Procedure: Risk Management

General Information

Purpose: To outline the procedures involved in the identification, assessment and management of risks
Relevant to: Staff
Related topics: Health, Safety & Environment; Governance & Structure; Occupational Health & Safety (Risk Management); Risk Management; Security (Health, Safety & Environment)

Authorisations

Responsible Officer: Director, Risk Management & Audit
Contact Area: Director, Risk Management and Audit

Relevant Dates

Effective Date: 01 July 2009
Date Approved: 10 June 2009
Next Review: 15 June 2011

Related Documents

Related Policies: Risk Management and Protected Disclosures Policy
Procedure

INTRODUCTION

This procedure outlines ANU's Risk Management Framework, which incorporates:

  • Risk Management Policy
  • Accountabilities
  • Approach
  • Common Language

The framework is supported by a range of guidance material, templates and tools, but recognises the need to ensure that these are aligned with the context and focus of the specific risk analysis task being undertaken.

ACCOUNTABILITIES

Council:

  • Ensure that a risk management framework is established, implemented and maintained;
  • Identify strategic risks (in consultation with the Vice Chancellor) that impact upon the University's strategic objectives; and
  • Monitor the management of strategic risks.

Vice-Chancellor:

  • Identify and manage strategic risks; and
  • Ensure that a risk management framework is established, implemented and maintained in accordance with this policy.

University Executive:

  • Identify and manage strategic and operational risks within their portfolio that may impact upon the University's strategic and operational objectives; and
  • Promote compliance with statutory and regulatory requirements.

ANU Deans, Directors & Heads of Colleges and Administrative Divisions:

  • Develop and maintain an ANU College strategic plan that integrates risk management principles with strategic planning processes and the management activities of the College;
  • Ensure the application of risk management principles when major projects are considered or managed;
  • Identify and report on risk issues as part of budget planning, annual reporting and assurance processes;
  • Develop and maintain a fraud risk management plan in accordance with the Fraud Control Procedure;
  • Develop and maintain a Business Continuity Plan (BCP) as part of the ANU Emergency Management Strategy; and
  • Ensure that staff are encouraged to participate in risk management training activities.

Heads of Budget Units:

  • Identify and manage operational risks relevant to the budget unit;
  • Integrate risk management principles with planning processes (e.g. business plans) and management activities including project management;
  • Identify and report on risk issues as part of budget planning and annual reporting and assurance processes; and
  • Encourage staff to participate in risk management training activities.

Heads of Controlled Entities, and of entities that derive from the legal status of the University, are responsible to their respective Boards for the following:

  • Develop and maintain a strategic plan that integrates risk management principles with strategic planning processes and management activities;
  • Identify and report on risk issues as part of budget planning and annual reporting and assurance processes;
  • Develop and maintain a fraud risk management plan in accordance with the Fraud Control Procedure;
  • Develop and maintain a Business Continuity Plan (BCP) as part of the ANU Emergency Management Strategy; and
  • Ensure that staff are encouraged to participate in risk management training activities.

Audit & Risk Management Committee:

  • Oversee the risk management framework;
  • Monitor strategic and enterprise-wide risks; and
  • Receive and consider risk management reports to inform both Council and internal audit activity (including the internal audit plan).

Risk Management Advisory Committee:

  • Monitor and review institutional risks;
  • Make recommendations to the Director, Risk Management and Audit, the Audit and Risk Management Committee, and the Vice-Chancellor (as appropriate) on risk management policies and procedures;
  • Assist the University to raise levels of management awareness and accountability for risk management and the development of a risk management culture;
  • Review and monitor local area risk management, crisis management and business continuity plans; and
  • Make recommendations on the University's crisis management plans and arrangements and review incidents as they occur.

Risk Management and Audit Office (RMAO):

Developed through broad consultation, the role and responsibilities of the RMAO include:

  • Facilitate the development, ratification and adoption of an ANU risk management policy and improvement plan;
  • Develop and implement a University-wide risk management framework;
  • Provide support and advice to ANU College Convenors, Heads of Administrative Divisions and Heads of Budget Units on the implementation of risk management; and
  • Raise the profile of risk management within the University and ensure that a culture of risk management is developed.

APPROACH - OVERVIEW

Risk analysis is based on identifying the events that contribute to uncertainty about the achievement of specific objectives or outcomes. Each such event can then be examined in two dimensions: the likelihood of the event occurring and its consequences (also referred to as impact).

The identification of events, and the assessment of their likelihood and consequences, can be undertaken with the aid of tools and techniques ranging from relatively simple qualitative methods through to highly involved quantitative analysis. The University engages across this entire spectrum of complexity.

The University endorses the application of the Australian/New Zealand Standard AS/NZS 4360:2004 Risk Management, which details the generic risk management process.

Specifically this includes the following elements:

  • Establish the context
  • Identify the risks
  • Analyse the risks (including evaluating the existing controls and determining consequence and likelihood)
  • Evaluate the risks
  • Treat the risks
  • Communicate and consult (at all prior steps)
  • Monitor & Review (at all prior steps)

All staff are encouraged to familiarise themselves with the Australian & NZ Risk Management Standard 4360:2004 and undertake associated training from a recognised provider. Upcoming training events will be publicised through ANU's risk portal and the Risk Management and Audit Office is available to facilitate customised training as required.


APPROACH - GUIDANCE

In addition to adhering to the Australian & NZ Risk Management Standard, ANU staff analysing risks are strongly encouraged to:

1.  Review risk tolerance levels
Unless the ranking scale (particularly for financial impacts) is calibrated to the unit in question, any subsequent assessment will not prioritise risks in relation to the intended context. E.g. using the financial consequence criteria appropriate to a reporting unit with an $88m spend may be unhelpful in prioritising the key risks for a reporting unit with an $8m budget.

Focusing statements setting out acceptable tolerance levels with respect to specific impacts should be articulated. E.g. the Division will not accept any residual risk associated with operational objectives that has more than a "rare" chance (less than once every 5 years, or 1% probability) of a financial loss of A$1m to A$10m NPV, or more than a "possible" chance (less than once per year, or 25% probability) of a financial loss of A$500k to A$1m.

2.  Document the context of the risk profile (e.g. link to strategic and or operational plan)
Without a documented internal and external context, the scope of any associated assessment remains unclear. Significant risks may therefore remain unidentified.

3.  Link risks to University outcomes/objectives
Risk is defined as "the chance that something will happen that will have an impact on objectives". Hence the identification of objectives (or outcomes) is a fundamental step prior to further analysis.

4.  Take particular care in the articulation of risk statements
Confusion often arises between what is a 'risk' and what is a 'control failure'. The wording of the risk statement is vital to ensure that what is articulated can be consistently assessed (e.g. in a multi-disciplinary workshop), have controls applied to it, be placed in a risk hierarchy (linked to objectives) and have accountability assigned.

5.  Document the risk identification techniques utilised
A common problem confronting many risk analysts is the interpretation of results by a variety of audiences. All analysis (including risk assessment) is dependent on the inherent constraints of the methodology applied. To ensure that decision makers place the appropriate level of reliance on results, the tools, techniques and assumptions inherent in the analysis should be disclosed (e.g. qualitative vs. quantitative analysis; workshop vs. expert assessment; SWOT analysis vs. bow-tie analysis).

Further, given the diversity of risk management applications within the ANU, flexibility in the type of risk analysis tools applied should be allowed for, subject to appropriate disclosure in any associated reporting. The analysis should be 'fit-for-purpose' given the particular context, thereby supporting the efficacy of the decision-making process.

E.g. a bow-tie analysis may be appropriate in preparing a safety case for a new laboratory; whereas a SWOT based risk analysis may be more helpful in promoting discussion on strategic directions.

6.  Ensure Controls are assessed as part of the risk analysis
Important considerations prior to evaluating and ranking risk (based on likelihood and consequence) are:

    • what controls are applied;
    • how appropriate are these controls; and
    • how effective are they in reducing either the likelihood or the consequence (or both) of the event.[1]

The rigour applied in analysing these dimensions ultimately impacts on the subsequent risk evaluation.

7.  Ensure the development of appropriate risk mitigation strategies
Having identified and prioritised significant risks (based on defined tolerance levels), no value has been achieved until a decision is made whether or how to treat risks.

Further, should an event (e.g. one with a safety impact) occur, the subsequent discovery of a risk profile or report that highlighted concerns without action being taken may point to negligence, with the potential for increased regulatory and/or reputational consequences.

8.  Consider the prioritisation of resources
Subject to contextual constraints (e.g. compliance risks), the value of prioritising risks is that it allows scarce resources to be allocated so as to achieve desired outcomes more effectively.

Therefore, prior to the implementation of proposed mitigation strategies, risk rankings should be reviewed to ensure that the envisaged strategies are likely to reduce risks to desired levels.

Lower ranked risks should also be reviewed (as appropriate) to assess whether they are in fact 'over-controlled', with the associated resources potentially re-deployed.

9.  Identify risk owners
Given ANU's risk categorisation of strategic, operational and routine risks, the identification of risk owners is important to help facilitate the associated accountability.

10.  Develop contingency plans for low likelihood and high consequence risks
Recognising the inherent flaws in any assessment of likelihood, contingency plans for the management of high consequence incidents provide an important safeguard within the risk assessment framework.

11.  Support the consolidation and consideration of risks at Division and Executive Level
All risks identified and assessed within a Division should be reviewed and consolidated (based on appropriate tolerance levels) for consideration by the Division's leadership team.

12.  Escalate risks to an appropriate organisational level
Risk Management within the ANU is significantly devolved based on the organisational structure of Colleges and Administrative Divisions. It is therefore important for risks to be appropriately escalated not only within the Divisions themselves, but also to the ANU Executive and VC, to ensure the requisite resources are brought to bear.

13.  Support integrated and comprehensive risk reporting
A formal periodic risk report, tailored to the needs of the specific Division, allows for the collation of the results from a range of risk analysis activities, contexts, tools and techniques. In essence, it provides a focus for a rigorous risk management programme balanced with the flexibility required for a fit-for-purpose approach.

14.  Facilitate monitoring of completed actions and subsequent re-assessment of risk rankings
For risk management to be effective those actions implemented to treat risks should be reviewed upon completion and the associated risks re-evaluated. This drives an active management programme and ultimately delivers the value of the risk management activity.

15.  Support the iterative nature of risk management by considering 'update drivers' (e.g. change in objectives, change in accountabilities, change in processes, change in risk levels, and completion of mitigation strategies)
Risk management is an iterative process and should reflect the changing circumstances (or context) of a Division, the ANU and the wider community. A Division's risk management programme should take into account the triggers that prompt review, thereby driving the iterative nature of risk management.
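The evaluation steps in guidance items 1, 6, 8 and 10 above (calibrating the consequence scale to the unit's budget, putting likelihood on one annual scale, netting off control effectiveness to reach residual risk, comparing the result against a tolerance statement, ranking, and flagging low-likelihood high-consequence risks for contingency planning), worked through as a small Python risk-register evaluator. This is an added illustration and not a tool, scale or figure set from the ANU procedure: the band boundaries, the tolerance table, the mapping of threshold ratios onto Classes A to D, the control model (a fractional reduction of likelihood and of consequence) and the four register entries are all assumptions constructed for the example.

```python
"""Risk register evaluator: added illustration of the steps in this procedure.
Scales, tolerance table, class mapping, control model and entries are assumed."""
import math
from dataclasses import dataclass
from typing import Optional

# Consequence levels 1..5 as fractions of the unit's annual budget, so an $8m
# unit is not ranked on an $88m unit's dollar thresholds (guidance item 1).
CONSEQUENCE_BOUNDS = (0.001, 0.01, 0.05, 0.20)       # assumed boundaries
# Likelihood bands by annual probability of at least one occurrence (assumed).
LIKELIHOOD_BANDS = ((0.01, "rare"), (0.10, "unlikely"), (0.30, "possible"),
                    (0.70, "likely"), (1.01, "almost certain"))
# Tolerance statement (assumed): highest acceptable annual probability of a
# residual loss at each level; a level-5 loss is never acceptable.
TOLERANCE = {1: 1.0, 2: 0.70, 3: 0.30, 4: 0.01, 5: 0.0}


@dataclass
class Risk:
    name: str
    owner: str                                   # risk owner (item 9)
    inherent_loss: float                         # dollars if the event occurs, before controls
    frequency_per_year: Optional[float] = None   # repeat events: rate per year
    probability: Optional[float] = None          # one-off events: annual probability
    likelihood_reduction: float = 0.0            # control effectiveness on likelihood, 0..1
    consequence_reduction: float = 0.0           # control effectiveness on consequence, 0..1


def annual_probability(frequency_per_year=None, probability=None):
    """One likelihood scale: P(at least one event in a year). A rate r gives
    1 - exp(-r) (Poisson assumption), so 'once every 5 years' is ~0.18, not 0.2."""
    if probability is not None:
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability must be in [0, 1]")
        return probability
    if frequency_per_year is None or frequency_per_year < 0:
        raise ValueError("give a non-negative frequency or a probability")
    return 1.0 - math.exp(-frequency_per_year)


def consequence_level(loss, budget):
    """Dollar loss -> 1..5 level on this unit's budget-relative scale."""
    fraction = loss / budget
    return 1 + sum(1 for bound in CONSEQUENCE_BOUNDS if fraction >= bound)


def likelihood_band(p):
    return next((name for upper, name in LIKELIHOOD_BANDS if p < upper), "almost certain")


def classify(residual_p, tolerance_p):
    """Class A-D (assumed mapping): A well below the acceptance threshold,
    B on it (ratio 0.5..1), C above it, D far above (ratio > 5)."""
    if tolerance_p == 0.0:
        return "D" if residual_p > 0.0 else "A"
    ratio = residual_p / tolerance_p
    return "A" if ratio < 0.5 else "B" if ratio <= 1.0 else "C" if ratio <= 5.0 else "D"


def evaluate(risk, budget):
    """Inherent -> residual via control effectiveness (item 6), then evaluate."""
    p_inh = annual_probability(risk.frequency_per_year, risk.probability)
    p_res = p_inh * (1.0 - risk.likelihood_reduction)
    level = consequence_level(risk.inherent_loss * (1.0 - risk.consequence_reduction), budget)
    tol = TOLERANCE[level]
    return {
        "name": risk.name, "owner": risk.owner,
        "inherent_class": classify(p_inh, TOLERANCE[consequence_level(risk.inherent_loss, budget)]),
        "residual_p": p_res, "residual_level": level, "likelihood": likelihood_band(p_res),
        "ratio": p_res / tol if tol else math.inf,
        "class": classify(p_res, tol),
        # Item 10: rare but severe residual risks need a contingency plan whatever their class.
        "contingency_plan": level >= 4 and likelihood_band(p_res) in ("rare", "unlikely"),
    }


def prioritise(register, budget):
    """Class D first, then by distance above tolerance (item 8)."""
    return sorted((evaluate(r, budget) for r in register),
                  key=lambda r: (r["class"], r["ratio"]), reverse=True)


# Constructed sample register for an $8m unit (not real ANU data).
BUDGET = 8_000_000.0
SAMPLE_REGISTER = [
    Risk("Ransomware on research data store", "IT Manager", 600_000,
         frequency_per_year=0.5, likelihood_reduction=0.6, consequence_reduction=0.8),
    Risk("Payroll fraud by insider", "Finance Manager", 150_000,
         probability=0.05, likelihood_reduction=0.7),
    Risk("Major laboratory fire", "Lab Safety Officer", 2_000_000,
         frequency_per_year=0.02, likelihood_reduction=0.5, consequence_reduction=0.3),
    Risk("Loss of major grant", "Associate Dean (Research)", 1_000_000,
         probability=0.3, likelihood_reduction=0.2),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER, BUDGET):
        print(f'{r["class"]} {r["name"]:<36} p={r["residual_p"]:.3f} ({r["likelihood"]}) '
              f'level={r["residual_level"]} inherent={r["inherent_class"]}'
              + (" CONTINGENCY PLAN" if r["contingency_plan"] else ""))
```

Run as a script it prints the register ranked Class D first, with the residual likelihood band, consequence level and inherent class beside each entry, so a reviewer can see both which risks breach tolerance and where controls have pulled an inherently Class D risk down to B (or, conversely, where a low-ranked risk may be over-controlled, the point of item 8). The laboratory fire entry shows why item 10 is separate from ranking: its residual likelihood is "rare", so it sits on the threshold as Class B, yet its level-4 consequence still warrants a contingency plan.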

 

COMMON LANGUAGE

Business Continuity

A limited return to business operations following a significant and disruptive natural or man-made event.

Consequence

The outcome of a risk, if it occurs, expressed qualitatively or quantitatively. Threats have unfavourable consequences and opportunities have favourable consequences.

Hazard

A source of potential harm or a situation with a potential to cause loss.

Inherent Risk

The level of risk of an unwanted event before consideration of the controls that could be applied within the business to reduce the risk.

Likelihood

The chance that a particular risk will occur. This can be expressed either as a probability for a single event or condition, or as a frequency of occurrence for repeat events.

Loss

Any negative consequence, financial, or otherwise.

Opportunity

An uncertain beneficial event or condition that if it occurs will result in favourable outcomes such as improved safety, saved time or cost.

Practicable

With regard to risk controls, means the level of control that would be practicable to achieve having regard to the severity of the loss; the risk of it occurring; the state of knowledge about the risk; and the availability, suitability, and cost of mitigating the risk.

Residual Risk

The risk remaining after the implementation of risk treatments.

Risk

The chance of something happening that will have an impact on the realisation of the University's stated objectives.

Risk Acceptance Threshold

The level of risk exposure above which action must be taken to proactively manage threats and maximise opportunities, and below which risks may be accepted.

Risk Appetite

The level of risk the University is prepared to take on.

Risk Assessment

The process of risk identification, analysis and evaluation.

Risk Classification

All identified risks within ANU should be categorised into one of four Classes, defined as follows:

  • Class A: Risks that are below the risk acceptance threshold and do not require active management.
  • Class B: Risks that lie on the risk acceptance threshold and require active monitoring.
  • Class C: Risks that exceed the risk acceptance threshold and require proactive management.
  • Class D: Risks that significantly exceed the risk acceptance threshold and need urgent and immediate attention.

Risk Control Effectiveness

The actual level of control that is in place and effective relative to what could reasonably be achieved for the particular risk.

Risk Controls

Policies, delegations, procedures, devices, systems or other actions that eliminate or reduce risk.

Risk Criteria

The criteria by which an informed decision to accept the consequences and the likelihood of a particular risk is made.

Risk Drivers

The factors that introduce risk into the strategic and operational environment of the University. Some examples of the 'risk drivers' in higher education include:

  • Globalisation
  • Emerging economies
  • Funding models
  • Government policy
  • Increasing regulatory scrutiny and compliance requirements
  • Capital investment
  • Increasing competition
  • Increasing consumer expectations
  • Contracting 
  • Quality of academic program
  • Emerging educational delivery systems
  • Commercialisation/intellectual property
  • Emerging pandemics
  • Natural events
  • Emerging technology
  • Fraud

Risk Evaluation

The process of estimating the likelihood and consequences of identified risks and comparing them against a defined risk acceptance threshold.

Risk Identification

A structured process to identify threats and opportunities.

Risk Management

The application of rigorous analyses, appropriate decision making and actions to achieve the University's stated objectives.

Risk Owner

A person with the capacity, authority, experience and resources necessary to deal with and monitor an identified risk.

Risk Profile

The identified and assessed risks associated with a particular context (e.g. a project or College, and/or an impact area such as safety or fraud).

Risk Treatment

The process of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, modifying, sharing or retaining risk.

Risk Types

Strategic - These risks relate to the overall objectives and long-term viability of the University. Examples include the ability to acquire adequate funding or to maintain the integrity of the University's reputation and relevance;

Business and operational - These are risks concerned with 'day to day' business practices that assist the University to meet its strategic objectives, and would include risks associated with contract management, financial and asset management, and stakeholder management (internal/external);

Enterprise-wide - These risks have a systemic focus such as knowledge and information management, HR management and facilities management;

Specialist - Relates to areas of risk that are often externally regulated and require specialist expertise but relate to the whole of the university. Examples would include OH&S, security and fraud.

Threat

An uncertain adverse event or condition that if it occurs will result in unfavourable outcomes such as injury, damage to the environment, delay, or economic loss.

 


[1] I.e. reducing for downside risk or increasing for upside risk.

Modification History

Previous approval 22 January 2007; reviewed June 2009.