Enterprise Risk Management Procedures

Section 1 - Purpose

(1) These Procedures support the Enterprise Risk Management Policy and describe the methodology and processes to guide, direct and support a consistent approach to risk management across the University of Wollongong (the University).

Section 2 - Application and Scope

(2) The application and scope of these Procedures is consistent with the Enterprise Risk Management Policy.

Section 3 - Risk Ownership

(3) Section 5 of the Enterprise Risk Management Policy provides detail on reporting requirements.

(4) Risk Management Committees are outlined in the committee pipeline diagram.

(5) The University adopts the Institute of Internal Auditors' Three Lines Model for defining risk accountability:

  1. Line 1 – functions that own and manage risk;
  2. Line 2 – functions that oversee or specialise in risk management or compliance;
  3. Line 3 – functions that provide independent assurance such as internal audit.

(6) The University is a complex organisation that requires the following tiered accountabilities:

  1. the Executive Risk Sponsor is a senior leader who champions and supports the management of a significant risk, ensuring it receives the necessary resources, attention, and alignment with organisational objectives;
  2. the Risk Sponsor is a nominated delegate of the Executive Risk Sponsor, and may assess a risk or group of risks across the University on the Executive Risk Sponsor's behalf;
  3. the Risk Owner is the individual responsible for identifying, assessing, managing and monitoring a specific risk, ensuring that appropriate controls and actions are in place to mitigate its impact on the organisation; and
  4. the Control Owner is the individual responsible for implementing, maintaining, and monitoring specific control measures to manage or mitigate an identified risk within the University.

Section 4 - Risk Management Process and System

(7) The University’s risk management process is aligned to ISO 31000:2018, Risk Management - Guidelines.

(8) The University’s risk appetite is captured in the Risk Appetite Statement.

(9) Risk categories are used to formally classify risks into taxonomies to allow for systematic and consistent reporting and aggregation of risk information across the University.

(10) The Risk Taxonomies can be found here.

(11) Protecht is the Enterprise Risk Management (ERM) System currently used for capturing risk management information in accordance with the Enterprise Risk Management Policy.

(12) Risk and control self-assessments must be documented in the University’s ERM System, Protecht, unless specified otherwise in the Enterprise Risk Management Policy or in these Procedures.

(13) Risk and control self-assessments for WHS are to be recorded in Safety Net, in accordance with the WHS Risk Management Guidelines.

(14) Risk and control self-assessments for Strategic Initiatives and Projects managed and reported through the Enterprise Project Management Office (ePMO) are to be recorded in the templates supplied by the ePMO.

Section 5 - Risk and Control Self-Assessment

(15) A clear understanding of the University’s and the Faculty/Institute/Division/Business Entity objectives is essential when identifying risks related to any activity because risks are defined as the effect of uncertainty on objectives.

Step 1 - Establish the Context

(16) Understand the internal and external operating environment and the factors that could lead to a risk.

(17) Understand the objectives or activity that could be impacted by the risk.

(18) Understand the University’s risk appetite.

Step 2 – Identify the Risk

(19) Risk identification is the process of recognising and describing risks. A risk is the effect of uncertainty on objectives and is usually expressed in terms of risk sources (causes), potential events and their consequences. Risks arise from events that might prevent, degrade, accelerate or delay the achievement of objectives.

(20) Document the risk event components:

  1. develop a risk description: ask ‘What could happen?’ to define the risk event;
  2. identify the potential causes: ask ‘What could cause the risk event to happen?’;
  3. identify the consequences: ask ‘What are the potential consequences if this risk eventuates?’; and
  4. be comprehensive: all possible risks (extreme, high, medium and low) that could impact the achievement of objectives should be recorded for further analysis.

(21) Risk Bowtie Analysis is a recommended tool to assist teams in unpacking the risk components prior to analysis. A Risk Bowtie Analysis Template can be accessed here.

Step 3 - Risk Analysis

(22) Risk analysis is the process of assessing the nature and significance of the risk by considering the likelihood of the risk occurring and the potential consequence/s, and then plotting this information on the University’s 5x5 risk matrix (refer to the link later in this section for guidance and templates).

(23) The Risk Matrix is customised to address the complexity of the organisation. It allows specialist risk areas, projects, Divisions, and the ‘whole of University’ to assess risks in a consistent way and to compare relative risk levels across the organisation.

(24) Use the following links to access the likelihood guidelines, consequence guidelines, Risk Matrix and control assessment guidelines.

(25) Determining the worst case (inherent) level of risk. Once a risk has been identified, the first step in analysis is to allocate the risk a worst case (inherent) risk rating. Assess the likelihood and potential consequence of the risk based on the scenario that the current controls do not exist or completely fail.

(26) Analysis of existing controls. The next step is to identify controls that currently exist to minimise or prevent negative consequences or reduce the likelihood of a potential event (or, for an opportunity, to enhance positive consequences or likelihood). Existing controls are those already in place, such as policies, procedures and training programs. Each control must be rated as effective, requires improvement or ineffective.

(27) Determining the current (residual) level of risk. The consequences and likelihood of the risks identified through the risk identification process should now be estimated and combined to determine the current level of a risk, considering the existing controls.

Step 4 - Risk Evaluation

(28) Risk evaluation is the process of deciding which risks require further treatment and in what order. It is based on the outcomes of risk analysis. It involves determining where a particular risk, after existing controls are applied, sits compared with the level of risk your area is prepared to accept or tolerate, and the need for and priority of further treatment.

(29) Using the qualitative risk matrix technique allows risks to be prioritised according to their likelihood and consequence, with risks being either low, medium, high or extreme. It does not, however, provide an objective method of distinguishing or prioritising risks that have been assessed as having the same consequence and likelihood. Such risks may have to be subjectively ranked.

(30) The Risk Appetite Statement should be consulted to determine whether or not the risk is acceptable.

(31) A risk may be acceptable or tolerable in one or more of the following circumstances:

  a. there is no treatment available;
  b. treatment costs outweigh the benefits;
  c. the level of risk is low and does not warrant the use of resources to treat it; and/or
  d. the opportunities/benefits significantly outweigh any risks and align with the University’s strategy and objectives.

(32) For (a), (b) and (d), the acceptance of any high or extreme risk must be:

  1. approved by the Vice-Chancellor and President or Vice-President Operations in accordance with the Delegations of Authority Policy;
  2. reported to RACC; and
  3. reviewed every 3 months to ensure the conditions for approval remain the same.

Step 5 - Risk Treatment

(33) Risk treatment proactively establishes controls and accountability to help the University address risk, promote desirable conduct, prevent undesirable conduct, prepare for an event (either adverse or opportunistic) and protect from negative impact.

(34) The most suitable risk treatment / action options are generally identified as:

  1. Risk Acceptance:
    1. when all treatment options have been explored and no course of action is likely to be effective, or the option would cost more than the benefit gained. It is also appropriate to accept a risk that is of low consequence and unlikely to occur. (Acceptance of a risk whose residual rating is extreme may require an explanatory note from the Risk Owner.)
    2. when, after careful analysis of the risk, it cannot be avoided, reduced or transferred, or where the cost of doing so is not justified.
  2. Risk Avoidance:
    1. This is when stopping or not proceeding with the activity, or choosing an alternative, eliminates the risk.
  3. Risk Transfer:
    1. This is when the risk is transferred to other parties. This includes taking out insurance policies, outsourcing activities or moving operations to a better equipped part of the department that can handle the risk. In some cases, liability cannot be transferred as contractors may cap their level of liability and therefore responsibility remains with the organisation.
  4. Risk Reduction (reduce the likelihood and/or consequence of the event):
    1. This is where most of the effort is generally required in managing risk. Management processes such as audit and compliance programs, preventative maintenance, training of employees etc. are some of the methods that will reduce the likelihood of risks being realised. Ensuring that controls are in place such as contingency plans, evacuation procedures or structural barriers, may reduce the consequences.

(35) The monitoring and review of risks on an individual basis and the interaction with the governance structure is prescribed by the residual risk rating of each risk as outlined below.

Residual risk level, accountability and reporting protocol:

Extreme
  Accountability: Senior Executive; Executive Deans; Director; Faculty Executive Manager
  Reporting protocol: Risk must be reported to the Vice-Chancellor and President and RACC at the earliest opportunity. Mitigation plans must be developed within 7 days, with implementation of that plan due within a maximum period of 1 month.

High
  Accountability: Director; Faculty Executive Manager
  Reporting protocol: Risk must be reported to the relevant Executive at the earliest opportunity and to RACC per the reporting cycle. Mitigation plans must be developed within 1 month, with implementation of that plan due within 3 months.

Medium
  Accountability: Senior Manager
  Reporting protocol: Risk must be reported to the relevant Director/Faculty Executive Manager per the reporting cycle.

Low
  Accountability: Line Manager
  Reporting protocol: No action required.

(36) Action/Mitigation plans must be developed and documented for each unacceptable risk and should outline the:

  1. risk control to be implemented;
  2. person responsible for implementation; and
  3. target date for completion.

(37) Risk reduction may include the re-design or enhancement of existing controls, the introduction of new controls or further monitoring of existing controls.

Step 6 – Monitor and Review

(38) The University’s Enterprise Risk Register and Local Risk Registers are to be reviewed on a continual basis, at a minimum semi-annually, and as part of the strategic and business planning process.

(39) The University is required to report to various internal and external bodies and stakeholders. Key reporting requirements are outlined in the University’s Enterprise Risk Management Policy.

Section 6 - Enterprise Actions Register

(40) The University maintains an Enterprise Actions Register (EAR) to record and monitor the remediation of risk-related actions. Actions represent existing instances of non-compliance, gaps or improvement opportunities in operational controls and processes, and proactive measures required to reduce the likelihood/impact of risks in accordance with the University's risk appetite.

(41) Each action recorded on the EAR will be assigned an action owner responsible for the timely completion of agreed actions to mitigate the identified risk.

(42) The Risk and Assurance Division (RAD) manages the EAR and provides status reporting to the University Executive and RACC.

(43) Reporting on actions is crucial from a risk accountability perspective. When actions taken to address risk are documented and reported, it provides a clear record of the steps that have been taken to manage and mitigate actual and potential issues. This accountability ensures that staff members (or teams) are held accountable for their roles in risk management, facilitates communication about the progress of risk treatment efforts, and improves the overall risk culture of the University.

Section 7 - Education and Training

(44) The University supports education and training as an essential mechanism in developing and maturing its risk and compliance culture.

(45) The University implements education and training programs to increase awareness of risk and compliance, and of the responsibilities of managers and staff to understand and fulfil their obligations.

Section 8 - Roles and Responsibilities

(46) Refer to the Enterprise Risk Management Policy.

Section 9 - Definitions

(47) Refer to the Enterprise Risk Management Policy.