ACU’s Risk Management Procedure details the process for the identification, analysis, treatment, monitoring and reporting of risks.
- Governing Policy
- Risk Management Model
- Roles and Responsibilities
- Glossary of Terms
- Review of this Procedure
1. Governing Policy
1.1 The Risk Management Procedure is governed by Australian Catholic University’s (ACU) Risk Management Policy, which outlines the University’s commitment to risk management.
2.1 Risk management is incorporated into all areas of the University’s operations and is the responsibility of all staff. Whilst specific staff may have explicit risk management responsibilities, it is the responsibility of all staff to be proactive in the University's risk management.
2.2 The Risk Management Procedure details the process for the identification, analysis, treatment, monitoring and reporting of risks. This includes project based risk as well as the development of the Organisational Unit Risk Register and its relationship with the University Risk Register.
2.3 Critical incident management and work, health and safety risks are covered by specific University policies and procedures¹.
¹ Please refer to the Human Resources Policy section on the University’s website for more information.
3.1 The University’s Risk Management Policy and Risk Management Procedure are aligned with the Australian and New Zealand Standard AS/NZS ISO 31000:2009 (Risk Management—Principles and Guidelines).
3.2 Risks will be identified, analysed, treated, monitored and reported on an ongoing basis at nominated levels within the University in accordance with organisational responsibilities.
4. Risk Management Model
4.1 The Risk Management Model² integrates the Risk Management Principles and Risk Management Process. The Risk Management Process consists of the following steps:
- Identify;
- Analyse;
- Treat;
- Monitor; and
- Report.
4.2 As part of the Risk Management Process, staff are required to use the University’s Risk Register Template.
² Please refer to the University’s Risk Management Policy for more information in relation to the Risk Management Model.
4.3 Identify
Identify the risk events that may prevent or delay the achievement of the University’s strategic goals and objectives. Staff will need to outline the:
- Risk Event – brief description of the risk; and
- Risk Owner – person who is responsible for the risk and ensures that the risk is effectively managed.
When identifying risks, staff are encouraged to focus on the high-level risks that impact upon the Organisational Unit and/or the University.
³ As defined in the University’s Delegations of Authority Policy and Register.
⁴ A Member of the Senior Executive refers to the Vice-Chancellor, Provost, Chief Operating Officer or Deputy Vice-Chancellors.
4.4 Analyse
Outline the causes, impacts and existing treatments in order to assess the consequence and likelihood of the risk and determine the risk rating. Staff will need to outline the:
- Causes – origin of the risk and/or mechanisms that fail;
- Impacts – consequences or outcomes that the Organisational Unit and/or University can expect if the risk eventuates;
- Existing Treatments – existing treatments that are in place, which may include procedural or administrative policies or physical barriers;
- Likelihood Rating – chance that the risk will occur;
- Consequence Rating – extent to which the risk will affect the Organisational Unit and/or the University if it occurs; and
- Risk Rating – product of the consequence rating and likelihood rating, which defines the magnitude of the risk.
With the existing treatments in place, staff will use Table 1 (below) to determine the risk rating. Staff will need to consider the likelihood of the risk occurring (ranging from ‘Rare’ to ‘Almost Certain’) and the consequence if the risk is realised (ranging from ‘Insignificant’ to ‘Catastrophic’).
Table 1 – Risk Rating Table (rows: Likelihood Rating; columns: Consequence Rating; cell value = likelihood × consequence)

| Likelihood Rating \ Consequence Rating | Insignificant (1) | Minor (3) | Moderate (10) | Major (30) | Catastrophic (100) |
|---|---|---|---|---|---|
| Almost Certain (3) | Moderate 3 | Moderate 9 | High 30 | High 90 | High 300 |
| Likely (1) | Moderate 1 | Moderate 3 | Moderate 10 | High 30 | High 100 |
| Moderate (0.3) | Low 0.3 | Moderate 0.9 | Moderate 3 | Moderate 9 | High 30 |
| Unlikely (0.1) | Low 0.1 | Low 0.3 | Moderate 1 | Moderate 3 | Moderate 10 |
| Rare (0.03) | Low 0.03 | Low 0.09 | Low 0.3 | Moderate 0.9 | Moderate 3 |
4.5 Treat
Implement both existing and future treatments in order to prevent and/or mitigate the risk. Staff will need to outline the:
- Future Treatments – specific treatments that will further prevent and/or mitigate the risk event;
- Action Owner – person responsible for implementing the future treatments; and
- Resolution/Review Date – the date the treatments will be resolved or reviewed.
Staff should outline all the future treatments that will be implemented, either in the short-term or long-term, to prevent and/or mitigate the risk event. The risk treatments should be proportionate to and indicative of the risk rating.
The Action Owner, in consultation with the Risk Owner, is responsible for ensuring that the risk treatments are implemented in accordance with the resolution/review date. Following the continuation of existing treatments and implementation of future treatments, the risk should be reduced or minimised.
Once a future treatment has been implemented, it will become part of usual business practice and be considered an existing treatment.
4.6 Monitor
Continually monitor and evaluate the risks and treatments in order to maintain the effectiveness and appropriateness of the University's Risk Management.
The Risk Owner, in consultation with the respective Responsible Officer, will need to review the:
- Risk event, causes and impacts;
- Risk rating to ensure it is appropriate; and
- Existing and future treatments (including the resolution/review dates) in order to determine whether further treatments are required.
4.7 Report
Provide reports and updates in order to assure the University and key stakeholders that risks are being appropriately managed and treated.
The frequency and method of reporting may vary and should reflect the significance of the risk and whether the risk is on an Organisational Unit Risk Register and/or the University Risk Register. For example, updates on an Organisational Unit Risk Register may be incorporated into existing reporting processes with a nominated supervisor, Member of the Executive or Senior Executive (as appropriate).
4.7.1 Summary Report
Aligned with Organisational Unit Planning, an annual update of Organisational Unit Risk Registers will need to be submitted to the Office of Planning and Strategic Management in the first quarter of each year.
The Office of Planning and Strategic Management will compile a summary report once the Organisational Unit Risk Registers have been submitted. The summary report will provide a high-level analysis of the risks and identify potential areas of concern for an Organisational Unit and/or University.
The Planning, Quality and Risk Committee will be responsible for determining whether any of the risks identified by Organisational Units pose a significant risk to the University and should be included on the University Risk Register.
The Planning, Quality and Risk Committee will regularly review the University Risk Register and provide updates to the Vice-Chancellor and Audit and Risk Committee as appropriate.
5. Roles and Responsibilities
5.1 The Audit and Risk Committee (a sub-Committee of Senate) is responsible for reviewing the risk management practices of the University. This includes overseeing the University Risk Register and ensuring significant risks to the University are reported to the Senate.
5.2 The Planning, Quality and Risk Committee is responsible for:
- Overseeing the risk management process, in particular, the development of the Organisational Unit Risk Registers;
- Monitoring, reviewing and updating the University Risk Register;
- Endorsing the University Risk Register prior to its submission to the Audit and Risk Committee; and
- Providing updates to the Vice-Chancellor and Audit and Risk Committee as appropriate.
5.3 The Members of the Senior Executive and Members of the Executive⁵ are responsible for risk management within their Portfolio or Organisational Unit. This includes overseeing the development, monitoring and reviewing of risk registers.
5.4 The Organisational Units are responsible for the risks recorded on their respective Risk Register. The Organisational Units are required to continually monitor and review their respective Risk Register, and provide an annual update in line with the Organisational Unit planning.
5.5 The Office of Planning and Strategic Management is responsible for assisting with the development, monitoring and review of the Organisational Unit and University Risk Registers, which may include assisting staff with the risk management process.
⁵ As defined in the University’s Delegations of Authority Policy and Register.
6. Glossary of Terms
| Term | Definition |
|---|---|
| Action Owner | The person that is responsible for implementing the future treatments. |
| Causes | The origin of the risk and/or the mechanisms that fail. |
| Consequence Rating | The extent to which the risk will affect the Organisational Unit and/or the University if it occurs. |
| Existing Treatments | The existing treatments that are in place, which may include procedural or administrative policies or physical barriers. |
| Future Treatments | Specific treatments that will further prevent and/or mitigate the risk event. |
| Impacts | The consequences or outcomes that the Organisational Unit and/or University can expect if the risk eventuates. |
| Likelihood Rating | The chance that the risk will occur. |
| Resolution/Review Date | The date the treatments will be resolved or reviewed. |
| Risk Event | A brief description of the risk that impacts on the achievement of the University’s objectives. |
| Risk Owner | The person who takes responsibility for the risk and ensures that the risk is effectively managed. |
| Risk Rating | The product of the consequence rating and likelihood rating, which defines the magnitude of the risk. |
| Risk Register | Summarises all the assessed risks within the Organisational Unit and/or the University. |
7. Review of this Procedure
This procedure will be reviewed every five years.
| Date | Change |
|---|---|
| 19 July 2012 | Procedure approved by the Planning, Quality and Risk Committee. |
| 2012 – 2, 15 and 27 November | Minor amendments (including role titles). |
| 2013 – 4 July | Major amendments. |
| 2014 – 6 November | The Policy content remains aligned with AS/NZS ISO 31000:2009 although it has been further refined and applied to the University context. |
| Field | Value |
|---|---|
| Policy applies to | |
| Governing Authority | Planning, Quality and Risk Committee |
| Responsible Officer | Director, Office of Planning and Strategic Management |
| Date of Last Revision | Not Applicable |
| Effective Date of Last Revision | 01/01/2018 |
| Date of Policy Review * | 19/11/2019 |
* Unless otherwise indicated, this policy will still apply beyond the review date.
Related Policies, Procedures, Guidelines and Local Protocols
- Delegations of Authority Policy and Register
- Quality Management Policy
- Risk Management Policy
- Risk Register Template
Page last updated: 2019-08-21
Short url: https://policies.acu.edu.au/798859