Resilience Management Framework

Section 1 - Purpose

(1) The University of Canberra (University) regards effective risk and resilience management as an integral component of the University’s efficient operations. Therefore, the University has adopted a consistent and structured approach to identify, assess and manage significant risks and to ensure efficient and effective utilisation of resources, informed decision-making and organisational resilience. The purpose of this Resilience Management Framework (Framework) is to:

  1. provide the foundation to effectively manage risks involved in all University activities to an acceptable level;
  2. ensure risk management processes are embedded consistently across all areas of the organisation;
  3. contribute to strengthening management practices, while protecting our community’s interest, and maintaining trust and confidence;
  4. provide assurance to stakeholders that the University is prepared and able to effectively manage a major or critical incident; and
  5. enable the University to embed a systematic and pro-active approach to risk as part of overall University governance.

Policy Statement

(2) The Vice-Chancellor and Council are committed to the implementation and maintenance of a formal resilience management system, including the integration of risk management, throughout all levels of the University. This is fundamental to achieving the University’s strategic and operational objectives, whilst protecting and enhancing the University’s reputation.

(3) In its application of this Framework, the University is committed to:

  1. achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;
  2. the allocation of appropriate resources for the achievement of University business objectives and effective resilience management;
  3. behaving as a responsible and ethical organisation, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
  4. communicating and collaborating with key stakeholders, and providing appropriate training, to enable implementation of policies and procedures;
  5. deciding the criteria for accepting risks and the acceptable levels of risk;
  6. establishing the right balance between the cost of control and the risks it is willing to accept as part of the environment within which the University operates;
  7. the promotion of excellence in regard to business management processes, record keeping, performance improvement and monitoring;
  8. protecting and enhancing the University’s reputation;
  9. ensuring privacy and confidentiality in accordance with legislative requirements and University policy; and
  10. conducting management reviews and audits of elements of the Framework.

(4) The University considers risk management, business continuity, critical incident management, emergency management, disaster recovery, fraud control and health, safety and wellbeing management as crucial components of its Resilience Management Framework.

(5) This Framework applies to the University Group (i.e. all members of the University and controlled entities), unless otherwise agreed. Resilience management is a whole-of-University activity and as such, it is the responsibility of all members of the University community to contribute to the identification, management and reporting of risks. The University is committed to embedding this Framework into its organisational culture, governance and accountability arrangements, planning and reporting and improvement processes.

Section 2 - Scope

(6) The University’s approach to resilience management is based on a holistic, organisation-wide model in order to achieve effective governance and assurance. This Framework describes the arrangements of this model, including:

  1. details of the main components of the resilience management framework;
  2. an outline of the principles of risk management which should be applied across the University community;
  3. an overview of the roles and responsibilities for managing risk; and
  4. details of internal and external communication and reporting mechanisms.

(7) The Framework recognises that resilience management is an integral part of all University processes. It is embedded in all elements of the University’s core business, and is not a standalone activity.

(8) The Framework also identifies five key components that are critical to the successful implementation of resilience management at the University. These are:

  1. risk management;
  2. business continuity management;
  3. critical incident management;
  4. emergency management;
  5. IT disaster recovery;
  6. fraud and corruption control; and
  7. health and safety.

(9) Each of the key components listed above is supported by corresponding plans, which underpin this Framework and its embedded policy. These plans describe the processes and arrangements to be used to manage the University’s key risks.

Section 3 - Principles

Risk Management

(10) All organisations face a variety of risks, either from internal or external sources (which may be largely out of the immediate control of the organisation). Risks arise both at the strategic (organisation-wide) level and at the operational (business process) level. The University will maintain processes and procedures to provide a systematic view of the risk faced in the course of its academic, administrative and business activities.

(11) The University’s Risk Management Plan supports this Framework, detailing the processes and procedures, consistent with Australian and New Zealand Standard AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.

(12) The processes described in the Risk Management Plan are to be applied in all the University’s activities to ensure that risks associated with the University’s strategic and operational objectives are identified and effectively integrated with the University’s annual planning processes. Reviews of controls and mitigating strategies that link with University planning objectives will be detailed in the University’s strategic and operational risk registers.

(13) The administration of the risk management program component of this Framework is the responsibility of the Director, Risk and Audit.

Business Continuity Management

(14) The University will develop arrangements to prepare staff should a major unplanned and disruptive event occur which impacts the University’s operations. These arrangements will be consistent with the Australian and New Zealand Standard AS/NZS 5050:2010 Business continuity – Managing Disruption-related Risk, and will be documented in the University’s Strategic Business Continuity Plan (BCP) and supporting operational BCPs.

(15) The business continuity plans will enable key management staff to plan and manage both the immediate and longer-term consequence of incidents that impact on the University’s operations.

(16) The administration of the business continuity management component of this Framework is the responsibility of the Director, Risk and Audit.

Critical Incident Management

(17) A critical incident is any situation that affects University staff or students, or the University’s operations, environment, viability and/or reputation.

(18) The University will maintain a Critical Incident Management Team (CIMT) to control the University's response and provide executive decisions and strategic directions in relation to planning for and responding to critical incidents. This response will be in accordance with the procedures incorporated in the University's Business Continuity Plan and Critical Incident Management Team Plan.

(19) The University will develop arrangements and provide training to prepare staff to manage critical incidents should they occur, including critical student related incidents.

(20) The administration of the critical incident management component of this Framework is the responsibility of the Director, Risk and Audit.

Emergency management

(21) The University will develop and implement systems and processes for appropriate, effective and speedy responses to, and management of, emergency situations.

(22) These systems and processes form part of the University’s emergency management system and will be developed in line with Australian Standard AS 3745-2010 – Planning for emergencies in facilities; Building Fire Safety Regulations 2008, and Work Health and Safety Act 2011 (ACT).

(23) The University will aim for best practice in incident management responses and procedures, which will be documented in the University’s Emergency Management Response Plan.

(24) The administration of the emergency management component of this Framework is the responsibility of the Chief People Officer.

IT Disaster Recovery

(25) The University will develop a documented process to recover and protect the University’s IT infrastructure and business systems in the event of an incident.

(26) The IT Disaster Recovery Plan (DRP) will be a comprehensive statement of consistent actions that are to be undertaken before, during and after an event. These arrangements will be consistent with AS/NZS 5050:2010 Business continuity – Managing disruption-related risk.

(27) The primary objective of the IT DRP is to minimise the effects on the University including downtime and data loss, in the event that all or part of its operations and/or computer services are rendered unusable. The IT DRP will align with the University’s business continuity arrangements.

(28) The administration of the IT disaster recovery component of this Framework is the responsibility of the Director, Digital Information and Technology Management reporting through the Chief Operating Officer and Vice-President Operations.

Fraud and Corruption Control

(29) The University will implement fraud and corruption preventative and detective processes to reduce the University’s exposure and vulnerability to fraudulent activity.

(30) These processes will be documented in the University’s Fraud and Corruption Control Plan and will align with Australian Standard 8001-2021 Fraud and Corruption Control Standards. To support this Plan, a fraud risk assessment of the University’s operating environment will be conducted and documented in a fraud risk register. Control measures and treatment strategies will also be documented and reviewed periodically.

(31) The administration of the fraud and corruption control component of this Framework is the responsibility of the General Counsel.

Health and Safety

(32) The University recognises health and safety as a critical component of the Resilience Management Framework, the requirements for which are managed under the University’s Work Health and Safety Policy and administered by the Chief People Officer.

(33) The Work Health and Safety Policy has been developed in line with the Work Health and Safety Act 2011 and associated regulations.

(34) This Framework does not specify arrangements for the management of health and safety risks, as these are documented in the Work Health and Safety Policy, issued by the Chief People Officer.

Section 4 - Responsibilities

(35) This Framework identifies four levels of key resilience management arrangements at the University:

  1. Council has the overall fiduciary accountability to establish and maintain an appropriate Resilience Management Framework, with support and advice provided by the Audit and Risk Management Committee (ARMC).
  2. Vice-Chancellor and the Strategy and Planning Group (SPG) are accountable to the ARMC and Council for implementation of the Framework.
  3. Senior Management is responsible for developing and administering programs and systems to address key components of the Framework.
  4. All management and staff, and wider University community, have a responsibility to be “risk aware”. They are required to comply with risk management processes and practices, cooperate with designated University risk management specialists, and identify, assess, manage and report risks and opportunities in day-to-day processes.

(36) The responsibilities for resilience management within the University are defined as follows:

Council
  • Oversees monitoring of the assessment and management of risk across the University.
Audit and Risk Management Committee
  • Advises Council on:
    • the adequacy and effectiveness of the University’s control environment, including the implementation of the University’s resilience management framework; and
    • major risks which may impact on the operation or reputation of the University and associated risk management activities (including fraud incidents).
  • Reviews, evaluates, approves and monitors, on the delegated authority of Council:
    • the University’s Resilience Management Framework and its implementation; and
    • the University’s insurance program and liability protection portfolio.
Vice-Chancellor
  • Endorses the University’s Resilience Management Framework.
  • Approves plans and procedures relating to risk management, business continuity, incident management, fraud and corruption prevention and IT disaster recovery.
  • Is responsible for ensuring that risk management activities are carried out effectively within the University in accordance with the Framework.
  • Reviews, updates and approves the Strategic Risk Register, for presentation to the ARMC.
Strategy and Planning Group (SPG)
  • Provides advice to the Vice-Chancellor on:
    • the University’s Resilience Management Framework;
    • the plans and procedures relating to risk management, business continuity, incident management, fraud and corruption prevention and IT disaster recovery;
    • the Strategic Risk Register, for presentation to the ARMC; and
    • the University Risk Profile.
Senior Management Group (Executive/Deans/Directors)
  • Integrates risk management principles in business and project planning.
  • Assesses and monitors risk exposures regularly.
  • Reviews, updates and approves operational risk registers, twice yearly.
  • Implements effective risk treatment actions and monitors the effectiveness of control measures.
  • Reports twice yearly on operational risks to the ARMC, via the Director, Risk and Audit.
  • Draws any new Extreme or High risks to the ARMC’s attention immediately, via the VPGD.
  • Reports project or other risks to the ARMC as appropriate or as requested.
  • Develops knowledge and skills in risk concepts and promotes risk management awareness to enhance efficiency, effectiveness, responsiveness and integrity.
  • Maintains and coordinates the implementation of operational BCPs.
Critical Incident Management Team (CIMT)
  • Controls the University's response and provides executive decisions and strategic directions in relation to planning for and responding to critical incidents.
Risk and Audit, Office of the General Counsel
  • Maintains and coordinates the implementation of the University’s Resilience Management Framework and supporting plans, including the Fraud and Corruption Control Plan, the Risk Management Plan, the University Strategic BCP and the Critical Incident Management Team Plan.
  • Collates and maintains the University’s Strategic Risk Register.
  • Actively promotes the integration of risk concepts across the University at both strategic and operational levels.
  • Provides advice and support for risk management activities and processes as required.
  • Coordinates reporting to the ARMC on risk registers.
Chief Operating Officer and Vice-President Operations
  • Maintains and coordinates the implementation of allocated components of the University’s Resilience Management Framework and supporting plans, including operational BCPs and the IT DRP.
Chief People Officer
  • Maintains and coordinates the implementation of allocated components of the University's Resilience Management Framework and supporting plans, including Health and Safety policies and procedures and the Emergency Management Response Plan.
Managers and Supervisors
  • Contribute to risk management activities in their business unit.
  • Develop knowledge and skills in risk concepts and promote risk management awareness to enhance efficiency, effectiveness, responsiveness and integrity.
  • Prepare risk assessments as required.
  • Assess and monitor risk exposures regularly.
  • Report any new risks to senior management’s attention as soon as possible.
All staff
  • Identify, analyse and evaluate risk exposures (including current and potential risks) in work areas.
  • Report risk exposures to Managers and Supervisors immediately and, where applicable, discuss and implement treatment strategies to reduce the risk(s) to an acceptable level.
  • Develop and apply knowledge and skills in risk concepts.
  • Act in accordance with the University’s Code of Ethics.
  • Follow the University’s procedures in regard to incident reporting, including injury, damage and loss.

Reporting Compliance

(37) Under the Tertiary Education Quality and Standards Agency Act 2011, the University is required to meet obligations for registered higher education providers in order to retain its accreditation.

(38) Furthermore, the University must report on its risk management and internal audit policies and practices in annual reports. The University is required to confirm that it understands, manages and controls key risk exposures and that a responsible body or audit committee verifies the University’s arrangements.

Monitoring and Reporting of Risk Management

(39) The University is expected to report on risk management performance to the Council and Audit and Risk Management Committee. Regular monitoring and review must be a planned part of the risk management process to ensure that:

  1. supporting plans have been developed, endorsed and implemented as required under this Framework;
  2. staff are aware of their roles and responsibilities in respect to resilience management;
  3. controls are effective and efficient in design and operation;
  4. lessons are learned from events, changes, trends, successes and failures;
  5. changes in the external and internal context, including the risk criteria, are detected and revised; and
  6. emerging risks are identified and managed accordingly.

(40) Where a risk is identified, or changes, between nominated review dates and requires immediate review, the risk should be addressed immediately and reported to the appropriate Manager.

(41) Systems for reporting and investigating incidents are fundamental to the management of disruptive events and incidents. The University is committed to ensuring that appropriate and effective reporting and investigation processes exist and are followed accordingly.