1. Purpose of policy
1.1 The purpose of this policy is to provide a framework for the management of risks associated with all university activities.
1.2 Under the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld), Council is required to efficiently, effectively and economically manage and control the University’s operations and must establish and maintain appropriate systems of internal control and risk management.
2. Policy scope and application
2.1 This policy applies to all staff and members of the University decision-making or advisory bodies.
2.2 This policy is consistent with the International Standard ISO 31000:2018: Risk Management Guidelines.
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to the effectiveness of it:
Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.
Risk Appetite conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan.
Risk Appetite Framework The overall approach, including policies, processes, controls and systems through which appetite is established, communicated and monitored.
Risk Management refers to the set of coordinated activities to direct and control an organisation with regard to risk.
Risk Management Framework is the totality of systems, structures, policies, processes and people that identify, measure, monitor and mitigate risk.
Risk Management Strategy the strategy for managing risk and the key elements of the risk management framework that give effect to this strategy.
4. Policy statement
4.1 The Council and the USC Executive are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the University. This is fundamental to achieving the University’s strategic and operational objectives.
4.2 In its application of this policy, the University is committed to:
(a) achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;
(b) protecting and enhancing the University’s reputation;
(c) behaving in a responsible and ethical manner, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
(d) establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;
(e) recognition and exploitation of opportunities; and
(f) establishing resilience and increased efficiency in relation to risk management.
4.3 All staff are required to be responsible and accountable for managing risk. Sound risk management principles and practices must become part of the normal management strategy for all organisational units within the University.
5.1 Overview of the Enterprise Risk Management Framework
5.1.1 The University Council approves the University’s Enterprise Risk Management Framework.
5.1.2 The University’s Enterprise Risk Management Framework must be consistent with the Risk Management Standard, ISO 31000:2018 (Risk Management - Guidelines).
5.1.3 The University’s Enterprise Risk Management Framework is outlined below:
Diagram 1 – Enterprise Risk Management Framework
5.1.4 The Enterprise Risk Management Framework recognises that risk management is an integral part of all University processes.
5.1.5 Underpinning the Enterprise Risk Management Framework are policies, procedures, manuals and processes that act as significant mitigation strategies for the University’s key risks.
5.1.6 The administration of the Enterprise Risk Management Framework is the responsibility of the Director, Governance and Risk Management.
5.2 Key components of the Enterprise Risk Management Framework
5.2.1 Governance and culture - the University’s governance structures support strong risk management practices. Risk governance and the risk management roles and responsibilities are outlined in the University’s Risk Management Strategy (RMS). The RMS is reviewed and updated on an annual basis.
5.2.2 Risk appetite – the University’s Risk Appetite Statement conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan. Risk appetite is reviewed annually with the process for establishing and reporting on risk appetite outlined in the Risk Appetite Framework. The University’s risk appetite is established by the Council and is set out in Appendix A.
5.2.3 Policy documents – the University maintains policies and procedures for managing risk. These policies and procedures are maintained in the Policy Repository and current versions are displayed on the Policies and Procedures Library within the USC website. The policies and procedures cover all areas of the University.
5.2.4 Risk assessment – The University’s risk assessment process involves risk identification, risk analysis, risk evaluation and risk treatment. The processes to support risk assessment are outlined in the Risk Management - Procedures which includes the Risk Rating Tables to assess the likelihood and consequence of a risk occurring.
5.2.5 Risk reporting – Risk reporting occurs at least quarterly to the USC Executive and the Audit and Risk Management Committee.
5.2.6 The University maintains appropriate Management Information Systems to enable the effective management of risks.
Overarching accountability for risk management and determining the University’s risk appetite
Oversight of the University’s risk management activities
Audit and Risk Management Committee (ARMC)
Liaise with management in monitoring key risks and, where appropriate, report to Council to provide assurances concerning the management of risks within the University
Audit and Risk Management Committee (ARMC)
Responsible for ensuring that risk management activities are carried out effectively within the University and for promoting a culture that encourages strong risk management
Vice-Chancellor and President
Responsible and accountable to the Vice-Chancellor and President to oversee implementation of the Risk Management Framework across the University and ongoing risk reporting to ARMC
Director, Governance and Risk Management
Responsible to develop and maintain risk registers and report on risks in line with the Risk Management – Procedures
Responsible to ensure staff are adequately trained in risk assessment and are acquainted with relevant policies and procedures
Responsible for examining and evaluating the adequacy, effectiveness and efficiency of risk management activities
Diligently identify, assess risks and implement mitigating actions to reduce the risk where required
Appendix A – Risk Appetite Statement (PDF)