Enterprise Risk Management Policy

Section 1 - Purpose

(1) The University has a statutory obligation to undertake risk management that is established under the University of Wollongong Act 1989 (the Act).

(2) The University of Wollongong (the University) recognises that managing risk is an essential part of everyone's role in supporting the achievement of strategic and operational objectives.

(3) Effective risk management enables the University to achieve its objectives more effectively and efficiently by managing uncertainty, leading to better informed decision making.

(4) Effective risk management enables:

(5) The purpose of this Policy is to:

Section 2 - Application and Scope

(6) This Policy applies to all of UOW and all activities conducted by, or on behalf of, the University, including:

(7) This Policy should be read in conjunction with the Enterprise Risk Management Procedures and Risk Appetite Statement.

(8) This Policy is supported by a range of documents that inform health, safety and risk management systems and practices across the University. These documents must be consistent with the broad direction of this Policy.

Section 3 - Principles

(9) The University acknowledges that risk management is:

Section 4 - Enterprise Risk Management Framework

(10) The University has an Enterprise Risk Management Framework (ERMF) that supports informed decision-making in pursuit of its objectives and is proportionate to its strategy and operational model.

(11) The ERMF supports effective risk management by integrating it into activities and functions across the University.

(12) The ERMF is consistent with the International Standard AS ISO 31000:2018, Risk Management – Principles and Guidelines.

(13) The ERMF consists of:

(14) Risks associated with the University's activities must be identified and assessed.

(15) All risks are to be assessed using the methodology specified in the Risk Management Procedures and relevant guidelines.

(16) Specialised risk guidelines, e.g. for WHS or information security management, must be consistent with the broad directions of this Policy and, as a minimum, with the Risk Management Procedures.

(17) Risk and Control Self-Assessments are required for all activities as outlined in the scope and application of this Policy.

(18) Control management and assurance activities will be conducted in accordance with any relevant regulatory requirements, standards or guidelines, and the University's Risk Management Procedures.

(19) An important component of Risk Management is:

(20) An annual risk management plan will be developed and implemented to systematically identify, assess and mitigate risks while improving the University's overall risk management maturity.

(21) The maturity and performance of the risk management practices will be regularly evaluated through independent reviews and internal audits, ensuring the Risk Management Framework and Policy are fit for purpose.

(22) The University will foster a resilient and proactive approach to risk management by continuously enhancing and adapting practices based on audit findings and evolving risk landscapes.

Section 5 - Reporting and Response Requirements

(23) The University relies on timely analysis and reporting by stakeholders and other sources for the identification and management of risks and emerging threats.

(24) All staff must ensure risk and control self-assessments are undertaken, and that corresponding mitigations are reviewed in accordance with the Enterprise Risk Management Procedures.

(25) Risks evaluated as requiring treatment must be mitigated, and the risk and mitigation plan escalated to the relevant Senior Executive.

(26) Where risks are outside of the University's Risk Appetite, but no treatment is available or the costs outweigh the benefits, the acceptance of the risk can be approved by the Vice-Chancellor and President or the Chief Operating Officer and Vice-President Operations. All approvals must be made in accordance with the authority set out in the Delegations of Authority Policy.

(27) Referral for the acceptance of risks outside of appetite, where there is no treatment available or the costs outweigh the benefits, must be made in writing via the Chief Risk and Assurance Officer to the Vice-Chancellor and President or the Chief Operating Officer and Vice-President Operations. All approvals must be made in accordance with the authority set out in the Delegations of Authority Policy.

(28) Where risks outside of appetite are approved to be 'accepted', they must be reviewed every 3 months to ensure that the conditions that led to the exception are still valid. Where the conditions have changed, treatment plans must be developed in accordance with the Enterprise Risk Management Procedures.

(29) Emerging threats will be incorporated into the University's Enterprise Risk Management (ERM) System once the threat is measurable and becomes an assessable risk.

(30) Assurance mapping is used to identify and assess assurance activities across the University to ensure that risks are effectively managed and controls are properly monitored.

(31) The Risk and Assurance Division (RAD) will provide a Risk Management Report to the Risk Advisory Group (RAG), University Executive (UE), Risk, Audit and Compliance Committee (RACC) and Council in accordance with the relevant Terms of Reference (TOR). These may include, but are not limited to:

(32) Risk Owners will provide any detailed risk reports as requested by the Chief Risk and Assurance Officer (CRAO), Vice-Chancellor and President (VC) and/or the Chair of the Risk, Audit and Compliance Committee (RACC).

Section 6 - Policy Breaches

(33) Breaches of this Policy are considered a failure to comply with the University's Code of Conduct and will be managed in line with the Code.

Section 7 - Roles and Responsibilities

University Council

(34) The University Council is the governing authority for the University and, as such, has responsibility under the University of Wollongong Act 1989 for oversight of risk management and risk assessment activities across the institution.

Risk, Audit and Compliance Committee

(35) The Risk, Audit and Compliance Committee (RACC) assists Council in fulfilling its corporate governance and independent oversight responsibilities in relation to the University's management of risk, compliance with legislation and standards, management of internal controls, and audit requirements, in accordance with its Terms of Reference.

Vice-Chancellor and President

(36) The Vice-Chancellor and President is responsible for:

Senior Executives and Executive Deans

(37) Senior Executives and Executive Deans are responsible for:

Directors, Faculty Executive Managers, Directors of Research Institutes and Project Managers

(38) Directors, Faculty Executive Managers, Directors of Research Institutes and Project Managers are, within their respective areas of responsibility, responsible for:

Chief Risk and Assurance Officer (CRAO) and Risk and Assurance Division

(39) The Risk Management function is responsible for:

(40) The internal audit function is responsible for:

(41) The Chief Risk and Assurance Officer will have direct and independent access to the Risk, Audit and Compliance Committee (RACC) Chair and members as needed to escalate concerns related to the operations and efficacy of this Policy.

Controlled Entities

(42) In accordance with the Controlled Entity Policy, the controlled entity and its subsidiaries must:

All Staff

(43) Every staff member of the University is responsible for the effective identification and management of risks, including the identification and reporting of new and emerging threats.

(44) Every staff member is responsible for participating, as required, in training, workshops and information sessions in relation to risk management practice provided by the University to ensure they:

Section 8 - Definitions
Word/Term
Definition
Assurance Map
Process that identifies, assesses, and aligns assurance activities across an organisation to ensure that risks are effectively managed, and controls are properly monitored.
Commercial Activity
As defined in the Commercial Activities Guidelines.
Consequence
Outcome of an event affecting objectives. An event can lead to a range of consequences; consequences can be certain or uncertain, positive or negative, qualitative or quantitative, and can be risks in themselves (also known as knock-on effects).
Control
Any measure, action or mechanism that is put in place to prevent or detect the identified risk, or to reduce its impact or likelihood.
Emerging Threat
An emerging threat refers to a new or evolving risk, danger, or challenge that is in the process of developing or gaining prominence.
Enterprise Actions Register
The central repository to record and monitor agreed management actions and remediations of risk, controls, internal audit, and reviews across the university.
Enterprise Risk Management
The integration of risk management processes across the university at all levels and in key decision-making areas.
Inherent Risk
The worst-case scenario of a risk without consideration of controls.
Internal Audit
Independent, objective assurance activity designed to add value and improve the university’s operations by identifying risks and control operating effectiveness.
Level of Risk
The magnitude of a risk expressed as a combination of consequence and likelihood. Also known as the risk rating, which could be inherent or residual.
Likelihood
Chance of something happening.
Risk, Audit and Compliance Committee (RACC)
In accordance with Section 16 of the University of Wollongong Act 1989, the Council is charged with overseeing risk management and risk assessment across the University. The Council Risk, Audit and Compliance Committee assists the Council in fulfilling its corporate governance and independent oversight responsibilities in relation to the University’s management of risk, compliance with legislation and standards, its internal control structure and audit requirements, and its external reporting responsibilities.
Residual Risk
The current or typical risk based on control environment.
Risk
The effect of uncertainty on objectives, causing a deviation from the expected outcome, which may be positive (opportunities) or negative (risks). Risk is measurable by the combination of the consequences and the associated likelihood of the risk occurring.
Risk Acceptance
The informed decision to take a particular risk; this can occur without risk treatment or during the process of treatment. Accepted risks are subject to monitoring and review.
Risk Advisory Group (RAG)
The management body responsible for providing advice to UE on the prioritisation of top risks and emerging threats to the university.
Risk Analysis
Process to comprehend the nature of risk and determine the level (size) of risk. Risk Analysis provides the basis for risk evaluation and treatment.
Risk Assessment
The overall process for risk identification, risk analysis and risk evaluation.
Risk Appetite
The total amount and type of risk that the university is willing to accept in pursuit of its objectives.
Risk and Control Self-Assessment (RCSA)
The process of risk identification, analysis and evaluation, which provides an understanding of risks, their causes, consequences, likelihood and controls. Risks can be assessed at a university, business unit, entity, function, program, project or activity level.
Risk Evaluation
Process of comparing the results of risk analysis and risk appetite to determine whether the risk is acceptable or requires treatment.
Risk Management Framework
The components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the University.
Risk Management
Coordinated activities to direct and control the University regarding risk.
Risk Matrix
A tool used for ranking (by risk level) and displaying risks by defining ranges for consequence and likelihood.
Risk Owner
The person who is accountable for the management of the risk as it relates to their objective.
Risk Register
The central register of the University’s risks that may be filtered to view risk at a local level.
Risk Sponsor
The executive or entity with the accountability and authority to manage a category of risk.
Risk Treatment
The process to modify risks that are deemed 'unacceptable or outside of appetite', also referred to as risk mitigation, risk elimination, risk prevention or risk reduction. It is important to note that risk treatment can create new risks or modify existing risks.
Target Risk
Desired level of risk after risk treatment.
University Executive Committee
The University Executive Committee makes recommendations to the Vice-Chancellor and President in the exercise of their delegated authority for university-wide planning, decision-making and oversight. It reports to Council on the prosecution and management of initiatives under the University’s strategic plan, and on the academic and financial health of the University.