Risk Management Procedure

Section 1 - Summary

(1) This Procedure outlines how Victoria University (VU) will implement its risk management framework.

(2) The application of a clear and consistent set of processes assists the University to create a positive risk culture and build expertise across the University.


Section 2 - Scope

(3) This Procedure applies to:

  1. All staff, students, Council members, Committee members, contractors, honorary and adjunct staff.
  2. All activities under the control or direction of VU, whether conducted on or off University property or in a digital environment.

Section 3 - Policy/Regulation 

(4) Risk Management Policy


Section 4 - Procedures

Part A - Summary of Roles/Responsibilities

Roles Responsibilities
Governance Roles  
Council • Set and monitor the strategic direction of the University.
• Set and promote a positive risk culture and risk-based decision making.
• Ensure that there is a risk management framework that applies to all of the University’s operations and those of any third-party arrangements, which explicitly defines the University’s view of risk, risk ratings, risk controls, accountability and responsibility, and processes such as risk identification, rating, monitoring, and reporting (Terms of Reference 20.a).
• With advice from the Audit and Risk Committee, approve the Risk Management Policy and Procedure, the Risk Appetite Statement and the VU risk profile.
Audit and Risk Committee (ARC) • Review and endorse the University’s risk management framework, oversee its implementation and report accordingly to Council (Terms of Reference 2).
• Review, assess and advise Council on the University’s risk appetite (Terms of Reference 3d(ii)).
• Monitor strategic, institutional and significant operational risks.
Academic Board • Maintain oversight of academic risk, including monitoring of emerging risks.
• Provide advice to Audit and Risk Committee on academic risk. 
Management Roles  
Vice-Chancellor (VC) and Vice-Chancellor's Group (VCG) • Set and promote a positive risk culture and systematically embed risk into decision making.
• Approve the VU risk profile for reporting to the Audit and Risk Committee.
• Monitor strategic, institutional and portfolio risk to ensure compliance with the University’s risk tolerances.
• Ensure significant new and emerging risks are identified and added to the appropriate risk register.
• Review and reset the strategic and enterprise risks annually for consideration by the Audit and Risk Committee.
• Oversee compliance with the risk management framework within area of accountability.
Chief Financial Officer • Provide administrative oversight of the Risk and Compliance function.
• Ensure provision of adequate resources to support the risk management functions.
Chief Risk Officer  • Provide strategic and executive oversight of the University’s risk management framework, ensuring it remains effective and fit for purpose.
• Advise the Vice-Chancellor, Vice-Chancellor’s Group, Audit and Risk Committee and Council on the University’s risk profile, risk appetite and emerging risks.
• Oversee management of enterprise risks in alignment with approved risk appetite and tolerances, including review of significant trends and systemic issues.
• Ensure appropriate escalation of significant risks, breaches of appetite or control weaknesses to senior management and governance bodies.
• Lead and promote a positive risk culture and the integration of risk-based thinking into executive decision making and governance processes.
Risk and Compliance team • Develop, maintain and continuously improve the University’s enterprise risk management framework, including policies, procedures, tools and templates.
• Provide advice, training, guidance and practical support that enables business areas to understand and fulfil their risk management obligations, including support for the design of local risk management frameworks.
• Facilitate and quality assure risk identification, assessment and review activities, including risk workshops, risk register refreshes and targeted deep dives.
• Maintain oversight of enterprise risk information to support consistency, timely review and appropriate escalation.
• Monitor aggregated risk profiles against approved risk appetite and tolerances, and coordinate risk reporting to senior management and governance bodies.
College/Research Centre/Department Lead or equivalent • Identify new and emerging operational risks in their college, research centre, business unit or area of accountability.
• Ensure significant operational risks are documented in the department’s risk register, reviewed and maintained in alignment with this procedure, and escalated where necessary.
• Ensure appropriate control environments are in place to effectively mitigate operational risks in alignment with VU’s risk appetite and good practice.
• Monitor implementation of operational risk treatment plans and record actions taken.
All staff • Follow risk management procedures.
• Bring potential risks to management attention.
• Participate in risk identification, periodic reviews, control tests or other self-assurance activity as requested.

Part B - Risk Management Processes

(5) The University’s risk management processes are delivered through the following mechanisms:

  1. Risk appetite statement: a statement that outlines the amount and type of risk that the University is willing to take in order to meet its strategic objectives.
  2. Risk tolerances: the acceptable range of risk rating within which the University will seek to maintain each risk.
  3. Clear processes: well-defined risk management processes implemented at the strategic, enterprise and operational levels.
  4. Accountability: clear risk ownership and accountability at all levels.
  5. Dedicated resources: expert staff possessing risk management expertise and understanding of the strategic and operational drivers of the University.
  6. Tools and templates: tools, templates and guidelines to assist with consistent documentation and analysis of risk.
  7. Centralised administration: a centralised corporate support function that proactively drives the University’s risk agenda through continual review and improvement.

(6) Risk management objectives will be delivered using the following processes:

  1. Communication and consultation: engaging with stakeholders to capture a broad view of risk and recording and communicating that information in a useful way.
  2. Analysis and action: risk identification, analysis and treatment to identify strengths and weaknesses.
  3. Regular review of risk registers and profiles: a cycle of activity that considers new and existing risk information on an ongoing basis.
  4. Reporting: a reporting cycle that reports the right information, to the right people, at the right time.
  5. Monitor and review: a monitoring and review cycle, which ensures regular review of significant risks by the Vice-Chancellor's Group and the Audit and Risk Committee.

Part C - Enterprise Risk Management Framework

Risk Levels and Accountability

(7) The University has defined four fundamental types of risk within the enterprise risk management framework with varying accountabilities to enable effective management of risk and appropriate self-assurance:

Risk Type | Domain | Accountability
Strategic Risk | Enterprise | Vice-Chancellor's Group
Institutional Risk | Enterprise | Vice-Chancellor's Group member
Portfolio Risk | Enterprise | Portfolio Lead
Operational Risk | Enterprise | College/Research Centre/Department Lead

(8) Strategic Risks

  1. Strategic risks are risks that directly impact upon the potential to reach the University’s strategic objectives. The strategic risks are forward looking and focused on risk to and from the strategic plan. 
  2. Development of the risks is integrated with the strategic planning process and reviewed in line with changing external circumstances or changes to the strategic plan.
  3. Strategic risks are typically over the horizon, large scale or game changing scenarios, the causes of which are outside the University’s direct control.

(9) Institutional Risks

  1. Institutional risks are University-wide risks that, if they were to materialise, have the potential severity or materiality to threaten the University’s ongoing sustainability or licence to operate.
  2. Institutional risks typically reflect larger-scale or complex internal threats, the causes of which are often within the University’s scope of control and influence.
  3. Institutional risks are based on risks identified in strategic reviews and through proactive management of portfolio or operational risk.

(10) Portfolio Risks

  1. Portfolio risks are threats to a collective portfolio and reflect key operational threats, often framed systemically, that are common across constituent Colleges/Research Centres/Departments or otherwise require coordinated VCG member-level management.
  2. Portfolio risks often have a parent-child relationship with relevant operational risks owned by Colleges/Research Centres/Department Leads within the Portfolio and are strongly influenced by the management of linked child risks.

(11) Operational Risks

  1. Operational risks affect a specific area of activity within the University.
  2. Operational risks are developed based on risks to the achievement of College/Research Centre/Department operational plans. Some risks may be common across operational areas, which may drive identification of parent Portfolio risks for coordinated DVC oversight.

Risk categories

(12) VU categorises all enterprise risks based on their primary area of potential impact. There are eight risk categories:

Category | Considerations
Financial | What are the possible short, medium and long-term financial impacts?
Reputation | What are the potential positive and negative impacts to VU’s brand and reputation?
People | Are there physical or psychological health and safety risks to staff or students? Could the proposed event impact our ability to attract and retain staff with the skills required?
Service Delivery | What impact could this event, decision or project have on the operation of the college, research centre, business unit or University as a whole? Will there be an impact on the student experience?
Legal and Regulatory | Does the project or decision comply with all legal and regulatory requirements? Are there possible risk or compliance issues to be addressed?
Education & Student Experience | Will the proposed change affect teaching quality, learning integrity or student wellbeing? Could it influence curriculum, course delivery, enrolments, retention or overall student experience?
Research & Partnerships | Could the activity impact research quality, integrity or continuity? Are there potential effects on collaborations, funding, compliance with research ethics or obligations to partners?
Country | Does the activity appropriately respect and uphold VU’s commitments to Traditional Owners? What impact could this activity, decision or project have on Country, including land, waterways, ecosystems and cultural heritage?

Risk identification and assessment

(13) Maintaining awareness of potential risks is the responsibility of all members of the VU community.

(14) Senior leaders are responsible for proactively managing risks within their scope of accountability or ownership. Risks are to be identified as they emerge, and existing risks should be considered as part of operational oversight, decision making and day-to-day management activity.

(15) Risk workshops will be facilitated by the Risk and Compliance team as required, including risk identification, analysis, assessment, evaluation, review, reporting, oversight and self-assurance.

(16) When a potential new risk is identified or a new project is initiated, consideration must be given to potentially significant enterprise risks. If it is reasonable to assume VU may be exposed to a significant risk carrying impacts aligned with VU’s risk categories, an enterprise risk assessment must be undertaken and quality-assured by the Risk and Compliance Team.

(17) VU has designed a risk assessment methodology to facilitate consistent assessment of risk across the organisation. The risk management framework includes a likelihood assessment table, a consequence assessment table, a risk matrix and a risk tolerance statement. Using these tools, risks should be documented and added to the appropriate risk register.

Part D - Local Risk Management Frameworks

(18) Some areas of the University may require a specific or customised approach to risk management to meet regulatory, industry or contractual requirements. These instances are dealt with on a case-by-case basis and consultation with the Risk and Compliance Directorate must be undertaken to ensure an appropriate approach is developed to complement the organisational framework.

(19) Local risk management frameworks may be developed to support operational-level risks where enterprise tools are not suited. However, local approaches must not override, replace or conflict with the Enterprise Risk Management Framework. Any locally developed tools, processes or reporting methods must remain compatible with enterprise requirements.

(20) Local frameworks must be developed using relevant subject matter expertise in the area of risk being addressed, and, wherever possible, in consultation with the Risk and Compliance Directorate to ensure fitness-for-purpose and consistent application across the University.

(21) First line areas may design their own tools, simplified rating methods and escalation pathways where these are more effective for local needs, provided they do not contradict enterprise standards.

(22) Local frameworks must be documented in operational policies or procedures. The Risk and Compliance Directorate will provide guidance to ensure local approaches align with University expectations and integrate with enterprise-level reporting, oversight and escalation pathways.

(23) Where a local framework is proposed, the accountable lead must confirm how local ratings map to the enterprise risk matrix and tolerances to enable consistent escalation and aggregated reporting.

Part E - Approvals and escalations

(24) Risks will be escalated for review and approval in line with the following:

Acceptance and escalation of Strategic, Institutional and Portfolio Risks

Risk Rating | Action Required
Very High | Council approval must be obtained to proceed with any new projects, initiatives and significant change proposals identified as very high risk. Risks and treatment plans must be monitored monthly by the Vice-Chancellor's Group and reported to the Audit and Risk Committee and Council.
High | Vice-Chancellor approval is required to proceed with any new projects, initiatives and significant change proposals identified as high risk. Risks and treatment plans must be monitored quarterly by the Vice-Chancellor's Group and reported to the Audit and Risk Committee and Council.
Medium | Vice-Chancellor's Group member approval must be obtained to proceed with any new projects, initiatives and significant change proposals identified as medium risk. Risks and treatment plans will be monitored six monthly by the Vice-Chancellor's Group member.
Low | No treatment plan required. No approval required. Six monthly review.

Acceptance and escalation of Operational Risks

Risk Rating | Action Required
Very High | Treatment plan must be developed. Vice-Chancellor's Group approval is required to accept the risk, subject to the treatment plan.
High | Treatment plan must be developed. Accountable Vice-Chancellor's Group member approval is required.
Medium | Treatment plan may or may not be implemented based on the accepted risk tolerance. College/Research Centre/Department Lead or equivalent approval is required.
Low | No treatment plan required. No approval required.

Managing and reviewing risks

(25) All identified risks must be regularly reviewed to ensure that changing operating environments are factored into the risk assessment. Accountability for management and review of risks rests with the risk owner.

(26) Review schedules will be set according to the current risk rating:

Risk Rating | Review Schedule
Very High | Monthly
High | 3 monthly
Medium | 6 monthly
Low | Annual

(27) Where treatment plans have been identified to mitigate risks, review and updating of the status of these plans must be completed in line with identified key dates to inform the relevant risk review.

Risk appetite and profile monitoring

(28) Council approves VU’s risk appetite statement setting the amount and type of risk that the University is willing to take in order to meet its strategic objectives. To assist in working within this appetite, VU has agreed to a number of risk tolerances to guide what is and is not acceptable in relation to specific types of risk.

(29) Council will annually approve VU’s Risk Appetite Statement outlining the University’s qualitative attitude to the acceptance of risk. 

(30) As part of evaluating any risk management activity, regardless of the context, all risks should be considered against VU’s approved risk matrix, risk appetite statement and tolerances.

(31) Risk appetite will be categorised and measured as follows:

  1. No Appetite: 95% of identified operational risks should be categorised as Low.
  2. Low Appetite: 80% of identified operational risks should be categorised as Low or Medium.
  3. Moderate Appetite: 80% of identified operational risks should be categorised as Low, Medium or High.
  4. High Appetite: Greater than 20% of identified operational risks may be categorised as High or above.

Reporting

(32) A summary of strategic, institutional and portfolio risks will be provided six monthly to the Vice-Chancellor's Group, to identify changes to risk profiles, overdue risk reviews and/or treatments that require management intervention.

(33) The strategic and institutional risks are reported together to Council and its Sub-Committees as the “VU Risk Profile”.

(34) A status report on the VU Risk Profile will be provided to the Audit and Risk Committee and Council on a quarterly basis outlining changes to VU’s operating environment (both internal and external), proposed adjustments to risk assessments, new and emerging risks identified and risk indicator trends.

(35) A summary of the academic risk profile will be provided to the Academic Board six monthly for consideration and oversight.


Section 5 - HESF/ASQA/ESOS Alignment

(36) HESF: 6.2.1e Corporate Monitoring and Accountability, 6.3.2d Academic Governance.

(37) Outcome Standards for NVR Registered Training Organisations 2025: Standard 1.8 Facilities, Equipment and Resources; 4.3 Risk Management.


Section 6 - Definitions

(38) Accountability: Responsibility for ensuring that risk is appropriately managed, including implementation of treatment plans and monitoring the effectiveness of controls.

(39) Contributing Factors: Factors internal and external that contribute to the risk existing or could result in the risk materialising.

(40) Controls:  The existing actions, activities or mitigation strategies in place to prevent the risk from materialising.

(41) Consequences: Outcome of a risk event or situation, being a loss, injury, disadvantage or gain.

  1. An event can lead to a range of consequences.
  2. A consequence can be certain or uncertain and can have positive or negative effects on objectives.
  3. Consequences can be expressed qualitatively or quantitatively.
  4. Initial consequences can escalate through knock-on effects.

(42) Likelihood: The chance or probability of a risk materialising.

(43) Risk: The effect of uncertainty on objectives:

  1. A deviation from the expected – positive or negative and can result in opportunities or threats.
  2. Objectives can have different aspects such as financial, academic, people, service delivery, reputation, legal and regulatory, cybercrime and data security and will be managed at different levels such as strategic, enterprise or operational.
  3. Risk is often categorised by reference to sources of risk, potential events, consequences and their likelihood of occurrence.

(44) Risk Appetite: The amount and type of risk that the University is willing to take in order to meet its strategic objectives.

(45) Risk Categories: Broad categories of risk that the University uses to identify and group risks.

(46) Risk Management: The coordinated management of activities to direct and control the University with regard to risk.

(47) Risk Tolerance: The acceptable range of rating within which the University seeks to maintain each risk.

(48) Treatment Plan: Actions that will be taken to reduce the likelihood or consequence of a risk occurring.