Policy

Enterprise Risk Management Framework - Policy

Printer-friendly version
Body

1.0       Purpose and Scope

1.1     Context

Risk is the ‘effect of uncertainty on objectives'. Risk may be a single event or a set of circumstances that affect, adversely or beneficially, the achievement of objectives.

In the context of risk management, uncertainty exists when there is an inadequate or incomplete knowledge or understanding of an event, its likelihood and/or its consequence.

Risk management refers to the set of principles, framework, culture, processes and coordinated activities to direct and control an organisation with regard to the many risks that can affect its ability to achieve its objectives. Effective risk management increases the likelihood of achieving objectives, identifying and pursuing opportunities and avoiding or minimising harmful surprises.

1.2     UQ’s Risk Management Obligations

In addition to the international Standard ISO31000:2009, UQ’s risk management function is shaped by, and demonstrates compliance with, the following obligations relating to risk management:

  • Section 61 of the Financial Accountability Act 2009 (the Act) requires the establishment and maintenance of an appropriate system of risk management.
  • Section 28 of the Financial and Performance Management Standard 2009 prescribes that UQ's risk management system must provide for mitigating the risk to the University and the State from unacceptable costs or losses associated with the operations of the University, and managing the risks that may affect the ability of the University to continue to provide services.
  • The Higher Education Standards Framework (Threshold Standards) 2015, made under the Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act 2011), requires that risks to higher education operations are identified and material risks managed and mitigated effectively.
  • Crime and Corruption Act 2010, refers to corruption risks and development of prevention strategies.

1.3     Risk Management Objectives

Risk management at UQ is an enabling management function overseen by the Senate and undertaken by managers and staff at all levels of the University and in all aspects of its operations.

UQ’s risk management objectives are to facilitate the achievement of its strategic and operational objectives including:

  • Value creation and protection;
  • Effective and efficient performance and compliance; and
  • The development, enhancement and protection of its strategic and operational capabilities.

UQ’s Enterprise Risk Management Framework (ERMF) provides the overall framework, direction and oversight for the systematic, disciplined and consistent identification and assessment of risks (including opportunities) and for their effective and efficient management.

The ERMF comprises the risk management policy (integrated in this document), enterprise risk management’s authorities and objectives, Senate and management commitment to effective risk management, people and relationships that enable a risk-aware culture and the objectives and strategies that provide the context for risk assessment and management.

The following diagram highlights the core elements of UQ’s risk management framework and helps demonstrate that risk management at UQ is:

  • An enabling management function, supported by input from staff at all levels, dedicated to the achievement of UQ’s strategic and operational objectives and priorities while operating within the Senate-approved risk appetite and tolerance levels.
  • Contextual (i.e. risks are assessed against specific objectives) and recognises that uncertainty could affect objectives adversely and/or beneficially.
  • Built on and supported by the following five ‘pillars’:

a. Senate’s expectations and risk appetite

b. Management/ leadership commitment and support for risk management function, organisational culture and relationships

c. External compliance obligations relating to risk management

d. Risk management objectives, strategies, mandate and accountabilities

e. Risk management resources, plans, processes and activities

 

 

This ERMF applies to the whole of UQ and its operations and demonstrates the Senate and the Vice-Chancellor and President’s commitment and support for effective and efficient risk management.

Also, the ERMF applies to all categories of risk. In addition to this Framework, more detailed risk management governance documents with additional requirements will exist for certain risk domains, e.g. OHS and ITS. These more detailed risk governance documents are consistent with and give further effect to this Framework. 

2.0       Key Requirements  

To demonstrate effective and efficient risk management, UQ will:

1. Manage its risks in alignment with the risk appetite statement (RAS) approved by the Senate and towards the achievement of its strategic and operational objectives. Appendix A contains an overview of UQ’s RAS. It is important to note that:

a. The RAS is not an exhaustive list that addresses every eventuality, but provides general guidelines. Management and staff are expected to be prudent and apply good judgement in interpreting the risk appetite statements to make sensible, risk-based decisions in the best interest of the University and its stakeholders.

b. Risk Categories and their associated appetite statements do not operate in isolation to each other. Decisions will need to be taken with due consideration of all relevant appetite statements. It is acknowledged that in some circumstances the appetite statements may appear to be conflicting. Where this is the case, a trade-off in risk will be required in order to achieve the most beneficial outcome and Enterprise Risk should be advised.

c. External obligations, budget constraints and the impact of external influences must be considered to determine the optimal treatment plan to manage particular risks.

2. Create and continually enhance a constructive risk management culture in which staff and managers at all levels are encouraged and supported to raise and respectfully discuss risks, issues and opportunities towards beneficial outcomes.

3. Adopt an enterprise approach to risk management and ensure its risk management framework, processes and practices:

a. Explicitly address “uncertainty” in relation to the achievement of objectives and priorities with a view to reducing the variability of outcomes.

b. Are context-driven (i.e. based on specific objectives).

c. Recognise the impact of human, cultural and environmental factors on University objectives.

d. Are systematic, structured, timely and consistent with UQ’s Governance Framework

e. Are transparent and inclusive i.e. risk assessment and management activities and decisions include perspectives of all stakeholders, not just management’s.

f. Enable risk management to be an integral part of management thinking, discussions and decision making and help management find the right balance amongst risk, cost and value.

g. Are integrated into all organisational processes, activities and practices including strategic and operational planning, project management and day-to-day operations and that risks are sufficiently documented in relevant plans and reports.

h. Help safeguard assets both tangible and intangible.

i.  Protect the integrity of financial accounting and reporting.

j. Are based on the best available information and recognise any limitations with the underlying data. 

k. Are dynamic, iterative, responsive to change and continually improving.

l.  Are efficient and where feasible, harness technology to support risk management.

m. Facilitate the continual improvement and enhancement of the University. 

4. Ensure clarity of roles, responsibilities and accountabilities for effective risk management including monitoring, reviews and provision of assurance on risks and controls.

5. Adopt a risk-based approach to demonstrating compliance including coordination of regulatory and compliance matters across the University.

6. Embed risk management in its investment processes and decisions to help identify, prioritise, assess and pursue viable opportunities in a systematic and disciplined manner.

7. Assess its risks using the Risk Categories (Appendix B), and Likelihood and Consequences ratings tables (Appendix C) and record the risks and controls in a risk register (format prescribed in Appendix E).

8. Manage its risks through the design, development and implementation of effective and efficient controls, including General Management Controls (GMCs) as defined in Appendix D. All risks will be managed at a level as low as reasonably practicable and on a legally justifiable and cost/benefit basis with a financial and business outcome focus. Risk management options include (but are not limited to): risk elimination; risk avoidance; risk transfer (through insurance or contracts); and risk retention or acceptance with proper management.

9. Build resilience and requisite capabilities to anticipate, prepare, respond, rapidly recover and minimise adverse impacts from critical incidents, including possible but hard to predict risks.

10. Provide meaningful and useful reports and assurance to senior management and the Senate on risks and controls.

Potential systemic, UQ wide risk exposures and/or risk trends observed by other Functions (e.g. Internal Audit, Integrity & Investigations, Finance, HR) and any material changes in existing risk profiles and controls, are to be advised to Enterprise Risk for consideration in these risk reports.

11. To the extent feasible, integrate risk management and Internal Audit activities by ensuring that Internal Audit’s annual plans and programs of work give sufficient consideration to the primary risks and controls of the University and provide assurance on their effectiveness.

12. Continually review and optimize its risk management function, framework, processes and practices.

3.0    Roles, Responsibilities and Accountabilities

3.1     Senate

The Senate is the University’s governing body and accountable for the effective and efficient governance of the University. The Senate approves the University’s risk appetite.

3.2     Senate Risk and Audit Committee

The role of the Senate Risk and Audit Committee (SR&AC) is to oversee the assessment and management of risks. As per its Terms of Reference, the Committee’s responsibilities in relation to enterprise risk include:

  1. Review the tone and risk culture of UQ, and promote robust discussion around risk appetite and tolerance for risks.
  2. Receive reports from the Vice Chancellor’s Risk and Compliance Committee (VCRCC) on management’s identification and assessment of risks to UQ’s strategic and operational objectives and the effectiveness of processes to appropriately manage these risks.
  3. Advise Senate on significant issues and changes to the University’s risk profile.
  4. Receive advice upon the effectiveness of the Enterprise Risk Management Framework on an annual basis, the level of compliance and risks which are not being managed to Senate- approved tolerance levels.

3.3     Vice Chancellor’s Risk and Compliance Committee (VCRCC)

The VCRCC provides assurance to the Vice-Chancellor and President and the SR&AC on the effectiveness of UQ’s risk management and compliance frameworks and practices and on significant risk or compliance issues. In addition to risk and compliance, the VCRCC also provides oversight of assurance, investigations and occupational health and safety functions.

3.4     University Senior Management Group (USMG)

Under the ERMF, members of the USMG are responsible for:

  1. Assessing and managing the risks to their portfolio’s objectives and strategies;
  2. Maintaining risk registers in the approved format and ensuring the accuracy and currency of their risk registers;
  3. Monitoring and reviewing their risks and controls with sufficient frequency to ensure the currency of their risk profile and ongoing effectiveness of controls;
  4. Providing timely and positive assurance on the management of their risks and on the effectiveness of the General Management Controls;
  5. Facilitating annual reviews of their material risks and controls by ERS and any other ad hoc reviews of risks and controls that ERS may undertake to meet SR&AC, VCC or VCRCC needs, and ensuring that any deficiencies identified through the review and assurance processes are promptly rectified; and
  6. Ensuring their direct reports undertake steps 1 to 6 above for their respective areas of responsibility.

3.5     Enterprise Risk Services (ERS)  

The ERS is responsible for ensuring that the ERMF is implemented across the University and effective oversight is maintained through regular reporting on material risks. More specifically, the ERS is responsible for facilitating the assessment of and providing reports to the VCRCC, VCC and the SR&AC, at intervals decided by them on:

  1. UQ’s key Current Risks (based on Managed Risk Levels i.e. the level of risk remaining after considering the effectiveness of the existing controls or risk treatments) and their management.
  2. The effectiveness of the General Management Controls.
  3. Key emerging risks.

 

4.0    Monitoring and Review

Overall, management is responsible for effective risk management with Enterprise Risk Services being an enabling function, and internal audit providers of independent assurance.

Under the oversight and direction of senior executives and the Senate, the following three separate groups of people within the University will undertake monitoring and review activities to assess and ensure effective and efficient risk management and controls.

While each group has its own monitoring and review objectives and scope consistent with their respective roles in the organisation, there will be ongoing communication and consultation amongst them to ensure effective and efficient monitoring and reviews at each level and avoidance of duplications. 

4.1 Management

Managers will monitor and review their operational activities, risks and controls to ensure effective and efficient performance, governance, risk management and compliance. Monitoring and reviews performed at this level will be the most detailed and generally embedded in the routine processes, procedures and activities of front line operating management. 

4.2 Heads of Enabling Functions

In addition to their ‘Management’ obligations noted above, Heads of Enabling Functions (corporate and academic support services) will monitor and review their function-specific risks across the University and ensure the ongoing effectiveness of the related controls including policies and procedures.

4.3 Internal Audit

Internal Audit is responsible for providing independent assurance over internal controls, including General Management Controls, and risk management practices University wide.

5.0    Recording and Reporting

Risk owners will record pertinent information and data relating to their risks and controls in the risk register format prescribed in Appendix E.

The following reports on risks and controls will be produced:

Report Title

 

Report Content

Report Producer

Report Recipient

Frequency

Key Current Risks

The key risks of the University based on their Managed Risk Levels (current risk levels) at the time of reporting, including the specific controls managing these risks and any additional proposed controls to reduce the risks to Target Risk Levels (acceptable risk levels).  

 

ERS in consultation with USMG, VCRCC and VCC

 

USMG, VCRCC and SR&AC

Quarterly

(or more frequently based on  VCRCC and SR&AC meeting schedules)

Key Emerging Risks

 

The key emerging risks of the University and what preparatory work or pre-emptive actions (if any) management has decided to take.

 

ERS in consultation with USMG, VCRCC and VCC

 

USMG, VCRCC and SR&AC

6 monthly

General Management Controls

The effectiveness of the GMCs per each USMG member and overall at University level.

 

ERS in consultation with USMG and VCRCC

 

USMG, VCRCC and SR&AC

Annually

6.0 Appendix

6.1 Appendix A - Risk Appetite Statement - 'Non-Negotiables' 

The following risk appetite statements should be seen as ‘non-negotiables’. Should any management decision potentially cause a non-negotiable to be outside of tolerance, the matter should be referred to Senate for guidance:

Ref

Category / Subcategory

Principle Statement/s

The University ……

Application of Principle Statement/s having regard to…. 1

1.

Reputation

  • Recognises that reputation is critical to our brand and market positioning and has a VERY LOW risk appetite for risk in any of its activities that puts our reputation and ‘social licence to operate’ in jeopardy; or could lead to loss of confidence by key stakeholders.
  • Reputation should be assessed in terms of our aspirations as a national and global leader in research and teaching and learning, and as a valued corporate citizen.
  • Maintaining our international rankings as critical in attracting funding, students and academic talent.     

2.

Governance, Legal & Compliance

  • Has a ZERO risk appetite for intentional and material breaches of statutes, regulation and professional standards including those relating to research or medical ethics.
  • Has ZERO risk tolerance for criminal breaches, fraud and corruption, misuse of office or similar related activities.
  • Has a ZERO risk appetite for risks relating to actions that may put critical course accreditations and/or standards of operations in jeopardy.
  • A VERY LOW risk tolerance for breach of our privacy obligations to students, staff and other stakeholders.
  • Seek opportunities to efficiently and effectively meet the requirements of internal policies and procedures.

 

3

UQ Values

  • Has ZERO risk appetite for intentional and material breaches of UQ Values and Code of Conduct.
  • Has a ZERO appetite for unlawful discrimination based on gender, ethnicity, culture, etc.
  • Has a ZERO risk appetite for sexual violence, sexual misconduct, harassment, bullying, and any other inappropriate behaviour and activities that puts our Culture of Respect in jeopardy.

 

4.

Safety

  • Aspires to ZERO harm and is open to innovation and prudent investment in strategies to protect the health and wellbeing of our staff, students and visitors with a focus on the prevention of high risk hazards.
  • Has ZERO tolerance for safety management standards or practices that put the health and safety of our staff, students and visitors at risk
  • Supports a strong safety culture and expects employees to take personal responsibility for their own wellbeing. 

5.

Financial Sustainability

  • Has a VERY LOW risk appetite for pursuing any strategy that puts at risk the financial sustainability of the University over the medium to long term.
  • Has a LOW appetite for application of capital that is not planned and executed in a sustainable and prudent manner.
  • A MODERATE appetite to increase revenue diversity via international students, research income and revenue from industry partnerships.
  • Seeks opportunities to increase the level of philanthropic support to the University.


1 This column provides further guidance supporting the Principle statement(s) and / or provides more specific statements where appropriate.

The following definitions apply in interpreting the RAS:

Zero

Very Low

Low

Moderate

High (Opportunity Seeking)

All reasonably practical and affordable measures to eliminate the risk must be taken.

All reasonably practical and affordable measures to minimise the risk must be taken. A strong preference for strategies and plans with minimal risk exposure.

Preferring risk mitigation to the rewards of taking risk. Safe approaches should be taken but the cost of implementing controls should be evaluated to ensure they achieve a worthwhile level of risk mitigations.

Can accept a degree of uncertainty in order to achieve an intended outcome providing that reasonable steps are taken to mitigate any potential loss.

Wiling for risks to be taken even if there is high uncertainty in order to gain highly valued reward/s. Focus is on achieving the reward/s but with due consideration of the non-negotiables

 

6.2 Appendix B - Risk Categories (subject to Senate approval of proposed RAS)

#

Risk Category

Subcategories

1

Strategic

  • Statutory functions and powers as defined by the UQ Act
  • Strategic targets, outputs and outcomes
  • Operating Model

2

Research & Knowledge Transfer

  • Research resources and capabilities including staff and funding
  • Quality of research outcomes
  • Research integrity and ethics
  • Safety and security of research facilities and experiments

3

Teaching & Learning

  • Teaching resources and capabilities including staff and funding
  • Quality of teaching outcomes
  • Teaching integrity and ethics
  • Assessment integrity and ethics

4

Students

  • Student experience and retention
  • Student outcomes including employability
  • Student behaviour, safety and well being

5

Growth and Commercialisation

  • Innovation and opportunities, including with partners
  • Competitiveness including market share, demand and capabilities
  • Investment projects and programs
  • Adaptability and change management

6

Stakeholders, Relationships and Reputation

  • Brand /image, credibility/trust, attractiveness
  • Constructive, respectful and mutually beneficial relationships
  • Actual and potential benefits – donations/endowments, support, etc.
  • External engagement

7

People, Safety and Culture

  • Wellbeing and safety
  • Equity and diversity
  • Selection rigour
  • Capabilities, productivity and performance
  • Retention, development and progression
  • Industrial relations
  • UQ Values

8

Financial

  • Financial position
  • Financial performance
  • Budgeting and forecasting
  • Accounting, Reporting and Disclosure integrity

9

Governance, Legal and Compliance

  • Statutory approvals, licences, permits and certificates
  • Legal and contractual rights and powers
  • Oversight, monitoring, review and assurance activities and capabilities
  • Ethics and integrity, (corrupt conduct, fraud)

10

Assets (non-IT)

  • Security
  • Quality/Integrity /Reliability
  • Availability / operational capabilities
  • Performance (optimum utilisation)

11

Systems and Information Management

  • Authenticity/ integrity / reliability of systems and information;
  • Security and Accessibility;
  • Availability and useability;
  • Productivity
  • Agility (future needs)

12

Enabling Operations

  • Performance (effective and efficient)
  • Resilience / continuity of operations

6.3 Appendix C - Risk Measurement Tables and Matrix

6.3.1 Likelihood Table 

Rating

Likelihood

Definition

Probability

5

Very High

Almost certain; extremely likely

> 90%

4

High

Very Likely; will probably occur

60% - 90%

3

Medium

Likely to happen

40% - 59%

2

Low

Possible but unlikely

10% - 39%

1

Very Low

Conceivable but extremely unlikely

<10%

[See section 6.3.4 for Consequence Rating Table]

 

6.3.2  Total Risk Matrix

LIKELIHOOD RATING

CONSEQUENCES RATING [see Table 5.3.4]
refer note 1

Insignificant

[1]

Minor

[2]

Moderate

[3]

Major

[4]

Critical

[5]

Very High [5]

Medium

Medium

High

Extreme

Extreme

High [4]

Low

Medium

High

High

Extreme

Medium [3]

Low

Low

Medium

High

Extreme

Low [2]

Low

Low

Medium

Medium

High

Very Low [1]

Low

Low

Low

Medium

High

Note 1; With reference to Table 5.3.4 - note 2; if lower level specific impact types and/or adjusted consequence levels for Financial and/or Operations impact types have been used, the total risk rating needs to be reported by stating the organisational level of the assessment before the risk rating; e.g. Faculty-High, Project-Medium, School-Extreme, etc.

6.3.3 Risk Action Table

The final decision on ‘Extreme’ or ‘High’ MRL ratings will be subject to further consultation by ERS with relevant VCC members before inclusion in any reports to executive leadership and the Senate.

Overa​ll Assessed MRL

Recommended Action

Immediate Response to OHS Risk

(refer to OHS Risk Management Procedure for specific action requirements)

Oversight / Reporting level

Extreme

  If the MRL indicates a potential breach of Senate approved RAS, advise ERS immediately.

  Develop a Risk Management Action Plan and implement proposed controls/treatments as soon as practicable to lower the MRL to an acceptable TRL.

 Confirm effectiveness and timely implementation to ERS as per agreed action plan.

Task must not proceed. Appropriate and prompt action must be taken to reduce the risk to an acceptable level.

 

Vice Chancellor, VCRCC, VCC & SR&AC

High

  If MRL within RAS, accept risk and document the reasons.

 If outside of RAS, develop a Risk Management Action Plan and implement proposed controls/treatments as soon as practicable to lower the MRL to the TRL.

 Confirm effectiveness and timely implementation to ERS as per agreed action plan.

Task can only proceed in extraordinary circumstances** and provided there is authorization by relevant Head of Function* and a plan is in place to promptly reduce the risk to an acceptable level.

 

Relevant USMG member

(the risk may be reported by ERS to Vice Chancellor, VCRCC, VCC and SR&AC)

 

Medium

  If MRL within RAS, accept risk and document the reasons.

  If outside of RAS, develop a Risk Management Action Plan and implement proposed controls/treatments as soon as practicable to lower the MRL to the TRL.

  Regularly review existing controls for effectiveness and introduce new or changed controls if cost is justifiable.

  Develop and implement action plan, if new or changed controls are proposed, followed by re-assessment of new risk level after implementation.

Task can proceed upon approval of the risk assessment by relevant Line Manager or Supervisor is received. 

It is recommended that a plan is developed to reduce the risk within a reasonable timeframe.

 

Relevant USMG member

and

relevant Head of Function*

 

Low

  Maintain and monitor existing controls to ensure they continue to be effective;

  Monitor internal and external changes in the portfolio’s environment.

Task can proceed upon approval of the risk assessment by relevant Line Manager or Supervisor is received. 
 

Relevant Line Manager or Supervisor

At each organisational level (e.g. faculty, institute, school, project, function, division, team), management has to identify their portfolio’s or project’s top risks and demonstrate the effective management of these risks.

* Relevant Head of Function; Head of school, Institute Deputy Director or Division Director

** Extraordinary circumstances are opportunities for the University that align with its strategic mission and RAS.

 

6.3.4 Consequence Rating Table
(Where there are multiple types of impacts, use the highest rating for scoring risk) 

 

IMPACT  TYPE

1

INSIGNIFICANT

2

MINOR

3

MODERATE

4

MAJOR

5

CRITICAL
(potential RAS breach within 1 year)

STRATEGIC

Critical KPIs are a subset of UQ KPIs

  Negligible but has potential  to adversely impact UQ critical KPI/s

<5% of critical KPIs have a negative variation

  5% to <15% of critical KPIs have a negative variation

  15%-25% of critical KPIs have a negative variation

  >25% of critical KPIs have a negative variation

REPUTATION

Key stakeholders:

· Students

· Staff

· Alumni

· Government; all levels of domestic and foreign governments

· Unions

· Community

  Negligible impact. Ad hoc mentions or rumours of a negative event on social media.

 

  Adverse local and social media coverage for a brief time

  Small pockets of student protests

  Adverse capital city media coverage.

  Students and staff (including staff unions) publicly express their disapproval and disappointment at UQ.

 

  Adverse and sustained State media coverage; public perception of UQ suffers.

  Calls for management reform including removal of some executives

  Key stakeholders threaten to remove their association with and support for UQ.

  Prolonged and adverse national media coverage, undermining public confidence in UQ

  Major student uprising; calls for government   intervention; executives publicly chastised by community leaders

  Key stakeholders  disassociate themselves from UQ

CULTURE /

UQ VALUES

  Some non-management staff unaware of and/or not behaving in accordance with UQ Values

 

  Instances of management decisions or behaviour inconsistent with UQ Values and ‘One-UQ culture;

 

  Widespread staff perception that management does not always prioritise UQ Values;

  Noticeable reduction in staff morale

  Management displaying and/or tolerating behaviour that is inconsistent with UQ Values;

  Widespread low staff morale; Valued staff consistently leaving UQ

  UQ Values/Code of Conduct visibly and significantly compromised;

  Prolonged and significant adverse impact on UQ culture;

  Inability to retain and/or attract critical staff

COMPLIANCE

  Breach of local standard operating procedures but not of any mandatory policies or procedures

  Ad hoc, as opposed to systemic, breaches of policies  and procedures but not of laws or regulations

  Breach of any laws/licenses, including a notifiable breach resulting in recommendations and active monitoring by regulator/s

  Instances of breach of Operational policies

  Prosecution

  UQ fined ≤$1M

  Show cause notice from regulator

  Enforceable undertaking

  Significant and systemic breach of Academic policies

  Prosecution with potential for executives to be jailed

  UQ fined >$1M

  Loss of critical licence/accreditation

  Significant and systemic breach of Governance policies

HEALTH, SAFETY & WELLNESS
(Physical & Mental, including Personal Security)

  Near miss event

  No injury or illness

 

  First Aid injury or illness

  Biological / Chemical spill

  Moderate injury or illness

  Biological exposure

  Reversible impairment

  Serious injury or illness

  Lost time injury

  Temporary impairment

  Dangerous incident

  Permanent impairment

  Fatality / fatalities

FINANCIAL

Measured as adverse impact on budgeted annual EBIT (Note 2)

Adverse impact of;

 <$500K

 

Adverse impact of;

$500K to <$10M

Adverse impact of;

$10M to <$25M

 

Adverse impact of;

$25M - $50M

 

Adverse impact of;

>$50M

 

OPERATIONS
(Note 2)

  Insignificant impact on operations; issue/s quickly resolved

  Minor and brief impact on non-critical operations;

  Loss or damage to non-critical assets

  Minor and brief impact on critical operations;

  Significant damage to non-critical assets;

  Some damage to critical assets

  Significant impact on critical operations;

  Significant damage to critical assets

  Significant, irrecoverable impact on critical operations for more than 1 week;

  Business interruption leading to other ‘critical consequence 5’ impact(s)

  Major loss/destruction of assets

Note 2: to provide meaningful risk ratings for risk assessments other than at UQ level (e.g. faculty, institute, school, function, division, project), the ‘Financial’ and ‘Operations’ impact levels may be adjusted to better reflect the seriousness of the risks. Furthermore, lower level specific impact types with corresponding consequence levels, may be introduced to provide more granular information. For guidance on how to report the total risk rating for these adjusted impact types and consequence ranges, refer to paragraph 5.3.2 ‘Total Risk Matrix’ - Note 1. 

 

Appendix D – General Management Controls (GMCs)

The GMCs are inherent to the general management functions of leading, directing, planning, organizing, staffing, coordinating and controlling any organisation. These controls form the foundations of the University’s internal control system and help provide a robust, systematic and perpetual defence against threats to achieving the University’s objectives. The GMCs should be implemented and assessed for their effectiveness at the UQ level and any of the lower levels including faculties, schools, institutes, functions, divisions, teams and projects. 

#

Control Objective

Principal Question (All ‘Yes’ responses must be supported by verifiable evidence)

1

Clarity of objectives, strategies and KPIs

§  Have the objectives and strategies been clearly defined, aligned, prioritised and communicated to those who need to know?

2

Stakeholder management

§  Have the primary stakeholders been identified and strategies put in place to recognise and protect their rights and develop respectable, equitable and mutually beneficial relationships with them?

3

Enabling organisational structure

§  Does the organisational structure facilitate the effective and timely implementation of the strategy and the monitoring, measuring and reporting of performance?

4

Proper plans and budgets

 

§  Are there approved plans and budgets for all objectives, strategies, initiatives/projects and have these plans and budgets been communicated to those who need to know?

5

Clarity of roles, responsibilities and accountabilities

(Note 3)

§  Are the roles, responsibilities and accountabilities for the delivery of prioritised objectives and outcomes clearly articulated and assigned to individuals or teams?

6

Capable staff

§  Are the management and other pivotal/critical roles staffed by competent people?

7

Authority and delegations

§  Do managers and staff have appropriate authorities/delegations and mandate to achieve the objectives/outcomes expected of them?

8

Supportive culture

§  Do managers and staff behave in accordance with UQ Values and the Code of Conduct?

9

Safety

§  Are processes and protocols in place to protect people from harm?

10

Compliance

§  Is there a robust process in place to demonstrate compliance with applicable laws and regulations and are regulatory breaches (if any) recorded, reported and promptly rectified?

11

Security of assets

§  Is there effective security over assets including systems, information and vital records?

12

Performance monitoring and reporting 

§  Are performances against KPIs and plans measured, monitored and reported on and timely actions taken to remedy any gaps in performance?

13

Responsible use of resources

§  Are there controls in place to ensure responsible, sustainable use and management of University resources including natural resources?

14

Appropriate records and reports

§  Are records and reports required for business and/or legal/regulatory reasons produced and are they relevant, reliable and timely?

15

Continuity of operations

§  Are there robust plans and processes in place to ensure continuity of business-critical operations?

16

Supervision, Monitoring and Reviews

§  Is there effective supervision, monitoring and reviews of the performance of staff, systems, processes and controls and prompt remediation of any unfavourable variances?

17

Management Assurance

§  Does management provide assurance, through its own reviews and assessments, to demonstrate effective and efficient performance, governance, risk management and compliance?

Appendix E – Template for Risk Register and Risk Management Plan 

 

 

1.0

Risk Title

 

Risk Category

 

Risk Owner/s

 

 

Risk Identification

Risk Analysis

Existing Controls/ Treatments and their Effectiveness

Context / Objective

Risk Description

Threats and Vulnerabilities

Consequences

 

 

 

 

 

 

Inherent Risk Level (IRL)

L

C

R

 

Managed Risk Level (MRL)

L

C

R

 

Target Risk Level (TRL)

L

C

R

                                                                                                            

                                                                                         

 

Proposed Risk Treatments to Align MRL to TRL

USMG Member responsible for implementing proposed treatment/s

Date/s for full implementation

1.      

 

 

 

2.      

 

 

 

3.              

 

 

 

4.              

 

 

 

 

 

 

 

Custodians
Director, Governance and Risk
Mr Suresh Chand

Forms

Printer-friendly version

No forms in this topic.
Custodians
Director, Governance and Risk
Mr Suresh Chand
Custodians
Director, Governance and Risk
Mr Suresh Chand