Risk Management Procedure - Australian Catholic University

Name of Procedure

Risk Management Procedure

Description of Procedure

ACU’s Risk Management Procedure details the process for the identification, analysis, treatment, monitoring and reporting of risks.

Procedure applies to

☒ University-wide ☐ Specific
☒ Staff Only ☐ Students Only ☐ Staff and Students

Procedure Status

☐ New Procedure ☒ Revision of Existing Procedure

Approval Authority

Governing Authority

Planning, Quality and Risk Committee

Responsible Officer

Director, Planning and Strategic Management

Approval Date

8 December 2014

Effective Date

8 December 2014

Date of Last Revision

19 July 2012

Date of Procedure Review*

November 2019

* Unless otherwise indicated, this procedure will still apply beyond the review date.

Related Legislation, Policies, Procedures, Guidelines and Local Protocols

• Delegations of Authority Policy and Register
• Quality Management Policy
• Risk Management Policy
• Risk Register Template

1. Governing Policy

1.1 The Risk Management Procedure is governed by Australian Catholic University’s (ACU) Risk Management Policy, which outlines the University’s commitment to risk management.

2. Scope

2.1 Risk management is incorporated into all areas of the University’s operations and is the responsibility of all staff. Whilst specific staff may have explicit risk management responsibilities, it is the responsibility of all staff to be proactive in the University's risk management.

2.2 The Risk Management Procedure details the process for the identification, analysis, treatment, monitoring and reporting of risks. This includes project-based risk as well as the development of the Organisational Unit Risk Register and its relationship with the University Risk Register.

2.3 Critical incident management and work, health and safety risks are covered by specific University policies and procedures¹.

3. Overview

3.1 The University’s Risk Management Policy and Risk Management Procedure are aligned with the Australian and New Zealand Standard AS/NZS ISO 31000:2009 (Risk Management—Principles and Guidelines).

3.2 Risks will be identified, analysed, treated, monitored and reported on an ongoing basis at nominated levels within the University in accordance with organisational responsibilities.

4. Risk Management Model

4.1 The Risk Management Model² integrates the Risk Management Principles and Risk Management Process. The Risk Management Process consists of the following steps:
• Identify;
• Analyse;
• Treat;
• Monitor; and
• Report.

4.2 As part of the Risk Management Process, staff are required to use the University’s Risk Register Template.

¹ Please refer to the Human Resources Policy section on the University’s website for more information: http://www.acu.edu.au/policy/136651.
² Please refer to the University’s Risk Management Policy for more information in relation to the Risk Management Model.

4.3 Identify

Identify the risk events that may prevent or delay the achievement of the University’s strategic goals and objectives. Staff will need to outline the:
• Risk Event – brief description of the risk; and
• Risk Owner – person who is responsible for the risk and ensures that the risk is effectively managed.

The Risk Owner will usually be a Member of the Executive³ for an Organisational Unit Risk Register and a Member of the Senior Executive⁴ for the University Risk Register. When identifying risks, staff are encouraged to focus on the high-level risks that impact upon the Organisational Unit and/or the University.

4.4 Analyse

Outline the causes, impacts and existing treatments in order to assess the consequence and likelihood of the risk and determine the risk rating. Staff will need to outline the:
• Causes – origin of the risk and/or mechanisms that fail;
• Impacts – consequences or outcomes that the Organisational Unit and/or University can expect if the risk eventuates;
• Existing Treatments – existing treatments that are in place, which may include procedural or administrative policies or physical barriers;
• Likelihood Rating – chance that the risk will occur;
• Consequence Rating – extent to which the risk will affect the Organisational Unit and/or the University if it occurs; and
• Risk Rating – product of the consequence rating and likelihood rating, which defines the magnitude of the risk.

With the existing treatments in place, staff will use Table 1 (below) to determine the risk rating. Staff will need to consider the likelihood of the risk occurring (ranging from ‘Rare’ to ‘Almost Certain’) and the consequence if the risk is realised (ranging from ‘Insignificant’ to ‘Catastrophic’).

³ As defined in the University’s Delegations of Authority Policy and Register (www.acu.edu.au/policy/675829).
⁴ A Member of the Senior Executive refers to the Vice-Chancellor, Provost, Chief Operating Officer or Deputy Vice-Chancellors.

Table 1 – Risk Rating Table

Rows give the Consequence Rating, columns give the Likelihood Rating. Each cell shows the risk rating band (Low, Moderate or High) and the product of the consequence and likelihood ratings.

Consequence Rating  | Almost Certain (3) | Likely (1)   | Moderate (0.3) | Unlikely (0.1) | Rare (0.03)
Insignificant (1)   | Moderate 3         | Moderate 1   | Low 0.3        | Low 0.1        | Low 0.03
Minor (3)           | Moderate 9         | Moderate 3   | Moderate 0.9   | Low 0.3        | Low 0.09
Moderate (10)       | High 30            | Moderate 10  | Moderate 3     | Moderate 1     | Low 0.3
Major (30)          | High 90            | High 30      | Moderate 9     | Moderate 3     | Moderate 0.9
Catastrophic (100)  | High 300           | High 100     | High 30        | Moderate 10    | Moderate 3

4.5 Treat

Implement both existing and future treatments in order to prevent and/or mitigate the risk. Staff will need to outline the:
• Future Treatments – specific treatments that will further prevent and/or mitigate the risk event;
• Action Owner – person responsible for implementing the future treatments; and
• Resolution/Review Date – the date the treatments will be resolved or reviewed.

Staff should outline all the future treatments that will be implemented, either in the short-term or long-term, to prevent and/or mitigate the risk event. The risk treatments should be proportionate to and indicative of the risk rating. The Action Owner, in consultation with the Risk Owner, is responsible for ensuring that the risk treatments are implemented in accordance with the resolution/review date. Following the continuation of existing treatments and implementation of future treatments, the risk should be reduced or minimised. Once a future treatment has been implemented, it will become part of usual business practice and be considered an existing treatment.

4.6 Monitor

Continually monitor and evaluate the risks and treatments in order to maintain the effectiveness and appropriateness of the University's Risk Management. The Risk Owner, in consultation with the respective Responsible Officer, will need to review the:
• Risk event, causes and impacts;
• Risk rating to ensure it is appropriate; and
• Existing and future treatments (including the resolution/review dates) in order to determine whether further treatments are required.

4.7 Report

Provide reports and updates in order to assure the University and key stakeholders that risks are being appropriately managed and treated. The frequency and method of reporting may vary and should reflect the significance of the risk and whether the risk is on an Organisational Unit Risk Register and/or the University Risk Register. For example, updates on an Organisational Unit Risk Register may be incorporated into existing reporting processes with a nominated supervisor, Member of the Executive or Senior Executive (as appropriate).

4.7.1 Summary Report

Aligned with Organisational Unit Planning, an annual update of Organisational Unit Risk Registers will need to be submitted to the Office of Planning and Strategic Management in the first quarter of each year. The Office of Planning and Strategic Management will compile a summary report once the Organisational Unit Risk Registers have been submitted. The summary report will provide a high-level analysis of the risks and identify potential areas of concern for an Organisational Unit and/or University.

The Planning, Quality and Risk Committee will be responsible for determining whether any of the risks identified by Organisational Units pose a significant risk to the University and should be included on the University Risk Register. The Planning, Quality and Risk Committee will regularly review the University Risk Register and provide updates to the Vice-Chancellor and Audit and Risk Committee as appropriate.

5. Roles and Responsibilities

5.1 The Audit and Risk Committee (a sub-Committee of Senate) is responsible for reviewing the risk management practices of the University. This includes overseeing the University Risk Register and ensuring significant risks to the University are reported to the Senate.

5.2 The Planning, Quality and Risk Committee is responsible for:
• Overseeing the risk management process, in particular, the development of the Organisational Unit Risk Registers;
• Monitoring, reviewing and updating the University Risk Register;
• Endorsing the University Risk Register prior to its submission to the Audit and Risk Committee; and
• Providing updates to the Vice-Chancellor and Audit and Risk Committee as appropriate.

5.3 The Members of the Senior Executive and Members of the Executive⁵ are responsible for risk management within their Portfolio or Organisational Unit. This includes overseeing the development, monitoring and reviewing of risk registers.

⁵ As defined in the University’s Delegations of Authority Policy and Register.

5.4 The Organisational Units are responsible for the risks recorded on their respective Risk Register. The Organisational Units are required to continually monitor and review their respective Risk Register, and provide an annual update in line with the Organisational Unit planning.

5.5 The Office of Planning and Strategic Management is responsible for assisting with the development, monitoring and review of the Organisational Unit and University Risk Registers, which may include assisting staff with the risk management process.

6. Glossary of Terms

Action Owner – The person that is responsible for implementing the future treatments.

Causes – The origin of the risk and/or the mechanisms that fail.

Consequence Rating – The extent to which the risk will affect the Organisational Unit and/or the University if it occurs.

Existing Treatments – The existing treatments that are in place, which may include procedural or administrative policies or physical barriers.

Future Treatments – Specific treatments that will further prevent and/or mitigate the risk event.

Impacts – The consequences or outcomes that the Organisational Unit and/or University can expect if the risk eventuates.

Likelihood Rating – The chance that the risk will occur.

Resolution/Review Date – The date the treatments will be resolved or reviewed.

Risk Event – A brief description of the risk that impacts on the achievement of the University’s objectives.

Risk Owner – The person who takes responsibility for the risk and ensures that the risk is effectively managed.

Risk Rating – The product of the consequence rating and likelihood rating, which defines the magnitude of the risk.

Risk Register – Summarises all the assessed risks within the Organisational Unit and/or the University.

7. Review of this Procedure

This procedure will be reviewed every five years.

Date/s                        | Amendments
19 July 2012                  | Procedure approved by the Planning, Quality and Risk Committee.
2012 – 2, 15 and 27 November  | Minor amendments (including role titles).
2013 – 4 July                 | Major amendments.
2014 – 6 November             | The Policy content remains aligned with AS/NZS ISO 31000:2009, although it has been further refined and applied to the University context.

