Policy: Risk management
Section 16 of the Public Governance, Performance and Accountability (PGPA) Act provides that accountable authorities of all Commonwealth entities must establish and maintain appropriate systems of risk oversight, management and internal control for the entity. As a corporate Commonwealth entity, the University’s Council, as the governing body, has approved this risk management policy to:
- establish a framework within which opportunities and threats to the University’s strategic objectives are managed;
- ensure stakeholders at all levels, across all operational areas, take active responsibility for risk management; and
- embed a positive risk culture that informs balanced decision-making.
This policy forms part of the University’s wider governance and control framework and, in part, supports the University to:
- meet legislative and Commonwealth policy requirements relating to risk management as outlined within the PGPA Act and the Commonwealth Risk Management Policy;
- outline its expectations on how opportunities and threats are to be engaged with, managed, and reported; and
- establish clear responsibilities from governing bodies to individual stakeholders on risk management.
This policy conforms to the requirements of the Australia and New Zealand Standard ISO 31000:2018 Risk Management Guidelines.
This policy applies to all staff, Visiting and Honorary Appointments (VaHA), volunteers, affiliates, contractors, controlled entities, and persons authorised to undertake University-related business.
Risk is the effect of uncertainty on objectives, which can include both threats and opportunities. The level of risk is measured in terms of consequence and likelihood.
Risk management is a planned and systematic approach to the identification, evaluation and control of risk. For threats, the outcome of risk management is a reduced likelihood (probability) of a risk occurring, or limited consequences (impact) should the risk occur, achieved by implementing appropriate methods of control (risk mitigations).
Risk culture is the set of shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities.
Risk appetite is the amount of risk an entity is willing to accept or retain in order to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude toward risk taking.
Risk category is a description of any set of risks. The set of risks can contain those that relate to the whole organisation, part of the organisation or as otherwise defined.
Risk Management Framework is the policy, governance and practical structures put in place by the University to manage risk and includes this policy and related documentation.
Risk Management Online Guide provides practical guidance for Colleges and Service Divisions to implement risk management as part of their day-to-day operations and decision-making processes within their local areas.
Risk Management Principles
- The University’s risk management principles are based on ‘creating value’ and ‘preserving core operations’, as follows:
Preserving Core Operations
- All risks are managed in accordance with the Enterprise Risk Management Framework (ERMF), within the boundaries defined in the University’s Risk Appetite Statement.
- The ANU ERMF underpins this policy and outlines the:
  - provisions for the identification, assessment and evaluation of risks;
  - provisions for the way risks are reported, escalated and communicated;
  - roles and responsibilities for risk management;
  - approach for managing risks;
  - University’s risk appetite statement;
  - University’s risk matrix;
  - risk categories for the University; and
  - Risk Management Online Guide.
- The University maintains a Strategic Risk Register comprising risks that may impact the University’s ability to achieve its strategic objectives. The Executive reviews and updates the Strategic Risk Register annually for ARMC consideration and endorsement, after which it is presented to Council for approval. A mid-year status report on the Strategic Risk Register is also prepared for the ARMC and Council.
- All Colleges, Service Divisions and Controlled Entities maintain a local-level operational risk register, which is reviewed and reported in accordance with the ERMF. All high and extreme operational risks, with accompanying treatment plans, are reported annually to the Executive, while other risks are managed and reported at the local area level.
- Program/project sponsors maintain a project risk register, which is reviewed throughout the life of the program/project and escalated in accordance with the ERMF.
- The Corporate Governance and Risk Office is responsible for consolidating strategic risks and reporting to the Audit and Risk Management Committee and Council annually.
Roles and Responsibilities
The key roles and responsibilities for stakeholders, including governing bodies and staff, are outlined in the table below:
- Senior Management Group (Executive & Deans, including Executive of Controlled Entities)
- Service Division Directors and College General Managers
- Research School Directors and Heads of Business Areas
- Academic and Professional Staff (including Controlled Entities), titleholders and contractors of the University
- Corporate Governance and Risk Office (CGRO)
- Audit and Risk Management Committee (ARMC): Review and advise the Council on the appropriateness of:
- Campus Planning Committee
This policy and the ANU ERMF seek to achieve positive risk management outcomes through the following reporting arrangements:
- Staff and controlled entities must report risks in accordance with this policy and the ERMF.
- The Corporate Governance and Risk Office reports to the Audit and Risk Management Committee all strategic risks, and high and extreme operational risks annually.
Training and Development
- The University is committed to ensuring all staff, particularly those in managerial and decision-making roles, have access to guidance and training on the application of risk management principles.
- College Deans, Research School Directors, Service Division Directors and Heads of budget units encourage staff to participate in risk management training offered by the University. Training and development is specifically aimed at assisting staff to comply with the requirements of this policy.
| Field | Detail |
|---|---|
| Purpose | To provide a consistent framework for the identification, assessment, management and reporting of risk; and to enhance the University's internal controls. |
| Topic/Sub-topic | Risk Management |
| Effective Date | 29 Apr 2021 |
| Next Review Date | 29 Apr 2026 |
| Responsible Officer | Director, Corporate Governance and Risk Office |
| Approved By | ANU Council |
| Contact Area | Corporate Governance and Risk Office |
Australian National University Act 1991
Public Governance, Performance and Accountability Act 2013
Public Governance, Performance and Accountability Rule 2014
Commonwealth Risk Management Policy
Information generated and received by ANU staff in the course of conducting business on behalf of ANU is a record and should be captured by an authorised recordkeeping system. To learn more about University records and recordkeeping practice at ANU, see ANU recordkeeping and Policy: Records and archives management.