Risk Management Policy

Section 1 - Purpose of Policy

(1) The University has a statutory obligation to undertake risk management that is established within the University of Wollongong Act 1989 (the Act).

(2) The University recognises that effective risk management is an integral part of good governance and best management practice that assists the University to meet its statutory objectives and deliver on its Strategic Plan.

(3) The purpose of this Policy is to:

  1. define responsibilities and structures to ensure risk management practices are integrated into strategic, operational and project planning/management and review processes;
  2. promote an environment where informed decisions to identify and manage the University’s risks are made in an open and transparent manner;
  3. create a risk intelligent culture at the workplace where all staff are encouraged to proactively manage risks in their day-to-day activities; and
  4. ensure all areas across the University apply a consistent approach to risk management.

Section 2 - Application and Scope

(4) This Policy applies to all Faculties, Divisions and significant University activities.

(5) This Policy should be read in conjunction with the Risk Management Framework and Guidelines and Risk Appetite Statement.

(6) This Policy is supported by a range of documents that inform health, safety and risk management systems and practice across the University. These documents must be consistent with the broad directions of this policy.

Section 3 - Policy Principles

(7) The University has a robust risk framework in order to assess risks in its strategic and operational decision-making.

(8) The University applies a structured and consistent approach to risk management at all levels across the University.

(9) Effective risk management enables:

  1. an understanding of the range of social, political, cultural and environmental factors that may impact the University’s objectives;
  2. the identification, evaluation and management of threats and opportunities to ensure the University is conscious of the risks it faces;
  3. the management of complex and shared risks, identification of their causes, impacts/consequences and controls;
  4. improved information for decision making;
  5. improved University performance and resilience;
  6. clear reporting and transparency of information; and
  7. accountability, assurance, and effective governance.

(10) All staff are responsible for the management of risk, and contributing to a positive risk management culture.

(11) Risk management must be incorporated into internal policy development.

(12) All risks, across all aspects of the University’s operations, should be understood and considered.

Section 4 - Risk Assessments

(13) Formal risk assessments are required for:

  1. all commercial activities and major projects;
  2. all formal and informal research activities, with specific attention to international collaboration;
  3. any activity where there is potential for fraud, corruption, modern slavery, or risks to national security; and
  4. any other activity directed by legislation, regulation or informed by national policy.

(14) Risk assessments should be based on the best available information, which may include historical data, experience, stakeholder feedback, observation, forecasts and expert judgement.

(15) All risks are to be assessed as specified in the Risk Management Framework and Guidelines.

Section 5 - Risk and Control Allocation structure and responsibilities

(16) The Risk, Audit and Compliance Committee is responsible for the risk approach, subject to continuous assessment and improvement in line with current standards and conventions, and in line with the direction of:

  1. The Executive Risk Sponsor, the accountable executive for a group of similar risks, noting that individual risk ownership still resides with the Risk Owner.
  2. The Risk Sponsor, responsible for assessing a group of risks across the University to identify any negative trends or clusters. The Risk Sponsor may lead an initiative to reduce a group of risks at a University level.
  3. The Risk Owner, responsible for:
    1. Managing and monitoring the risk and ensuring adequate controls are:
      1. Applied so risks are within the University’s Risk Appetite; or,
      2. if not within the appetite, then dealt with as described in the Risk Appetite Statement; and
      3. Proportional to the risk consequence and likelihood.

Section 6 - Emerging Threats

(17) Emerging threats are:

  1. new or evolving threats, dangers or challenges for which the likelihood and potential impact are unknown;
  2. they may signify a situation or trend that has the potential to cause harm, disruption, or negative impacts;
  3. the threats may not be fully understood or addressed by existing policies, strategies, or countermeasures.

(18) Emerging threats:

  1. can arise from various sources such as technological advancements, social changes, environmental shifts, geopolitical developments, or even unexpected events;
  2. require careful monitoring, analysis, and proactive response to effectively mitigate their potential negative consequences; and
  3. may pose uncertainties and complexities that need to be carefully studied and managed.

(19) The University relies on analysis and reporting by stakeholders and other sources for the identification and management of emerging threats.

(20) Emerging threats are to be reported to the Senior Manager, Risk and Assurance.

(21) The Senior Manager, Risk and Assurance will assess and report emerging threats to the Risk, Resilience and Assurance Group in accordance with the Risk Management Framework and Guidelines.

(22) The Risk, Audit and Compliance Committee will receive regular updates on emerging risk assessments undertaken by the Risk, Resilience and Assurance Group.

Section 7 - University Risk Register

(23) The University Risk Register is maintained by the Risk and Assurance Division.

(24) The University Risk Register:

  1. enables filtering to a local risk register level;
  2. includes details of the University’s risks and how they are rated and managed;
  3. includes details of mitigation plans for those risks that are rated outside of the University’s Risk Appetite; and
  4. forms the basis of regular reporting to the Risk, Resilience and Assurance Group, the University Leadership Group, the Risk, Audit and Compliance Committee and the University Council. This reporting will include, but not be limited to:
    1. any risk outside the University’s risk appetite including those risks reported and approved as described in the University’s Risk Appetite Statement; and
    2. any risk where the targeted completion of an appropriate mitigation plan exceeds the agreed maximum timeframe for implementation.

Section 8 - Local Risk Registers

(25) Local risk registers must be developed and maintained by each School, Faculty, Division and Portfolio.

(26) The University may extend this requirement to other entities and business units, as appropriate.

(27) Separate risk registers must be maintained for major projects, research projects, international collaborations or other specific activities which have been identified as requiring a separate or customised register.

(28) Local risk registers and associated mitigation plans will require regular review and update by those accountable in accordance with the Risk Management Framework and Guidelines.

(29) Emerging threats will be incorporated into the relevant risk register once the threat becomes a risk. Any new high-risk issue must be reported to the Risk, Resilience and Assurance Group.

(30) If an identified high or extreme risk is reported and approved by the Risk, Resilience and Assurance Group, an appropriate mitigation plan must be developed.

(31) Local risk registers must be endorsed by the relevant Head of School, Executive Dean, Director or Executive.

Part A - 8. Risk Registers for Commercial Activities, Major Projects and Additional Activities

(32) Risk registers will be maintained for:

  1. new commercial activities and major projects (as defined by this Policy); and
  2. additional activities that are identified as having a high level of risk to the operations of the University (such as, but not limited to, legislative and regulatory changes or national policy directives relating to Foreign Arrangements, Foreign Interference, Whistleblower Protections, Fraud and Corruption and Modern Slavery).

(33) The Senior Executive may require that these registers be reported to governance bodies.

Section 9 - Roles and Responsibilities

University Council

(34) The University Council and its Committees have responsibility under the University of Wollongong Act 1989 for overseeing risk management and risk assessment activities across the University.

(35) The University Council, via the Risk, Audit and Compliance Committee, is responsible for endorsing this Policy, the Risk Management Framework and Guidelines and Risk Appetite Statement.

Risk, Audit and Compliance Committee

(36) The Risk, Audit and Compliance Committee is responsible for:

  1. the oversight of the processes for the identification and assessment of the general risk spectrum, reviewing the outcomes of risk management processes and monitoring emerging threats based on changes in the internal and external environment;
  2. overseeing risk reporting in all areas of University operations; and
  3. informing the University Council of the adequacy and effectiveness of the University’s risk management processes and internal control system as advised.

Vice-Chancellor and President

(37) The Vice-Chancellor and President is responsible for:

  1. ensuring a risk management system is established, implemented and maintained in accordance with this policy in any designated functional area or activity;
  2. ensuring systems are in place so that risk owners are held responsible for implementing, monitoring and reporting risks that are within their area of responsibility;
  3. providing leadership on the University’s risk appetite and acceptable risk exposure; and
  4. the assignment of responsibilities in relation to risk management.

Senior Executives and Executive Deans

(38) Senior Executives and Executive Deans are responsible for:

  1. championing a risk management culture and supporting the enhancement of risk management practices across the University;
  2. the formal identification of risks that may impact upon the University’s objectives;
  3. allocation of priorities and allocation of resources to mitigate unacceptable risks;
  4. the provision of risk management guidance to their stakeholders;
  5. oversight of local risk, and/or activity registers;
  6. monitoring the adequacy of controls and mitigation plans; and
  7. overseeing the management of risks that have been escalated from within their respective areas of responsibility, including any controls to mitigate adverse impacts or maximise opportunities as described in the University’s risk appetite statement.

Directors, Faculty Executive Managers, Directors of Research Institutes and Project Managers

(39) Directors, Faculty Executive Managers, Directors of Research Institutes and Project Managers are, within their respective areas of responsibility, responsible for:

  1. implementation of this policy;
  2. managing risks (including identifying, assessing, monitoring and reviewing, communicating and reporting) that may impact on objectives;
  3. ensuring a local risk register is developed and regularly reviewed and maintained;
  4. maintaining effective internal controls;
  5. the development and implementation of appropriate and effective mitigation plans;
  6. regular reporting of risks and progress of mitigation plans;
  7. reporting to their Senior Executive or Executive Dean any new high-risk issues as soon as practicable after the risk has been identified;
  8. reporting any new and emerging threats in their area through the Risk, Resilience and Assurance Group; and
  9. ensuring medium and high residual risks for Commercial Activities, Major Projects and any other specifically identified activities, as requested, are registered and managed and used to inform their local risk register.

Chief Risk and Assurance Officer, in conjunction with the Senior Manager, Risk and Assurance

(40) The Chief Risk and Assurance Officer and Senior Manager, Risk and Assurance are responsible for:

  1. facilitating development and implementation, through the Risk, Resilience and Assurance Group and the Risk and Assurance Division, of the University’s risk management approach and associated policies, framework and guidelines;
  2. ensuring the review and continuous improvement of the University’s risk management framework;
  3. maintaining the University Risk Register;
  4. training and facilitation of University staff in relation to risk management practice;
  5. reporting on risk data to the relevant Group or Committee; and
  6. evaluating, through the University’s internal audit function, the design adequacy and operating effectiveness of controls in place to mitigate the risks associated with key University activities.

All Staff

(41) Every staff member of the University is responsible for the effective management of risks including the identification and reporting of new and emerging threats.

(42) Every staff member is responsible for participating, when required, in training and workshops in relation to risk management practice provided by the University to ensure staff:

  1. are risk aware, promote a risk aware culture and understand the methodology and approach to identifying, assessing and managing risks in day-to-day decision making and business planning;
  2. understand and adhere to the reporting processes within the University’s governance framework in relation to risk management.

Section 10 - Definitions

Commercial Activity
Any measure, action, or mechanism that is put in place to mitigate, minimize, or manage the impact or likelihood of identified risks.
Emerging Threat
An emerging threat refers to a new or evolving risk, danger, or challenge that is in the process of developing or gaining prominence.
Level of Risk
The magnitude of a risk expressed as a combination of consequence and likelihood. Also known as the risk rating, which could be inherent or residual.
Risk Register
The central register of the University’s risks that may be filtered to view risk at a local level.
Risk
The potential of uncertain events or situations to have adverse effects on objectives, goals, values, or assets. It involves the possibility of something going wrong, leading to undesirable consequences or losses. Risk encompasses both the likelihood of an event occurring and the potential impact or severity of its consequences.
Risk Appetite
Risk appetite considers the total risk exposure to UOW and stipulates the behaviours expected on the basis of risk-return trade-offs for one or more of the desired outcomes. Appetite may be expressed quantitatively or qualitatively (e.g. behavioural), as applied in the Risk Appetite Statement.
Risk Management
Coordinated activities to direct and control the University with regard to risk.
Risk Owner
A risk owner is an individual within UOW who is assigned the responsibility for overseeing and managing a specific risk. The risk owner is accountable for the effective management of the identified risk, including implementing risk mitigation strategies, monitoring and reporting on risk status, and ensuring that appropriate actions are taken to address any potential negative outcomes associated with those risks.
Risk Sponsor
A Risk Sponsor is an individual within UOW who takes on the responsibility of overseeing and managing a group of risks. The role of a risk sponsor is to advocate for effective risk management, ensure that appropriate strategies are in place to address the identified risks, and provide guidance and support to the teams involved in managing those risks. Risk sponsors play a crucial role in aligning risk management efforts with UOW's objectives and overall risk management framework.
Executive Risk Sponsor
An Executive Risk Sponsor refers to a senior-level individual within UOW who takes on a leadership role in overseeing and managing a specific category of risks at the highest level. This role involves providing strategic direction, guidance, and support for risk management efforts related to a particular set of risks. The executive risk sponsor plays a critical role in aligning risk management with UOW's overall strategy and ensuring that risks are appropriately addressed to support the achievement of goals. If required, the executive risk sponsor will speak to a category of risks at Council, any Council subcommittee or the University Leadership Group, noting that the risk owner may be required to speak on a specific risk.