Bulletin Board - Document Comments

Bulletin Board - Review and Comment

Step 1 of 4: Comment on Document

How to make a comment?

1. Use this Comment Icon to open a comment box for your chosen Section, Part, Heading or clause.

2. Type your feedback into the comments box and then click "save comment" button located in the lower-right of the comment box.

3. Do not open more than one comment box at the same time.

4. When you have finished making comments proceed to the next stage by clicking on the "Continue to Step 2" button at the very bottom of this page.

Important Information

During the comment process you are connected to a database.  The session that connects you to the database may time-out due to inactivity.  The following tips will help you to avoid losing your comments or corrupting your entries:

  1. Do not jump between web pages/applications while logging comments.
  2. Do not log comments for more than one document at a time. Complete and submit comments from one document before commenting on another.
  3. Do not leave your submission part way through the comment process. If you are part way through and need to take a break, submit your current set of comments. The system will email you a copy of your comments, so you will be able to identify where you were up to so you can add to them later.
  4. Do not exit the process until you have completed all three stages.

Risk Management Policy

Section 1 - Summary

(1) This Policy establishes Victoria University’s (VU) commitment to managing risk through implementation of a risk management framework and accountability structure.

Top of Page

Section 2 - Scope

(2) This Policy applies to:

  1. All staff, students, Council members, Committee members, contractors, honorary and adjunct staff.
  2. All activities under the control or direction of Victoria University, whether conducted on or off University property or in a digital environment.
Top of Page

Section 3 - Policy Statement

(3) Managing risk is an essential component of good governance and leadership. Effective risk management both creates and protects value in an organisation by improving decision making.

(4) To achieve its strategic objectives, the University must accept a measured degree of risk. Through the identification and analysis of risk, the University is able to be creative, adaptive and progressive in working to deliver its vision to be a global leader in dual sector learning and research.

Risk management principles

(5) VU’s risk management framework is based upon the International Standard for Risk Management AS ISO31000:2018, consistent with the Victorian Government Risk Management Framework and takes into account key risk considerations of the TEQSA and ASQA risk frameworks.

(6) The framework is underpinned by the following principles:

Principle           Demonstrated by
A positive risk culture
• Creating a culture where risk identification and management is acknowledged as a driver of positive outcomes.  
• A culture where identifying and managing risk is accepted as everyone’s responsibility.
• Driving excellence in corporate governance by increasing accountability, awareness and a positive attitude to risk management.
Accountability • Clear accountability for each category of risk, individual risk and treatment plan to ensure action and monitoring is implemented.
Transparency • Providing transparency and oversight to senior management and the University Council that strategic, enterprise and significant operational risks are managed effectively.
Risk based decision making • Decision making, resource allocation and investment are prioritised and informed by risk analysis.
Embedded risk management • All operational functions and process should include a link to risk.
• Risk analysis and identification will include broad stakeholder consultation.
Informed investment • The consideration of the balance between risk and benefit in the development of investment strategies.
Informed resource allocation • Adoption of a risk-based approach to the allocation of resources to mitigate future risks.

Three Lines Model of Assurance

(7) VU adopts the Three Lines Model of Assurance to effectively coordinate and oversee enterprise risk management activity: 

Line Role Key duties
First Line – management and internal controls Vice Chancellor’s Group and Senior Leadership Group Identify and manage risk in daily operations, projects and pursuit of strategic objectives.
Develop policies, procedures and controls to mitigate risks.
Implement treatment plans to reduce risks where appropriate.
Second Line – oversight  Risk and Compliance Develop and implement the enterprise risk management framework and tools.
Provide advice, assistance and training in identifying, assessing and managing risk of all types.
Drive self-assurance across the University by promoting clear accountability and respectfully challenging the first line activity. 
Coordinate monitoring, reporting and escalation of risk to appropriate bodies.
Third Line – assurance Internal Audit Undertake independent review of internal controls.
Provide analysis and improvement insights to the Vice-Chancellor's Group (VCG). 
Provide assurance to Council on application and appropriateness of risk controls.

(8) The University Council approves the Risk Management Policy (this document), the Risk Appetite Statement and changes to the VU Risk Profile.

(9) It delegates to the Audit and Risk Committee (ARC) the responsibility to ensure that management has implemented the risk management framework, that it remains fit for purpose, and the authority to approve the Risk Management Procedure, including the articulations of risk tolerances.

(10) ARC will review and refer proposed changes to the VU Risk Profile prior to approval by Council.

(11) The Vice-Chancellor's Group is accountable for first and second line assurance activity, including managing risks, establishing controls, and providing guidance and monitoring within their areas of responsibility.

(12) University Council provides oversight of the third line by receiving independent assurance from Internal Audit on the effectiveness of risk controls, internal governance processes and the overall adequacy of the University’s risk management framework.

University risk management governance

(13) VU manages risk across two interconnected domains, including Enterprise Risk Management and Local Risk Management. These domains operate at different management levels and utilise separate frameworks to support integrated risk management across the University.

(14) The University has defined four fundamental types of risk within the enterprise risk management framework with varying accountabilities to enable effective management of risk and appropriate self-assurance:

Risk Type Domain Ownership
Strategic Risk Enterprise Vice-Chancellor's Group
Institutional  Risk Enterprise Vice-Chancellor's Group Member
Portfolio risk Enterprise Portfolio Lead
Operational risk Enterprise College/Research Centre/Department Lead
Locl risk Local Team/Functional Lead

Enterprise risk management framework

(15) The enterprise risk management framework forms part of the University’s governance system. The primary purpose of the framework is to enable coordinated and consistent identification and management of all university risks and generate appropriate assurance to support strategic and operational decision making by senior leaders. 

(16) VU’s enterprise risk management framework comprises:

  1. Risk Management Policy
  2. Risk Management Procedure
  3. Risk Appetite Statement
  4. Risk Matrix
  5. Risk Management System

Local risk management frameworks

(17) Local frameworks may be developed to manage operational-level risks where enterprise tools are not suited, provided they support good practice risk management.

(18) These local approaches must not override, replace or conflict with the Enterprise Risk Management Framework.

(19) First line areas may design their own tools, categories, rating criteria and escalation processes if effective for local needs and not contradictory to enterprise requirements.

(20) Local frameworks must be documented in operational policies or procedures, with Risk and Compliance providing guidance to ensure alignment with University expectations and integration with enterprise reporting and escalation pathways.

Top of Page

Section 4 - Procedures

(21) Risk Management Procedure

Top of Page

Section 5 - HESF/ASQA/ESOS Alignment

(22) HESF: 6.2.1e Corporate Monitoring and Accountability, 6.3.2d Academic Governance

(23) Outcome Standards for NVR Registered Training Organisations 2025: Standard 1.8 Facilities, Equipment and Resources; 4.3 Risk Management.

Top of Page

Section 6 - Definitions

(24) Accountability: Responsibility for ensuring that risk is appropriately managed including the implementation of treatment plans and monitoring the effectiveness of controls.

(25) Contributing Factors: Factors internal and external that contribute to the risk existing or could result in the risk materialising.

(26) Controls: The existing actions, activities or mitigation strategies in place to prevent the risk from materialising.

(27) Consequences: The outcome of a risk event or situation, being a loss, injury, disadvantage or gain.

  1. An event can lead to a range of consequences.
  2. A consequence can be certain or uncertain and can have positive or negative effects on objectives.
  3. Consequences can be expressed qualitatively or quantitatively.
  4. Initial consequences can escalate through knock-on effects.

(28) Likelihood: The chance or probability of a risk materialising.

(29) Risk: The effect of uncertainty on objectives:

  1. A deviation from the expected – positive or negative and can result in opportunities or threats.
  2. Objectives will have different aspects such as financial, academic, people, service delivery, reputation, legal and regulatory, cybercrime and data security and will be managed at different levels such as strategic, enterprise or operational.
  3. Risk is often categorised by reference to sources of risk or potential events, consequences and their likelihood of occurrence.

(30) Risk Appetite: The amount and type of risk that the University is willing to take in order to meet its strategic objectives.

(31) Risk Categories: Broad categories of risk that the University uses to identify and group risks.

(32) Risk Management: The coordinated management of activities to direct and control the University with regard to risk.

(33) Risk Tolerance: The acceptable range of risk rating within which the University will seek to maintain each risk.

(34) Treatment Plan: Actions that will be taken to reduce the likelihood or consequence of a risk occurring.