University Council
Risk Management Policy

Policy Document No. P3

Relevant UTAS Ordinance and/or Rule Reference No.

Ordinances 3 (The Vice-Chancellor), 6 (Council Delegations) and 7 (Execution of Documents), Principle No. GLP2 (Risk Management)

Relevant State/Federal Govt. Legislation

University of Tasmania Act 1992

Commencement Date

8 July 2005

Review Date

8 July 2008


1. Objective

Managing risk and compliance is critical to achieving the goals and objectives of the University.
Risk is defined as the chance of anything happening that would affect the University's ability to achieve its goals.

2. Policy Statement

The University faces a variety of risks from external and internal sources that must be identified and managed. Risk management derives directly from the objectives of the organisation, and an assessment of the financial, operational, systems and compliance risks that are involved in pursuit of the objectives. Some need to be eliminated, others insured and others managed internally [1].

UTAS is committed to building an organisational culture where active and effective risk management is an integral part of all university activities, and a core management capability and responsibility.

Effective risk management requires:

  • a strategic focus;
  • forward thinking and proactive approaches to management;
  • an astute balancing of the cost of managing risks with the anticipated benefits; and
  • contingency planning in the event that mission critical threats are realised.

3. Scope

This policy applies to all members of the University – staff, students and Council members.

4. Approach

4.1 Model

The model of risk management adopted by UTAS is similar to that in AS/NZS4360 as set out in Figure 1.

Figure 1 - Risk Management Model

This model requires Council input at three stages:

•  establishing the context of risk analysis;
•  providing a policy on the priority of risk management; and
•  approving a management proposal for the treatment of risk. This process should take into account the cost of mitigation of risks in relation to the consequences of loss.

Council, through the Audit Committee, monitors all aspects of the risk management process.
Six major risk areas are identified in Attachment 1:

  • Duty of care;
  • Service delivery;
  • Managing resources;
  • Managing relationships;
  • EDGE objectives; and
  • Compliance.

4.2 Risk Acceptance

For each of the risks identified, sufficient analysis is undertaken to present a risk management grid as set out in Figure 2. Council sets the policy on the classification of combinations of loss and probability (i.e. what is 'extreme', 'high', 'moderate' or 'low').

Figure 2 - Risk Management Matrix

Likelihood       | Consequences
                 | Insignificant | Minor | Moderate | Major | Catastrophic
-----------------|---------------|-------|----------|-------|-------------
Almost Certain   | M             | H     | H        | E     | E
Likely           | M             | H     | H        | H     | E
Moderate         | L             | M     | M        | H     | H
Unlikely         | L             | M     | M        | M     | H
Rare             | L             | L     | L        | M     | M

Legend:

  E  Extreme risk: must be managed by senior management with a detailed plan
  H  High risk: senior management attention is required and management responsibility specified
  M  Moderate risk: manage by specific monitoring or response procedures
  L  Low risk: manage by routine procedures

4.3 Program of Implementation

Risks identified for active mitigation are allocated a mitigation implementation plan, with a management representative nominated to take active responsibility for the mitigation. The plan includes reporting responsibilities for all relevant related events. A detailed consolidated report will be made to the Audit Committee and presented in summary to Council.


4.4 Information Collection

Management executes a process that identifies the risk environment of the University. This process will include a review of the potential risks by Council through the Audit Committee. The process is reviewed on at least an annual basis to identify emerging risks that result from either a change of operations, change of operating environment or change of information. It is important that this process explicitly recognises the need for fresh review of risks so as to avoid the possibility of familiarity with the previous review(s) clouding the judgement of those involved.

4.5 Incident Analysis

Any serious incident, or frequent minor incidents where a systemic issue may be involved, is reviewed in a debrief process by the Audit Committee. This process includes a causal analysis and a review of the risk management structure related to the incident. The resulting report to Council will include recommendations for changes to the risk management structure that emerge from incidents which indicate a systematic failure.

4.6 Compliance

Compliance with the implementation and management of risk mitigation policies is audited and reported to Council through the Audit Committee.

4.7 Effectiveness

Periodic independent review of the effectiveness of the University’s risk management approach will be commissioned by the Audit Committee and reported to Council.

5. Responsibilities

The University uses a multilevel approach to managing risk. Overall management responsibilities for risk management are specified in Attachment 2.
There are three levels of risk management activity within management. At each level the following questions are addressed:

  • what are the relevant goals and objectives?
  • what are the key risks to achieving these objectives?
  • what are the characteristics of these risks (likelihood and impact)?
  • how can the risks be mitigated and who is responsible for implementing actions?
  • who needs to be informed?
  • how will risks be monitored and reviewed?

5.1 Corporate

The VCE (through the Planning and Resources Committee):

  • undertakes regular assessments of risk focusing on corporate-wide risks (including strategic risk and reputational risk);
  • monitors and reviews consolidated risk assessments (risk management reports) from the other two levels;
  • produces a corporate level risk management report; and
  • reports on risk management to the Audit Committee and Council.

5.2 Faculty/Division/Institute

Each unit:

  • undertakes regular risk assessment focusing on strategic, financial, operational, compliance and reputational risks; and
  • produces a regular unit level risk management report.

5.3 Project level

Before significant new projects proceed (e.g. business ventures, IT projects, building projects, major research projects, CRCs), a business case must be established (according to a specified methodology) and approved. A key feature of each business case is the completion of a risk analysis. Project implementation is based on a standard project management methodology which includes risk management.

6. Policy Provisions

6.1 Corporate governance and risk management

Risk management is an integral component of corporate governance and builds on transparent and accountable processes consistent with sound business practice. Risk management is applied to the development and implementation of policy, procedures, plans and future directions of UTas.

6.2 Executive and management commitment

The Chancellor and Council, the Vice-Chancellor and the VCE, Deans, Heads of School, Heads of Section and management at all levels are committed to the pro-active management of risk in a systematic way in order to enhance the operation of the University. The risk management process makes a significant contribution towards establishing priorities in the allocation of resources.

Managers at all levels are accountable for risk management.

6.3 Culture of risk management

All staff are committed to ensuring that their behaviours relating to their individual performance encompass informed decisions to do or not do things based on a reasonable analysis of foreseeable risks, opportunities and their associated impacts on the implementation of University strategies and the attainment of goals.

6.4 Review and monitoring risks

Formal mechanisms for review and monitoring are in place to measure and benchmark the effectiveness of risk management throughout the University at all governance and management levels.

6.5 Reporting

Risk management information systems are in place to communicate and report on risks that have been identified and the status of actions implemented to mitigate risks.

6.6 Risk tolerance

The risk tolerance of the University is ultimately determined by Council.

6.7 Opportunity

Risk management also involves the University identifying and taking advantage of opportunities in a way that ensures that any risks are managed on the basis of informed decision-making and on a realistic analysis of possible outcomes.

7 Supporting/Related Documents

7.1 Council Principle

This establishes the University's approach to risk management and assigns responsibilities between Council, the Audit Committee and management.

7.3 Risk Management Toolkit

This provides:

  • practical guidance on how to undertake risk management tasks; and
  • reporting templates.

8 Review of Policy

This policy will be reviewed by July 2008.

9 Supporting/Related Documents

The Risk Management Toolkit is available at:

http://www.utas.edu.au/universitycouncil/policyframework/risk_toolkit.pdf

RESPONSIBILITIES

Implementation: Director, Risk Management
Compliance: Director, Risk Management
Monitoring and Evaluation: University Council
Development and/or Review: Director, Risk Management, Audit Committee
Interpretation and Advice: Director, Risk Management

WHO NEEDS TO KNOW THIS POLICY?

All members of the University Community, including staff, students and Council members

POLICY HISTORY

Policy No.: 3
Approved / Rescinded: Approved
Date: 8 July 2005
Vice-Chancellor: Professor Rudi Lidl (Acting Vice-Chancellor)

[1] Adapted from McKinnon, K., Walker, S. H. and Davis, D. (2000), Benchmarking: A Manual for Australian Universities, Canberra: DETYA (available at: http://www.detya.gov.au/highered/otherpub.htm)


Attachment 1: UTAS Major Risk Areas

(Entries are listed by risk group, then risk type code, risk area and examples.)

Duty of Care

  A1  Students: Duty of care owed by the University to all students in respect of their personal safety and learning activities both on and off campus.
  A2  Staff: Duty of care owed by the University to all employees, including protecting them from adverse actions by third parties.
  A3  Visitors: Duty of care owed by the University to all persons on and in the reasonable vicinity of the University, including visitors, contractors and volunteers.

University Goals

  B1  EDGE Goals: The risk of not achieving the University's reputation, people and position goals as described in the UTAS Plan 2005-2007.

Managing Resources

  C1  Human: Risks associated with managing human resources, including single-person dependency for critical functions, ageing workforce, lack of succession plans, loss of corporate expertise, failure to attract high calibre staff, failure to develop and retain high quality staff.
  C2  Information: Risks associated with the provision of information, including failure of major IT systems, lack or failure of back-up systems, loss of access to information due to upgrade of technologies and ageing equipment and IT infrastructure.
  C3  Financial: Risks associated with the provision of financial services and program funding, including insufficient funds to meet Government objectives, misappropriation of funds, lack of understanding of financial transactions and purchasing requirements, change in Government funding policy, inability to meet targets, failure of faculties and departments to exercise budgetary control.
  C4  Property, Assets & Facilities: Risks associated with managing property and assets, including ageing infrastructure and costs of upkeep or redundant facilities, destruction of library and archival material by fire or flood, not maintaining and protecting records, lack of or inadequate security systems on UTAS facilities.
  C5  External legal: Risks of failure to manage the relationship with external solicitors, in particular delays and costs.

Managing Relationships

  D1  Government: Risks associated with managing communication with all levels of Government, including failure to recognise politically sensitive issues and ineffective handling of the media.
  D2  Community: Risks associated with UTAS' involvement in the community, including failing to respond to the community's concerns about noise pollution from student residences and student activities (including sport and social activities), and loss of community support.
  D3  Key Stakeholders: Risks such as non-recognition of stakeholders, non-compliance with statutory requirements imposed by government authorities, failure to fulfil Commonwealth funding prerequisites.
  D4  Internal: Risks associated with internal management processes, including insufficient and inappropriate communication strategies within and between the campuses and lack of consistency of processes throughout the University.

Compliance

  F1  OH&S: Failure to comply with statutory regime.
  F2  Records: Failure to comply with statutory archiving legislation; failure to adequately save, record and store University records.
  F3  Anti-discrimination: Failure to comply with statutory regime.
  F4  Certified Agreement: Failure to comply with terms of Certified Agreement.
  F5  Taxation (including GST): Failure to comply with statutory regime.
  F6  Workers compensation: Failure to comply with statutory regime.
  F7  Environmental laws: Failure to comply with statutory regime.
  F8  Planning laws: Failure to comply with statutory regime.


Attachment 2: Roles and responsibilities

(For each element, the responsibilities of Management, the Audit Committee and Council are listed in turn.)

1. Risk policy

Management:
  •  interact with the Audit Committee on policy development

Audit Committee:
  •  develop policy proposal

Council:
  •  approve policy (including the classification of combinations of loss and probability, i.e. what is 'critical', 'significant', 'moderate' or 'low')

2. Risk identification

Management:
  •  identify risks within agreed context
  •  analyse
  •  assess and prioritise
  •  identify risk treatment
  •  regularly review

Audit Committee:
  •  propose context
  •  assess risks identified, priorities allocated and treatments proposed
  •  identify gaps
  •  regularly review and report to Council

Council:
  •  establish the context of risk analysis
  •  approve (endorse) a management proposal for the treatment of risk
  •  receive and review regular reports

3. Incidents in identified risk areas

Management:
  •  monitor
  •  record and report
  •  manage and respond
  •  review and evaluate
  •  propose any consequential policy changes
  •  propose what/when/how reporting to Council occurs (depending on risk matrix)

Audit Committee:
  •  receive reports
  •  review evaluations (confirm or challenge conclusions and responses)
  •  consolidate reporting to Council

Council:
  •  confirm the approach recommended by the Audit Committee
  •  receive consolidated reports and critical incident reports
  •  assess responses and determine any required policy changes
  •  inform stakeholders as appropriate

4. Changes in the consequences or probabilities of identified risks

Possible triggers include:
  •  defined business incidents
  •  changes in the external environment
  •  changes or renewals of major contracts
  •  incidents in similar facilities elsewhere
  •  changes in personnel, financial arrangements, statutory arrangements, demand patterns
  •  changed operational requirements (which need to be evaluated with regard to original design assumptions)

Management:
  •  regularly monitor changes
  •  review and evaluate
  •  recommend changes to risks and/or probabilities and treatments
  •  propose any consequential policy changes
  •  report to the Audit Committee

Audit Committee:
  •  receive regular reports
  •  review evaluations (confirm or challenge conclusions and responses)
  •  assess any proposed policy changes
  •  consolidate reporting to Council

Council:
  •  receive regular reports
  •  assess responses
  •  approve any required policy changes
  •  inform stakeholders as appropriate

5. Changes in mitigating strategies for identified risks (e.g. due to a change in something relied on for mitigation)

Management:
  •  regularly monitor changes
  •  review and evaluate
  •  recommend changes to treatments
  •  propose any consequential policy changes
  •  report to the Audit Committee

Audit Committee:
  •  receive regular reports
  •  review evaluations (confirm or challenge conclusions and responses)
  •  assess any proposed policy changes
  •  consolidate Council reporting
  •  redirect issues to another Committee if appropriate

Council:
  •  receive regular reports
  •  assess responses
  •  approve any required policy changes
  •  inform stakeholders as appropriate

6. Audit

Management:
  •  co-operate with auditors

Audit Committee:
  •  commission periodic independent audits of the risk management process (with appropriate involvement of the Audit Committee)
  •  evaluate audits and report to Council

Council:
  •  receive review reports
  •  assess responses and determine any required policy changes

7. Effectiveness Review

Management:
  •  participate in reviews

Audit Committee:
  •  commission independent reviews of the effectiveness of the risk management process on a periodic basis
  •  evaluate reviews and report to Council

Council:
  •  receive review reports
  •  assess responses and determine any required policy changes


Attachment 3: Definitions and Acronyms

Risk management

The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects in order to improve UTas' achievement of its goals.

Risk management process

The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks to the achievement of University goals

Risk tolerance

The level of risk UTas is prepared to accept without insisting on action to reduce the likelihood of the event occurring or its likely impact

Risk management context

Defining the relationship between the University and its environment, identifying UTas' strengths, weaknesses, opportunities and threats. The context includes the financial, operational, competitive, political (public perceptions/image), social, client, cultural and legal aspects of UTas. It is similar to the first step in a soundly based strategic planning process

Corporate governance

The way in which UTas is directed and controlled in order to achieve its strategic goals and operational objectives. The control environment makes the university reliable in achieving its goals and objectives within an acceptable degree of risk. Corporate governance ensures a high standard of accountability at all levels of the organisation and as such enables the University's accountable officer, the Vice-Chancellor, to exercise accountability in law. Corporate governance is the glue that holds the organisation together in pursuit of its objectives, while risk management provides the resilience

The concept of public sector governance places an additional emphasis on delivering outcomes and cost-effective outputs through implementing programs and reforms in accordance with enabling legislation

Risk management framework

The structure within UTas that supports the risk management practice, reporting, responsibilities and accountabilities at all organisational management levels. The risk management framework is a description of streams of accountability and reporting that will support the risk management process within existing organisational structures

Streams of accountability

The major areas within UTas that are accountable for and report on an area of service or service support. This enables the risk management process to be applied within the current organisational structures.


Last Modified: 08-Jul-2005