University Council
Risk Management

Governance Level Principle - No. GLP2

Relevant UTAS Ordinance and/or Rule Reference No.: Ordinances 3 (The Vice-Chancellor), 6 (Council Delegations) and 7 (Execution of Documents)

Relevant State/Federal Govt. Legislation: University of Tasmania Act 1992

Commencement Date: 19 November 2004

Review Date: 27 February 2009

1. Statement of Context

The University faces a variety of risks from external and internal sources that must be identified and managed. Risk management derives directly from the objectives of the organisation, and from an assessment of the financial, operational, systems and compliance risks that are involved in pursuit of those objectives. Some risks need to be eliminated, others insured and others managed internally [1].

2. Objectives

Managing risk and compliance are critical matters for Council attention for the following reasons:

• to achieve the goals and objectives of the University;
• to maintain a successful and sustainable University;
• to maintain a focus on priority matters that are important to the University, not just those that are currently urgent;
• to ensure statutory requirements are met;
• to analyse and better understand the organisational context and the implications and level of risk of operational and strategic decisions;
• to make respective roles and responsibilities clear;
• to take advantage of opportunities as they arise; and
• to discharge Council Members’ governance responsibilities.

3. Approach

3.1 Model

To manage risk and compliance Council will adopt a model of risk management similar to that in AS/NZS4360 as set out in Figure 1.

Figure 1 - Risk Management Model

This model requires Council input at three stages:

•  establishing the context of risk analysis;
•  providing a policy on the priority of risk management; and
•  approving a management proposal for the treatment of risk. This process should take into account the cost of mitigation of risks in relation to the consequences of loss.

Council, through the Audit Committee, monitors all aspects of the risk management process.

Six major risk areas are identified in Attachment 1:

  • Duty of care;
  • Service delivery;
  • Managing resources;
  • Managing relationships;
  • EDGE objectives; and
  • Compliance.

3.2 Risk Acceptance

For each of the risks identified, sufficient analysis should be undertaken to present a risk management grid as set out in Figure 2. Council sets the policy on the classification of combinations of loss and probability (i.e. what is ‘extreme’, ‘high’, ‘moderate’ or ‘low’).

Figure 2 - Risk Management Matrix

| Likelihood \ Consequences | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | M | H | H | E | E |
| Likely | M | H | H | H | E |
| Moderate | L | M | M | H | H |
| Unlikely | L | M | M | M | H |
| Rare | L | L | L | M | M |

Legend:

E = Extreme risk: must be managed by senior management with a detailed plan
H = High risk: senior management attention is required and management responsibility specified
M = Moderate risk: manage by specific monitoring or response procedures
L = Low risk: manage by routine procedures

3.3 Program of Implementation

Risks identified for active mitigation will be allocated a mitigation implementation plan, with a management representative nominated to take active responsibility for the mitigation. The plan will include reporting responsibilities for all relevant related events. A detailed consolidated report will be made to the Audit Committee and presented in summary to Council.


3.4 Information Collection

Management will execute a process that identifies the risk environment of the University. This process will include a review of the potential risks by Council through the Audit Committee. The process will be reviewed on at least an annual basis to identify emerging risks that result from either a change of operations, change of operating environment or change of information. It is important that this process explicitly recognises the need for fresh review of risks so as to avoid the possibility of familiarity with the previous review(s) clouding the judgement of those involved.

3.5 Incident Analysis

Any serious incidents, or frequent minor incidents where a systemic issue may be involved, shall be reviewed in a debrief process by the Audit Committee. This process will include a causal analysis, and a review of the risk management structure related to the incident. The resulting report to Council will include recommendations for changes to the risk management structure that emerge from incidents which indicate a systematic failure.

3.6 Compliance

Compliance with the implementation and management of risk mitigation policies will be audited and reported to Council through the Audit Committee.

3.7 Effectiveness

Periodic independent review of the effectiveness of the University’s risk management approach will be commissioned by the Audit Committee and reported to Council.

3.8 Council Role

Emerging from this risk management model and approach, Council has the following responsibilities:

1. Appoint the Audit Committee to undertake detailed risk management tasks on behalf of Council;
2. Establish the context of risk analysis;
3. Establish the priority of risk management;
4. Approve a management proposal for the treatment of specific risks;
5. Set a framework for risk acceptance; and
6. Review the process on a predetermined cycle.

4. Responsibilities

Responsibilities for risk management are specified in Attachment 2.


[1] Adapted from McKinnon, K., Walker, S. H. and Davis, D. (2000), Benchmarking: A Manual for Australian Universities, Canberra: DETYA (available at: http://www.detya.gov.au/highered/otherpub.htm)

Attachment 1: UTAS Major Risk Areas

| RISK GROUP | RISK AREA | RISK TYPE | EXAMPLES |
|---|---|---|---|
| Duty of Care | Students | A1 | Duty of care owed by the University to all students in respect of their personal safety and learning activities both on and off campus. |
| Duty of Care | Staff | A2 | Duty of care owed by the University to all employees, including protecting them from adverse actions by third parties. |
| Duty of Care | Visitors | A3 | Duty of care owed by the University to all persons on and in the reasonable vicinity of the University, including visitors, contractors and volunteers. |
| University Goals | EDGE Goals | B1 | The risk of not achieving the University's reputation, people and position goals as described in the UTAS Plan 2005-2007. |
| Managing Resources | Human | C1 | Risks associated with managing human resources, including single-person dependency for critical functions, ageing workforce, lack of succession plans, loss of corporate expertise, failure to attract high calibre staff, failure to develop and retain high quality staff. |
| Managing Resources | Information | C2 | Risks associated with the provision of information, including failure of major IT systems, lack or failure of back-up systems, loss of access to information due to upgrade of technologies and ageing equipment and IT infrastructure. |
| Managing Resources | Financial | C3 | Risks associated with the provision of financial services and program funding, including insufficient funds to meet Government objectives, misappropriation of funds, lack of understanding of financial transactions and purchasing requirements, change in Government funding policy, inability to meet targets, failure of faculties and departments to exercise budgetary control. |
| Managing Resources | Property, Assets & Facilities | C4 | Risks associated with managing property and assets, including ageing infrastructure and costs of upkeep or redundant facilities, destruction of library and archival material by fire or flood, not maintaining and protecting records, lack of or inadequate security systems on UTAS facilities. |
| Managing Resources | External legal | C5 | Risks of failure to manage relationship with external solicitors, in particular, delays and costs. |
| Managing Relationships | Government | D1 | Risks associated with managing communication with all levels of Government, including failure to recognise politically sensitive issues, ineffective handling of the media. |
| Managing Relationships | Community | D2 | Risks associated with UTAS's involvement in the community, including failing to respond to the community's concerns about noise pollution from student residences and student activities including sport and social activities, loss of community support. |
| Managing Relationships | Key Stakeholders | D3 | Risks such as non-recognition of stakeholders, non-compliance with statutory requirements imposed by government authorities, failure to fulfil Commonwealth funding prerequisites. |
| Managing Relationships | Internal | D4 | Risks associated with internal management processes, including insufficient and inappropriate communication strategies within and between the campuses and lack of consistency of processes throughout the University. |
| Compliance | OH&S | F1 | Failure to comply with statutory regime. |
| Compliance | Records | F2 | Failure to comply with statutory archiving legislation; failure to adequately save, record and store University records. |
| Compliance | Anti-discrimination | F3 | Failure to comply with statutory regime. |
| Compliance | Certified Agreement | F4 | Failure to comply with terms of Certified Agreement. |
| Compliance | Taxation (including GST) | F5 | Failure to comply with statutory regime. |
| Compliance | Workers compensation | F6 | Failure to comply with statutory regime. |
| Compliance | Environmental laws | F7 | Failure to comply with statutory regime. |
| Compliance | Planning laws | F8 | Failure to comply with statutory regime. |


Attachment 2: Roles and responsibilities

Element

Management

Audit Committee

Council

1. Risk policy

•  interact with the Audit Committee on policy development

•  develop policy proposal

•  approve policy (including the classification of combinations of loss and probability, i.e. what is ‘critical’, ‘significant’, ‘moderate’ or ‘low’).

2. Risk identification

•  identify risks within agreed context

•  analyse

•  assess and prioritise

•  identify risk treatment

•  regularly review

•  propose context

•  assess risks identified, priorities allocated and treatments proposed

•  identify gaps

•  regularly review and report to Council

•  establish the context of risk analysis

•  approve a management proposal for the treatment of risk endorse

•  receive and review regular reports

3. Incidents in identified risk areas

•  monitor

•  record and report

•  manage and respond

•  review and evaluate

•  propose any consequential policy changes

•  propose what/when/how reporting to Council occurs (depending on risk matrix)

•  receive reports

•  review evaluations (confirm or challenge conclusions and responses)

•  consolidate reporting to Council

•  confirm the approach recommended by the Audit Committee

•  receive consolidated reports and critical incident reports

•  assess responses and determine any required policy changes

•  inform stakeholders as appropriate

4. Changes in the consequences or probabilities of identified risks.

Possible triggers include:

•  defined business incidents

•  changes in the external environment

•  changes or renewals of major contracts

•  incidents in similar facilities elsewhere

•  changes in personnel, financial arrangements, statutory arrangements, demand patterns

•  changed operational requirements (which need to be evaluated with regard to original design assumptions)

•  regularly monitor changes

•  review and evaluate

•  recommend changes to risks and/or probabilities and treatments

•  propose any consequential policy changes

•  report to the Audit Committee

•  receive regular reports

•  review evaluations (confirm or challenge conclusions and responses)

•  assess any proposed policy changes

•  consolidate reporting to Council

•  receive regular reports

•  assess responses

•  approve any required policy changes

•  inform stakeholders as appropriate

5. Changes in mitigating strategies for identified risks (e.g. due to a change in something relied on for mitigation)

•  regularly monitor changes

•  review and evaluate

•  recommend changes to treatments

•  propose any consequential policy changes

•  report to the Audit Committee

•  receive regular reports

•  review evaluations (confirm or challenge conclusions and responses)

•  assess any proposed policy changes

•  consolidate Council reporting

•  redirect issues to another Committee if appropriate

•  receive regular reports

•  assess responses

•  approve any required policy changes

•  inform stakeholders as appropriate

6. Audit

•  co-operate with auditors

•  commission periodic independent audits of the risk management process (with appropriate involvement of the Audit Committee)

•  evaluate audits and report to Council

•  receive review reports

•  assess responses and determine any required policy changes

7. Effectiveness Review

•  participate in reviews

•  commission independent reviews of the effectiveness of the risk management process on a periodic basis

•  evaluate reviews and report to Council

•  receive review reports

•  assess responses and determine any required policy changes

Approved by Council on 19 November 2004


Last Modified: 28-Oct-2008