Policy directory
Download/print as PDF

RISK MANAGEMENT POLICY

Date first approved:

15 April 2005

Date of effect:

15 April 2005

Date last amended:
(refer to Version Control Table)

March 2021

Date of Next Review:

1 March 2026

First Approved by:

University Council

Custodian title & e-mail address:

Chief Operating Officer

Author:

Manager, Business Assurance
business-assurance@uow.edu.au

Responsible Division & Unit:

Business Improvement & Assurance Division

Supporting documents, procedures & forms:

Business Continuity Management Policy

Commercial Activity Guidelines

Risk Appetite Statement

Risk Management Framework and Guidelines

Work Health and Safety Policy

Relevant Legislation &

External Documents:

AS/NZS ISO 31000:2018 Risk Management - Guidelines

Australia’s Foreign Relations (State and Territory Arrangements) Bill 2020

Environmental Policy

Foreign Influence Transparency Scheme Act 2018

Guidelines to Counter Foreign Interference in the Australian University Sector

ISO Guide 73:2009 Risk Management – Vocabulary

Modern Slavery Act 2018

Public Interest Disclosure Act 2013

University of Wollongong Act, 1989 (NSW)

Work Health and Safety Act 2011 (NSW)

Work Health and Safety Regulation 2017

Audience:

Public

Contents

1. Purpose of Policy 3

2. Definitions 3

3. Application & Scope 4

4. Risk Management Approach 5

5. Emerging Risks 6

6. Organisational Risk Register 6

7. Local Risk Registers 7

8. Risk Registers for Commercial Activities, Major Projects & Additional Activities 7

9. Roles & Responsibilities 8

10. Version Control & Change History 11

    1. Purpose of Policy

      • 1. The University has a statutory obligation to undertake risk management that is established within the University of Wollongong Act 1989 (the Act).1
      • 2. The University recognises that effective risk management is an integral part of good governance and best management practice that assists the University to meet its statutory objectives and deliver on its Strategic Plan.
      • 3. The purpose of this policy is to:

        a. Define responsibilities and structures to ensure risk management practices are integrated into strategic, operational and project planning/management and review processes;

        b. Promote an environment where informed decisions to identify and manage the University’s risks are made in an open and transparent manner;

        c. Create a risk intelligent culture at the workplace where all staff are encouraged to proactively manage risks in their day to day activities; and

        d. Ensure all areas across the University apply a consistent approach to risk management.

    2. Definitions2

Word/Term

Definition

Commercial Activity

As defined in the Commercial Activities Guidelines.

Control

A measure that modifies a risk.

Emerging Risk

A new risk or existing risk with a heightened potential exposure for the University.

Level of Risk

The magnitude of a risk expressed as a combination of consequence and likelihood. Also known as the risk rating.

Local Risk Register

A register of locally identified risks maintained by a faculty, institute or administrative division/unit or for a Major Project or Commercial Activity.

Major Project

A large-scale project, as identified in the University’s Capital Management Plan.

Organisational Risk Register

The central register of the University’s key risks that have an important impact at an organisational level.

Project Manager

For the purposes of this policy, Project Manager refers to those staff responsible for managing a Major Project, as per the University’s Capital Management Plan.

Risk

The effect of uncertainty on objectives.

Risk Appetite

The level or risk, which, if breached by a risk assessment, would require the development of risk treatment actions to reduce the likelihood and consequence of the risk.

Risk Appetite Level

The level or risk, which, if breached by a risk assessment, would require the development of risk treatment actions to reduce the likelihood and consequence of the risk.

Risk Appetite Statement

The overarching document which outlines the approach of the University to risk appetite and establishes the specific risk categories and associated risk appetite level for each category.

Risk Assessment

The overall process of risk identification, risk analysis and risk evaluation.

Risk Management

Coordinated activities to direct and control the University with regard to risk.

Risk Management Framework

The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the University.

Risk Management Process

The systematic application of management policies, procedures and practices to the activities of identifying, communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risks.

Risk Owner

The position with the accountability and authority for managing a risk and any associated risk controls. At UOW, Risk Owners will usually be a Director, Faculty Executive Manager, Project Manager (as defined by this policy), Executive Dean or a member of the Senior Executive (including the Vice-Chancellor)

    3. Application & Scope

      • 1. This policy applies to all Faculties, Divisions and significant University activities. This policy should be read in conjunction with the Risk Management Framework and Guidelines and Risk Appetite Statement.
      • 2. Specific risk management policies, procedures and/or guidelines covering specialised areas or entities of the University may apply and will be consistent with the broad directions in this policy such as the Workplace Health and Safety Policy which informs the health, safety and risk management process and system used to ensure workplace hazards are identified, assessed, controlled and reviewed where they cannot be implemented supplementary to this Policy.
      • 3. Where there is legislation in place for the management of specific risks such as, for example, Workplace Health and Safety, Equal Opportunity, Research Ethics, Foreign Arrangements, Foreign Interference, Modern Slavery and Fraud and Corruption; the Risk Management Policy does not relieve the University of its responsibility to comply with the applicable legislation.

    4. Risk Management Approach

      • 1. The University is committed to having a robust risk framework in order to properly assess risks in its strategic and operational decision-making.
      • 2. The University applies a structured and consistent approach to risk management at all levels across the University.
      • 3. Effective Risk Management enables:

        a. An assessment and understanding of the challenging natural, political, socio-economic and cultural influences that create uncertainty in the University’s operating environment and may impact on the extent the objectives of the University can be met;

        b. The identification, evaluation and management of threats and opportunities to ensure the University is conscious of the risks it faces;

        c. The management of complex and shared risks, identification of their causes, impacts/consequences and controls;

        d. Improved information for decision making;

        e. Improved University performance and resilience;

        f. Clear reporting and transparency of information; and

        g. Accountability, assurance and effective governance.

      • 4. The management of risk is the responsibility of all staff and will be incorporated into policies, procedures and planning and review processes at all levels across the University. All staff are required to work individually and collectively towards the active promotion of a positive risk management culture within and across the University.
      • 5. The management of risk requires identifying and understanding risks across every aspect of the University’s operations.
      • 6. In addition to embedded risk management and due diligence when undertaking operational activities, a formal risk assessment must be completed prior to commencement, reviewed periodically and managed in accordance with this policy for the following activities:

        a. All Commercial Activities and Major Projects;

        b. All formal and informal research activities and with specific emphasis on those likely to involve direct or indirect international collaboration. This is in order to minimise the impact of foreign relations and safeguard national security, academic freedom, intellectual property and the reputation of the University.

        c. Any activity where there is the potential for the University to cause, contribute to or be directly linked to risks associated with fraud and corruption, national security via international activities or modern slavery. This is particularly when engaging with supply chains but is also inclusive of collaborations, partnerships and investments.

        d. Any other activity directed by legislation, regulation or informed by National Policy.

      • 7. Risk assessments should be based on the best available information, which may include historical data, experience, stakeholder feedback, observation, forecasts and expert judgement.
      • 8. Although the processes applied to identify risks may vary across the University, all risks are to be assessed using the standard methodology outlined in the Risk Management Framework and Guidelines.
      • 9. Each risk will be assigned a Risk Owner(s). The Risk Owner is responsible for managing and monitoring the risk. Risk Owners must ensure that adequate controls are:

        a. Applied so risks are within the University’s Risk Appetite; or, if not within the appetite, then dealt with as described in the Risk Appetite Statement; and

        b. Proportional to the risk consequence and likelihood.

      • 10. Risk Owners are required to continually monitor and review each risk assigned to them to ensure that the management of the risk (causes, consequences/impacts and controls) is relevant, demonstrable, effective and to ensure the information available to management is accurate and complete.
      • 11. The University’s Risk Management approach will be subject to continuous assessment and improvement in line with current standards and conventions, and in line with direction of the Risk, Audit & Compliance Committee.

    5. Emerging Risks

      • 1. Emerging risks are new risks or familiar risks that can become heightened under new or unfamiliar conditions.3 The sources of these risks can be natural and/or human and may include new technologies, economic, social, environmental, regulatory or political change.
      • 2. Emerging risks have the potential to impact on the operations of the University and require early identification and development of a proactive response to mitigate their impact should they arise.
      • 3. The Risk Management Group relies on intelligence from stakeholders and other sources to alert the University to emerging risks such as market factors, political changes, sector insight or changes to the internal or external operating environment.
      • 4. Emerging Risks are to be reported to the Manager, Business Assurance to be raised with the Risk Management Group and assessed in accordance with the Risk Management Framework and Guidelines.
      • 5. The Risk, Audit and Compliance Committee will receive regular updates on emerging risk assessments undertaken by the Risk Management Group.

    6. Organisational Risk Register

      • 1. Business Assurance will develop and maintain the Organisational Risk Register for the University.
      • 2. The Organisational Risk Register will:

        a. Include details of the University’s risks and how they are rated and managed;

        b. Include details of mitigation plans for those risks that are rated outside the University’s Risk Appetite; and

        c. Form the basis of regular reporting to the Vice-Chancellor’s Advisory Group, the Risk, Audit & Compliance Committee and University Council. This reporting will include, but not be limited to:

        i. any risk outside the University’s risk appetite including those risks reported and approved as described in the University’s Risk Appetite Statement; and

        ii. any risk where the targeted completion of an appropriate mitigation plan exceeds the agreed maximum timeframe for implementation, including those risks where increased timeframes have been agreed outside those described in the University’s Risk Appetite Statement.

    7. Local Risk Registers

      • 1. Each Faculty and Division is required to develop and maintain a local risk register. The University may extend this requirement to other entities and business units, as appropriate.
      • 2. Local risk registers will not take the place of specific risk registers for major projects, research projects, international collaborations or other specific activities which may have been identified as requiring a separate or customised register.
      • 3. Local risk registers and associated mitigation plans will require regular review and update by their owners in accordance with the Risk Management Framework and Guidelines.
      • 4. Emerging risk issues will be incorporated into the local risk register as they are identified and applicable to the local operating environment. Any new high-risk issue must be reported to the Risk Management Group.
      • 5. If an identified high risk is reported and approved by the Risk Management Group, an appropriate mitigation plan must be implemented as described in the University’s Risk Appetite Statement.
      • 6. Local risk registers must be endorsed by the relevant Senior Executive or Executive Dean prior to being forwarded to the Manager, Business Assurance for implementation into the University’s Risk Register.

    8. Risk Registers for Commercial Activities, Major Projects & Additional
    Activities

      • 1. Risk registers will be maintained for new Commercial Activities and Major Projects (as defined by this policy). This requirement will be extended to additional activities that are identified as having a high-level risk on the operations of the University for example legislative and regulatory changes or National policy directives such as those relating, but not limited to, Foreign Arrangements, Foreign Interference, Whistleblower Protections, Fraud and Corruption and Modern Slavery.
      • 2. Risk registers for these activities and projects may be required for reporting to governance bodies as requested by Senior Executive of the University.

    9. Roles & Responsibilities

The University Council, Risk, Audit & Compliance Committee and the Vice-Chancellor have ultimate responsibility for ensuring risks are appropriately managed within the University and are in line with strategic objectives. Detailed roles and responsibilities are outlined below:

University Council

      • 1. The University Council and its Committees have responsibility under the University of Wollongong Act 1989 for overseeing risk management and risk assessment activities across the University.
      • 2. The University Council, via the Risk, Audit & Compliance Committee, is responsible for endorsing the University’s Risk Management Policy, Risk Management Framework and Guidelines and Risk Appetite Statement.

Vice-Chancellor & Principal

      • 1. The Vice-Chancellor & Principal is responsible for:

        a. Ensuring a risk management system is established, implemented and maintained in accordance with this policy in any designated functional area or activity;

        b. Ensuring systems are in place so that risk owners are held responsible for implementing, monitoring and reporting risks that are within their area of responsibility;

        c. Providing leadership on the University’s risk appetite and acceptable risk exposure.

      • 2. Assignment of responsibilities in relation to risk management is the prerogative of the Vice Chancellor & Principal.

Risk, Audit & Compliance Committee (RACC)

      • 1. The Risk, Audit & Compliance Committee is responsible for:

        a. The oversight of the processes for the identification and assessment of the general risk spectrum, reviewing the outcomes of risk management processes and monitoring emerging risks based on changes in the internal and external environment;

        b. Overseeing risk reporting in all areas of University operations; and

        c. Informing University Council of the adequacy and effectiveness of the University’s risk management processes and internal control system as advised.

Senior Executives & Executive Deans

      • 1. Senior Executives and Executive Deans are accountable for risk management within their respective areas of responsibility, inclusive of ensuring operational managers and their teams apply the risk management requirements through policies, processes and work practices. They are responsible for:

        a. Championing a risk management culture and supporting the enhancement of risk management practices across the University;

        b. Developing and reviewing, in conjunction with the Vice-Chancellor, the University’s risk appetite;

        c. The formal identification of risks that may impact upon the University’s objectives;

        d. Allocation of priorities and allocation of resources;

        e. The provision of risk management guidance to their stakeholders;

        f. Oversight of local risk, and/or activity registers;

        g. Monitoring the adequacy of controls and mitigation plans; and

        h. Overseeing the management of risks that have been escalated from within their respective areas of responsibility, including any controls to mitigate adverse impacts or maximise opportunities as described in the University’s risk appetite statement.

Directors, Faculty Executive Managers, Directors of Research Institutes and Project Managers

      • 1. Directors, Faculty Executive Managers, Directors of Research Institutes and Project Managers are, within their respective areas of responsibility, responsible for:

        a. Implementation of this policy;

        b. Managing risks (including identifying, assessing, monitoring and reviewing, communicating and reporting) that may impact on objectives;

        c. Ensuring a local risk register is developed and regularly reviewed and maintained;

        d. Maintaining effective internal controls;

        e. The development and implementation of appropriate and effective mitigation plans;

        f. Regular reporting of risks and progress of mitigation plans; and

        g. Reporting to their Senior Executive or Executive Dean any new high-risk issues as soon as practicable after the risk has been identified.

        h. Reporting any new and emerging risks in their area through the Risk Management Group

        i. Ensuring medium and high residual risks for Commercial Activities, Major Projects and any other specifically identified activities as requested, are registered and managed and used to inform their local risk register.

Director Business Improvement & Assurance Division, in conjunction with the Manager, Business Assurance

      • 1. The Director, Business Improvement and Assurance Division and Manager, Business Assurance are responsible for:

        a. Facilitating development and implementation, through the Risk, Audit & Compliance Committee, of the University’s risk management approach and associated policies, framework and guidelines;

        b. Ensuring the review and continuous improvement of the University’s risk management framework;

        c. Maintaining the University’s Organisational Risk Register;

        d. Training and facilitation of University staff in relation to risk management practice;

        e. Reporting on risk data to the Vice-Chancellor’s Advisory Group, and University Council via the Risk, Audit & Compliance Committee; and

        f. Evaluating, through the University’s internal audit function, the design adequacy and operating effectiveness of controls in place to mitigate the risks associated with key University activities.

All Staff

      • 1. Every staff member of the University is responsible for the effective management of risks including the identification and reporting of new and emerging risks.
      • 2. Every staff member is responsible for participating, when required in training and workshops inr elation to risk management practice provided by the University to ensure staff:

        a. Are risk aware, promote a risk aware culture and understand the methodology and approach to identifying, assessing and managing risks in day-to-day decision making and business planning;

        b. Understand and adhere to the reporting processes within the University’s governance framework in relation to risk management.

    10. Version Control & Change History

Version Control

Date Effective

Approved By

Amendment

1

15 April 2005

University Council

First version

2

6 May 2009

Vice-Principal (Administration)

Migrated to UOW Policy Template as per Policy Directory Refresh

3

9 March 2010

Vice-Principal (Administration)

Future review date identified in accordance with Standard on UOW Policy

4

26 August 2010

Vice-Principal (Administration)

Updated to reflect divisional name change from Personnel Services to Human Resources Division

5

3 September

2012

Vice-Chancellor

Updated to reflect conformance with the spirit of the International Risk Management Standard ISO 31000

6

4 March 2013

Vice-Principal

(Administration)

Updated to reflect title change from Associate Director Financial Services to Director Financial Operations

7

22 August 2014

University Council

Complete review due to review of risk management framework

8

1 December 2015

Vice-Chancellor

Clarification of requirements related to Major Projects and Commercial Activities and update of titles and responsibilities

9

11 December 2019

Vice-Chancellor

Update of policy in line with current standard and practice

10

17 March 2021

Vice-Chancellor

Update to include references to Foreign Relations, Modern Slavery and Fraud and Corruption.

Here to Help

Need a hand? Contact the Governance & Policy Unit for advice and assistance on policy issues.

 

Academic Policy UpdateRead: AQS Newsletter