(1) This Procedure describes the processes to enable risks to be identified, assessed, mitigated, reported and reviewed.

(2) This Procedure applies to:

(3) Nil

(4) Refer to Risk Management Policy.

(5) It is critical for the successful implementation of the risk management framework that there are clear accountabilities and responsibilities for the process.

(6) The overall responsibilities of various groups and individuals within VU are summarised in the table below.

(7) Please see the Key Activities in Operationalising the Risk Management Framework, including who is responsible, accountable, consulted and informed as part of those activities.

(8) Greater detail regarding the activities of certain roles is found in the Risk Management Framework Guidelines.

(9) The purpose of these procedures is to implement the Risk Management Policy. The process for managing Victoria University's risks is consistent with the risk management standard AS/NZS ISO 31000:2009. The key steps include providing feedback through a monitoring, review and reporting process and appropriate communication and consultation.

(10) This is represented visually in Flowchart 1 and Flowchart 2.

(11) VU has defined three levels of risk:

(12) At the very start of any risk management activity, the answers to two simple questions should be sought:

(13) The IRACI Communications Tool helps to ensure that appropriate persons are identified as stakeholders, and that these “providers” and “recipients” of information have their communication needs addressed during the risk management process. This should be considered for all risks identified to ensure that all stakeholders are communicated to.

(14) Establishing the context for the risk management activity sets the scope and boundaries for the whole risk management process. It is the key mechanism for providing the foundations for identifying and analysing the risks.

(15) The key objectives of establishing the context are:

(16) Establishing the context involves a consideration of the external context, internal context and risk management context, as further described in the Risk Management Framework Guidelines.

(17) The effort that should be put into establishing the context will depend upon the extent and complexity of the risk management activities concerned. The more comprehensive the context, the more information is developed to inform the risk management process. However, there will always be legitimate trade-offs that will limit the extent of, and effort put into, the context.

(18) Management needs to identify ‘What Must Go Right’ to achieve the objectives. This will be ‘What Must Go Right’ for the:

(19) At first, a broad list of possible risks should be developed, but prioritisation of risks should lead areas to identify all high, major and moderate risks which would impact the achievement of VU’s objectives, whether or not they are under the control of VU.

(20) Risks are to be identified as they arise at any time, but risk management is also a critical component of the development of a VU unit's or College's strategic plan, so that both operational and strategic risks are aligned with VU's strategic plan.

(21) There are many methods for identifying risk, including:

(22) Risks are likely to arise in the following circumstances:

(23) Risk analysis is about developing an understanding of the risk and the extent to which it can prevent an organisation achieving its goals.

(24) Once all risks have been identified they are analysed in terms of how likely the risk event is to occur (likelihood) and the possible magnitude (consequence) of the risk event.

(25) Rating Risk Likelihood (see Likelihood Criteria Table) requires an assessment of the risk’s frequency of occurrence. The likelihood of a risk is rated on a score from 1 (rare) to 5 (almost certain).

(26) Rating Consequences (see Risk Consequence Rating) represents the magnitude of the risk or its impact if it were to occur; consequences are rated on a scale of 1 (insignificant) to 5 (catastrophic).

(27) The final ranking of a risk is obtained by combining the selected likelihood and consequence rating for each risk. Please see the Risk Matrix. Note that existing controls in place to mitigate risk should be considered when assessing the likelihood and consequence so that the assessment reflects the residual level of risk.

(28) A risk assessment can generate a large number of risks, and dealing with such a quantity in a meaningful way may well be beyond the capabilities, resources and time limitations of an individual assessment. It is therefore entirely appropriate to conduct an initial ‘screening’ assessment in order to create a ‘shortlist’ of risks for a more in-depth analysis.

(29) The consequence and likelihood criteria referred to above have been developed for most risk management activities down to project level. However, the applicability of these criteria needs to be examined as part of establishing the context for each individual risk assessment activity.

(30) The consequences reflect the amount and type of risk that VU is willing to accept in order to meet its strategic objectives. It is the responsibility of the Planning and Performance Unit to refresh this table if VU’s risk appetite changes and to facilitate SEG obtaining CARC’s approval of any such changes.

(31) The interrelation of risk across VU needs to be assessed and plotted in accordance with Risk Management Profile Structure and Responsibilities to ensure a holistic view of VU’s risk is obtained and communicated.

(32) The level of risk is determined by aligning the consequence and likelihood using the risk rating matrix outlined above to derive a level of risk. As each risk will require different levels of management attention at different times, based on the complexity of the control environment and the factors causing the risk to exist, the management priority focus should be captured for each risk using the Risk Priority Rating.

(33) Each risk will need to be assigned a Risk Priority Rating, depending on the rating derived from the risk matrix and the ability of VU to control the risk. Further information is in the Risk Management Framework Guidelines.

(34) Mitigation strategies may include:

(35) Except in exceptional circumstances, VU will only accept risks which have a final risk rating (as a result of mitigation strategies or otherwise) which is acceptable.

(36) The person proposing that VU accept the risk must develop an action plan to mitigate these risks to an acceptable level (see Risk Management Framework Guidelines). Action plans must be implemented.

(37) The Risk Management Form must be used to document the risk treatment for each risk. The form requires identification of the risk (including what is causing the risk); management action for each cause; a target date; and the name of the person responsible to complete each action point.

(38) It is critical that there are clear and concise communication channels to provide management with the mechanisms to elevate specific risk information whilst providing transparency and oversight to Council, CARC and SEG. The accuracy and timeliness of risk information is critical to providing the right information to specific groups so that they can make informed risk-based decisions.

(39) Risk registers must be developed and maintained.

(40) The Planning and Performance Unit is responsible for the planning and facilitation of any strategic risk register refresh.

(41) The register must be focused on risk to and from VU’s strategic plan.

(42) SEG and the CARC will participate in annual workshops to develop and refresh the register of strategic risks.

(43) It is the responsibility of the Planning and Performance Unit to finalise the register of these risks and report to SEG and CARC in accordance with the Annual Risk Planning and Review Cycle. Out-of-cycle reports must be made if there is a material change to VU’s Strategic Plan.

(44) The Planning and Performance Unit is responsible for the planning and facilitation of the quarterly review and annual refresh of the enterprise risk register following the strategic register.

(45) The register must be developed based on risks identified in the strategic risk register related to operations and those risks identified in operational risk registers which, if they were to materialise, would result in significant consequences for VU.

(46) SEG will conduct quarterly reviews and annually refresh the enterprise risk register.

(47) It is the responsibility of the Planning and Performance Unit to finalise the enterprise risk register and report to SEG and CARC in accordance with the annual risk cycle in the Annual Risk Planning and Review Cycle.

(48) The Planning and Performance Unit is accountable for ensuring that the quarterly review and annual refresh of the operational risk registers is completed by each VU unit and College.

(49) The operational risk registers must be developed based on risks to the achievement of VU units’ and Colleges’ business plans and the enterprise risks which affect the whole of VU.

(50) The head of each VU unit or College is responsible for ensuring that, on a quarterly basis, the operational risks are appropriately reviewed and updated. Annually, the operational risk register must be finalised.

(51) It is the responsibility of the Planning and Performance Unit to ensure that the operational risk registers are finalised so that it can report to SEG and report highlights to CARC in accordance with the annual risk cycle in the Annual Risk Planning and Review Cycle.

(52) The Risk Management Framework Guidelines provide details regarding the requirements of reports.

(53) Monitoring and reviewing risks is an important part of risk management. It allows risk owners to identify any new risks arising or changes in existing risk ratings due to changing circumstances, and to review the extent to which risks have been mitigated.

(54) Risk owners should monitor and review risks regularly and ensure that changes are recorded in the appropriate risk registers on an ongoing basis.

(55) The risk management methodology is aligned with the principles of continuous improvement. It requires all individuals and groups within VU to continually identify, assess, mitigate, review and report risks within their areas of operation, so that all risks are mitigated and managed to an acceptable level in accordance with the risk appetite that has been approved by CARC.

(56) The Risk Management Continuous Improvement Flowchart illustrates the risk management continuous improvement cycle.

(57) Refer to Risk Management Framework Guidelines.

Risk Management Procedure
Section 1 - Purpose / Objectives
Section 2 - Scope
Section 3 - Definitions
Section 4 - Policy
Section 5 - Procedures
Part A - Summary of Roles/Responsibilities
Roles
Responsibilities
Council
• Delegates risk management responsibility to the Compliance, Audit and Risk Committee (CARC).
• Reviews all strategic and enterprise risks and significant operational risks.
• Oversees CARC discharging its risk management responsibilities.
Compliance, Audit and Risk Committee (CARC)
• Ensures the risk management framework is being maintained by Management.
• Elevates critical risks to the Council.
• Approves the definitions of strategic, enterprise and operational risk profiles.
• Approves the characterisation of specific risks as strategic, enterprise and significant operational risk.
Senior Executive Group
• Highlights any significant or emerging risks to CARC.
• Develops / refreshes the current strategic and enterprise risk registers which fall within CARC’s approved profiles.
• Oversees the effectiveness of control mechanisms and treatment plan implementation for strategic and enterprise risks and significant operational risks.
Senior Leadership Group
• Highlights significant operational risks to the Senior Executive Group (SEG).
• Develops / refreshes operational risks which fall within the CARC-approved profile.
• Implements effective control mechanisms and mitigation plans for operational risks.
Planning and Performance Unit
• Collaborates with VU units and Colleges to embed risk management process and culture.
• Develops / refreshes the tools used to identify, assess, and manage risks.
• Maintains and updates records of strategic, enterprise and operational risks and provides a risk highlight report, at least quarterly to SEG.
• Provides proactive assistance, education and performance checks for all units and Colleges of VU.
All staff
• Manage operational risks in their day-to-day roles.
• Bring any potential risks to the attention of management.
• Participate in the operational risk identification, recording and review processes whilst developing and implementing treatment plans where required.
• Follow procedures and policies which govern the implementation of controls to manage risks.
Part B - General
Characterisation of risks
Step 1 - Communicate and Consult
Step 2 - Refresh / Develop
Set the context
Developing the evaluation criteria
Step 3 - Define ‘What Must Go Right’ to Achieve Objectives
Step 4 – Identify the Risks
Risk Identification Methods
Step 5 - Analyse the Risk Level by Combining the Likelihood and Consequences Ratings
Determining the Level of Risk
Step 6: Evaluate Approach to Managing Risks
Step 7: Treat Risks
Step 8: Recording Risk
Risk Registers
Strategic Risk Register
Enterprise Risk Register
Operational Risk Register
Step 9: Monitoring and Reviewing risks
Step 10: Risk Management Continuous Improvement Cycle
Section 6 - Guidelines
This is not the current version of this document.