									UNIVERSITY OF NEWCASTLE RISK MANAGEMENT FRAMEWORK




THE UNIVERSITY OF NEWCASTLE
RISK MANAGEMENT FRAMEWORK






Contents

1. Preamble .......................................................... 3
2. Roles & Responsibilities .......................................... 4
3. University of Newcastle - Risk Management Policy .................. 8
4. The University of Newcastle’s Approach to Risk Management ......... 8
   1. Communicate and Consult ....................................... 9
   2. Establish a Context ........................................... 9
   3. Identify Risks ................................................ 9
   4. Analyse Risks ................................................ 10
   5. Evaluate Risks ............................................... 11
   6. Treat Risks .................................................. 12
   7. Monitor and Review Risks ..................................... 12
Appendix 1 The University of Newcastle Risk Framework Overview ...... 13
Appendix 2 The University of Newcastle Risk Management Policy ....... 14
Appendix 3 Tables for Risk Assessment Criteria; Consequence; Likelihood and Risk Management ... 21






      1. Preamble


The University of Newcastle Act establishes clear responsibilities on Council to oversee the assessment and
management of risk [1].

Without limiting the functions of the Council under subsection (1A), the Council is, in controlling and
managing the affairs and concerns of the University:

    Section 16 (1B) (e) “to oversee risk management and risk assessment across the University (including, if
    necessary, taking reasonable steps to obtain independent audit reports of entities in which the University
    has an interest but which it does not control or with which it has entered into a joint venture)”

The University’s five-year Strategic Plan (2007-2011) also clearly articulates the University’s commitment to
establishing an organizational philosophy and culture that ensures effective risk management is an integral
part of all university activities and a core management capability:

    “We will protect and further the University’s best interests by developing and implementing a comprehensive
    and robust risk management framework across all our campuses”.

The University of Newcastle Risk Management Framework comprises policy and procedural guidance to
assist staff with embedding the risk management process into strategic and operational activities.




[1] University of Newcastle Act 1989 No. Division 1 General, Section 16 (1B) (e)

   2. Roles & Responsibilities

Responsible Area / Officer: University Council

Role: The University Council (Council), as the governing body of the University of Newcastle, is ultimately
responsible for overseeing the overall risk profile of the University of Newcastle.

Responsibilities: The University of Newcastle Act establishes the following as functions of Council:
- “to oversee risk management and risk assessment across the University”
- “to approve and monitor systems of control and accountability for the University”

Responsible Area / Officer: Audit & Risk Management Committee

Role: The Council reviewed the Council standing committees on 1 July 2005 and established the Audit and Risk
Management Committee (A&RMC) as a standing sub-committee of the Council (Resolution C05:97).

Responsibilities: The Charter of the A&RMC establishes the following responsibilities on the A&RMC for risk
management:
- review whether management has in place a current and comprehensive risk management framework, and
  associated procedures for effective identification and management of the University’s strategic,
  operational and project-related risks, including fraud;
- review whether a sound and effective approach has been followed in developing strategic risk management
  plans for major projects or undertakings;
- review the impact of the University’s risk management framework on its control environment and insurance
  arrangements;
- review whether a sound and effective approach has been followed in establishing the University’s business
  continuity planning and management arrangements, including whether critical incident and disaster recovery
  plans have been tested periodically;
- review the University’s fraud control plan and satisfy itself the University has appropriate processes and
  systems in place to capture and effectively investigate fraud related information; and
- receive periodically (normally each Committee meeting) a report from the Director, Risk & Commercial
  Services on the operation and performance of risk management in the University.

Responsible Area / Officer: Executive Committee

Role: The Executive Committee (EC) was established on 1 January 2007 by the Vice-Chancellor as a standing
committee advisory to the Vice-Chancellor to provide advice on matters of strategic and operational
significance for the University.

Responsibilities: Whilst the Terms of Reference of the Executive Committee do not specifically mention the
area of risk management, the EC’s responsibilities include “providing advice to the Vice-Chancellor on
matters of strategic and operational significance for the University, particularly in relation to matters
arising from discussion of strategic themes linked to the strategic plan…”. The EC therefore has risk-related
responsibilities, including:
- defining the University’s appetite and tolerance for risk, including high-level operational risk exposure
  limits;
- defining the University’s strategic risks as part of its annual planning processes;
- actively engaging in monitoring and review of the University’s approach to managing and measuring strategic
  and operational risk;
- integrating the outputs of the risk management process into the University’s planning and budgeting
  processes such that risk is appropriately considered in the University’s strategic and operational decision
  making, budgeting and planning processes.

Responsible Area / Officer: Senior Executives and Senior Managers [2]

Role: The University’s Senior Executives and Management play a role in:
- championing the rollout of the Council-approved risk management framework into the University’s business
  operations;
- ensuring that staff within their areas understand their responsibilities with respect to operational risk
  management;
- assisting to develop a risk aware culture within their area of responsibility.

Responsibilities: The University’s senior management has responsibility for:
- maintaining a thorough understanding of the University’s risk management policy, approach, framework,
  processes and systems;
- ensuring that robust systems and processes exist (aligned with the University’s risk management framework)
  to facilitate identification and assessment of risk within their area of responsibility;
- developing appropriate operational risk-related controls, treatment plans and processes for the effective
  management of identified risks within their area of responsibility;
- ensuring that adequate systems of internal review, monitoring and compliance exist within their areas of
  responsibility;
- notifying the Director, Risk & Commercial Services of material changes or exceptions from established
  policies that will impact the operations of the operational risk management framework;
- articulating the drivers of their operational risk profile and demonstrating how they utilise the outputs
  of the risk measurement system to supplement their day-to-day decision making and activities;
- assisting in the risk review process.

Responsible Area / Officer: Line Managers / Supervisors

Role: Line Managers & Supervisors play a role in:
- ensuring that staff within their areas understand their responsibilities with respect to operational risk
  management;
- assisting to develop a risk aware culture within their area of responsibility.

Responsibilities: The University’s line managers, supervisors and middle management have a responsibility to:
- maintain an understanding of the University’s risk management policy, approach, framework, processes and
  systems;
- ensure operational risks assigned to them are being identified, assessed, reviewed and appropriately and
  effectively managed on an ongoing basis.

Responsible Area / Officer: Project Office, Project Managers & Related Committees [3]

Role: The Services Project Office and the University’s Committees play a role in:
- overseeing and monitoring risks and issues in projects and/or their areas of reference;
- ensuring that direction is provided to project steering committees / responsible officers to assist in the
  management of risk.

Responsibilities: The Services Project Office:
- coordinates the monthly review and reporting of risks in the University’s various projects.
The University’s Committees:
- oversee the risks relevant to their areas of reference;
- assist in the risk review process.

Responsible Area / Officer: Risk Management Unit

Role: The Risk Management Unit’s (RMU) role is to coordinate and facilitate the University’s enterprise risk
management framework. The RMU needs to work closely with staff from within the University’s major
departments, yet maintain independence and impartiality at all times.

Responsibilities: The Risk Management Unit has responsibility for:
- the design, implementation and ongoing development of the University’s risk management framework and
  related assessment tools, processes and systems;
- ensuring that clear, transparent documentation exists that explains the University’s approach to risk
  management and the rationale for that approach;
- assisting in the consistent implementation of the University’s risk management framework;
- ensuring a process exists for facilitating compliance with the University’s compliance obligations;
- maintaining a system of risk review, approvals and authorisations to ensure accountability is directed to
  an appropriate level of management;
- establishing policies and procedures concerning risk management;
- the design and implementation of the University’s operational risk measurement system;
- ensuring the University has in place appropriate risk reporting such that the Council, senior management
  and other stakeholders are able to respond appropriately to and effectively manage identified risks;
- raising the level of risk awareness across the University;
- assisting in the development of training programs and packages and providing support to areas when
  undertaking risk identification, assessment and management processes;
- undertaking periodic review of the University’s risk management policy and risk management implementation
  plan for reporting to A&RMC;
- ensuring a culture of continuous improvement in risk, audit and compliance.

Responsible Area / Officer: Internal Audit

Role: The internal audit function in the University is a management tool for continuous monitoring and
reporting on compliance with established policies and procedures. It provides systematic scrutiny of the
University’s operations, systems and performance and assists management to identify, assess and reduce risks.

Responsibilities: Internal audit has responsibility for:
- assessing the effectiveness and appropriateness of internal controls and risk mitigation strategies;
- reviewing the adequacy, effectiveness and independence of the University’s operational risk management
  function;
- providing a level of assurance to A&RMC and Council as to the adequacy of controls, compliance with policy,
  procedure and other regulations.

Responsible Area / Officer: External Audit

Role: External audit is an important source of expert advice and can be relied upon to provide an independent
perspective on management. External audit can also advise management and the A&RMC of the likely
implications of developments or changes in financial reporting and accounting standards and other elements
of the broader accountability framework.

Responsibilities: External audit has responsibility for:
- the annual audit of the University’s (and its Controlled Entities’) financial accounts;
- providing a level of assurance to A&RMC and Council in terms of the provision of an independent audit
  opinion on the University’s accounts;
- reporting to Parliament on the audit findings arising from the audit of the University and its Controlled
  Entities.

[2] Deputy Vice-Chancellors, Pro Vice-Chancellors, Directors, Associate Directors, Heads of School
[3] Related committees include IT Governance, Services Directors Committee, University Directors Group





    3. University of Newcastle - Risk Management Policy

The Risk Policy confirms the University’s commitment to adopting a strategic, consistent and structured
enterprise-wide approach to risk management in order to achieve an appropriate balance between realising
opportunities for gains and minimising losses. It should be read in conjunction with the Australian Standard
on Risk Management (AS/NZS 4360:2004), which provides the overall framework for risk management at the
University of Newcastle, and with the University of Newcastle Risk Framework.
See Appendix 2 for the Risk Management Policy.



    4. The University of Newcastle’s Approach to Risk Management

The Council has endorsed that the Australian / New Zealand Risk Management Standard, AS/NZS 4360:2004, be
the benchmark against which the effectiveness of the University’s approach to risk management should be
compared.

AS/NZS 4360:2004 defines risk management as:
    1. “the culture, processes and structures that are directed towards the effective management of
       potential opportunities and adverse effects”.
    2. “an iterative process consisting of well-defined steps which, taken in sequence, support better
       decision-making by contributing a greater insight into risks and their impacts”.

AS/NZS 4360:2004 recommends a seven-step process or framework for risk management, as depicted below:




Figure 1.1 AS/NZ 4360:2004 Risk Management Process [4]

[4] Risk Management Process - Overview, “Risk Management Guidelines Companion to AS/NZ 4360:2004”, Standards
Australia, p15.
1. Communicate and Consult

Effective communication, consultation and education in risk management is necessary to achieve a successful
integration of the risk processes into the business, and will be delivered through:
- Regular presentations and briefings
- Participation in Steering Committees
- Regular liaison with both internal and external stakeholders
- Risk Workshops
- Reporting
- Senior risk review process
- Implementing an organisation-wide training framework that allows all staff to participate and contribute
- Risk Management Training modules available to all staff on HR Online
- A comprehensive communications plan

2. Establish a Context

Understanding the strategic, organizational and risk management context against which the University’s risks
will be assessed requires an understanding of the University’s external relationships, and its internal and
organizational environment.

The University has defined its internal and external stakeholders and considered roles and responsibilities
as part of the implementation of the University’s integrated approach to risk management.

The University’s appetite for risk and the criteria against which risk will be assessed and evaluated have
been established in consideration of the context, and have resulted in the Consequence, Likelihood and Risk
Treatment tables listed in Appendix 2 and in the configuration of the University’s Enterprise Risk
Management System.

3. Identify Risks

The University has adopted a comprehensive process to identify the strategic, operational and project related
risks that form part of its overall risk profile. (See Appendix 3 for Risk Types and Sub Types to assist the
identification process.)

The University’s risk profile has been established through a process of:
- Staff/institution experience or lessons from the past;
- Results of audits or physical inspections;
- Records of prior losses (claims, financial or property losses, data/record losses, lost time
  incident/occupational health and safety reports);
- Gap analysis: the difference between existing practice and business plan objectives, policy, procedure
  etc.;
- Market and sector research;
- Specialist knowledge;
- Risk Identification workshops;
- Interviews with Senior Management and Executives.

4. Analyse Risks

Risk Analysis considers the range of potential consequences. Consequence and likelihood are combined to
produce a risk rating. The risk rating determines whether the risk warrants further management by the
University.

Risk management involves distinguishing bigger risks from smaller risks. This is achieved by defining risk
assessment criteria that distinguish the level of risk to the University. These criteria include the
following:
- Likelihood of the risk, which reflects how often a risk may occur;
- Consequence, which defines the actual/potential impact that would/might occur.

The effectiveness of existing controls or treatment plans is then considered prior to arriving at a residual
risk rating. The residual risk rating measures the level of risk remaining after considering the
effectiveness of existing controls to reduce the likelihood and impact/consequence of a risk.

In order to identify existing mitigations, the University may think about general management controls, such
as:
- Management systems and structures;
- Reporting;
- Delegations;
- Audit plans and/or periodic (formal) reviews;
- Insurance;
- Training;
- Process/procedures;
- Policies;
- Contract conditions;
- Design specifications;
- Supervision / testing;
- Monitoring/quality assurance;
- Segregation of duties.





5. Evaluate Risks

To evaluate the University’s risks, refer to the Consequence, Likelihood and Treatment tables listed in
Appendix 3. This enables risks to be ranked and prioritised according to a consistent overall ranking and
rating system.

Management priorities and cost/benefit analysis will ultimately determine how risks will be prioritised for
treatment.

In this regard, the University will adopt the ALARP [5] (“As Low As Reasonably Practical”) principle in
determining how best to reduce its risk exposures to within tolerable levels.

Figure 1.2 The ALARP Principle

[5] The ALARP Principle, “Risk Management Guidelines Companion to AS/NZ 4360:2004”, Standards Australia, p75.
6. Treat Risks

For higher priority risks, the University’s risk and/or control owners may be required to develop and
implement specific risk mitigation or treatment plans, including funding considerations. Lower priority
risks within the University’s agreed tolerance ranges may be accepted and monitored on an ongoing basis.

There are a number of possible options for treating a risk:
    1. Accept the risk: this may be appropriate where a risk is regarded as unavoidable, tolerable or with
       no available treatment plans.
    2. Reduce the likelihood or impact of the risk by introducing new treatment plans to better detect the
       risk.
    3. Transfer the risk: this requires the partial or complete responsibility for the impact of the risk
       being shared between parties (internal/external), e.g. insurance, joint ventures etc.
    4. Avoid the risk: avoid involvement in the activity that raises the University’s exposure to the risk.


                              The University’s internal and external environment is constantly changing and dynamic and
                              hence the University needs to continually monitor and review its risks and the effectiveness of its
                              management of risk over time.
                              Risk review will be facilitated through the use of the University’s Enterprise Risk Management
                              System. The period of review will be determined by the residual risk rating, with higher rated
                              risks and associated controls/risk mitigation strategies reviewed more often for higher rated risks.
7. Monitor and Review Risks




Risk monitoring and review will:
  • ensure risks appropriately reflect the reality of the University’s operating environment and
    risk appetite and tolerance levels;
  • involve the review of risk ratings (likelihood & consequence) within the University’s risk
    register / Enterprise Risk Management System to ensure these risks appropriately reflect
    the reality of the University’s operating environment;
  • involve a review of the adequacy and effectiveness of existing risk controls / treatment
    plans and recommend changes to treatment priorities & timeframes; and
  • involve review and consideration of the appropriate “responsible person(s)” for ongoing
    monitoring and review of risks within the University’s risk register / risk management
    system.


                              Enterprise Risk Management System
                              Risk information will be contained and maintained within the Enterprise Risk Management
                              System (80-20 Software).
                              Changes resulting from the Monitoring and Review processes will be tracked and audited
                              through this system. The 80-20 system facilitates a consolidated view of the University’s risks.
                              This includes the ability to assign ratings, ownership, review and monitoring schedules and the
                              generation of reports to monitor the University’s risk portfolio.


The risk management registers are reviewed and updated at regular intervals throughout the
year.



Appendix 1 The University of Newcastle Risk Framework Overview





      Appendix 2 The University of Newcastle Risk Management Policy




                                                         Risk Management Policy

Date of commencement:                     November 2007


1.          INTRODUCTION

The Australian New Zealand Risk Management Standard (AS/NZ 4360:2004) defines risk
management as “the culture, processes and structures that are directed towards the effective
management of potential opportunities and adverse effects”6.

Risk arises in all aspects of the University’s operations and at all stages within the life cycle of those
operations. It offers both opportunity and threat, and must therefore be managed appropriately.

This policy confirms the University’s commitment to adopting a strategic, consistent and structured
enterprise-wide approach to risk management in order to achieve an appropriate balance between
realising opportunities for gains and minimising losses. It should be read in conjunction with the
Australian Standard on Risk Management (AS/NZ 4360 2004) which provides the overall framework
for risk management at the University of Newcastle, and with the University of Newcastle Risk
Framework.

Risk management involves establishing an appropriate risk management infrastructure and culture,
and applying logical and systematic risk management processes to all stages in the life cycle of any
activity, function or operation that includes risk. By minimising losses and maximising gains, risk
management enables the University to best meet its organisational objectives.


2.          POLICY INTENT

Risk Management is an integral part of sound management practice and an essential element of good
corporate governance, as it improves decision-making and enhances outcomes and accountability.

The aim of this policy is to ensure that the University makes informed decisions with respect to the
activities that it undertakes by appropriately considering both risks and opportunities.

2.1        Policy Objectives
           The application of this policy and related procedures will provide the basis and framework for:
             i. more confident and rigorous decision-making and planning;
            ii. better identification of opportunities and threats;
           iii. pro-active rather than re-active management;
           iv. more effective allocation and use of resources;


        v.    improved incident management and reduction in loss and the cost of risk, including
              commercial insurance premiums;
       vi.    improved stakeholder confidence and trust;
      vii.    a clear understanding by all staff of their roles, responsibilities and authorities for managing
              risk;
     viii.    improved compliance with relevant legislation;
       ix.    better corporate governance; and
        x.    the development of a more risk aware organisational culture through enhanced
              communication and reporting of risk.

      6 Australian Standard on Risk Management (AS/NZ 4360 2004).


3.    DEFINITIONS

The University will adopt a consistent terminology in relation to risk to ensure effective communication
and stakeholder awareness of risk and risk management within the University.

In the context of this policy:

Consequence means the outcome of an event expressed qualitatively or quantitatively, being a loss,
injury, disadvantage or gain. There may be a range of possible outcomes associated with an event;


Enterprise Risk Management System (ERMS) means the system within which risk information will be
contained and maintained;


Issue means a risk that has already occurred (risk means the chance of something happening that
will have an impact on the achievement of the University’s objectives).


Likelihood means a qualitative description of probability or frequency;


Loss means any negative consequence, financial or otherwise;


Risk means the chance of something happening that will have an impact on the achievement of the
University’s objectives. Risk is measured in terms of consequences and likelihood;


Risk analysis means a systematic use of available information to determine how often specified
events may occur and the magnitude of their consequences;


Risk appetite means the amount of risk that the University is prepared to accept or be exposed to at
any point in time;


Risk assessment means the overall process of risk analysis and evaluation;


Risk evaluation means the process used to determine risk management priorities by comparing the
level of risk against predetermined standards, target risk levels or other criteria;


Risk framework means the policy and procedural guidance to assist staff with embedding the risk
management process into strategic and operational activities;


Risk identification means the process of determining what, where, when, why and how something
could happen;


Risk management means the culture, processes and structures that are directed towards realising
potential opportunities, whilst managing adverse effects;


Risk management process means the systematic application of management policies, procedures
and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating,
monitoring and communicating risk;


Risk rating means the rating resulting from the application of the University’s risk assessment matrix
on the likelihood and consequence of a risk occurring; and


Risk treatment means selection and implementation of appropriate options for dealing with risk.




4.      POLICY PRINCIPLES

4.1      Risk Overview
 i.     Risk management will be incorporated into the strategic and operational planning processes at
        all levels within the University.

 ii.    Risk and the management of risk will be prioritised, identified and monitored according to the
        risk categories defined in the Risk Management Framework.


 iii.   Risk assessments will be conducted on all new commercial activities, ventures and projects
        prior to commencement to ensure alignment with risk appetite and organisational objectives.


 iv.    Risks will be identified, reviewed and monitored on an ongoing basis at nominated levels within
        the University.


 v.     Risks will be assessed against the University’s agreed risk assessment matrix according to
        agreed definitions of likelihood and consequence.


 vi.       All identified risks will be recorded in the University’s risk management system.


 vii.      All risks will be assigned an owner who is responsible for managing, monitoring and ensuring
           that adequate controls and treatments are being applied so that risks are brought within
           tolerable levels.


4.2        Risk Management Approach
      i.   Risks will be managed within the University’s Enterprise Risk Management System, which is
           based on the Australian New Zealand Risk Management Standard (AS/NZ 4360:2004)
           displayed in Figure 1.1 (details of the ANZ Risk Management Standard are provided in
           Appendix 1).




                              Figure 1.1 AS/NZ 4360:2004 Risk Management Process7


4.3        Roles and Responsibilities
      ii. The University Council will “oversee risk management and risk assessment across the
          University”8.
      iii. The Audit and Risk Management Committee will advise the Council in relation to its functions
           under section 16(1B) of the Act.
      iv. The University’s Executive Committee will advise the Vice-Chancellor on matters of strategic
          and operational significance related to the identification and management of risk.
      v. Senior executives9 will be responsible for championing the roll out of the Council-approved Risk
         Management Framework into the University’s business operations; for ensuring that staff
         understand their responsibilities with respect to operational risk management; and for
         developing a risk aware culture within their area of responsibility.
      vi. Managers and supervisors will ensure that staff within their areas understand their
          responsibilities with respect to operational risk, and will assist in fostering a risk aware culture
          within their area.
      vii. The Risk Management Unit will coordinate and facilitate the University’s Risk Management
           Framework.
      viii. Roles and responsibilities for risk management at all levels of the University are described in
            the University of Newcastle’s Risk Management Framework.

      7 Risk Management Process - Overview, “Risk Management Guidelines Companion to AS/NZ 4360:2004”, Standards Australia, p15.
      8 University of Newcastle Act 1989 No 68, 16 (1B) (e)


4.4         Reporting
      i.     The Risk Management Unit will report to Executive Committee and Council via the Audit and
             Risk Management Committee on strategic, operational and project risks, in accordance with the
             University’s Risk Management Framework.


5.          ESSENTIAL SUPPORTING DOCUMENTS

             University of Newcastle Risk Management Framework



6.          RELATED DOCUMENTS

             AS/NZ 4360:2004
             Compliance Policy
             Compliance Procedure



               Approval Authority:

               Date Approved:                               Date for Review:

               Policy Contact Position:

               Amendment History:




      9
           Deputy Vice-Chancellors, Pro Vice-Chancellors, Directors, Associate Directors, Heads of School
     APPENDIX 1: RISK MANAGEMENT PROCESS – EXPLANATORY NOTES




                                AS/NZ 4360:2004 Risk Management Process10



     1. Communicate and Consult: Effective communication, consultation and education in risk
        management are necessary to achieve a successful integration of the risk processes into the business.

     2. Establish the Context: Understanding the strategic, organisational and risk management context
        against which the University’s risks will be assessed requires an understanding of the University’s
        external relationships, and its internal and organisational environment.


     3. Identify Risks: Identifying the strategic, operational and project related risks that form part of its
        overall risk profile must be done systematically as part of an overarching and comprehensive process.


     4. Analyse Risks: Risk analysis includes considering the range of potential consequences.
        Consequence and likelihood are combined to produce a risk rating, which determines whether the
        risk warrants further management by the University.


     5. Evaluate Risks: An evaluation of the University’s risks enables risks to be ranked and prioritised
        according to a consistent overall ranking and rating system.




10
  Risk Management Process - Overview, “Risk Management Guidelines Companion to AS/NZ 4360:2004”, Standards Australia,
p15.
6. Treat Risks: Treating risks involves the development and implementation of specific risk mitigation
   or treatment plans including funding considerations.


7. Monitor and Review: Continual monitoring and reviewing of its risks is essential if the University is
   to assess the effectiveness of its risk management over time.




Appendix 3 Risk Management Matrix

Likelihood
  Rare:           Only in exceptional circumstances.
  Unlikely:       Small chance of occurring at some time.
  Possible:       Might occur at some time.
  Likely:         Will probably occur in most circumstances.
  Almost certain: Expected to occur more than once per year or a common occurrence.



Consequence (columns: General; Compliance/Legal; Employees; Financial; Reputation; Service levels; HS&E)

Insignificant
  General: Nil or very minor impact. The impact can be absorbed within the day-to-day business
    running costs.

Minor
  General: Negative outcomes from risks or lost opportunities that are unlikely to have a permanent or
    significant effect on the University’s reputation or on operational and strategic performance.
  Compliance/Legal: Contractual non-compliance or breach of legislation with unlikely litigation or
    prosecution and/or penalty. Limited regulatory consequence.
  Employees: Some damage to morale and confidence in continuity of employment.
  Financial: Financial impact of $25-250k.
  Reputation: Minor adverse publicity unlikely to decrease the public’s confidence in the University.
  Service levels: Minor impact on internal services only.
  HS&E: Inadvertent or previously unknown failure to meet HS&E requirements that may lead to the
    University being issued with a WorkCover or EPA Improvement Notice (to the detriment of employee
    morale, reputation and financial cost).

Moderate
  General: Negative outcomes from risks or lost opportunities that will have a significant impact on the
    University’s operational performance but can be managed without major impact on strategic goals in
    the medium term.
  Compliance/Legal: Contractual non-compliance or breach of legislation with threat of litigation or
    prosecution and/or penalty. Limited immediate regulatory consequence.
  Employees: Damage to morale and confidence in continuity of employment.
  Financial: Potential financial impact of $250k-1m.
  Reputation: Possible decrease in the public’s confidence in the University due to local adverse
    publicity.
  Service levels: Moderate decline in service/product delivery, value and/or quality recognised by
    University patrons.
  HS&E: Prohibition or Penalty notice due to an unsafe act, piece of plant or equipment. This may be to
    the detriment of teaching or research activities; staff and student morale; financial costs and
    reputation, as well as increasing regulator surveillance.

Major
  General: Negative outcomes from risks or lost opportunities with a significant effect on operational
    performance that will require major effort to manage and resolve in the medium term to avoid
    non-achievement of strategic goals, but do not threaten the existence of the University in the
    medium term.
  Compliance/Legal: Contractual non-compliance or breach of legislation with probable litigation or
    prosecution and/or penalty. Major negative sanction by DEST.
  Employees: Widespread damage to staff morale and confidence in continuity of employment.
  Financial: Potential financial impact of $1-5m.
  Reputation: Probable decrease in the public’s confidence in the University due to negative headlines
    in the national press.
  Service levels: Major decline in service/product delivery, value and/or quality recognised by
    University patrons.
  HS&E: Serious injury, or a negative environmental impact, resulting in notification of the Authority.
    This may result in significant financial cost through court actions, damage to the University
    reputation, adverse publicity and major disruption to senior management’s work commitments through
    the investigation process.

Severe
  General: Negative outcomes from risks or lost opportunities which, if not resolved in the medium
    term, will threaten achievement of operational and strategic goals, and the existence of the
    University.
  Compliance/Legal: Contractual non-compliance or breach of legislation with litigation or prosecution
    and/or penalty with fines or substantial regulatory consequence. Major negative sanction by DEST.
  Employees: Staff lose confidence in continuity of employment.
  Financial: Potential financial impact of over $5m.
  Reputation: Sustained, serious loss in brand value and/or market share due to sustained negative
    headlines in the national press.
  Service levels: Serious decline in service/product delivery, value and/or quality recognised by
    University patrons.
  HS&E: Breach of HS&E legislation and/or serious injury or death leading to a prosecution and
    conviction of the University and/or senior staff. The outcome of this event could result in
    financial cost through court actions, damage to the University reputation, adverse publicity and
    major disruption to senior management’s work commitments through the investigation process.




Risk rating matrix (rows: Consequence; columns: Likelihood)

  Consequence      Rare      Unlikely    Possible    Likely     Almost certain
  Severe           Low       Medium      High        Extreme    Extreme
  Major            Low       Medium      Medium      High       Extreme
  Moderate         Low       Low         Medium      Medium     High
  Minor            Low       Low         Low         Medium     Medium
  Insignificant    Low       Low         Low         Low        Low






Risk Management Action

Extreme
  Operational: An “extreme” risk is unacceptable, save in extraordinary circumstances. Comprehensive
    consideration by Senior Staff (Executive; Director; Manager) is required to ensure that the residual
    risk is consistent with the University objectives and risk appetite. A detailed mitigation plan
    should be developed; regular monitoring of the risk treatment strategies is required.
  HS&E: Immediately cease the activity and inform Security Services on 15888, who will assist to
    secure the area if the event has commenced. Do not continue development of the event until there has
    been a further assessment made by suitably competent people. This may take the form of an HS&E risk
    assessment and control implementation process that reduces the risk to low or may prohibit the event
    in its planned form.

High
  Operational: A “high” risk is usually unacceptable, save in extraordinary circumstances.
    Comprehensive consideration by Senior Staff (Manager) is required to ensure that the residual risk
    is consistent with the University objectives and risk appetite. A mitigation plan must be developed
    for ongoing risk management; risk exposures and mitigations are regularly monitored and reported on
    to the relevant management/steering committee.
  HS&E: Immediately cease the activity and inform Security Services on 15888, who will assist to
    secure the area if the event has commenced. Undertake an assessment of the current controls and
    implement more stringent controls in line with the Hierarchy of Controls, and re-assess.

Medium
  Operational: A mitigation plan must be developed for ongoing risk management; risk exposures and
    mitigations are regularly monitored and reported. Management must ensure that existing controls,
    consequences and likelihood do not substantially change.
  HS&E: Undertake an assessment of the current controls and implement more stringent controls in
    line with the Hierarchy of Controls, and re-assess.

Low
  HS&E: Ensure a documented HS&E risk assessment is provided to supervisors and managers, and the
    relevant health and safety committee. Continue to review and monitor the risks with the goal of
    risk elimination.
  Operational: Risk is tolerable. Manage by well established, routine processes/procedures and be
    mindful of changes to the nature of risks.




Appendix 4 Risk Types




[Figure: Risk Types diagram. Category labels are only partly legible in the extracted text (“Research Risk” is one). Legend:]
  1  Management of specific business risks
  2  Insurable Risks
  3  Business Continuity Management risks and incidents (BCM)
  4  Policies and strategies for managing risks
                       S
                   RIS OUR                                                                            CIA
                                                                                                          L
                      K     CE                                                                    AN
                               S                                                              FIN
                                                                                                   K
                                                                                               RIS
                                                                                             PROPER
                    TEACHING &                                                                         TY &
                                                                                             INFRAST
                   LEARNING RISK                                                                        RUCTUR
                                                                                            RISK               E
                                         TY
                                      FE
                                   SA ENT
                                                                                       R M R

                                 H, N M
                                                                                        IS P A
                                                                                         C SSU


                              LT
                                                                                          O
                                                                                          K LI NC
                                                                                          A




                           EA VIRO K
                                                                                            ,A A

                          H N
                           &E     RIS
                                                                                              U NC R
                                                         RISK NOLOG N
                                                     N




                                                                                 CO
                                                AT TE




                                                                                               DI E IS
                                                  IO



                                                                   Y
                                                         TEC RMATIO




                                                                                                 T, & K
                                              RM RA




                                                                                 MM ISK
                                            FO O




                                                                                                    E
                                                                                   R
                                                                                   ER
                                         IN RP




                                                                                      CI
                                           CO




                                                          INFO




                                                                                        AL
                                        SK



                                                             H
                                      RI




     Original Source: Monash University

                                                                                                                                            1




                                                                - 24 -
               UNIVERSITY OF NEWCASTLE RISK MANAGEMENT FRAMEWORK
Risk Type – Strategic and Operational Risk            Sub-types (Short title risks)

1.  Teaching & Learning
    Development, implementation and management of courses offered by the University. Eg. Academic
    Support, Development, Promotion & Retention; Academic Integrity; Course and Curriculum Design;
    Course & Program Review & Accreditation; Educational Methods; Library & Scholarly Materials;
    Professional accreditation standards; Quality Assurance and Teaching and Learning practices.

2.  Research
    Development; Applications for funding; Implementation and management of the Research projects run
    by the University. Eg. Research Commercialisation; Research Data Protection & Management; Research
    Ethics & Safety; Research Funding & Resourcing; Research Grant Administration; Research Higher
    Degree Students and Research Infrastructure.

3.  Counterparty and Community
    Management of counterparty and community relationships, including: Alliances; Alumni; Bequests
    and donations; Business Planning; Campus Operations; Community engagement and New ventures.

4.  Financial
    Managing assets and liabilities to optimise financial outcomes. Eg. Accounting Policies,
    Procedures & Processes; Budgeting & Planning; Cashflow & Liquidity Management; Cash Handling &
    Control; Commercial Debt/Borrowings Management; Debtor Management; End of Period Processes;
    Expenditure Management; Finance Systems Management; Financial Accounting & Reporting; Foreign
    Exchange Management; Funding Arrangements; Management Accounting & Reporting; Payments & Payables;
    Reserves Management; Revenue Management; Taxation Management; Treasury & Investment Management;
    Trusts, Donations & Bequests and Solvency.

5.  Legal
    Managing legal obligations. Eg. Contracts; Regulatory Risk; Intellectual Property; Complaints;
    Privacy; Trade Practices; Warranties & Indemnities; National Governance protocols; Statutory &
    Legal Compliance.

6.  Commercial
    Managing the functions and processes that enable the University to operate each day. Eg.
    Consultant Activity & Contractor Management; Contract Management; Corporate Credit Cards & Expense
    Management System; Fleet Management; Procurement & Tenders Management; Project Management; Supply
    Chain and Travel Management.

7.  Human Resources
    Human Resource management, including Code of Conduct; Employee & Industrial Relations; Indigenous
    Support & Engagement; Internal Communications; Job Design & Review; Leave management; Performance
    Management; Recruitment & Appointment; Remuneration; Payroll & Superannuation; Staff Attraction &
    Retention; Staff Development and Training; Staff Study Programs; Staff Workload management;
    Succession & Workplace Planning; and Workplace Culture & Behaviours.

8.  Information Technology
    Providing the information and technology services necessary to support the business and
    financial processes. Eg. Application Development; Database Administration; Disaster Recovery &
    BCM; Hardware & Hardware Support; IT Network Security & Management; Operations; Security;
    Strategy; Systems Software; Vendor & Relationship Management; IT Strategy; IT Vendor &
    Relationship Management and Telecommunications.

9.  Property & Infrastructure
    Protecting and managing the life cycle of the assets required by the business process. Eg. Asset
    Management & Maintenance; Asset & Property Services; Campus Security; Campus Planning; Energy
    Management; Infrastructure Planning; Major Works; Minor Works; Safety; and Space Planning &
    Management.

10. Health Safety & Environment
    Managing all aspects of health and safety related issues, including Hazard Management; Manual
    handling practices; Rehabilitation & Injury Management; Staff Stress & Work-Related Fatigue;
    Workers Compensation Management and Workplace Safety.

    Managing the University’s potential exposure to meet regulatory and community expectations. Eg.
    Air emissions; Contamination and Pollution; Environmental Management, Conservation & Planning;
    Environmental Regulation; Hazardous/Dangerous Goods/Substances; Noise and Waste disposal.

11. International/Global
    Managing and responding to international factors that impact on our business: Agents & Student
    Recruitment; Curriculum Engagement Strategies and Priorities; International Markets & Demand;
    Natural Disasters; Onshore Programs & Operations; Offshore Partners; Offshore Programs &
    Operations; Political & Regulatory Change; Regulation & Legislation & Student Support.

12. Corporate Information
    All aspects of data management for our business, including: Data Integrity & Usefulness;
    Data/Information Availability; Data/Information Confidentiality & Security and Records &
    Information Management.

13. Governance
    Managing all aspects of the University’s governance framework, including: Committee
    Effectiveness & Governance; Controlled Entity Governance; Delegations and authorities; Policy
    Management; Privacy & Freedom of Information; Procedures, Processes and Rules Management.

14. Marketing & Public Relations
    Managing marketing and public relations risks, such as: Brand & Reputation; Marketing and Public
    Relations.

15. Students
    Including all risks that impact on the student experience at the University, including:
    Enrolment & Admission Processes; Examinations & Assessments; Student Attraction & Retention;
    Student Experience; Student Fees; Student Scholarships & Prizes; Student Support, and Health &
    Wellbeing.

16. Risk, Audit, Compliance & Assurance
    Managing Risk, Audit, Compliance and Assurance related Risks, including: Assurance – Control Self
    Assessment; Business Continuity & Critical Incident Management; Compliance Management; Fraud &
    Corruption Prevention & Control; Insurance Management and Risk Management.

Risk Type – Project Risks                             Sub-types

1.  Budget              Budget; Resources; Cost Overrun
2.  Schedule            Functionality; Delays; Time allocated; Estimates; Schedule
3.  Resources           Training; Business; Technical (Internal); Technical (External)
4.  Commitment          Senior Management; Steering Group; Business Owners; Vendors
5.  System/Technical    System Performance; System Environment (DEV, TEST); Data Integrity; Design;
                        Change in Technology; Integration/Interfaces
6.  Scope               Scope Creep





        Appendix 6 Risk Management Glossary

TERM                  DEFINITION / MEANING

AS/NZ 4360            The Australian / New Zealand Risk Management standard to which the University of Newcastle’s risk
                      management policy aims to adhere.
Assurance             A process that provides confidence that planned objectives will be achieved within an acceptable
                      degree of residual risk. An evaluated opinion, based on evidence gained from review, on the
                      organisation’s governance, risk management and internal control framework.
Audit                 The formal examination of the University's accounts, financial situation, internal controls,
                      systems, policies and processes and compliance with applicable terms, laws, and regulations.
Audit & Risk Management Committee
                      A standing committee of the University of Newcastle Council responsible for providing oversight of
                      the University’s management of risk.
Operational Risk      Those risks that arise in day to day operations (potentially from doing the right things the wrong
                      way), which require specific and detailed response and monitoring regimes and which, if not
                      treated and monitored effectively, could potentially result in major adverse consequences for the
                      University.
Compliance            A state of being in accordance with established internal rules, guidelines, policies,
                      specifications, social ethics and norms and legislation.
Consequence           The outcome of an event expressed qualitatively or quantitatively, being a loss, injury,
                      disadvantage or gain. There may be a range of possible outcomes associated with an event.
Control Self Assessment
                      A formal assurance activity whereby managers make a formal analysis of risks and controls and
                      identify key controls that collectively confirm acceptable operation. These controls are then
                      formally checked and reported on a regular basis.
Inherent Risk         A measure of risk in its natural state (ie without any specific controls in place); ie where the
                      factors preventing its occurrence or limiting its impact are largely outside the control of an
                      organisation. A risk that is impossible to manage or transfer away.
Insurable Risk        A risk that can be treated via the application of insurance as a risk financing technique.
Control               Any action taken to manage risk. These actions may be taken to manage either the impact if the
                      risk is realised, or the frequency of the realisation of the risk.
Likelihood            A qualitative description of probability or frequency.
Loss                  Any negative consequence, financial or otherwise.
Residual Risk         Risk remaining after the implementation and/or effect of existing controls, structures and
                      treatments within the organisation are taken into account.
Risk                  The chance of something happening that will have an impact on the achievement of the University's
                      objectives. Risk is measured in terms of consequences and likelihood.
Risk Acceptance       An informed decision to accept the consequences and the likelihood of a particular risk.
Risk Analysis         A systematic use of available information to determine how often specified events may occur and
                      the magnitude of their consequences.
Risk Appetite         The amount of risk that the University is prepared to accept or be exposed to at any point in time.
Risk Assessment       The overall process of risk analysis and evaluation.
Risk Avoidance        An informed decision not to become involved in, or to withdraw from, a risk situation.
Risk Control          That part of risk management which involves the implementation of policies, standards, procedures
                      and physical changes to eliminate or minimise adverse risks.
Risk Control Effectiveness
                      A relative assessment of the actual level of control that is currently present and effective,
                      compared with that which is reasonably achievable for a particular risk.
Risk Evaluation       The process used to determine risk management priorities by comparing the level of risk against
                      predetermined standards, target risk levels or other criteria.
Risk Financing        The methods applied to fund risk treatment and the financial consequences of risk.
Risk Identification   The process of determining what, where, when, why and how something could happen.
Risk Management       The culture, processes and structures that are directed towards realising potential opportunities
                      whilst managing adverse effects.
Risk Management Framework
                      The University's policies, procedures, systems and processes concerned with managing risk.
Risk Management Process
                      The systematic application of management policies, procedures and practices to the tasks of
                      establishing the context, identifying, analysing, evaluating, treating, monitoring and
                      communicating risk.
Risk Profile          The documented and prioritised overall assessment of a range of specific risks faced by the
                      University, Faculties and Divisions.
Risk Rating           The rating resulting from the application of the University’s risk assessment matrix to the
                      likelihood and consequence of a risk occurring.
Risk Reduction        Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk.
Risk Register         A system or file that holds all information on identifying and managing a risk.
Risk Retention        Intentionally or unintentionally retaining the responsibility for loss, or financial burden of
                      loss, within the organisation.
Risk Sharing          Sharing with another party the burden of loss, or benefit of gain, from a particular risk.
Risk Tolerance        The amount of risk that the University’s balance sheet can bear.
Risk Transfer         Shifting the responsibility or burden for loss to another party through legislation, contract,
                      insurance or other means. Risk transfer can also refer to shifting a physical risk or part thereof
                      elsewhere.
Risk Treatment        Selection and implementation of appropriate options for dealing with risk.
Strategic Risk        Risks that relate to the University doing the wrong things in pursuit of its goals and strategic
                      objectives.
Target Risk           Risk after the implementation and/or effect of appropriate existing and new controls, structures
                      and treatments within the organisation are taken into account. A risk is at the level of target
                      risk when the organisation deems the level of control is appropriate to how they wish to treat the
                      risk.



