
Enterprise Risk Management Procedure

Procedure overview

1 Purpose

To implement the Enterprise Risk Management Policy and related frameworks.

2 Scope

This procedure applies to all University Members.

3 Procedure Overview

This procedure outlines the processes to be followed for an integrated approach to the identification, assessment, treatment, recording, reporting and monitoring and review of Risk.

This procedure aligns with:

  • Higher Education Standards Framework (Threshold Standards) 2021: Standard 6.2 Corporate Monitoring and Accountability

4 Procedures

4.1 Risk management environment

Risk management applies at all levels of the university and comprises:

  • Strategic Risks
  • Operational Risks
  • Tactical Risks.

4.1.1 Risk management - Strategic

Strategic Risks are identified by Vice-Chancellor's Executive and managed through their portfolios. They are recorded and managed within the University-endorsed Risk management systems and the Deputy Vice-Chancellor Enterprise Services provides bi-monthly reports to Council through the Audit and Risk Committee and Vice-Chancellor's Executive. As a minimum, reports include:

  • Identification and assessment of all Strategic Risks;
  • Flagging of high or extreme Residual Risk and recommendations to keep the Risk within the agreed Risk Tolerance;
  • Identification of new Strategic Risks, assessment, recommended mitigation and Risk management plans; and
  • Risk Appetite and Tolerances that reflect emerging threats and opportunities.

4.1.2 Risk management - Operational

Operational Risks are identified by business units and assessed and managed through regular planning operations, including those in Research projects. They are recorded and managed within the University-endorsed Risk management systems, following operational guidelines. As a minimum, records include:

  • Identification and assessment of Operational Risks;
  • Escalation of high or extreme Residual Risk and recommendations to keep the Risk within the agreed Risk Tolerance; and
  • Identification of new Operational Risks, assessment, recommended mitigation and Risk management plans.

4.1.3 Risk management - Tactical

Tactical Risks include projects that are managed under the Project Management Framework (PMF) and operational initiatives that are materially significant enough to warrant Tactical Risk management. Recording, reporting and escalation protocols are provided below.

| Activity | Initiative | Project (under PMF) |
|---|---|---|
| Identification and assessment | Initiative managers | Project/Program Managers |
| Recording | Initiative Risk register | Project-level Risk registers maintained within the Project Management Framework SharePoint Hub |
| Reporting frequency | Bi-monthly | Monthly |
| Reporting and escalation | 1. Very low/low Risk - Initiative manager; 2. Medium Risk - divisional executive group; 3. High/extreme Risk - Vice-Chancellor's Executive | 1. Very low/low Risk - Project Control Group; 2. Medium Risk - Program Board; 3. High/extreme Risk - Portfolio Board |

4.2 Roles and responsibilities

The following roles and responsibilities are held by University Members to ensure the appropriate management of Risk:

| Role | Responsibility | Approval Authority | Minimum Activity Frequency | Reporting Frequency |
|---|---|---|---|---|
| Deputy Vice-Chancellor (Enterprise Services) | Establish, monitor, and review an effective Enterprise Risk Management Framework, including Policy Instruments, and report to Vice-Chancellor's Committee, Audit and Risk Committee and Council on its implementation | Council (policy); Vice-Chancellor (procedure) | Every 3 years | Every meeting (refer University meeting schedule) |
| Director (Planning and Office of the Deputy Vice-Chancellor Enterprise Services) and Director (Assurance Services) | Facilitate, support, and monitor application of the Enterprise Risk Management Framework through the Risk Working Group and report progress to the Deputy Vice-Chancellor (Enterprise Services) | Deputy Vice-Chancellor (Enterprise Services) | Quarterly | Bi-monthly |
| Assurance Services (Internal Audit) | Provide independent assessment of the effectiveness of the Enterprise Risk Management Framework | Council | As required | As required |
| Vice-Chancellor | Develop, implement, review and approve Risk Appetite and Tolerances | Council | Annually | Annually |
| Vice-Chancellor's Executive Members | Implement Risk management within portfolio areas | Vice-Chancellor | Constantly | Bi-monthly |
| Line managers | Manage Operational Risks and report to Vice-Chancellor's Executive Committee Members | Vice-Chancellor's Executive Members | Constantly | Bi-monthly |
| All Employees | Participate in the Risk management process, as provided in Position Descriptions | Line managers | As requested by line managers and identified through the annual performance review processes | As required by Line managers |

4.3 Risk Appetite and Tolerances

Risk Appetite and Tolerances are expressed in statements, reviewed annually by the Vice-Chancellor in collaboration with Vice-Chancellor's Executive and approved by Council. They are accessible to all University Employees within the intranet and as a minimum take the following form:

| Appetite | Action | Definition | Choice~ | Trade-off# |
|---|---|---|---|---|
| Minimal | Prevent | All reasonably practical and affordable measures to minimise and, in certain cases, eliminate the Risk where possible must be taken. Management must act in the short term to return business activities to within target. | Will select the lowest Risk option | With extreme reluctance/never |
| Conservative | Remediate | Safe approaches should be taken, and the cost of controls/mitigation should be evaluated to ensure they achieve a reasonable outcome. A strong preference for strategies and plans that present minimal Risk. | Will accept if limited and heavily outweighed by benefits | Prefer to avoid |
| Open | Enhance | Management can take measured Risks to operate and enhance the business within appetite, provided adequate controls and contingency plans have been established. | Will choose to put at Risk, but will manage the impact | Will under certain circumstances |
| Willing | Pursue | Management must explore opportunities to grow the business within appetite. | Will choose the option with the highest return and accept the possibility of failure | Eager to prioritise above others |

~ How willing are you to select an option that puts this objective at Risk?
\# How willing are you to trade off against achievement of other objectives?

Source: PricewaterhouseCoopers, 2022.

4.4 Risk management

Risk management comprises the following components, as outlined in the Risk Management Framework, and supporting processes:

  1. Communication and consultation
  2. Scope, context, and criteria
  3. Assessment - overall process of Risk
    1. Identification;
    2. Analysis; and
    3. Evaluation
  4. Treatment - process to modify Risk in alignment with Risk Appetite and Tolerance Schedule
  5. Monitoring and review
  6. Recording and reporting (Sections 4.5 and 4.6).

4.5 Risk recording

All Risk-related records are maintained within the University-endorsed enterprise Risk management systems. As a minimum, this includes:

  • Agreed Risk Categories for Strategic, Tactical and Operational Risks;
  • Risk registers;
  • Risk assessment and treatment;
  • Risk management plans;
  • Risk responsibility (owners/managers/advisors); and
  • Risk escalation methodology and alerts.

4.6 Risk reporting

Reporting is undertaken on all Material Risks and draws upon data retained in the University-endorsed enterprise Risk management systems. Reporting is undertaken at intervals as provided in Section 4.1.

4.7 Education and training

The Deputy Vice-Chancellor (Enterprise Services) ensures that appropriate mandatory and non-mandatory induction, education and training is available for University Members, as appropriate to their position and role within the University. During each annual performance appraisal line managers will ensure that appropriate Risk management training plans are put in place.

5 References

Institute of Internal Auditors, 2018, Factsheet - Risk Management, viewed 12 May 2022, https://iia.org.au/sf_docs/default-source/technical-resources/2018-fact-sheets/factsheet---risk-management.pdf?sfvrsn=2

6 Schedules

This procedure must be read in conjunction with its subordinate schedules as provided in the table below.

7 Procedure Information

Accountable Officer

Deputy Vice-Chancellor (Enterprise Services)

Responsible Officer

Director (Risk Management, Compliance and Insurance)

Policy Type

University Procedure

Policy Suite

Enterprise Risk Management Policy

Subordinate Schedules

Risk Appetite and Tolerance Schedule (under development)

Approved Date

6/12/2022

Effective Date

6/12/2022

Review Date

6/12/2027

Relevant Legislation

Policy Exceptions

Policy Exceptions Register

Related Policies

Fraud and Corruption Management Policy

Work Health and Safety Policy

Related Procedures

Fraud and Corruption Control Plan Procedure (under development)

Fraud and Corruption Management Procedure

Related forms, publications and websites

Crisis Management Framework

Enterprise Risk Management Framework (under development)

Fraud and Corruption Control Plan (under development)

Project Management Framework SharePoint Hub (restricted access)

University Meeting Schedule

Definitions

Terms defined in the Definitions Dictionary

Council

Council means the governing body, the University of Southern Queensland Council.

Employee

A person employed by the University and whose conditions of employment are covered by the Enterprise Agreement and includes persons employed on a continuing, fixed term or casual basis. Employees also include senior Employees whose conditions of employment are covered by a written agreement or contract with the University.

Policy Instrument

A Policy Instrument refers to an instrument that is governed by the Policy framework. These include Policies, Procedures and Schedules.

Research

Research is the creation of new knowledge and/or the use of existing knowledge in a new and creative way to generate new concepts, methodologies, inventions and understandings. This could include the synthesis and analysis of previous research to the extent that it is new and creative.

Risk

The effect of uncertainty on objectives.

Risk Appetite

The level of Risk the University is willing to accept or take in pursuit of its objectives.

Risk Tolerances

Boundaries for Risk taking expressed in upper and lower limits.

University

The term 'University' or 'UniSQ' means the University of Southern Queensland.

University Members

Persons who include: Employees of the University whose conditions of employment are covered by the UniSQ Enterprise Agreement whether full time or fractional, continuing, fixed-term or casual, including senior Employees whose conditions of employment are covered by a written agreement or contract with the University; members of the University Council and University Committees; visiting, honorary and adjunct appointees; volunteers who contribute to University activities or who act on behalf of the University; and individuals who are granted access to University facilities or who are engaged in providing services to the University, such as contractors or consultants, where applicable.

Vice-Chancellor

The person bearing the title of Vice-Chancellor and President, or as otherwise defined in the University of Southern Queensland Act 1998, including a person acting in that position.

Definitions that relate to this procedure only

Material Risk

Risks that arise from both strategic and operational risks and are those that present the most significant potential detriment to the University.

Operational Risk

Risks that arise from standard business as usual operations.

Risk Advisor

Provides expert advice on a risk and compliance category

Risk Category

Categories of Strategic, Tactical and Operational Risk identified by Risk Owners and Risk Managers and used to categorise risk in the University-endorsed risk management systems.

Risk Manager

Responsible for Operational Risk identification, management, monitoring and advice.

Risk Owner

Responsible for Strategic Risk identification, management, monitoring and advice.

Strategic Risk

Risks that might impact the Strategic Plan aims and require coordinated effort across the Vice-Chancellor's Executive to mitigate.

Tactical Risk

Risks that arise from projects or initiatives managed under the PMF or large and/or complex operational initiatives.

Residual Risk

Risk remaining after risk treatment.

Source: Institute of Internal Auditors Australia

Keywords

Record No

22/222PL

Complying with the law and observing Policy and Procedure is a condition of working and/or studying at the University.
