POLICY NO: C-24.1
DATE: 4 May 1998, Resolution 98/3/40
AMENDMENTS: 1 August 2001
December 2010 Council Resolution 2010/7/9
REFERENCE AUTHORITY: Vice Chancellor
CROSS REFERENCES: University of South Australia Act 1990; Guidelines for Managing Business Risks; ISTS Guidelines for Risk Management; Legislative Compliance System; Strategic Crisis Management Framework
Risk is inherent in all our activities, and we continuously manage risks. Formal and systematic approaches to managing risk have been implemented and continuously improved in the University over a number of years. Risk management is regarded by the University as sound business practice, which enhances decision-making, performance and accountability.
This version of the policy has been updated to reflect a recently released International Standard on Risk Management, and incorporates recent improvements in the University’s risk framework.
This policy should be read in conjunction with the Guidelines for Managing Business Risks. Further information is available from the Director: Assurance Services.
The University will maintain a framework and supporting procedures that provide it with a systematic view of the risks it faces in the course of its activities. Where appropriate, these procedures will be consistent with the International Risk Management Standard ISO 31000.
Risk: The effect of uncertainty on objectives
Risk management: Coordinated activities to direct and control an organisation with regard to risk
For risk management to be effective, the University at all levels should comply with the following principles:
Everyone in the University is responsible for the effective management of risk. All staff are responsible for identifying and communicating potential risks. Management is responsible for engaging their staff in risk management processes, and for developing and implementing risk management action plans. Risk management processes should be integrated with other planning processes and management activities.
The Vice Chancellor is responsible for ensuring that a risk management framework is established, implemented and maintained in accordance with this policy. Assignment of responsibilities in relation to risk management is the prerogative of the Vice Chancellor.
Under the provisions of the University of South Australia Act, Council has as one of its primary responsibilities “overseeing and monitoring the assessment and management of risk across the University, including commercial undertakings”. The Audit and Risk Management Committee (ARMC) assists Council in exercising due care, diligence and skill in discharging oversight and monitoring responsibilities. The ARMC will report to Council on the implementation of this policy and related framework, and the outcome of any external or internal reports received on risks and the effectiveness of risk management.
The Director: Assurance Services will be responsible to the ARMC and the Vice Chancellor for the maintenance and continuous improvement of the risk management framework, including maintenance and appropriate distribution of the Guidelines for Managing Business Risks.
Senior Managers are responsible for ensuring that this policy and the related framework are effectively implemented and a risk management culture is embedded in the division/portfolio through demonstrating appropriate risk leadership, and engagement of management and other staff in risk management process and communications.
Senior Managers listed in the Guidelines for Managing Business Risk are responsible for maintaining a risk register for their area of responsibility.
Directors of Recognised Research Institutes, Directors of Units and Heads of School are responsible for ensuring that this policy is effectively implemented and a risk management culture is embedded in their areas of responsibility through demonstrating appropriate risk leadership and the engagement of management and other staff in risk management process and communications.
Directors of Recognised Research Institutes and Directors of Units listed in the Guidelines for Managing Business Risk are responsible for maintaining a risk register in their area of responsibility.
The principles described previously include the notion that risk management is integral to all processes. Accordingly, this policy document cannot describe all instances and applications of risk management in the University. What it seeks to do is to describe key aspects of the risk management framework within UniSA.
Risk registers contain an overview of the significant business risks facing each level or organisational unit, and facilitate structured management, communication and overview of the relevant risks. Risk registers are the primary evidence of a robust risk culture, and as such should be the outcome of a sound approach. They are also the primary source of information on risk, and should be integrated (conceptually if not physically) in strategic planning and budgeting processes.
Risk registers are required for Divisions, Units, stand-alone Recognised Research Institutes and other entities as specified in the Guidelines for Managing Business Risk. All “high” and “high+” risks from these risk registers must be communicated to the ARMC. At least once a year, a University-wide risk register will be provided to Council by the Vice Chancellor.
There is a requirement that all projects undertaken in the University will incorporate a systematic risk management approach, noting the following principles:
Given the wide range of Commonwealth and State legislation that impacts on University operations, the Legislative Compliance System has been developed to provide a systematic approach to the assessment of our exposures and the continuous improvement of our compliance efforts.
The system requires regular input from identified Responsible Officers, as well as a range of managers across the University to assist in the identification of risk exposures and appropriate treatments. Where appropriate, this will be coordinated through the risk register update process.
The Legislative Compliance System outlines reporting requirements for Responsible Officers through to the ARMC.
Legislation and regulation relating to Occupational Health, Safety and Welfare (OHSW) requires a high level of activity, management, monitoring and reporting at all levels. While OHSW broadly forms part of the legislative compliance framework, it also has its own policy and guidelines framework.
The University is exposed to risks through its association and engagement with a range of other entities in which it has an ownership interest, or to which it may be seen as closely related. Council has previously approved a process for the identification and communication of these risks through the ARMC.
The ability to react effectively at an operational and strategic level to crisis events forms a subset of the University’s risk management framework. The University’s approach is outlined in the Crisis Management Framework. It incorporates emergency response, strategic response, disaster recovery, and business continuity planning.
The framework includes annual reporting to Council to ensure oversight and monitoring of the continuous improvement of the University’s crisis management capability.
From time to time, processes will be introduced to enhance the University’s understanding of particular risk exposures and the effectiveness of their management. An example of this is Fraud Risk. Fraud was previously the subject of a self-assessment and awareness-raising workshop activity.
The University has adopted a standard methodology consistent with the International Risk Management Standard ISO 31000 for identifying, analysing and evaluating risks. The standard methodology will be applied in the preparation of all risk registers. This methodology assesses the consequences and likelihood of each risk event. The standard methodology is documented in the Guidelines for Managing Business Risks, which will be available to all staff. While use of this standard methodology is encouraged for measurement where possible, different components of the risk management framework will adopt different approaches. Risk measurement approaches must be relevant to the scope and purposes of the risk management issue which is being addressed.
The Audit and Risk Management Committee will provide Council with an annual report on the performance of the framework as a basis for improvement. This may form part of a broader report on the system of internal control. On a five-year cycle, the Vice Chancellor shall arrange for a review of the policy and its supporting framework.