Risk Management Plan

Section 1 - Purpose

(1) The University of Canberra (University) is committed to effective and efficient identification, treatment and monitoring of risks that may affect the achievement of the University’s strategic and business objectives. The Audit and Risk Management Committee (ARMC) and Council oversee the implementation and operation of risk management at the University.

(2) The University pursues an effective risk management philosophy and culture through a governance framework that integrates its risk management activities with its Strategic Plan and supporting business and operational plans.

(3) The objectives of the University’s Risk Management Plan (Plan) are to:

  1. provide a detailed guide to support the implementation of risk management at the University;
  2. outline the risk management process to be followed by all members of the University, including controlled entities and contractors, where applicable;
  3. minimise the University’s exposure to significant risks through the identification, assessment, management and reporting of risk; and
  4. enhance the University’s ability to capitalise on opportunities through risk management and overall performance improvement.
Section 2 - Scope

(4) The Plan establishes the processes for risk management across the University. This Plan applies to the University Group (i.e. all members of the University, including controlled entities), unless otherwise agreed by the governing board and the Vice-Chancellor.

(5) The risk management process is designed to ensure that risk management decisions are based on a robust approach, assessments are conducted in a consistent manner, and a common language is used and understood across the University.

(6) This Plan is consistent with the Australian and New Zealand Risk Management Standard, ISO 31000:2018 Risk Management – Guidelines.

Section 3 - Procedure

(7) The risk management process consists of the following:

  1. communication and consultation with relevant stakeholders;
  2. defining the scope of the process and understanding the external and internal context;
  3. risk assessment which includes the process for identifying, analysing and evaluating risks;
  4. treating the identified risks;
  5. monitoring and review, which includes determining whether the risk profile has changed and whether new risks have emerged, and checking control effectiveness and the progress of treatment plans; and
  6. recording and reporting to relevant stakeholders.

(8) Supporting tools and templates are available to assist in applying the risk management process.

(9) Risk assessments should be undertaken to assess:

  1. strategic risks – risks specific to the ongoing operations of the University which may impact the achievement of the Strategic Plan and its objectives;
  2. operational risks – risks specific to a single business unit, faculty, research institute or controlled entity; and
  3. project risks – risks related to specific projects, including contracts, capital works, events, procurements, partnerships and business ventures.

(10) A risk assessment may be undertaken at any time for any University activity. However, a risk assessment should always be undertaken in any of the following circumstances:

  1. where required by a regulatory body, University policy or procedure (e.g. Work Health and Safety Act 2011, international travel, field trips);
  2. at the commencement of any major project relevant to the University – a major project is defined as having a total value greater than $200,000, or where there is a risk that would have a potential consequence rating of moderate or above (refer to the University Risk Matrix for consequence ratings);
  3. to support decision-making, such as in determining the feasibility of a project or in supporting the requirement for additional resources or new equipment;
  4. prior to significant new initiatives being commenced by faculties, business units or controlled entities;
  5. prior to undertaking any significant new commercial activity, joint venture or partnership arrangement;
  6. as part of a significant procurement activity; or
  7. prior to the commencement of any activity where serious injury, significant property loss or adverse media attention may result.

(11) A risk assessment for a project, procurement, contract and event can be applied across all phases of the lifecycle (i.e. from initial concept and definition through realisation to a final completion, decommissioning or disposal).

(12) It is important that a risk assessment is considered at the outset of an activity, as it may assist in understanding the feasibility of the project in light of the potential risks involved and, ultimately, whether or not to proceed.

(13) A risk assessment can also be used to assist in determining the best option where alternative options or solutions are available.

(14) During the design and development phase of a project/activity, a risk assessment contributes to:

  1. defining the risk;
  2. ensuring risks are understood and tolerable;
  3. informing decision making processes;
  4. cost-effectiveness studies; and
  5. identifying risks impacting on subsequent life-cycle phases.

(15) As the activity proceeds, risk assessment can be used to provide information to assist in developing procedures for normal and emergency conditions.

Note: the University has specific policies and procedures for conducting risk assessments relating to work health and safety practices and international travel. Refer to the Policy Database for further details.

Developing a Risk Register

(16) The development of a risk register involves risk identification and assessment where major strategic and operational risks, and potential sources of risks, are considered and identified.

(17) The University applies a five-point risk assessment scale to determine the seriousness of the resulting consequence if the risk does occur, and how likely it is that any given risk will occur with that consequence. These two assessments are then brought together in a two-dimensional matrix, and their intersection determines the rating of each assessed risk as Low, Medium, High or Extreme (Risk Matrix).

(18) In practice, risks are assessed on both a current and a residual basis.

(19) The current assessment considers the risk rating taking into account current controls that have been implemented.

(20) The residual assessment considers the risk rating taking into account the impact of any further controls and treatment strategies which will be implemented to mitigate the risk's consequence and/or likelihood.

Assessing the Risk Profile

(21) Each operating area within the University is required to develop a risk register identifying all risks that may impact on organisational activities and outcomes across the range of activities and processes undertaken. These risks are then assessed against the Risk Matrix, and current and potential treatment and control actions and options are reviewed. A residual risk rating is then applied, taking into consideration the current risk rating and the related current treatment and control action(s).

(22) Operational risk registers are then aggregated to develop a University-wide risk profile.

Developing Risk Treatment Action Plans and Risk Summary Reports

(23) Executive Deans/Directors/Senior Managers/Managers must report on all risks currently rated as Extreme or High due to the potential impact on business activities that may result should these risks eventuate.

(24) This is done using risk treatment action plans and risk summary reports. The risk treatment action plans must include the risk reference number, detail of the risk, treatment/control measures and implementation progress of treatment/control measures. Risk treatment action plans must also indicate whether it is considered that Executive intervention is required.

(25) The risk treatment action plans are analysed and summarised into risk summary reports. The Extreme and High level risks set out in these risk summary reports are presented to the Audit and Risk Management Committee (ARMC) (or relevant Boards for controlled entities) for monitoring and any further action, if required.

Risk Assessment – Business Planning Cycle

(26) Operational and strategic level risk assessments should be undertaken as part of the University’s business planning process. These plans include the University’s Strategic Plan and operational plans. A risk assessment, including the review of existing risk registers, should be undertaken to support this process.

Approval, Maintenance and Review

(27) All operational risk registers should be submitted to the Risk and Audit team at risk.management@canberra.edu.au to monitor the level of acceptable risk and the extent to which risks are being managed appropriately.

(28) All risk registers must be finalised and formally approved by the appropriate level of authority when developed and on completion of the formal review process.

(29) All risk management documentation is to be recorded, stored and maintained in an appropriate manner and location. A current copy of strategic and operational level risk registers is to be held with the Risk and Audit team.

(30) The level of approving authority and frequency for review is detailed in the following table:

Level | Approving Authority | Frequency
Strategic | Vice-Chancellor and Strategy and Planning Group (the latter for noting) | Bi-annual reviews (i.e. every six months), or more frequently as part of strategic planning or at a major environmental change
Operational | Portfolio Head, Executive Dean or Director | Bi-annual reviews (i.e. every six months), or more frequently as part of business planning or at a major environmental change
Project/Event | Project Manager or Project Steering Committee | At key milestones, or more regularly as required by project requirements

(31) Risk assessments and reviews should be conducted to align with development of plans (e.g. strategic, operational and project plans) and budgeting cycles where practicable.

(32) A risk register review will entail assessing the state of each risk and updating the register to reflect the current status of the existing controls and further treatment actions to be undertaken.

(33) Reviews of the risk ratings based on any changes should also be considered. It is important that a review of the risk assessment be conducted when there is a change in context, as it may affect an existing risk or cause new risks to emerge.

(34) Risk owners will have accountability for managing the risk and ensuring any associated risk treatment plans are implemented accordingly.

Reporting

(35) Risk register reporting allows management to monitor and review risks. Risk reports draw information from the risk registers and, depending upon the requirements, may include:

  1. a demonstration of the link between objectives and risks;
  2. priorities, based on the risk rating, accompanied by information on key controls and treatments needed to modify the risk;
  3. risks that are getting worse, success of treatment plans and risks that require additional attention;
  4. new risks that may still need to be fully considered and understood;
  5. potential areas that require urgent attention;
  6. main areas of exposure;
  7. systemic control analysis;
  8. untreated risks and risk treatments that are overdue; and
  9. risk owners.

(36) The Annual Internal Audit Plan will be developed in part on the basis of the Strategic Risk Register and operational unit risk registers with a view to testing and validating the risk registers and plans to ensure that treatments and controls are adequate.

Section 4 - Conclusion

(37) The University takes its responsibility to students, staff, partners, affiliates and the wider community seriously. To this end, its approach to managing risks to its operations can be seen to have three key focuses:

  1. A risk management platform of defined guidelines and accountabilities supported by risk management tools and templates;
  2. A business practice approach to risk management, embedded into all levels including business, project and resource planning and reporting; and
  3. Continuous identification and management of risks, supported by regular ongoing review and monitoring.

(38) This Plan, in conjunction with the University's Resilience Management Framework, is one of the key governance measures designed to ensure that risks are properly identified, assessed and managed. In practice, the Resilience Management Framework and this Plan must be maintained as living documents, developing and evolving to reflect changing internal and external environments, and responding to new and previously unanticipated risks to the quality and effectiveness of the University's work.

(39) It is expected that all staff will know, understand and support their defined role in the management of risks and in the development and application of this Plan.

(40) The Director, Risk and Audit is responsible for the promulgation and implementation of this Procedure. Enquiries about the above process should be directed to the implementation officer by emailing risk.management@canberra.edu.au.