Skip to content

Enterprise Risk Management Procedure

Procedure overview

1 Purpose

To implement the Enterprise Risk Management Policy and related frameworks.

2 Scope

This procedure applies to all University Members.

3 Procedure Overview

This procedure outlines the processes to be followed for an integrated approach to the identification, assessment, treatment, recording, reporting and monitoring and review of Risk.

4 Procedures

4.1 Risk management environment

Risk management applies at all levels of the university and comprises:

  • Strategic Risks
  • Operational Risks
  • Tactical Risks.

4.1.1 Risk management - Strategic

Strategic Risks are identified by Vice-Chancellor's Executive and managed through their portfolios. They are recorded and managed within the University-endorsed Risk management systems and the Deputy Vice-Chancellor Enterprise Services provides bi-monthly reports to Council through the Audit and Risk Committee and Vice-Chancellor's Executive. As a minimum, reports include:

  • Identification and assessment of all Strategic Risks;
  • Flagging of high or extreme Residual Risk and recommendations to keep the Risk within the agreed Risk Tolerance;
  • Identification of new Strategic Risks, assessment, recommended mitigation and Risk management plans; and
  • Risk Appetite and Tolerances that reflect emerging threats and opportunities.

4.1.2 Risk management - Operational

Operational Risks are identified by business units and assessed and managed through regular planning operations, including those in Research projects. They are recorded and managed within the University-endorsed Risk management systems, following operational guidelines. As a minimum, records include:

  • Identification and assessment of Operational Risks;
  • Escalation of high or extreme Residual Risk and recommendations to keep the Risk within the agreed Risk Tolerance; and
  • Identification of new Operational Risks, assessment, recommended mitigation and Risk management plans.

4.1.3 Risk management - Tactical

Tactical Risks include projects that are managed under the Project Management Framework (PMF) and operational initiatives that are materially significant to warrant Tactical Risk management. Recording, reporting escalation protocols are provided below.

Activity

Initiative

Project (under PMF)

Identification and assessment

Initiative managers

Project/Program Managers

Recording

Initiative Risk register

Project-level Risk registers maintained within the Project Management Framework SharePoint Hub

Reporting frequency

Bi-monthly

Monthly

Reporting and escalation

  1. Very low/low Risk - Initiative manager
  2. Medium Risk - divisional executive group
  3. High/extreme Risk - Vice-Chancellor's Executive
  1. Very low/low Risk - Project Control Group
  2. Medium Risk - Program Board
  3. High/extreme Risk - Portfolio Board

4.2 Roles and responsibilities

The following roles and responsibilities are held by University Members to ensure the appropriate management of Risk:

Role

Responsibility

Approval Authority

Minimum Activity Frequency

Reporting Frequency

Establish, monitor, and review an effective Enterprise Risk Management Framework, including policy and procedure and report to Vice-Chancellor's Committee, Audit and Risk Committee and Council on its implementation

Deputy Vice-Chancellor (Enterprise Services)

Council (policy)

Vice-Chancellor (procedure)

Every 3 years

Every meeting (refer University meeting schedule)

Facilitate, support, and monitor application of the Enterprise Risk Management Framework through the Risk Working Group and report progress to the Deputy Vice-Chancellor (Enterprise Services)

Director (Planning and Performance Support Services) and Director (Assurance Services)

Deputy Vice-Chancellor (Enterprise Services)

Quarterly

Bi-monthly

Provide independent assessment of the effectiveness of the Enterprise Risk Management Framework

Assurance Services (Internal Audit)

Council

As required

As required

Develop, implement, review and approve Risk Appetite and Tolerances

Vice-Chancellor

Council

Annually

Annually

Implement Risk management within portfolio areas

Vice-Chancellor's Executive Members

Vice-Chancellor

Constantly

Bi-monthly

Manage Operational Risks and report to Vice-Chancellor's Executive Committee Members

Line managers

Vice-Chancellor's Executive Members

Constantly

Bi-monthly

Participate in the Risk management process, as provided in Position Descriptions

All Employees

Line managers

As requested by line managers and identified through the annual performance review processes

As required by Line managers

4.3 Risk Appetite and Tolerances

Risk Appetite and Tolerances are expressed in statements, reviewed annually by the Vice-Chancellor in collaboration with Vice-Chancellor's Executive and approved by Council. They are accessible to all University Employees within the intranet and as a minimum take the following form:

Appetite

Action

Definition

Choice~

Trade-off

Minimal

Prevent

All reasonably practical and affordable measures to minimise and, in certain cases, eliminate the Risk where possible must be taken. Management must act in the short-term to return business activities within target.

Will select the lowest Risk option

With extreme reluctance/
never

Conservative

Remediate

Safe approaches should be taken, the cost of controls/mitigation should be evaluated to ensure they achieve a reasonable outcome. A strong preference for strategies and plans that present minimal Risk.

Will accept if limited and heavily outweighed by benefits

Prefer to avoid

Open

Enhance

Management can take measured Risks to operate and enhance the business within appetite; providing adequate controls and contingency plans have been established.

Will choose to put at Risk, but will manage the impact

Will under certain circumstances

Willing

Pursue

Management must explore opportunities to grow the business within appetite.

Will choose option with highest return, accept possibility of failure

Eager to prioritise above others

~How willing are you to select an option that puts this objective at Risk?
#How willing are you to trade-off against achievement of other objectives

Source: PricewaterhouseCoopers, 2022.

4.4 Risk management

Risk management comprises the following components, as outlined in the Risk Management Framework, and supporting processes:

  1. Communication and consultation
  2. Scope, context, and criteria
  3. Assessment - overall process of Risk
    1. Identification;
    2. Analysis; and
    3. Evaluation
  4. Treatment - process to modify Risk in alignment with Risk Appetite and Tolerance Schedule
  5. Monitoring and review
  6. Recording and reporting (Sections 4.5 and 4.6).

4.5 Risk recording

All Risk-related records are maintained within the University-endorsed enterprise Risk management systems. As a minimum, this includes:

  • Agreed Risk Categories for Strategic, Tactical and Operational Risks;
  • Risk registers;
  • Risk assessment and treatment;
  • Risk management plans;
  • Risk responsibility (owners/managers/advisors); and
  • Risk escalation methodology and alerts.

4.6 Risk reporting

Reporting is undertaken on all Material Risks and draws upon data retained in the University-endorsed enterprise Risk management systems. Reporting is undertaken at intervals as provided in Section 4.1.

4.7 Education and training

The Deputy Vice-Chancellor (Enterprise Services) ensures that appropriate mandatory and non-mandatory induction, education and training is available for University Members, as appropriate to their position and role within the University. During each annual performance appraisal line managers will ensure that appropriate Risk management training plans are put in place.

5 References

Institute of Internal Auditors, 2018, Factsheet - Risk Management, viewed 12 May 2022, https://iia.org.au/sf_docs/default-source/technical-resources/2018-fact-sheets/factsheet---risk-management.pdf?sfvrsn=2

6 Schedules

This procedure must be read in conjunction with its subordinate schedules as provided in the table below.

7 Procedure Information

Accountable Officer

Deputy Vice-Chancellor (Enterprise Services)

Responsible Officer

Director (Planning and Performance Support Services)

Policy Type

University Procedure

Policy Suite

Enterprise Risk Management Policy

Subordinate Schedules

Risk Appetite and Tolerance Schedule (under development)

Approved Date

6/12/2022

Effective Date

6/12/2022

Review Date

6/12/2025

Relevant Legislation

Related Policies

Fraud and Corruption Management Policy

Work Health and Safety Policy

Related Procedures

Fraud and Corruption Control Plan Procedure (under development)

Fraud and Corruption Management Procedure

Related forms, publications and websites

Crisis Management Framework

Enterprise Risk Management Framework (under development)

Fraud and Corruption Control Plan (under development)

Project Management Framework SharePoint Hub (restricted access)

University Meeting Schedule

Definitions

Terms defined in the Definitions Dictionary

Council

Council means the governing body, the University of Southern Queensland Council....moreCouncil means the governing body, the University of Southern Queensland Council.

Employee

A person employed by the University and whose conditions of employment are covered by the USQ Enterprise Agreement and includes persons employed on a continuing, fixed term or casual basis. Employees also include senior Employees whose conditions of employment are covered by a written agreement or contract with the University....moreA person employed by the University and whose conditions of employment are covered by the USQ Enterprise Agreement and includes persons employed on a continuing, fixed term or casual basis. Employees also include senior Employees whose conditions of employment are covered by a written agreement or contract with the University.

Research

Research is the creation of new knowledge and/or the use of existing knowledge in a new and creative way to generate new concepts, methodologies, inventions and understandings. This could include the synthesis and analysis of previous research to the extent that it is new and creative....moreResearch is the creation of new knowledge and/or the use of existing knowledge in a new and creative way to generate new concepts, methodologies, inventions and understandings. This could include the synthesis and analysis of previous research to the extent that it is new and creative.

Risk

The effect of uncertainty on objectives....moreThe effect of uncertainty on objectives.

Risk Appetite

The level of Risk the University is willing to accept or take in pursuit of its objectives....moreThe level of Risk the University is willing to accept or take in pursuit of its objectives.

Risk Tolerances

Boundaries for Risk taking expressed in upper and lower limits....moreBoundaries for Risk taking expressed in upper and lower limits.

University

The term 'University' or 'UniSQ' means the University of Southern Queensland....moreThe term 'University' or 'UniSQ' means the University of Southern Queensland.

University Members

Employees of the University whose conditions of employment are covered by the USQ Enterprise Agreement whether full time or fractional, continuing, fixed-term or casual, including senior Employees whose conditions of employment are covered by a written agreement or contract with the University; Members of the University Council and University Committees; Visiting and adjunct academic...moreEmployees of the University whose conditions of employment are covered by the USQ Enterprise Agreement whether full time or fractional, continuing, fixed-term or casual, including senior Employees whose conditions of employment are covered by a written agreement or contract with the University; Members of the University Council and University Committees; Visiting and adjunct academics; Volunteers who contribute to University activities or who act on behalf of the University; Individuals who are granted access to University facilities or who are engaged in providing services to the University, such as contractors and consultants, where applicable.

Vice-Chancellor

The person bearing the title of Vice-Chancellor and President, or as otherwise defined in the University of Southern Queensland Act 1998, including a person acting in that position....moreThe person bearing the title of Vice-Chancellor and President, or as otherwise defined in the University of Southern Queensland Act 1998, including a person acting in that position.

Definitions that relate to this procedure only

Material Risk

Risks that arise from both strategic and operational risks and are those that present the most significant potential detriment to the University.

Operational Risk

Risks that arise from standard business as usual operations.

Risk Advisor

Provides expert advice on a risk and compliance category

Risk Category

Categories of Strategic, Tactical and Operational Risk identified by Risk Owners and Risk Managers and used to categorise risk in the University-endorsed risk management systems.

Risk Manager

Responsible for Operational Risk identification, management, monitoring and advice.

Risk Owner

Responsible for Strategic Risk identification, management, monitoring and advice.

Strategic Risk

Risks that might impact the Strategic Plan aims and require coordinated effort across the Vice-Chancellor's Executive to mitigate.

Tactical Risk

Risks that arise from projects or initiatives managed under the PMF or large and/or complex operational initiatives.

Residual Risk

Risk remaining after risk treatment.

Source: Institute of Internal Auditors Australia

Keywords

Record No

22/222PL

Complying with the law and observing Policy and Procedure is a condition of working and/or studying at the University.

* This file is available in Portable Document Format (PDF) which requires the use of Adobe Acrobat Reader. A free copy of Acrobat Reader may be obtained from Adobe. Users who are unable to access information in PDF should email policy@usq.edu.au to obtain this information in an alternative format.