Policy: Risk management
Section 16 of the Public Governance, Performance and Accountability (PGPA) Act provides that accountable authorities of all Commonwealth entities must establish and maintain appropriate systems of risk oversight, management and internal control for the entity. As a corporate Commonwealth entity, the University’s Council, as the governing body, has approved this risk management policy to:
- establish a framework within which opportunities and threats to the University’s strategic objectives are managed;
- ensure stakeholders at all levels, across all operational areas, take active responsibility for risk management; and
- embed a positive risk culture that informs balanced decision-making.
This policy forms part of the University’s wider governance and control framework and, in part, supports the University to:
- meet legislative and Commonwealth policy requirements relating to risk management as outlined within the PGPA Act and the Commonwealth Risk Management Policy;
- outline its expectations on how opportunities and threats are to be engaged with, managed, and reported; and
- establish clear responsibilities from governing bodies to individual stakeholders on risk management.
This policy conforms to the requirements provided within the Australia and New Zealand Standard ISO 31000: 2018 Risk Management Guidelines.
This policy applies to all staff, Visiting and Honorary Appointments (VaHA), volunteers, affiliates, contractors, controlled entities, and persons authorised to undertake University-related business.
Risk is the effect of uncertainty on objectives which can include both threats and opportunities. The level of risk is measured in terms of consequence and likelihood.
Risk management is a planned and systematic approach to the identification, evaluation and control of risk. For threats, the outcome of risk management is a reduced likelihood (probability) of a risk occurring, or limited consequences (impact) should the risk occur, achieved by implementing appropriate methods of control (risk mitigations).
Risk culture is the set of shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities.
Risk appetite is the amount of risk an entity is willing to accept or retain in order to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude toward risk taking.
Risk category is a description of any set of risks. The set of risks can contain those that relate to the whole organisation, part of the organisation or as otherwise defined.
Risk Management Framework is the policy, governance and practical structures put in place by the University to manage risk and includes this policy and related documentation.
Risk Management Online Guide provides practical guidance for Colleges and Service Divisions to implement risk management as part of their day-to-day operations and decision-making processes within their local areas.
Risk Management Principles
- The University’s risk management principles are based on ‘creating value’ and ‘preserving core operations’, as follows:
Creating Value
- Encouraging risk-based decision-making at all levels.
- Engaging with opportunities to innovate and pursue our strategic objectives.
- Promulgating a culture which recognises and responds to uncertainty.
Preserving Core Operations
- Protecting the wellbeing of all our students, staff and visitors.
- Protecting our culture of academic and research excellence while delivering on our national responsibility.
- Safeguarding our brand and long-term reputation nationally and globally.
- All risks are managed in accordance with the Enterprise Risk Management Framework (ERMF), within the boundaries defined in the University’s Risk Appetite Statement.
- The ANU ERMF underpins this policy and outlines the:
- provisions for the identification, assessment and evaluation of risks;
- provisions for the way risks are reported, escalated and communicated;
- roles and responsibilities for risk management;
- approach for managing risks;
- University’s risk appetite statement;
- University’s risk matrix;
- risk categories for the University;
- Risk Management Online Guide.
- The University maintains a Strategic Risk Register comprising risks that may impact the University’s ability to achieve its strategic objectives. The Executive reviews and updates the University’s Strategic Risk Register annually for ARMC consideration and endorsement, after which it is presented to Council for approval. A mid-year status report on the Strategic Risk Register is also prepared for the ARMC and Council.
- All Colleges, Service Divisions and Controlled Entities maintain a local-level operational risk register which is reviewed and reported in accordance with the ERMF. All high and extreme operational risks, with accompanying treatment plans, are reported annually to the Executive, whilst other risks are managed and reported at the local area level.
- Program/project sponsors maintain a project risk register which is reviewed throughout the life of the program/project, and escalated in accordance with the ERMF.
- The Corporate Governance and Risk Office is responsible for consolidating strategic risks and reporting to the Audit and Risk Management Committee and Council annually.
Roles and Responsibilities
The key roles and responsibilities for stakeholders, including governing bodies and staff, are outlined below:
Council
- Ensure effective overall governance and risk management (Council Charter) as the governing authority of the University.
- Ensure that the principles and practices of risk are communicated to staff and embedded into strategic and operational practices and planning processes.
- Foster and encourage an environment where managing risks is accepted as the day-to-day responsibility of all individuals.
Senior Management Group (Executive & Deans, including Executive of Controlled Entities)
- Consider and respond appropriately to reports about the University’s risks and their management.
- Promote an appropriate risk management culture within their areas of responsibility.
- Manage risks to respective portfolio’s objectives and strategies.
- Facilitate the annual review of extreme and high risks and controls by the Corporate Governance and Risk Office and/or any other ad hoc reviews by the Audit and Risk Management Committee, and ensure any deficiencies identified through the review and assurance processes are promptly rectified.
- Ensure direct reports undertake the above for their respective areas of responsibility.
Service Division Directors and College General Managers
- Promote an appropriate risk management culture within their areas of responsibility.
- Manage risks within the Service Divisions, Colleges, Schools and/or other associated areas such as Research Institutes.
- Develop and maintain an operational risk register.
- Integrate risk management into the annual business planning processes and activities of the Service Division/College/School.
- Monitor and review risks and controls with sufficient frequency to ensure the currency of their risk profile and ongoing effectiveness of controls.
- Report annually on extreme and high risks to the portfolio Executive and update progress on risk mitigation actions as necessary.
Research School Directors and Heads of Business Areas
- Foster and encourage an environment where managing risk is accepted as each person’s day-to-day responsibility.
- Monitor and review function-specific risks and ensure the ongoing effectiveness of the related controls.
- Escalate extreme and high risks.
- Update progress on risk mitigation actions as required by the College.
Academic and Professional Staff (including Controlled Entities), titleholders and contractors of the University
- Identify and familiarise themselves with the risks associated with their roles.
- Comply with risk management processes and practices in accordance with the Risk Management Policy and ERMF.
- Report and escalate to their manager any significant risk, or change to the risk context, that is not addressed within the local area operational risk register.
- Contribute to risk management activities as directed by management.
Corporate Governance and Risk Office (CGRO)
- Key advocate for risk management at the University.
- Provide advice and training on risk management.
- Co-ordinate the University’s Risk Management Plan in accordance with this policy and the ERMF.
- Manage the University’s Strategic Risk Register.
- Report annually to the ARMC and Council on all high and extreme risks.
- Facilitate risk reporting to internal and external bodies/stakeholders.
Audit and Risk Management Committee (ARMC)
- Review and advise the Council on the appropriateness of:
- the enterprise risk management framework and associated processes for the effective identification and management of the University’s strategic, operational, regulatory and financial risks, including fraud risks and those associated with individual projects, program implementation and activities;
- business continuity planning arrangements;
- the system of risk oversight and management as a whole, the system of internal control, and any specific areas of concern or suggestions for improvement.
- Monitor, review and make recommendations to Council on risks applicable to the University’s financial performance, investment portfolio and commercial activities.
- Refer issues that may present a risk consideration for the University to Council and/or the Campus Planning Committee or the Audit and Risk Management Committee depending on the nature of the risk.
Campus Planning Committee
- Monitor, review and make recommendations to Council on risks applicable to capital works, acquisition and disposal of land and buildings and implementation of the Campus Master Plan.
- Refer issues that may present a risk to the University to the Council Committee with relevant expertise (Finance Committee and/or the Audit and Risk Management Committee).
- Monitor, review and make recommendations to Council on risks applicable to academic and research activities that could impact on the strategic objectives of the University.
- Refer issues that may present a risk consideration for the University to the Council and/or the Audit and Risk Management Committee.
This policy, and the ANU ERMF, seek to achieve positive risk management outcomes through the following reporting requirements:
- Staff and controlled entities must report risks in accordance with this policy and the ERMF.
- The Corporate Governance and Risk Office reports to the Audit and Risk Management Committee all strategic risks, and high and extreme operational risks annually.
Training and Development
- The University is committed to ensuring all staff, particularly those in managerial and decision-making roles, have access to guidance and training on the application of risk management principles.
- College Deans, Research School Directors, Service Division Directors and Heads of budget units encourage staff to participate in risk management training offered by the University. Training and development is specifically aimed at assisting staff to comply with the requirements of this policy.