed.
  8. Risk Management - the principles, framework, and processes that are in place to manage risk effectively. In other words, addressing the effect of uncertainty on objectives.
  9. Risk Management Framework – a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the University.
  10. Risk Management Process - the systematic application of risk management policies, procedures, and practices to identify, analyse, assess, evaluate, treat, and communicate risk.
  11. Risk Owner - a person or entity with the accountability and authority to manage risk. In other words, at the University, a person whose business objectives are impacted by the risk. Generally, it is the process or activity owner. This could be, but is not limited to, a Director; Executive Director; School Dean; Business Unit Manager; Divisional Head; Director, Research Institute; Researcher; Project Manager; Commercial Activity owner; Pro Vice-Chancellor or a member of the Senior Executive.
  12. Risk Profile – a representation of a set of risks according to their likelihood and consequence. Profiles are used to promote discussion and prioritise actions or responses to risk.
  13. University Strategic Risk Register - the central register of the University's key strategic risks that have a significant impact at an organisational level; it is established by the University's Senior Executive team and maintained by the Chief Audit and Risk Officer.
  14. WesternERM – the University's Enterprise-wide Risk Management system. It is required that operational risk assessments are recorded and maintained in WesternERM.
Section 3 - Policy Statement

Part A - Risk Management Principles

(8) The University is committed to making risk management an integral part of all the University processes and embedding risk management into the key decisions and approval processes of all major business processes and functions.

(9) The University will embrace well-managed risk-taking in pursuit of its vision and strategic objectives, while:

  1. protecting the wellbeing, health and safety of students, staff, affiliates, and the public, and
  2. minimising exposure to:
    1. any potential damage to the culture of excellence in research and education
    2. long-term brand and reputation damage, and
    3. health and safety, regulatory compliance, and financial solvency-related risks

(10) All risks should be managed within the boundaries defined in the University's Risk Appetite Statement. Please refer to the University's Risk Appetite Statement for more information.

Part B - Risk Management Framework

(11) The University has adopted a methodology consistent with the international standard ISO 31000:2018 Risk Management - Guidelines for identifying, assessing, and managing risks. This methodology is the basis of the University's risk management framework. The framework helps to ensure that different business units of the University take a consistent approach to the same risk. It also provides a structure for:

  1. communicating, mitigating, and escalating Critical and High-rated emerging or materialised risks, and
  2. incorporating risk management principles and objectives into strategic, operational, research activities, project management, and commercial activities

(12) The University's Risk Management Framework is a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the University. The Risk Management Framework includes the following, in addition to this policy:

  1. a governance structure that enables oversight of risks by Senior Executives and the Board of Trustees
  2. the University's Risk Appetite Statement which articulates the type and degree of risk the Board is prepared to accept and the maximum level of risk that the University must operate within
  3. tools, templates, guidelines and systems which enable risks to be identified, assessed, evaluated, treated and reported upon
  4. a strong risk culture, comprising leadership from the top, the Code of Conduct, and the values, principles and practices within the University that determine how staff identify, measure, govern and act upon risks
  5. the University's insurance process to manage unplanned losses from events that the University provides insurance for, and
  6. training provided to staff to enhance their skills and capabilities to effectively manage risks for their operations and more broadly across the University

(13) The University should evaluate its existing risk management practices and processes, assess any gaps, and address them within the framework.

(14) A significant element of the framework is an ongoing program of risk assessment across the University. Risk assessments aim to establish a prioritised list of risks and issues for further consideration or action by senior management and executives.

(15) Risk assessments are performed by management or by delegated staff acting as risk champions, and may be facilitated by the Office of Audit and Risk Assessment. Typically, these risk assessments involve:

  1. an assessment of the extent, consequence, and likelihood of risk, and
  2. the development of risk registers, risk profiles, and risk mitigation strategies

Risk Appetite Statement

(16) The University's Risk Appetite Statement sets out its desired level of risk-taking for its most significant risks. The University's management is aware of the high standards that the community expects of the University.

Risk Management Guidelines

(17) The Office of Audit and Risk Assessment has developed a Western Risk Assessment Guide (WRAG) which should be utilised by all staff. The WRAG provides an overview of how:

  1. risk assessments should be performed, considering the likelihood and impact of risk events
  2. the effectiveness of controls should be assessed
  3. who can approve a course of action required to address a risk, depending on the level of risk, and
  4. the indicative time frame for remediating risks

(18) The WRAG should be adopted and implemented by other risk management functions of the University, including but not limited to: Work Health, Safety and Wellbeing; Campus Safety and Security; Strategic Projects Implementation and Improvements; Information Technology and Digital Services; Business Continuity and Planning; Office of General Counsel; and Compliance Program Unit. 

Risk Registers

(19) The University's Senior Executive team must establish a Strategic Risk Register for the University which will be coordinated and maintained by the Chief Audit and Risk Officer.

(20) The University Risk Registers are comprised of, but not limited to:

  1. the University-wide strategic risk register
  2. individual business unit operational risk register, where operations of the unit are large, complex or the unit performs multiple different functions
  3. divisional-level operational risk register, where individual business units under the division are too small, simple and do not have multiple functions which justify risk assessment to be performed at the divisional level
  4. School’s operational risk register
  5. Research Institute and specific research project-based risk register
  6. significant business programs or project specific risk register, and
  7. commercial activities risk registers

(21) The risk registers should document key risk events that would impact the strategic or operational goals and objectives of each relevant area noted above.

Part C - Responsibility for Risk Management

Board of Trustees

(22) The Board has overall responsibility for risk management and in exercising this function delegates:

  1. responsibility for the implementation of risk management frameworks to the Vice-Chancellor and President, and
  2. responsibility for oversight of risk management activities to its Audit and Risk Committee (ARC)

Audit and Risk Committee (ARC)

(23) The ARC advises and makes recommendations to the Board (or, as appropriate, the Chancellor or the Vice-Chancellor and President) on matters concerning risks to the University and its controlled entities and the effectiveness of systems of control or management of those risks. The roles and responsibilities of the ARC are formalised via the ARC Charter approved by the Board.

(24) The ARC will oversee risk management activities across the University and its controlled entities and monitor the following:

  1. the implementation of remedial actions to minimise or eliminate adverse risk, and
  2. actions taken by management to maximise opportunities arising from risk

(25) The Committee will report at least quarterly to the Board of Trustees on the performance of risk management activities (this may form part of a broader report on the work of the Committee).

Vice-Chancellor and President

(26) The Vice-Chancellor and President is responsible for the following:

  1. ensuring that risk management practices are established and maintained in accordance with this policy
  2. communicating Critical and High-risk issues to the Board of Trustees and Audit and Risk Committee as appropriate, and
  3. ensuring the risk management function is appropriately resourced and funded

Senior Management and Executives (Senior Deputy Vice-Chancellor, Deputy Vice-Chancellors/Vice-Presidents, Pro Vice-Chancellors, Chief Officers, Deans, Campus Provosts, Executive Directors, Directors)

(27) Senior management and executives are responsible for regularly reporting to the Vice-Chancellor and President on risks, and immediately in instances where a Critical or High risk is identified.

(28) Senior management and executives are to ensure that all major proposals including business cases for projects (involving significant financial or reputational risk, for example) that are submitted to the University Executives, Board of Trustees or any of its committees for endorsement/approval, indicate if a risk assessment has been undertaken (and if so whether risk mitigation plans have been developed for Critical and High-risk issues identified). Refer to the Guidelines for Writing Board and Committee Papers.

(29) Senior management and executives are also responsible to the Vice-Chancellor and President for the implementation of this policy within their respective areas of responsibility, specifically:

  1. periodic reporting on the status of risk mitigation strategies within their portfolio as articulated in the University's Strategic Risk Register (a process that will be facilitated by the Office of Audit and Risk Assessment and overseen by the Senior Deputy Vice-Chancellor)
  2. undertaking risk assessments for all major commercial ventures (also refer to Commercial Activities Guidelines), and
  3. making training opportunities in risk management available to staff as appropriate to their position and role within the University.

Chief Audit and Risk Officer

(30) The Chief Audit and Risk Officer is responsible for the establishment and ongoing maintenance of the Risk Management Policy, and:

  1. facilitating a formal process for identifying, assessing, recording, and communicating strategic risks that may impact the University
  2. establishing supporting processes, tools, and advice to facilitate effective risk management
  3. facilitating the development and annual update of the University's Strategic Risk Register
  4. continuously monitoring activities undertaken by the University to address strategic risk issues
  5. providing guidance and assistance to senior management and executives in fulfilling the responsibilities defined in this policy
  6. reporting key risks to the Vice-Chancellor and President, University Executives, Audit and Risk Committee, and
  7. reviewing other risk management functions of the University to ensure these functions have applied this policy appropriately

Team Leaders/Managers, Researchers and Project Managers (Managers)

(31) Managers of the University are responsible for incorporating risk management into their standard management practices by:

  1. understanding the University's risk management principles and fostering a risk-aware culture within their areas of responsibility;
  2. identifying and determining appropriate actions to address risks within their area of responsibility in accordance with University policies and procedures;
  3. documenting their risk management processes, and developing and maintaining a register of risks;
  4. escalating and reporting of Critical and High emerging or residual risks; and
  5. ensuring the inclusion of risk management responsibilities in job description, induction, professional development, and performance management processes for all staff within their area of responsibility.

Researchers

(32) As per the Responsible Conduct of Research Policy, in conducting research activities, researchers have responsibility to assess and manage the risk of their research activities by:

  1. identifying and familiarising themselves with risks associated with their projects;
  2. managing risks consistently with this policy;
  3. identifying and determining appropriate actions to address risks within their research project in accordance with University policies and procedures;
  4. documenting their risk management processes by developing and maintaining a register of risks; and
  5. escalating incidents, risks and concerns to management, where appropriate.

All Staff

(33) All staff are required to be aware of this policy, and to support and participate in the risk management processes adopted by the University by:

  1. identifying and familiarising themselves with risks associated with their roles;
  2. managing risks consistently with this policy;
  3. contributing to risk management activities as directed by management; and
  4. escalating incidents, risks and concerns to management, where appropriate.

(34) All staff must report any incident or knowledge of Critical and/or High risks immediately to their supervisor before escalating the matter to the Office of Audit and Risk Assessment.

Section 4 - Procedures

(35) Nil.

Section 5 - Guidelines

(36) Refer to the Western Risk Assessment Guide.