View Current

Risk Management Framework

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Introduction

(1) Risk influences the strategic and operational decisions of the University and risk management is an integral part of its governance arrangements. Effective risk management, which includes the understanding, assessment, management and mitigation of risks, supports UON to make better decisions, safeguard assets, provide services to students and communities and achieve strategic objectives.

(2) This Framework sets out the process for integrating risk management into operations. The Risk Management Framework provides the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management.

(3) Risk Management is focused on identifying, evaluating, controlling and mitigating risks. It is not a negative or constraint concept but rather allows the University to take advantage of opportunities to achieve improved outcomes by ensuring that risks taken are based on informed decision making, realistic and measurable objectives and sound analysis of possible outcomes.

Top of Page

Section 2 - Audience

(4) This Framework applies to UON in the entirety.

Top of Page

Section 3 - Background

(5) Risk Management is the co-ordination of activities to optimise the management of potential opportunities and reduce the consequence or impact of adverse effects or events.

(6) An effective Risk Management Framework will assist the University Council, Risk Committee, Vice-Chancellor and Executive in obtaining reasonable assurance that:

  1. the University’s strategic and corporate objectives are supported by effective risk management systems and processes;
  2. risk exposures are identified and adequately monitored and managed; and
  3. the effectiveness of controls are systematically improved where necessary.

(7) The Risk Management Framework provides the key principles that guide risk management and ensure that risk is identified, effectively managed and mitigated within the defined risk appetite.

(8) The Risk Management Framework is based on the International Standard ISO 31000:2018 Risk management – Guidelines.

Top of Page

Section 4 - Risk Management Principles

(9) UON’s Risk Management Framework supports the 8 principles of risk management, from ISO 31000, as the qualities key to effective risk management:

  1. Risk Management is an integral part of all processes – by operating effectively throughout the University and incorporating the risk processes into management processes.
  2. Risk Management is comprehensive, systematic, structured and timely – the management of risk is undertaken in a planned, consistent manner contributing to efficiency and comparability.
  3. Risk Management is based on best available information – from a variety of sources.
  4. Risk Management is customised – with the risk profile and risk appetite set for UON’s experiences and strategy.
  5. Risk Management takes human and cultural factors into account – taking into consideration the University's culture and communities.
  6. Risk Management is transparent and inclusive – the risk management processes includes the timely involvement of stakeholders and decision makers across UON and with controlled and associated entities.
  7. Risk Management is dynamic, iterative and responsive to change – the risk profile and framework is reviewed regularly.
  8. Risk Management facilitates continual improvement of the organisation – the framework continues to improve with the risk maturity. 
Top of Page

Section 5 - Approach to Risk Management

(10) The Council has adopted a Risk Management Policy confirming its commitment to risk management. It sets out the approach to enhancing risk management capability and maturity and ensuring continual improvement of the Risk Management Framework.

(11) Risk Management should be performed continuously and is not just about responding to events. UON supports a risk culture which involves the process of establishing the risk context, identification, analysis, evaluation, treatment, monitoring and review when making decisions. The process should include consultation with relevant stakeholders and be communicated widely throughout the UON community.

(12) The risk management process covers the establishment of the risk categories (context), the risk assessment which includes the identification, analysis, evaluation and the risk treatment supported by effective communication and consultation and continuous monitoring and review (Refer – Risk Management Process).

Top of Page

Section 6 - Risk Appetite and Risk Tolerance

(13) The Strategic Plan, the Corporate Plan, the Faculty, School, Divisional and Unit Corporate plans and specific project plans set the strategic and operational objectives. This planning cycle supports the assessment of emerging or known risks that may impact objectives.

(14) The Council and Executive Management consider and set the risk appetite and risk tolerance. In setting the risk appetite the Council acknowledges that it is not possible, or may not be desirable, to eliminate all risks inherent in activities. Acceptance of some risk may be necessary to support innovation within well controlled business activities.

(15) The risk appetite is considered in strategic and operational decision making. The risk tolerance supports the translation of risk appetite into operational quantitative limits. The risk appetite and risk tolerance are considered at least annually.

(16) The risk appetite provides guidance as to the risk boundaries that are acceptable and how risk and reward are to be balanced. It recognised that risks present both challenges and opportunities and should not be considered solely in terms of their potential financial consequences. The risk appetite aids in the understanding of the level of risk that is acceptable across the University, and which risks require further consultation prior to acceptance.

Top of Page

Section 7 - Overall Risk Appetite

(17) The University’s approach is to minimise exposure to risks relating to its regulatory responsibilities, long term financial health and people, while accepting and encouraging an increased degree of managed risk in pursuit of its vision and strategic goals. It recognises that its appetite for risk varies according to the activity undertaken, and that acceptance of risk is subject always to ensuring that the potential benefits and risks are fully understood before activities, projects and processes are authorised, and that sensible measures to mitigate risk are established.

(18) The overarching risk appetite is:

  1. In pursuing its objectives, as expressed in the strategic plan, the University has minimal appetite for risk where there is a likelihood of loss of life or serious harm, illegal or unethical activity, significant and lasting reputational damage, negative material long term financial impacts or compromise of system security.
  2. UON accepts a high level of risk in strategies that deliver quality, equity, excellence, impact and innovation, and a medium level of operational risk in business units to deliver these strategic priorities.

(19) This overarching appetite can be segregated into specific appetites for different activities within strategic, operational, financial and regulatory categories. Where an activity is not made explicit in the following categories, the upper and lower limits of that category apply, in addition to the application of the overarching appetite. (Refer Risk Appetite Statement Defined and Risk Appetite Statement Depiction).

(20) Managed risk refers to risk of any level that has been identified and assessed, with the appropriate level of controls and treatments in place and passed through the relevant review and approval channels. In the instance that there is a high risk appetite, it is imperative that high rated risks are managed risks.

Top of Page

Section 8 - Statement of Risk Appetite

(21) The appetite for risk across UON activities is provided in the following statements, and in detail in Risk Appetite Statement Defined.

Strategic

(22) To achieve its objectives the University is willing to take and accept a level of managed risks. Strategic activities support the University to adapt to changes in the regulatory, teaching, research and technological environments and in the nature and conduct of the University's activities. This will include changes in campuses, learning centres, courses and research initiatives as set out in New Futures Strategic Plan 2016 - 2025 and supported by Faculty / Divisional strategic plans. The University acknowledges many activities carry higher risk and that these need to be managed effectively and in line with the risk appetite. The University assesses and measures the value of these activities not just on an individual basis but also relative to all available options including the “do nothing” option. These actions are consistent with our values. The University considers its risk appetite in this area to be high.

People – Health and Safety

(23) The University maintains a safe place to work and study and has a minimal willingness to accept risk to the health, safety and wellbeing of staff, students and others on the campuses. It is not the intention to avoid inherently risky activities, which are part of running a University, however, a strong culture of health and safety awareness and risk management is expected to all staff and students. This includes identifying and managing health and safety risk to the best extent possible.

People – People and Culture

(24) The University aims to value, support, develop and utilise the skills and potential of staff to create an agile high performance culture. It places importance on a culture of academic freedom, equality, equity and diversity, collaboration and the development of staff. It has a high risk appetite for activities that support a high performance culture.

Education

(25) The University is committed to delivering high quality teaching and learning for all of its students as well as developing enhanced approaches to teaching and learning. Achieving these objectives will involve investing in teaching and learning facilities / infrastructure and continual review and refresh of the curriculum. The University recognises the need to identify solutions to meet diverse student needs and to further its work with professional bodies and industry to ensure success for our graduates and their employers. We recognise that this will involve risk and accept a moderate risk appetite, subject to ensuring that potential benefits and risk are fully understood before activities are authorised, that sensible measures are in place to mitigate risk and that academic quality is maintained.

Research & Innovation

(26) The University supports the pursuit of research opportunities that strengthen performance by generating impact and contributing to the social good of our communities. The University has a high risk appetite for investment to grow its research strengths through research partnerships and industry collaboration. The University has a minimal risk appetite for research conduct that is unethical, non-compliant with legislation or compromises quality.

Physical & Digital

(27) The University has a low risk appetite for business interruptions at critical periods of operations impacting staff and students. The ability to support operations on a day to day basis is important, and the University has a high risk appetite for initiatives and projects that create or adapt to digital disruption and support that optimise performance.

Regulatory

(28) As a good corporate citizen, the University seeks to comply with relevant statutory requirements to the best of its endeavours. We will continue to achieve this through strong institutional governance and management which will shape the University’s culture for compliance, ethical conduct and living our values. There is minimal risk appetite for actions that do not support regulatory governance or undermines the integrity of the University. We have a low risk appetite for non-compliance with external regulation which is informed using a risk-based approach (including management of risk).

Financial

(29) The University maintains a sound financial base in terms of annual operating surpluses, diversified and growing income streams, and effective control of costs. The University has a minimal appetite for risks which may compromise the long term financial health and a moderate appetite for any risks which support strategic initiatives and the achievement of financial targets.

Reputational

(30) The University has an established record of world-class learning, teaching, research and student experience. There is a minimal appetite for any risks which would impact negatively upon its reputation, “brand” or ethical standing, which would lead to adverse publicity, or could lead to loss of confidence in the University.

Top of Page

Section 9 - Risk Categories

(31) Risk Management addresses a broad range of potential exposures to risks across the entire operations of the University and includes core and enabling activities.

(32) Strategic risk refers to the impact of changes within the environment, including changing legislation, and the ability to meet the strategic objectives.

(33) The University has identified the risk categories which are likely to affect the ability to deliver on objectives. These are as follows (See also Risk Framework - Risk Categories Diagram):

Core Risks

(34) Operational risk refers to the risk that arises from day-to-day operations including project management activities and may arise from inadequate or failed internal processes, practices, systems or people. It may also occur from failures due to external systems or events and deliberate actions such as fraud.

  1. People risk refers to the risks associated with attracting and retaining talented and engaged staff and includes risks associated with:  recruitment and retention; training and development; career development and performance management.

(35) Regulatory (compliance) risk refers to the failure to comply with regulatory requirements. These include legislative obligations, legal requirements, UON Rules, policies, frameworks, guidelines and may be deliberate or inadvertent.

(36) Health and Safety risk refers to the direct and indirect impact on staff, students, the community and third parties arising from the activities undertaken by UON including the management of the physical environment.

(37) Financial risk refers to the risk associated with the inability to achieve financial outcomes. This includes short term and long term financial and capital planning.

(38) Reputation risk refers to the brand and image impact on the UON as a result of the outcome of an activity. This may impact on financial or operational outcomes or may result in the loss of trust or standing within the community.

Business Risks

(39) The business risks are a subset of the core risks and are assessed at each core risk level.

  1. Education – learning and teaching is a core activity. Risks arising from academic activities include: student administration, progress, assessment, grading, retention and success; academic and staff teaching capacity and capability, learning resources and support, learning spaces, course curriculum and content.
  2. Research and innovation is a core activity. Risks include: ethics, quality and value of research, commercialisation, collaboration, intellectual property, supervision and support of students.
  3. Assets refers to the physical infrastructure and the digital environment with these assets being fundamental to the delivery of services. The risks include: loss or ineffective use of assets; failure or unavailability and ineffective management resulting in loss.
Top of Page

Section 10 - Risk Assessment – Identification

(40) University Leaders are required to identify their role in contributing to UON’s goals, objectives, values, policies and strategies when making informed risk decisions.

(41) The goal of the risk identification process is to generate a comprehensive array of risks that may impact on the activity. In establishing the context of risks key questions may include:

  1. when, how, why and where are the risks likely to occur, or arise from the activity;
  2. what is the consequence should the risk or event occur, consider time and monetary impact;
  3. what are the threats and opportunities;
  4. what are the significant factors in both the internal and external environment that may affect the outcome;
  5. what is the source of the risk, has this occurred before, and how likely is it to eventuate?;
  6. what is the impact should this occur;
  7. what controls are in place to mitigate this risk; and
  8. who are the stakeholders.

(42) All identified risks are documented in risk registers which identify what can happen, when and where it can happen, how and why it would occur.

(43) The risk owner has responsibility for:

  1. ensuring that risks are managed appropriately;
  2. monitoring and reporting progress to manage the risks;
  3. ensuring that their risk register is maintained on a timely basis; and
  4. assisting in reporting as required.

(44) Effective risk identification can be undertaken by a number of processes including: scenario analysis; workshopping; prior experience; inspections; flowcharting; survey/ questionnaires; and SWOT analysis.

Top of Page

Section 11 - Risk Assessment – Analysis

(45) The risk analysis process supports the prioritisation of risks which may have the most significant impact on achieving objectives.

(46) Risks are determined by the relationship between the likelihood (frequency or probability of occurrence) and the consequence (impact or magnitude of effect) if the risk occurs. The likelihood and consequence are assessed at a residual level taking into consideration the adequacy of current internal controls in place and their effectiveness. Please see the Consequence and Likelihood Tables.

(47) The assessment of each risk is determined at both the inherent risk (risk without internal controls in place) and residual risk (risk with effective internal controls in place).

(48) Internal controls which are in place to support the early identification and rectification or lower the impact will affect the consequence (detective controls). Internal controls which are in place to prevent the risk will affect the likelihood of occurrence (preventative controls).

(49) In considering the adequacy of internal controls the effectiveness needs to be considered. The control effectiveness criteria is as follows:

Control Effectiveness Table
Fully Effective  Substantially Effective Partially Effective Largely Ineffective
Controls are subject to regular monitoring and review. The existing controls are well designed and addresses the risk. Controls are effective and reliable at all times. No improvement possible.
Most controls are designed correctly, are in place and are effective. Controls are operating 80-99% of the time. Some additional work is required to ensure operational effectiveness and reliability.
The existing controls have some impact on mitigating the risk. Controls are  inconsistent in their application, and monitoring and effectiveness.  Controls are operating 50-79% of the time. Scope for improved effectiveness.
The existing controls are missing or ineffective and do not support the risk mitigation.
Controls are poorly communicated and are not subject to monitoring. Controls are operating at <50% of the time.  Enhancement required.
Top of Page

Section 12 - Risk Assessment – Evaluation

(50) The risk evaluation process supports the decision making as to whether the risk is acceptable or unacceptable. In undertaking an evaluation, consideration is given to the cost impact, benefits and opportunities presented by the risk and the degree of control over the risk.

(51) In assessing and ranking the risk consideration is given to:

  1. what is the risk appetite and risk tolerance;
  2. what is the risk rating and ranking; and
  3. what are the alternative courses of action.
Top of Page

Section 13 - Risk Treatment

(52) The risk treatment involves dealing with risks where the residual risk rating is determined to be unacceptable. To effectively consider the treatment, the causes of the risks need to be determined for treatment not the symptoms.

(53) Risk treatment options are:

  1. Avoidance – an informed decision is made to not proceed with the activity, obtain an alternative solution or exit the activity as the risk rating is unacceptable;
  2. Reduce/ transfer – actions are implemented to reduce the likelihood or consequence (or both) to reduce the risk or transfer the risk to another part (including through insurance); or
  3. Accept – no further action is taken.

(54) Acceptance of the risk occurs when an informed decision has been made that retaining the residual risk level supports the objectives and the cost to implement additional controls or options cannot be justified. The risk reward assessment supports the strategic objectives and the benefits outweigh the risk exposure.

(55) For those risks where the residual risk rating is outside the risk appetite, defined actions are to be considered and included in the Risk Treatment Plan for ongoing monitoring and review.

Top of Page

Section 14 - Risk Monitoring and Review

(56) Monitoring and reviewing risks supports the integration of the Risk Management Framework. Risks do not remain static and are monitored to ensure that changing conditions are considered in the risk priority and assessment.

(57) Regular review can assist in the early identification of risk trends, concerns and potential impact on objectives.

(58) University Leaders - Faculties, Schools, Divisions and Units:

  1. Consider the risks associated with achieving their corporate plans, develop treatment plans as required and document these as part of the corporate planning process each year.
  2. Ongoing review and update of risk register for emerging risks and assess the effectiveness of the risk treatments as part of the Faculty and Division review of performance.

(59) Executive Committee will:

  1. Receive a report on the Operational Risk Register annually.
  2. Review and shape the annual Strategic Risk Register ahead of consideration by the Risk Committee and Council.
  3. Consider Strategic Risk Reports from risk owners on risks identified in the Strategic Risk Register ahead of consideration by the Risk Committee and Council, and as frequently as is determined by the Executive Committee to maintain appropriate oversight of the risk.

(60) The Risk Committee and University Council will receive:

  1. The Operational Risk Report annually. This report will identify those risks which are outside risk appetite and include plans for managing the risks.
  2. The Strategic Risk Register annually.
  3. Strategic Risk Reports from Risk Owners on risks identified in the Strategic Risk Register at least annually, or more regularly where the risk is managed out of appetite.
Top of Page

Section 15 - Risk Registers

(61) Risk registers capture the process to establish the context, identify, analyse, evaluate, treat, monitor and communicate risks to support the attainment of objectives, goals and the benefits of effective risk management processes.

(62) Strategic Risk Register:

  1. Executive leaders shape the identified strategic risks and the Vice-Chancellor presents these views to the Risk Committee and Council for approval.
  2. Strategic risk assessment processes are aligned with the annual strategic planning cycle, commencing with the Council Strategic Retreat in June of each year.

(63) The Operational Risk Registers are completed for risks identified by the Faculty/School, Division/Unit, controlled entity, project and commercial activity. These risks are reviewed and risk rated at the inherent and residual risk rating in conjunction with the Risk team.

(64) The Operational Risk Register will be prepared and maintained by Assurance Services, in consultation with Executive Leaders, and will be subject to regular review.

(65) Local risk registers are prepared and maintained by Faculties and Schools, Divisions and Units and by project managers for major projects and new commercial activities.

  1. Local risk registers must be endorsed by the relevant senior leader ahead of reporting to the Executive Committee and inclusion of relevant risks in the Operational Risk Report.
  2. Residual risks rated outside risk appetite are required to be reported to the relevant Executive Leader as soon as practicable after the risk is identified.
  3. Project risk registers will be developed as part of project planning/business case development for major projects or strategic initiatives and be maintained by the project manager for reporting to the project sponsor and/or project steering committee.
  4. Commercial Activity risk registers are required as per the Commercial Activity Guidelines.
  5. Emerging risk issues are required to be incorporated in the local risk register as they are identified.
  6. Health and safety risk registers are a subset of Faculty/School/Division/Unit Risk Profiles and are supported by the Health & Safety Team.

(66) Unless otherwise determined by the Vice-Chancellor, an appropriate risk mitigation plan must be documented and implemented for any risk outside the University's risk appetite. These will be documented in the local Risk Treatment Plans.

Top of Page

Section 16 - Corporate Governance Principles

(67) Corporate governance refers to the process by which the University is controlled and governed in order to achieve objectives. UON’s Council is committed to establishing and maintaining an organisational culture that ensures risk management is an integral part of all activities. The core function of risk management within the University is the achievement of the University's short and long term objectives and supporting the strategic direction.

(68) Sound and effective risk management contributes to good governance and provides support and protection for managers in the event of adverse outcomes. Effective identification and management of risks in accordance with the approved Risk Management Framework supports UON by potentially reducing the severity of the outcome and assisting those who are accountable for the risk management, in the demonstration of a proper level of due diligence.

(69) The responsibility for effective risk management practice is undertaken by all University leaders and staff. Specific roles and responsibilities for risk management are outlined below. Key terminology is included in “Risk Terminology and Definitions”.

ROLE RISK MANAGEMENT FRAMEWORK RESPONSIBILITY
University Council • The University Council and its Committees have responsibility under the University of Newcastle Act 1989 No 68 for overseeing risk management and risk assessment activities across the University.
• The University Council, via the Risk Committee is responsible for setting the risk appetite of the University and evaluating the effectiveness of the key components of the Risk Management Framework.
Risk Committee of Council The Risk Committee is responsible for assisting Council in:
• Evaluating the soundness of risk systems implemented at the University.
• Reviewing the outcomes of risk management processes, monitoring emerging risks that are material to the achievement of the University’s strategic plans and facilitating assurance that risk exposures are being managed appropriately.
• Informing University Council of the adequacy and effectiveness of the University's risk management processes.
Vice-Chancellor • The Vice-Chancellor is responsible for ensuring that a risk management system is established, implemented and maintained.
• Providing leadership on the University's  risk appetite and acceptable risk exposure.
• Maintaining the risk management framework and controls to manage the University’s material risks and to report to the Council and Risk Committee on whether the risks are being managed effectively.
• Development of the Strategic Risk Register.
Executive Committee • Providing advice to the Vice-Chancellor on matters of risk management and provide leadership in portfolio areas.
• Reviewing and shaping the Strategic Risk Register.
• Considering Strategic Risk Reports from risk owners on risks identified in the Strategic Risk Register as frequently as required to maintain appropriate oversight of the risk.
• Reviewing the outcomes of the risk management processes.
• Considering enterprise risks and facilitating assurance that the enterprise risk exposures are being managed appropriately.
All Staff Recognise, communicate and respond to known, emerging or changing risks.
• Contribute to the process of developing risk profiles.
• Implement risk plans within area of responsibility.
• Update progress on risks and risk treatment plans.
Top of Page

Section 17 - Review

(70) This Framework and the effectiveness of risk management practices will be reviewed by Assurance Services annually.

(71) This Framework will be reviewed by the University Council every three years or earlier as required.

Top of Page

Section 18 - Appendices 

(72) Risk Categories Diagram

(73) Risk Management Process

(74) Risk Appetite Statement – Defined

(75) Risk Appetite Statement – Depiction

(76) Risk Appetite Statement – Strategic

(77) Consequence and Likelihood Tables

(78) Risk Terminology and Definitions