Risk Management Policy

Section 1 - Summary

(1) This Policy establishes Victoria University’s (VU) commitment to managing risk through implementation of a risk management framework and accountability structure.

Section 2 - HESF/ASQA/ESOS Alignment

(2) HESF: 6.2 Corporate Monitoring and Accountability, 6.3 Academic Governance

(3) Standards for RTOs: Standard 7, Standard 8.

Section 3 - Scope

(4) This Policy applies to:

  1. All staff, students, Council members, Committee members, contractors, honorary and adjunct staff.
  2. All activities under the control or direction of Victoria University, whether conducted on or off University property or in a digital environment.

Section 4 - Definitions

(5) Accountability: Responsibility for ensuring that risk is appropriately managed including the implementation of treatment plans and monitoring the effectiveness of controls.

(6) Contributing Factors: Factors internal and external that contribute to the risk existing or could result in the risk materialising.

(7) Controls: The existing actions, activities or mitigation strategies in place to prevent the risk from materialising.

(8) Consequences: The outcome of a risk event or situation, being a loss, injury, disadvantage or gain.

  1. An event can lead to a range of consequences.
  2. A consequence can be certain or uncertain and can have positive or negative effects on objectives.
  3. Consequences can be expressed qualitatively or quantitatively.
  4. Initial consequences can escalate through knock-on effects.

(9) Likelihood: The chance or probability of a risk materialising.

(10) Risk: The effect of uncertainty on objectives:

  1. A deviation from the expected, positive or negative, which can result in opportunities or threats.
  2. Objectives will have different aspects such as financial, academic, people, service delivery, reputation, legal and regulatory, cybercrime and data security and will be managed at different levels such as strategic, enterprise or operational.
  3. Risk is often categorised by reference to sources of risk or potential events, consequences and their likelihood of occurrence.

(11) Risk Appetite: The amount and type of risk that the University is willing to take in order to meet its strategic objectives.

(12) Risk Categories: Broad categories of risk that the University uses to identify and group risks.

(13) Risk Management: The coordinated management of activities to direct and control the University with regard to risk.

(14) Risk Tolerance: The acceptable range of risk rating within which the University will seek to maintain each risk.

(15) Treatment Plan: Actions that will be taken to reduce the likelihood or consequence of a risk occurring.

Section 5 - Policy Statement

(16) Managing risk is an essential component of good governance and leadership. Effective risk management both creates and protects value in an organisation by improving decision making.

(17) To achieve its strategic objectives, the University must accept a measured degree of risk. Through the identification and analysis of risk, the University is able to be creative, adaptive and progressive in working to deliver its vision to be a global leader in dual sector learning and research.

Risk management principles

(18) VU’s risk management framework is based upon the International Standard for Risk Management AS ISO31000:2018, consistent with the Victorian Government Risk Management Framework and takes into account key risk considerations of the TEQSA and ASQA risk frameworks.

(19) The framework is underpinned by the following principles:

Principle: A positive risk culture
Demonstrated by:
  • Creating a culture where risk identification and management is acknowledged as a driver of positive outcomes.
  • A culture where identifying and managing risk is accepted as everyone’s responsibility.
  • Driving excellence in corporate governance by increasing accountability, awareness and a positive attitude to risk management.

Principle: Accountability
Demonstrated by:
  • Clear accountability for each category of risk, individual risk and treatment plan to ensure action and monitoring is implemented.

Principle: Transparency
Demonstrated by:
  • Providing transparency and oversight to senior management and the University Council that strategic, enterprise and significant operational risks are managed effectively.

Principle: Risk based decision making
Demonstrated by:
  • Decision making, resource allocation and investment are prioritised and informed by risk analysis.

Principle: Embedded risk management
Demonstrated by:
  • All operational functions and processes should include a link to risk.
  • Risk analysis and identification will include broad stakeholder consultation.

Principle: Informed investment
Demonstrated by:
  • The consideration of the balance between risk and benefit in the development of investment strategies.

Principle: Informed resource allocation
Demonstrated by:
  • Adoption of a risk-based approach to the allocation of resources to mitigate future risks.

Risk management framework

(20) The primary purpose of the risk management framework is to provide a coordinated and managed approach to critical risk that, if it were to occur, would impact on the achievement of strategic and operational objectives. VU’s risk management framework comprises:

  1. Risk Management Policy
  2. Risk Management Procedure
  3. Risk Appetite Statement
  4. Risk Matrix
  5. Risk Assessment Guideline
  6. Risk Management System

(21) The University has defined three levels of risk and accountability as outlined in the attached Risk Hierarchy:

Risk Type          Accountability
Strategic Risk     Council
Enterprise Risk    Vice-Chancellor's Group
Operational Risk   College/Research Centre/Business Unit Lead

(22) Strategic Risk Profile

  1. Strategic risks are risks that directly impact upon the potential to reach the University’s strategic objectives. The strategic risk profile is forward looking and focused on risk to and from the strategic plan.
  2. The profile development is integrated with the strategic planning process and is reviewed in line with changing external circumstances or changes to the strategic plan.
  3. Strategic risks are typically over-the-horizon, large-scale or game-changing scenarios, the causes of which are outside the University’s control.
  4. Risks are often interdependent and require an integrated management approach.

(23) Enterprise Risk Profile

  1. Enterprise risks are University wide risks that, if they were to materialise, have the potential severity or materiality to threaten the University’s ongoing sustainability or licence to operate.
  2. The enterprise risk profile is based on risks identified in strategic reviews and risks identified in operational risk reviews which are of significance to the broader University.

(24) Operational Risk Profile

  1. Operational risks affect a specific area of activity of the University.
  2. The operational risk profiles are developed based on risks to the achievement of college/research centre/business unit operational plans. Some risks may be similar across operational areas.

Three Lines of Defence

(25) VU employs three lines of defence to mitigate risk:

Line: First Line – management and internal controls
Role: Vice Chancellor’s Group and Senior Leadership Group
Key duties:
  • Identify and manage risk in daily operations, projects and pursuit of strategic objectives.
  • Develop policies, procedures and controls to mitigate risks.
  • Implement treatment plans to reduce risks where appropriate.

Line: Second Line – oversight
Role: Risk and Compliance Directorate
Key duties:
  • Develop and implement a risk management framework and tools.
  • Provide advice, assistance and training in assessing and managing risk.
  • Coordinate monitoring, reporting and escalation of risk to appropriate bodies.

Line: Third Line – assurance
Role: Internal Audit
Key duties:
  • Undertake independent review of internal controls.
  • Provide gap analysis and best practice advice to VCG.
  • Provide assurance to Council on application and appropriateness of risk controls.

(26) Oversight and reporting of the first and second lines of defence is to the Vice-Chancellor's Group.

(27) Oversight and reporting of the third line of defence is to the Vice-Chancellor and University Council.

Section 6 - Procedures

(28) Risk Management Procedure