1. Purpose of policy
1.1 The purpose of this policy is to provide a framework for the management of risks associated with all University activities.
1.2 Under the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld), Council is required to efficiently, effectively and economically manage and control the University’s operations and must establish and maintain appropriate systems of internal control and risk management.
1.3 This policy must be read in conjunction with the linked Risk Management - Procedures.
2. Policy scope and application
2.1 This policy applies to all staff, contractors/consultants and members of the University decision-making or advisory bodies.
2.2 This policy is consistent with the International Standard ISO 31000:2018: Risk Management Guidelines.
3. Definitions
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to its effectiveness:
Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.
Risk Appetite conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan.
Risk Appetite Framework is the overall approach, including policies, processes, controls and systems through which appetite is established, communicated and monitored.
Risk Management refers to the set of coordinated activities to direct and control an organisation regarding risk.
Risk Management Framework is the totality of systems, structures, policies, processes and people that identify, measure, monitor and mitigate risk.
Risk Management Strategy is the strategy for managing risk and the key elements of the Risk Management Framework that give effect to this Strategy.
Likelihood measures the expected frequency of a risk occurring. Typically, it is a subjective judgement based on past experience and the insights of persons familiar with the activity.
Consequence measures the expected level of impact on the University and its objectives, should the risk occur.
Risk Owner is an individual within the University with primary responsibility for managing a particular risk.
Risk Event is an occurrence or change of particular circumstances.
Control is a measure that maintains, modifies or mitigates a risk.
Risk Source is an element which, alone or in combination, has the potential to give rise to risk.
4. Risk management objectives
4.1 The University is committed to a Risk Management Framework which:
(a) enables a strong risk culture and management function, overseen by Council, and undertaken by staff across the University in all operations and activities; and
(b) is practical, and clearly articulates the University’s risk appetite, to enable staff to make strategic decisions in the achievement of the University’s Strategic Plan.
5. Policy statement
5.1 The Council and the Executive Committee are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the University. This is fundamental to achieving the University’s strategic and operational objectives.
5.2 In its application of this policy, the University is committed to:
(a) achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;
(b) protecting and enhancing the University’s reputation;
(c) behaving in a responsible and ethical manner, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
(d) establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;
(e) recognising and exploiting opportunities; and
(f) establishing resilience and increased efficiency in relation to risk management.
5.3 All staff are required to be responsible and accountable for managing risk. Sound risk management principles and practices must become part of the normal management strategy for all organisational units within the University.
6. Principles
6.1 Overview of the Enterprise Risk Management Framework
6.1.1 The Council approves the University’s Enterprise Risk Management Framework.
6.1.2 The University’s Enterprise Risk Management Framework must be consistent with the Risk Management Standard, ISO 31000:2018 (Risk Management - Guidelines).
6.1.3 The University’s Enterprise Risk Management Framework is outlined below:
Diagram 1 – Enterprise Risk Management Framework
6.1.4 The Enterprise Risk Management Framework recognises that risk management is an integral part of all University processes.
6.1.5 Underpinning the Enterprise Risk Management Framework are policies, procedures, manuals and processes that act as significant mitigation strategies for the University’s key risks.
6.1.6 The administration of the Enterprise Risk Management Framework is the responsibility of the Director, Governance and Risk Management.
6.2 Key components of the Enterprise Risk Management Framework
6.2.1 Governance and culture - the University’s governance structures support strong risk management practices. Risk governance and the risk management roles and responsibilities are outlined in the University’s Risk Management Strategy (RMS). The RMS is reviewed and updated on an annual basis.
6.2.2 Risk appetite – the University’s Risk Appetite Statement conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan. Risk appetite is reviewed annually, with the process for establishing and reporting on risk appetite outlined in the Risk Appetite Framework. The University’s risk appetite is established by the Council and is set out in Appendix A.
6.2.3 Policy documents – the University maintains policies and procedures for managing risk. These policies and procedures are maintained in the Policy Repository and current versions are displayed on the Policies and Procedures Library within the UniSC website. The policies and procedures cover all areas of the University.
6.2.4 Risk assessment – the University’s risk assessment process involves risk identification, risk analysis, risk evaluation and risk treatment. The processes to support risk assessment are outlined in the Risk Management - Procedures, which includes the Risk Rating Tables to assess the likelihood and consequence of a risk occurring.
6.2.5 Risk reporting – Risk reporting occurs at least quarterly to the Executive Committee and the Audit and Risk Management Committee.
6.2.6 The University maintains appropriate Management Information Systems to enable the effective management of risks.
7. Authorities/Responsibilities
Appendix A – Risk Appetite Statement (PDF)