Enterprise Risk Management - Governing Policy - University of the Sunshine Coast, Queensland, Australia

Accessibility links

Enterprise Risk Management - Governing Policy

Download PDF
Approval authority
Responsible Executive member
Vice-Chancellor and President
Designated officer
Director, Governance and Risk Management
First approved
14 October 2008
Last amended
26 October 2021
Review date
26 October 2022
Related documents
Audit and Assurance Framework - Governing Policy
Compliance Management Framework - Governing Policy
Critical Incident Management - Governing Policy
Fraud and Corruption Control - Governing Policy
Governance Framework - Governing Policy
Health, Safety and Wellbeing - Governing Policy
Risk Management - Procedures
Linked documents
Risk Management - Procedures
Superseded documents
Risk Management Framework - Governing Policy|Enterprise Risk Management and Resilience - Governing Policy
Related legislation / standards
Work Health & Safety Act 2011
University of the Sunshine Coast Act 1998 (Qld)
Financial Accountability Act 2009 (Qld)
Building Fire Safety Regs 2008

1. Purpose of policy

1.1 The purpose of this policy is to provide a framework for the management of risks associated with all university activities.

1.2 Under the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld), Council is required to efficiently, effectively and economically manage and control the University’s operations and must establish and maintain appropriate systems of internal control and risk management.

2. Policy scope and application

2.1 This policy applies to all staff and members of the University decision-making or advisory bodies.

2.2 This policy is consistent with the International Standard ISO 31000:2018: Risk Management Guidelines.

3. Definitions

Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to the effectiveness of it:

Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.

Risk Appetite conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan.

Risk Appetite Framework The overall approach, including policies, processes, controls and systems through which appetite is established, communicated and monitored.

Risk Management refers to the set of coordinated activities to direct and control an organisation with regard to risk.

Risk Management Framework is the totality of systems, structures, policies, processes and people that identify, measure, monitor and mitigate risk.

Risk Management Strategy the strategy for managing risk and the key elements of the risk management framework that give effect to this strategy.

4. Policy statement

4.1 The Council and the USC Executive are committed to the implementation and maintenance of a formal risk management system, including the integration of risk management throughout all levels of the University. This is fundamental to achieving the University’s strategic and operational objectives.

4.2 In its application of this policy, the University is committed to:

(a) achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;

(b) protecting and enhancing the University’s reputation;

(c) behaving in a responsible and ethical manner, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;

(d) establishing the right balance between the cost of control and the risks it is willing to accept as part of the business and industry environment within which it operates;

(e) recognition and exploitation of opportunities; and

(f) establishing resilience and increased efficiency in relation to risk management.

4.3 All staff are required to be responsible and accountable for managing risk. Sound risk management principles and practices must become part of the normal management strategy for all organisational units within the University.

5. Principles

5.1 Overview of the Enterprise Risk Management Framework

5.1.1 The University Council approves the University’s Enterprise Risk Management Framework.

5.1.2 The University’s Enterprise Risk Management Framework must be consistent with the Risk Management Standard, ISO 31000:2018 (Risk Management - Guidelines).

5.1.3 The University’s Enterprise Risk Management Framework is outlined below:

Diagram 1 – Enterprise Risk Management Framework

A graphic representation of the Enterprise Risk Management Framework, including Governance and Culture; Risk Appetite; Policies and Procedures; Risk Process; Risk Reporting; and Management Information Systems.

5.1.4 The Enterprise Risk Management Framework recognises that risk management is an integral part of all University processes.

5.1.5 Underpinning the Enterprise Risk Management Framework are policies, procedures, manuals and processes that act as significant mitigation strategies for the University’s key risks.

5.1.6 The administration of the Enterprise Risk Management Framework is the responsibility of the Director, Governance and Risk Management.

5.2 Key components of the Enterprise Risk Management Framework

5.2.1 Governance and culture - the University’s governance structures support strong risk management practices. Risk governance and the risk management roles and responsibilities are outlined in the University’s Risk Management Strategy (RMS). The RMS is reviewed and updated on an annual basis.

5.2.2 Risk appetite – the University’s Risk Appetite Statement conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan. Risk appetite is reviewed annually with the process for establishing and reporting on risk appetite outlined in the Risk Appetite Framework. The University’s risk appetite is established by the Council and is set out in Appendix A.

5.2.3 Policy documents – the University maintains policies and procedures for managing risk. These policies and procedures are maintained in the Policy Repository and current versions are displayed on the Policies and Procedures Library within the USC website. The policies and procedures cover all areas of the University.

5.2.4 Risk assessment – The University’s risk assessment process involves risk identification, risk analysis, risk evaluation and risk treatment. The processes to support risk assessment are outlined in the Risk Management - Procedures which includes the Risk Rating Tables to assess the likelihood and consequence of a risk occurring.

5.2.5 Risk reporting – Risk reporting occurs at least quarterly to the USC Executive and the Audit and Risk Management Committee.

5.2.6 The University maintains appropriate Management Information Systems to enable the effective management of risks.

6. Authorities/Responsibilities


University Officer/s

Overarching accountability for risk management and determining the University’s risk appetite


Oversight of the University’s risk management activities

Audit and Risk Management Committee (ARMC)

Responsibility for the oversight and monitoring specifically of academic risks

Academic Board

Liaise with management in monitoring key risks and, where appropriate, report to Council to provide assurances concerning the management of risks within the University

Audit and Risk Management Committee (ARMC)

Responsible for ensuring that risk management activities are carried out effectively within the University and for promoting a culture that encourages strong risk management

Vice-Chancellor and President

Responsible and accountable to the Vice-Chancellor and President to oversee implementation of the Risk Management Framework across the University and ongoing risk reporting to ARMC

Director, Governance and Risk Management

Responsible to develop and maintain risk registers and report on risks in line with the Risk Management – Procedures

Senior Staff

Responsible to ensure staff are adequately trained in risk assessment and are acquainted with relevant policies and procedures

Senior Staff

Responsible for examining and evaluating the adequacy, effectiveness and efficiency of risk management activities

Internal Audit

Diligently identify, assess risks and implement mitigating actions to reduce the risk where required

All Staff

Appendix A – Risk Appetite Statement (PDF)