Risk Management Handbook
CONTENTS
PART A: Introduction
PART D: Resources
13. Glossary
Page 1
PART A: INTRODUCTION
The University undertakes teaching, research and commercial activities across a diverse spectrum of disciplines, fields and environments. This diversity of activity creates an equally diverse and complex range of risks, as well as a wealth of opportunities, for the University. Understanding and managing the risks associated with these activities and environments, and making the most of new opportunities, is challenging and critical to preserving and protecting the University's reputation, resources and standing in the local, national and international context.
The University has a statutory obligation for risk that is set out in The University of Adelaide Act. In addition,
it recognises that risk management is an integral part of good governance and best management practice for
an organisation charged with responsibility for the advancement of learning and knowledge and university
education.
The University's Risk Management Framework connects the University's governance structure and the management structure so that the two work together to provide a combined commitment, set of expectations, and organisational and personal accountabilities and responsibilities.
The Council, the Audit Compliance and Risk Committee and the Vice-Chancellor and President have ultimate responsibility for risk within the University. From this highest level of governance and management, each of the Divisions, led by the Vice-Presidents, works with the Faculties, Schools and administrative areas so that risks are managed strategically and operationally. For the University's Controlled Entities, the Board and Senior Management of each entity take responsibility for managing their risks.
All activities of an organisation involve risk. Organisations manage risk by anticipating, understanding and deciding whether to modify it. Throughout this process they communicate and consult with stakeholders, and monitor and review the risk and the controls that are modifying the risk.
The University has adopted the principles of risk management as set out in the International Risk Management Standard AS/NZS ISO 31000:2009 Risk Management - Principles and guidelines.
The Risk Policy formally affirms the University's strategic commitment to building a risk management culture in which risks and opportunities are identified and managed effectively. The University recognises that, in pursuing its strategic objectives, measured risk-taking is both acceptable and appropriate.
The Risk Management Handbook provides details on the principles and processes identified in the Policy.
The Handbook includes resources which have been designed to assist with the risk management process
and to encourage a consistent and comprehensive language and approach to managing risk across the
whole University.
Throughout this handbook any reference to The University means and includes the University itself, its
student body, all academic and professional staff, titleholders and contractors, and staff and employees of
controlled entities.
1.
The International Risk Management Standard AS/NZS ISO 31000:2009 (the Standard) provides the principles and guidelines for risk management. According to the Standard, the success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organisation at all levels. Within the Standard the expressions "risk management" and "managing risks" are both used. In general terms:
- risk management refers collectively to the principles, framework and process for managing risks effectively, and
- managing risks refers to the application of these principles, framework and process to particular risks.
The University adopts the principles of risk management as set out in the Standard and actively works
towards complying with these principles to ensure that risk management is effective.
Principles of Risk Management. Risk management:
- creates and protects value
- is an integral part of all organisational processes
- is part of decision making
- explicitly addresses uncertainty
- is systematic, structured and timely
- is based on the best available information
- is tailored for the internal and external context
- takes human and cultural factors into account
- is transparent and inclusive
- is dynamic, iterative and responsive to change
- facilitates continual improvement of the organisation
2.
Organisations of all kinds face challenging natural, political, socio-economic and cultural influences that make their operating environments uncertain. These influences may impact on the extent to which objectives can be met. The University is not immune from risks and is required by statute to manage risk.
The effect this uncertainty has on the organisation's objectives is known as risk.
Risk management refers to the coordinated activities that an organisation takes to direct and control risk.
Risk management can be value enhancing or value protecting or both. The actions, processes and controls put into place to manage risks that affect the achievement of the University's strategy are value enhancing; that is, they increase the potential for achieving strategic outcomes that add value to the University. The actions, processes and controls put into place to manage risks that have a negative consequence are value protecting; that is, they protect the value of the University by preventing or minimising the impact of negative events.
The University is committed to effective and efficient planning, thinking and decision-making. Risk
management helps organisations become more efficient and effective by improving forward planning and
critical thinking, and enabling better-informed decision making.
When the management of risk is effective it generally goes unnoticed. Conversely, when it is absent or fails, the impact is often highly visible and felt across the entire organisation rather than just at a school, branch or project level or by individual staff. The consequences may also be publicly embarrassing, politically damaging or compromising to the University in some material way.
For a University, brand and reputation are very important; damage to brand and reputation may be transient or long lasting and will almost certainly affect rankings, research funding, ratings, research partnerships, and public and political sentiment and support; it can impact student enrolments, staff morale and community engagement.
Adopting good risk management ensures that an organisation can undertake activities in the knowledge that
a) appropriate and adequate measures are in place to maximise the benefits, and
b) appropriate and adequate measures are in place to minimise the negative or unanticipated effects of any of the risks or opportunities that are presented in the course of achieving organisational objectives.
3.
A demonstrable risk management system incorporates:
- Risk profiles
- Risk assessments
- Treatment plans
- Results of monitoring & risk reviews
- Evidence of consultation & communication
- Good documentation / formal records
In order for risk management to become part of everyday practices, each person needs to recognise and
accept the role they play in identifying and managing risk within the University.
Understanding risk management in the University context: who is it relevant to and why?
The University context: why is risk management relevant?
- Executive Managers: responsible for organisation-wide, strategic & operational issues (sometimes wear both hats, local and executive manager).
- Local Managers (local areas): managing local business & operational issues.
- Staff: doing a job enabling the University to operate.
  o Academic staff: carry out the core functions of the University, i.e. learning & teaching and research.
  o Professional staff: support & enable the core functions of the University (through provision of support, services & resources).
Improve decision-making: applying a commonsense approach to risk management will help to better inform decision-making processes, improve forward planning, lead to more meaningful strategic & operational planning, and encourage critical thinking in formulating new initiatives, activities or relationships.
RISK MANAGEMENT ENHANCES:
- Good governance
- Brand & reputation of the University and of individual managers and decision makers
- Communication around risk issues and opportunities
- Reliability of decisions and of outcomes
- Decision-making
- Ability and confidence to take on new opportunities while clearly understanding the risks involved
REDUCES:
- Hasty, rash or poorly considered decisions
- Uncertainty around objectives
- Inconsistency in decision-making
- Procrastination due to uncertainty
- Adverse events or negative consequences; i.e. the unanticipated or unplanned
- Embarrassment or discredit from poor outcomes
Outcomes: sensible handling of problems; increased stakeholder confidence; improved accountability; measured risk taking; better informed decisions; efficient allocation of resources; opportunities maximised; everyone taking responsibility for risk.
- Risk Management Handbook: designed to be read in conjunction with the Policy and to guide, direct and assist everyone to better understand the principles of risk management and to adopt consistent processes for managing risks.
- University Risk Register (URR): principal repository for risks across the University and its Controlled Entities. The risk register enables areas to profile risks, monitor controls and prioritise treatment actions. The risk register also facilitates standardised reporting of risks within the approved University governance framework and reporting to external bodies such as government funders, regulators, auditors, accrediting bodies and ethics committees.
- University risk centre (i.e. the Legal & Risk Branch of the Division of Services and Resources): responsible for coordinating and facilitating the University's risk management program, including the regular monitoring and review of risks and formal reporting within the approved governance framework and, at any time requested, to the Vice-Chancellor & President.
- University Risk Management Committee (URMC): responsible for overall co-ordination of risk management within the University.
- Regular monitoring and review: on a regular and as-needs basis, to enable the University to confirm that risk management is relevant, effective, sustained and facilitates the achievement of its objectives.
- Formal reporting: the University is required to report to various internal and external bodies; to achieve this, the University needs to be informed and actively managing risks on a regular basis and in a timely manner. Formal risk reporting occurs via the University Risk Register or other approved formal report.
4.
Every person who engages in University activities is impacted in some way by risks, so every person has an active role in being risk aware. This involves identifying, assessing and managing risks and opportunities in day-to-day decision-making and planning, as well as understanding and adhering to the reporting process within the University's governance framework.
Certain people will be more active in the risk management process than others:
- all people who work for the University are encouraged to identify and report risks;
- senior staff and managers will help staff and students cooperate and comply with controls put into place by the University to mitigate certain risks;
- certain individuals within the University and within each of the Controlled Entities will monitor and review or formally report on risks; and
- others will carry out tasks, often in collaboration, to ensure that risks are treated or controlled.
Everyone is expected to work individually and collectively towards the active promotion of a positive risk
management culture within and across the University and its Controlled Entities.
All staff
- Comply with risk management processes and practices in accordance with this Policy and the Risk Management Handbook.
- Co-operate with designated University risk specialists (including but not limited to Legal and Risk Branch and the HSW Team in the Human Resources Branch).
- Report risks through the University Risk Register.
NB: Health, safety & welfare issues are assessed and recorded in accordance with the HSW Policy and Handbook. HSW-related risks will be reported through the University Risk Register by Human Resources where and when it is appropriate to do so.
Executive Deans
- Manage risks within the Faculty and Schools and other associated areas such as Research Institutes.
- Monitor and review compliance with the Risk Policy.
- Notify extreme risks to the Convenor of the University Risk Management Committee (for reporting through that Committee to the Vice-Chancellor and President).
- Update progress on risks as requested by the University Risk Management Committee and/or the Associate Director Risk Services.
- Report annually to the University Risk Management Committee on the Faculty's risk profile using the University Risk Register or other approved formal report.
Vice-Presidents
- Manage risks within the Divisions and Branches.
- Ensure that adequate resources are available to implement the Risk Policy and to monitor and review risks in accordance with the Risk Management Handbook.
- Notify extreme risks to the Convenor of the University Risk Management Committee (for reporting through that Committee to the Vice-Chancellor and President).
- Update progress on risks as required by the University Risk Management Committee and/or the Associate Director Risk Services.
- Report annually to the University Risk Management Committee on their Divisions' risk profiles using the University Risk Register or other approved formal report.
Vice-Chancellor & President
As the principal academic and chief executive officer of the University, the Vice-Chancellor and President is responsible for the academic standards, management and administration of the University, including risk (refer to The University of Adelaide Act 1971 Section 8 Powers of the Vice-Chancellor).
- Ensure that the principles and practices of risk are communicated to staff and embedded into strategic and operational practices and planning processes.
- Foster and encourage an environment where managing risk is accepted as the day-to-day responsibility of all individuals.
Staff and employees of Controlled Entities of the University are also responsible for adopting the principles of risk management as follows:
All staff & employees of Controlled Entities
- Comply with risk management processes and practices in accordance with this Policy and the Risk Management Handbook.
- Co-operate with designated University risk specialists (including but not limited to Legal and Risk Branch and the HSW Team in the Human Resources Branch).
- Report risks through the University Risk Register.
Chief Executives or General Managers of Controlled Entities
- Manage risks within the Controlled Entity.
- Implement the Risk Policy and monitor and review risks in accordance with the Risk Management Handbook.
- Notify extreme risks to the Convenor of the University Risk Management Committee (for reporting through that Committee to the Vice-Chancellor and President).
- Report annually to the Associate Director Risk Services (for reporting through to the University Standing Committees) and in a time and manner prescribed.
The responsibility for overseeing and monitoring the assessment and management of risk across the
University is ultimately held by the University Council but may be delegated to any of the Standing or
Management Committees to actively manage.
The University Risk Policy outlines these responsibilities as follows:
University Risk Management Committee
Under the Terms of Reference of the Committee's Charter, Sections 5.1.6 & 5.1.8, the Committee is to:
- Identify and monitor the exposure of the University and its subsidiaries to environmental, occupational health, welfare and safety risks and all other operational risks, including financial and business risks, and risks associated with litigation, conflicts of interest, fraud, theft and third-party liability (5.1.6), and
- Monitor and review the policies and procedures of the University and its subsidiaries with respect to financial and other operational controls relating to, including but not limited to, the risks referred to in 5.1.6, the appropriate and effective exercise of delegated authority and the reporting of significant risks, however arising, to Council (5.1.8).
University Council
OVERVIEW
Risk management is no longer special or optional: it is a necessary consideration each time we make a decision whether to develop a relationship, start a project or hold an event. It is required for good quality outcomes. We must constructively align our activities and decision-making with objectives and outcomes that help us reach our strategic goals or successfully execute our operational plans. This is risk management. To manage risk we apply the Standard in the way described here. It takes into account the unique and special environments in which we work.
Risk Assessment: Risk identification, Risk analysis, Risk evaluation. Risk treatment.
6.
Establish the context by identifying the objectives of the project, event or relationship and then consider the internal and external parameters within which the risk must be managed.
The risk management process applies equally to risks that arise at an enterprise-wide or strategic level, at an operational or day-to-day business level, or for new partnerships, projects and new initiatives.
Any proposed partnership, project or initiative should actively consider risk and document the assessment formally. It is recognised that specific and fit-for-purpose processes may be established to assess and manage the specific risks of an individual project or initiative, but that further risk management work is required when the project moves to an operational level.
Identify the purpose and objectives right at the beginning; focus on this at the outset of the risk assessment to avoid being overwhelmed by details and data.
The Process:
- Set the scope for the risk assessment by identifying what you are assessing: is it a new partnership, program, project or perhaps an event?
- Define the broad objectives. Identify the reason for the risk assessment: perhaps a change in law, a request from an external auditor or regulator, an operational change or review.
- Identify the relevant stakeholders. Aim for an appropriately inclusive process from the outset: be sure to identify the areas that are, or might be, impacted and seek their input. Make sure that appropriate delegations are being exercised even at this early stage.
- Gather background information. Having proper information is important. Ask the right people and identify the information that is available. Sometimes it is useful to identify information that is not available (immediately) but may be necessary. Consider:
  o Strategic & business plans
  o Audit reports, inspections, site visit reports
  o Personal experience (of staff, students, others)
  o Corporate knowledge & institutional memory
  o Previous event investigations or reports
  o Surveys, questionnaires and checklists
  o Insurance claim reports
  o Local or international experience
  o Expert judgment (internal University expertise &/or external expertise)
  o Structured interviews
  o Focus group discussion
  o Historical records
Where possible, consider both the strategic context and operational context, so that a complete picture is obtained.
Establishing the context sets the framework within which the risk assessment should be undertaken, ensures the reasons for carrying out the risk assessment are clearly known, and provides the backdrop of circumstances against which risks can be identified and assessed.
The next three steps (Identify the risk, Analyse the risk and Evaluate the risk) form the Risk Assessment phase of the risk management process.
7.
Identify the risks that might have an impact on the objectives of the University or relevant Faculty, School, Branch, area or entity.
Identify sources of the risk, areas of impact, events (including changes in circumstances) and their causes and potential consequences. Describe those factors that might create, enhance, prevent, degrade, accelerate or delay the achievement of your objectives. Aim also to identify the issues associated with not pursuing an opportunity; that is, the risk of doing nothing and missing an opportunity.
Risk identification
In identifying the risk, consider these kinds of questions:
- What could happen: what might go wrong, or what might prevent the achievement of the relevant goals? What events or occurrences could threaten the intended outcomes?
- How could it happen: is the risk likely to occur at all or happen again? If so, what could cause the risk event to recur or contribute to it happening again?
- Where could it happen: is the risk likely to occur anywhere or in any environment/place? Or is it a risk that is dependent on the location, physical area or activity?
- Why might it happen: what factors would need to be present for the risk to happen or occur again? Understanding why a risk might occur or be repeated is important if the risk is to be managed.
- What might be the impact: if the risk were to eventuate, what impact or consequences would or might this have? Will the impact be felt locally or will it impact on the whole University? Areas of impact to consider include: education or research program/activity; human impact; service delivery; financial consequences; compromise to legal or contract compliance; and adverse impact on brand and reputation for failure to meet or achieve our strategic objectives.
- Who does or can influence this partnership, program, project or event? How much is within the University's control or influence? Make sure that those with delegations, control, influence, resources and budgets are at least informed if not actively involved. This becomes more important when considering the treatments for the risk (see below).
Wherever possible, provide quantitative and/or qualitative data to assist in describing the risk or to support the risk rating. Sources of information may include past records, staff expertise, industry practice, literature and expert opinion.
8.
Process:
- The assessment of likelihood and consequence is mostly subjective, but can be informed by data or information collected, audits, inspections, personal experience, corporate knowledge or institutional memory of previous events, insurance claims, surveys and a range of other available internal and external information.
- Rate the level of risk: use the University Risk Matrix (refer to page 28 of the Resource section of the handbook or online at http://www.adelaide.edu.au/legalandrisk/docs/resources/Risk_Matrix.pdf) to assess the likelihood and consequence levels; the risk matrix then determines whether the risk rating is low, medium, high or extreme. The University Risk Matrix also identifies the management action required for the various risk ratings.
9.
Decide whether the risk is acceptable or unacceptable. Use your understanding of the risk to make decisions about future actions.
Decisions about future actions may include:
- not undertaking or proceeding with the event, activity, project or initiative
- actively treating the risk
- prioritising the actions needed, if the risk is complex and treatment is required
- accepting the risk
Whether a risk is acceptable or unacceptable relates to a willingness to tolerate the risk; that is, the willingness to bear the risk after it is treated in order to achieve the desired objectives.
The attitude, appetite and tolerance for risk are likely to vary over time, across the University as a whole and for individual Faculties, Schools, Divisions, Branches and Controlled Entities.
A risk may be acceptable or tolerable in the following circumstances:
- No treatment is available
- Treatment costs are prohibitive (particularly relevant with lower ranked risks)
- The level of risk is low and does not warrant using resources to treat it
- The opportunities involved significantly outweigh the threats
A risk is regarded as acceptable or tolerable if the decision has been made not to treat it (in accordance with the next step, Step 5: Treating the risk).
It is important to remember that regarding a risk as acceptable or tolerable does not imply that the risk is insignificant.
Risk attitude: an organisation's approach to assess and eventually pursue, retain, take or turn away from risk.
Risk appetite: the amount and type of risk that an organisation is willing to pursue or retain.
Risk tolerance: an organisation's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives.
Risks that are considered acceptable or tolerable may still need to be monitored.
When conducting a risk assessment, there are generally lots of potential consequences identified. This is not necessarily a problem, as a number of these can be addressed by the risk treatments, or they may not need any specific action.
The previous three steps described (Identify the risk, Analyse the risk and Evaluate the risk) form the Risk Assessment phase of the risk management process.
The Risk Assessment process is well suited to a structured and systematic approach. For complex or more widespread issues a facilitated workshop format involving participants with different perspectives is often helpful, and using an experienced facilitator to lead the discussion can help provide another objective perspective.
Facilitated workshops can be requested by contacting the Associate Director Risk Services in the Legal and Risk Branch (refer to the contact details in PART D: Resources).
Risk treatment: the process taken to modify the risk.
Process:
- Decide if specific treatment is necessary or whether the risk can be adequately treated in the course of standard management procedures and activities; that is, embed the treatment into day-to-day practices or processes. In assessing what treatments could be implemented, it is useful to consider ways in which standard practices already serve as a control, or ways in which those standard practices could be modified to adequately control the risk.
- Work out what kind of treatment is desirable for this risk: determine what the goal is in treating this particular risk; is it to avoid it completely, reduce the likelihood or consequence, transfer the risk (to someone else such as an insurer or contractor) or accept the level of risk based on existing information? The type of risk treatment chosen will often depend on the nature of the risk and the tolerance for that risk.
- Identify and design a preferred treatment option once the goal of treatment is known.
  o Treatment options: if the goal is to share the risk, then involving another party, such as an insurer or contractor, may help. Risk can be shared contractually, by mutual agreement, and in a variety of ways that meet all parties' needs. Any such arrangement should be formally recorded, whether through a contract or agreement or by letter.
    Sharing the risk does not remove our obligations and does not avoid us suffering consequential damage if something unexpected happens or something goes wrong.
  o If the risk is so significant that the goal is to eliminate or avoid it altogether, then the options are limited to changing the project materially, choosing alternative approaches or processes to render the risk irrelevant, or abandoning the activity, partner or program. It is not often that a risk can be eliminated completely, and balance is an important part of the risk assessment exercise (please note: this does not refer to safety-type risks or hazards).
  o Sometimes, a decision is made to accept or tolerate the risk, due to the low likelihood or minor consequences of the risk event, or the fact that the cost of effectively controlling the risk is unjustifiably high or that the opportunity outweighs the risk. The University acknowledges that in pursuing its strategic objectives measured risk taking is both acceptable and appropriate. However, in these instances the decision to accept risk should be carefully documented, so that a record is available for future reference (or evidence) if the risk does eventuate. Thought should also be given to contingency planning in order to deal with and reduce the consequences, should they arise.
- Evaluate treatment options and assess their feasibility relative to the tolerance for risk. Do the controls selected appear to have the desired treatment effect (that is, will they stop or reduce what they are meant to stop or reduce)?
  o Will the controls trigger any other risks? For example, a sprinkler system installed to counter fire risk may cause water damage, presenting a different risk requiring consideration or management.
  o Are the controls beneficial or cost efficient? Does the cost of implementing the control outweigh the cost that would flow from the event occurring without the control in place? Overall, is the cost of implementing the control reasonable for this risk?
  o The cyclical process of treating a risk, deciding whether residual risk levels are tolerable and assessing the effectiveness of that treatment are all case-by-case assessments that depend on a good understanding of the risk and a focus on the end objective of the activity being assessed.
- Document the risk treatment plan. Once the treatment options have been identified, a risk treatment plan should be prepared (NB: these can be easily generated through the University risk register once a risk is recorded). Treatment plans should identify responsibilities for action, time frames for implementation, budget requirements or resource implications, performance measures and review process where appropriate. The review process should monitor the progress of treatments against critical implementation milestones.
- Implement agreed treatments. Once any options requiring authorisation for resourcing, funding or other actions have been approved, treatments should be implemented by those identified as having the responsibility to do so. The person assigned with the primary responsibility for the risk is ultimately accountable for the treatment of the risk.
- Once the risk has been treated, assess the level of residual risk. Even when a risk has been treated and the controls are in place, the risk may not be completely eliminated. The level of residual risk refers to the likelihood and consequence of the risk occurring after the risk has been treated. Once implemented, treatments provide or modify the controls. The residual risk rating is generally lower than the original risk rating; otherwise the controls were not effective.
The residual risk should be documented, monitored and reviewed. Where appropriate, further treatment might be prudent. Having a good awareness of residual risk is important in monitoring and reviewing risk on an ongoing basis.
Process:
- The frequency of review will depend on the risk rating, the strength of controls and the ability to effectively treat the risk. Each of us has a role to play in continually monitoring known or emerging risks and regularly checking or ensuring that controls are in place and are being used.
- Internal audit: the University's internal audit program provides for a review of systems, policies and process assurance and compliance. The auditors apply a risk-based approach to the audit program and help bring a measure of independence and external perspective to the University Risk Management Framework.
- External audit: the University is audited annually by the South Australian Auditor General. That external audit covers financial, governance, contracting, IT and risk management systems and processes. Management and staff may be required to respond to the risk management activities involved with these audits. Other audits occur from time to time and are imposed through contracts, compacts, and Federal and State legislation.
- Local Coordinators or Risk Facilitators: for staff active in the monitoring and review of risks, being able to access and use the University Risk Register (URR) may be required. To apply for access to the URR please contact the Associate Director Risk Services for training and support (refer to the contact details in PART D: Resources).
Risk management records should be traceable.
Formal risk reporting needs to occur via the University Risk Register or other appropriate formal report.
Formal reports should identify new risks, detail the progress with treating existing risks and report outcomes
from the monitoring and review process.
Annual risk reporting should confirm that all risks relevant to the area of responsibility are being adequately
and appropriately managed.
In addition, any risk verified as an extreme risk will require a risk assessment and management plan to be
prepared by the senior manager for the Vice-Chancellor. Extreme and high risks will be overseen by the
University Risk Management Committee (URMC). Responsive and appropriate action will be agreed
between the person with primary responsibility for the risk (risk owner) and the appropriate Vice-President
(or Controlled Entity where relevant). Medium and low risks need to be managed by the local area and
monitored and reviewed locally as necessary.
Having a formal structured reporting process enables the University to confirm that the risk management
framework is effective and that individuals are doing what should be done and that those who are
accountable are answerable for risk management.
A risk profile is a description of any set of risks. Over time the types and significance of risks will evolve.
There is value in each local area having, or compiling, a formal and consolidated risk profile, as it helps to
determine how much time and effort should be put into risk management and how frequently monitoring and
reviews should be conducted.
Even for areas in the University that might consider themselves to be low risk, the risk management
process can contribute significantly to business planning, improving the responsiveness of the area to crises
or threats and responding to opportunities in an informed and measured manner.
With all areas gradually contributing to and using the risk register, an invaluable body of institutional
knowledge will grow, further strengthening the University's demonstrable risk management processes and
maximising the University's efforts and strategies.
What to record
When documenting a risk assessment record the following information
within the risk register:
Printing risk records: the risk register can automatically generate Risk
Summary Reports. These reports, which reflect the risk profile for the area,
can be used for local area reporting and to supplement formal/annual reports.
The risk register can also generate Risk Management Reports and Risk Treatment Plans for individual risks.
meetings;
distribution of minutes;
reports;
induction packages;
newsletters;
circulation lists;
A collaborative and consultative team approach - through co-creation - is more likely to:
Ensure that different, and sometimes opposing, views are appropriately considered when defining
risk criteria and in evaluating risks;
PART D: RESOURCES
In this section of the Handbook additional resources are included to assist staff with the risk management
process and to encourage a consistent and comprehensive language and approach to managing risk across
the whole University.
The resources include:
A glossary of key risk management terms (from the Risk Management Standard)
Anne Hill
Associate Director Risk Services
Legal & Risk Office
Room G07
Mitchell Building,
North Terrace Campus
(08) 8313 4603
[email protected]
13. GLOSSARY
Risk
Risk management
Risk management framework
Risk management policy
Risk management process
Stakeholder
Establishing the context
Risk assessment
Risk identification
Risk description
Risk source
Event
Hazard
Risk owner
Risk analysis
Likelihood
Consequence
Risk matrix
Level of risk
Risk evaluation
Risk attitude
Risk appetite
Risk tolerance
Risk acceptance
Risk treatment
Control
Residual risk
Resilience
Monitoring
Review
Risk reporting
Risk register
Risk profile
Risk Register: a record of information about identified risks.
The register is accessible from the University's Intranet. To find the register, type University Risk Register
in the general search function and follow the links.
Please note: Workplace hazards or safety issues are reported separately. They are assessed and
managed in accordance with the Health Safety and Wellbeing (HSW) Policy and Handbook and under the
responsibility of the HSW Team in Human Resources (HR). HSW related risks will be reported through the
University Risk Register by HR where and when it is appropriate to do so.
The register allows any staff member to Log a Risk (i.e. no special login is required); see below:
When logging a risk you are asked to describe the risk and identify where the risk has been detected or
where it sits within the University or Controlled Entity organisational structure:
The Description & Comments field only accepts a limited number of characters or words. If there is too
much detail the risk will not be saved. If you have more information than will fit into the Description &
Comments field, email the System Administrator (see left hand side of screen).
15. RISK MATRIX

Likelihood scale:
A - Almost Certain
B - Likely (probable)
C - Possible (occasional)
D - Unlikely (uncommon)
E - Rare (remote)

Consequence scale:
1 - Insignificant
2 - Minor
3 - Moderate
4 - Major
5 - Extreme

Risk rating key (likelihood x consequence):
Extreme risk = immediate attention & response needed; requires a risk assessment & management plan
prepared by relevant senior managers for Vice-Chancellor; risk oversight by Council or nominated Standing
Committee or Management Committee
High risk = risk to be given appropriate attention & demonstrably managed; reported to Vice-Chancellor or
other senior Executives / Management Committees as necessary
Medium risk = assess the risk; determine whether current controls are adequate or if further action or
treatment is needed; monitor & review locally, e.g. through regular business practices or local area meetings
Low risk = manage by routine procedures; report to local managers; monitor & review locally as necessary
CONSEQUENCE DESCRIPTORS

Score, level and generic impact description:
5 - Extreme: event or circumstance with potentially disastrous impact on business, or significant material
adverse impact on a key area
4 - Major: critical event or circumstance that can be endured with proper management
3 - Moderate: significant event or circumstance that can be managed under normal circumstances
2 - Minor: event with consequences that can be readily absorbed but requires management effort to
minimise the impact
1 - Insignificant

Impact categories: Service delivery; Finance; Compliance; Human.

Compliance descriptors (most to least severe):
Serious breach of contract or legislation; significant prosecution & fines likely; potential for litigation
including class actions; future funding / approvals / registration / licensing in jeopardy
Major breach of contract, Act, regulations or consent conditions; expected to attract regulatory attention;
investigation, prosecution and / or major fine possible
Significant breach of contract, Act, regulation or consent conditions; potential for regulatory action
Unlikely to result in adverse regulatory response or action

Human descriptors:
Serious injury
Dangerous near miss
Loss of some key staff resulting in skills, knowledge & expertise deficits
Threat of industrial action
Threat of student protest / activity

Brand / image / reputation descriptors:
Sustained damage to brand / image or reputation nationally or locally
Adverse national or local media coverage

Finance descriptors:
Unlikely to impact on budget or funded activities