This is not a current document.
Section 1 - Purpose / Objectives
(1) This procedure describes the processes to enable risks to be identified, assessed, mitigated, reported and reviewed.
Section 2 - Scope / Application
(2) This procedure applies to the whole university.
Section 3 - Definitions
(3) Nil
Section 4 - Policy Statement
(4) Nil
Section 5 - Procedures
Part A - Roles/Responsibilities
| Roles | Responsibilities |
| --- | --- |
| Compliance, Audit and Risk Committee of Council | Monitors and reviews the effectiveness of the University's risk management processes including oversight and monitoring the effectiveness of the internal audit program; Endorses the Risk Management Policy, the Strategic High Risk Register and University-wide risk register; Endorses the Vice Chancellor's risk annual attestation statement. |
| Academic Board | Provides academic oversight of the University's research, academic programs and courses of study in further education, vocational education and higher education. |
| Senior management (being the Senior Leadership Team) | Provides leadership on the university's acceptable risk exposure (risk appetite statement) |
| Risk Owners | Take overall accountability for the risk; Ensure that risk registers are updated; Ensure that the monitoring, reviewing and reporting of risks is carried out; Develop risk plans and coordinate the implementation of risk plans. |
| Audit and Risk Unit, Legal, Governance & Risk | Develops and manages the risk management strategy and policy; Promotes ownership and accountability throughout the university; Provides advisory, consultancy and training services as required; Coordinates reporting to SLT, the Vice-Chancellor and the Audit and Risk Committee as required; Conducts risk management reviews to identify university risk patterns and trends. |
| All managers and staff | Are familiar with the University's Risk Management Policy and Strategy; Engage in continuous improvement in awareness of risk management practices and processes; Contribute to managing risks within their areas of responsibility. |
| Internal Auditors | Develop a risk focused Strategic Internal Audit Plan; In consultation with the Vice Chancellor, Senior Leadership Team and Legal, Governance & Risk, implement the internal audit program. |
Part B - General
(5) The purpose of these procedures is to implement the Risk Management Policy. The process for managing Victoria University's risks is consistent with the risk management standard AS/NZS ISO 31000:2009. It involves five key steps and also includes feedback through a monitoring, review and reporting process and appropriate communication and consultation.
Step 1: Establish the Context
(6) The context in which Victoria University assesses risk should be established prior to commencing a risk assessment. Establishing the context requires an examination of the external, organisational and risk management environment in which the risk identification, analysis and treatment options will be considered.
(7) VU focuses on 3 key areas of risk management:
- Strategic high risks, which are reviewed every six months by risk owners, and of which the high strategic risks are presented to the Compliance, Audit and Risk Committee every six months
- Operational risks, which are reviewed regularly or at least every six months by risk owners, and of which the high and major operational risks are presented to the Compliance, Audit and Risk Committee annually
- Emerging risks, which are considered regularly by everyone and escalated to the risk register by risk owners via the manager of Compliance, Audit and Risk as appropriate.
Step 2: Identify the risks
(8) The next step in the risk management process is to identify risks and document the risks to be managed. The aim is to identify the likelihood of something happening that can prevent the organization from achieving its goals or objectives.
(9) At first, a broad list of possible risks should be developed but prioritisation of risks should lead areas to focus on high, major and moderate risks. Identification should include all (ie high, major, moderate and low) risks that impact the achievement of university objectives, whether or not they are under the control of the university.
(10) Risks are identified at any time but the best time to discuss risk management is when developing the organisational unit or portfolio unit's strategic plan so that both operational and strategic risks are aligned with VU's strategic plan.
(11) Risk Identification Methods
- There are many methods for identifying risk, including:
  - facilitated brainstorms, interviews, questionnaires, workshops, data analysis, stakeholder feedback
  - SWOT analysis; scenario planning and gap analysis are also useful management tools.
- Risks are likely to arise in the following circumstances:
  - Lack of clarity about what needs to be done and what should not be done
  - When it is not clear who is responsible and who is accountable to deliver a key output and key outcome
  - When strategies are not clear and KPIs are not aligned with policy/project objectives
  - Lack of knowledge about university policies, stakeholder needs and government requirements
  - When decisions are made without analyzing relevant, accurate and up-to-date data
  - Whenever there is a lot of staff turnover — including senior management
  - When managing a complex project that is new and/or challenging and/or requiring stakeholder engagement and/or requiring a whole-of-university approach
  - When a policy or program is not communicated well to key stakeholders
  - Lack of capability
  - Whenever organisational units experience a negative collegiate culture
  - When managing large expensive projects
  - When few are asked to do more work to compensate for the lack of resources
  - When organisations undergo drastic changes.
Step 3: Analyse the risk level by combining the likelihood and consequences ratings
(12) Risk analysis is about developing an understanding of the risk and the extent to which it can prevent an organisation achieving its goals.
(13) Once all risks have been identified they are analysed in terms of how likely the risk event is to occur (likelihood) and the possible magnitude (consequence) of the risk event:
(14) Rating Consequences: consequences represent the magnitude of the risk or its impact if it were to occur. They are rated on a scale of 1 (insignificant) to 5 (catastrophic).
(15) Rating Risk Likelihood: this requires an assessment of the risk's frequency of occurrence. The likelihood of a risk is rated on a scale from 1 (rare) to 5 (almost certain).
(16) The final ranking of a risk is obtained by combining the selected likelihood and consequence rating for each risk.
(17) The following tables provide broad descriptions used to support likelihood and consequence ratings.
Risk Consequence Ratings

| Rating Description | Financial (Unit) | Financial (University) | Human | Business Interruption | Environment | Reputation Standards and Legal | Strategy, Systems and processes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Catastrophic | Above $500,000 | Threatens University Viability; Above $40m cash impact | Single or Multiple Deaths | Business interruption greater than 6 weeks | Long term harm & Front page news & Clean up expenses > $5m | Reputation of the University affected nationally and internationally, front page news; Serious breach of legislation — Fines greater than $5 million | Critical system failure; Significant impact on key programs and projects; Significant impact on key stakeholders |
| Major | $250,000-$500,000 | $5m-40m cash impact | Intensive Care Hospital | Business interruption between 4-6 weeks | Short term harm & Adverse Media & Clean up expenses between $1m - $5m | Embarrassment for VU - adverse media coverage; Critical risk reported to Compliance, Audit and Risk committee; Breach of legislation — fines from $1 to $5 M | A number of KPIs not met; Bad policy advice or ongoing non-compliance; Trends show service is degraded; Survival/ success of key programs and projects impacted in the medium term; Strategies not aligned with VU's a great university of the 21st Century |
| Moderate | $50,000-$250,000 | $250,000- $5m cash impact | Injury/ hospital | Business interruption between 2-4 weeks | Short term harm & local media coverage & Clean up expenses between $250,000 - $1m | Student and/or community concern, heavy local media coverage; Breach of legislation — Fines of $250K to less than $1 million | One or more key KPIs / accountability requirements not met; Service delivery inconvenient to clients; Survival/ success of key programs and projects impacted in the short term |
| Minor | $5,000-$50,000 | $25,000 to $250,000 cash impact | First Aid required; Injury/ treatment | Business interruption between 1-2 weeks | Intermittent harm; Student press; Clean up expenses between $25,000 - $250,000 | Issue raised by students and/or local press; Minor breach of legislation — fines up to $250K | Policy procedural rule at times not met or services do not fully meet needs; Effectiveness and efficiency of key program or other programs impacted in short term |
| Insignificant | Up to $5,000 | Up to $25,000 cash impact | | Business interruption up to 1 week | Minimal harm; Clean up expenses to $25,000 | Issue resolved promptly by management; Legal dispute — found not guilty — Fines up to $25k | Minor errors/delays in systems or processes requiring corrective action; Effectiveness and efficiency of program impacted in short term |
| LIKELIHOOD TABLE | Rating | Likelihood |
| --- | --- | --- |
| Almost Certain | 5 | The event will occur within one year |
| Likely | 4 | The event is likely to occur within one year |
| Possible | 3 | The event may occur within 3 years |
| Unlikely | 2 | The event is not likely to occur within 3 years |
| Rare | 1 | The event will only occur in exceptional circumstances |
(18) The final risk score for each risk is calculated by adding the likelihood and consequence response scores. This will give a risk score of between 2 and 10 which can then be plotted on the Risk Rating Matrix (refer below) to give a risk rating of high (8-10), major (7), moderate (6) or low (2-5).
(19) All risks ranked as "high", "major" or "moderate" require detailed analysis of mitigating practices / controls to determine the residual risk rating. Low risks require less analysis but should be recorded on the risk register and reviewed regularly.
Initial risk rating matrix

| LIKELIHOOD (rows) / CONSEQUENCES (columns) | INSIGNIFICANT | MINOR | MODERATE | MAJOR | CATASTROPHIC |
| --- | --- | --- | --- | --- | --- |
| ALMOST CERTAIN | 6 MODERATE | 7 MAJOR | 8 HIGH | 9 HIGH | 10 HIGH |
| LIKELY | 5 LOW | 6 MODERATE | 7 MAJOR | 8 HIGH | 9 HIGH |
| POSSIBLE | 4 LOW | 5 LOW | 6 MODERATE | 7 MAJOR | 8 HIGH |
| UNLIKELY | 3 LOW | 4 LOW | 5 LOW | 6 MODERATE | 7 MAJOR |
| RARE | 2 LOW | 3 LOW | 4 LOW | 5 LOW | 6 MODERATE |
Risk Priority - Legend

| Priority | Required action |
| --- | --- |
| High | Action and review by the Vice Chancellor, DVCs; VPs; Principal Officers and Compliance, Audit and Risk Committee. To be included in High Risk Register. |
| Major | Action and review by the risk owners — including Principal Officers; DVCs; VPs; Directors; Heads Academic areas and College Deans |
| Moderate | Management to review and monitor risks. Action may be required, e.g. improving controls. |
| Low | Management to review and monitor risks in case changing circumstances increase the level of risk. Action may be required, e.g. improving controls. |
Step 4: Evaluate risks to assess whether further management action is required to mitigate the risk
(20) Following the determination of the initial risk rating it is important to consider any existing management action or management processes that are designed to manage the risk and increase the likelihood that goals will be achieved.
(21) Management action may include:
- Developing a decision making process including the assignment of authority and responsibility
- Refinement of policies and practices
- Addressing any gaps in the competence of personnel
- Refreshing the communication of policies, procedures etc to internal staff and key stakeholders
- Regular monitoring and reviewing of management action to see that KPIs are met.
(22) If management considers the level of risk is unacceptable, then a risk management mitigation plan must be developed so that the risk is reduced to an acceptable level.
Step 5: Treat Risks
(23) High, major and moderate risks require treatment, so action plans need to be developed. That is, it is necessary to identify options to mitigate these risks, evaluate the options and develop and document an action plan for implementation.
(24) Management should use the Risk Register template to document the risk treatment for each risk. Management is required to note: the risk (including what is causing the risk); management action for each cause; a target date; the name of the person responsible to complete each action point.
Step 6: Monitoring and Reviewing risks
(25) Monitoring and reviewing risks is an important part of risk management. It allows risk owners to identify any new risks arising or changes in existing risk rating due to changing circumstances and to review the extent to which risks have been mitigated.
(26) Risk owners should monitor and review risks regularly or at least every six months - in March and September. College Deans should review all high and major risks identified by each academic area. Senior Managers should review high, major and moderate risks identified within their portfolio. Risk Owners should review progress reports for each risk so that an up-to-date risk assessment for each risk can be made.
Step 7: Reporting Risks
(27) The Manager, Audit and Risk will collate the information provided to develop:
- the high risk register that will be presented to the Compliance, Audit and Risk Committee in May and November each year
- the university-wide risk register that will be presented to the Compliance, Audit and Risk Committee in July each year
(28) See Flow Chart 2 for a visual representation of this cycle.
Step 8: Risk management continuous improvement cycle
(29) The risk management methodology is aligned with the principles of continuous improvement. It requires management to continually identify, assess, mitigate, review and report risks within their organisation so that all risks are mitigated and managed to an acceptable level in accordance with the University's risk appetite statement.
(30) The diagram linked as Flow Chart 3 illustrates the risk management continuous improvement cycle.
Section 6 - Guidelines
(31) Nil