Enterprise Risk Management - Policy

1. Purpose and Objectives

The international standard for Risk Management ISO 31000:2009 has been adopted by Standards Australia and Standards New Zealand as AS/NZS ISO 31000:2009 and has been used as the basis for the University of Queensland’s approach to managing risk.

UQ recognises that managing risk is an integral part of good management practice and is committed to its application at all levels of the organisation.

2. Definitions, Terms, Acronyms

Risk - the effect (positive or negative) of uncertainty on objectives. Risk is considered with reference to possible consequences and likelihood of occurrence.

Risk Management - coordinated activities to direct and control an organisation with regard to risk.

Risk Owner - person or entity with the accountability and authority to manage a risk.

Strategic risks - risks associated with the achievement of strategic goals.

Operational risks - risks associated with the day-to-day operations of the business.

3. Policy Scope/Coverage

This policy applies to all UQ staff and organisational units.

4. Policy Statement

Risk Management is a tool used to support the achievement of strategic and operational goals of the University. The risk management framework provides a standardised approach to assessing risk at any level of the organisation.

Risk management

  • creates and protects value by contributing to the achievement of objectives and improved performance,
  • is an integral part of organisational processes, from strategic planning and project management to day-to-day activities,
  • forms part of the decision making process, allowing informed choices between alternative courses of action with different risk profiles,
  • explicitly addresses “uncertainty”,
  • is systematic, structured and timely,
  • is based on the best available information, and acknowledges limitations of data,
  • is adopted based on the University’s risk profile, and risk appetite in given situations,
  • recognises the impact of human, cultural and environmental factors on objectives,
  • includes perspectives of all stakeholders, not just management,
  • is dynamic and responsive to change to continue to take account of new or emerging risks, and
  • is continually improving as the organisation grows.

5. Framework and Responsibility

All staff are accountable for ensuring that risks are appropriately managed within their area of responsibility.

The University has adopted a 'three lines of defence' assurance model as part of its governance, risk and compliance frameworks. The three lines of defence model is actively supported and guided by Senate, through the Senate Risk Committee, and by the Executive, through the Vice-Chancellor's Risk and Compliance Committee, and is implemented as follows:

  • UQ's operational management has ownership, responsibility and accountability for the identification, assessment and management of risk and for ensuring compliance. (First Line of Defence)
  • Enterprise Risk, Occupational Health and Safety, Compliance and other relevant risk-oversight functions are responsible for facilitating, monitoring and supporting effective risk management and compliance practices by operational management. (Second Line of Defence)
  • Internal Audit, Investigations and other internal and external audit and review functions are responsible for providing assurance on the effectiveness of controls and for identifying breakdowns and systemic issues in risk and compliance. (Third Line of Defence)

5.1 Senate Risk Committee

In accordance with its charter, the Senate Risk Committee provides advice and assurance to Senate on the effectiveness of the University's Enterprise Risk Management Framework and the management of risk.

5.2 Vice-Chancellor's Risk and Compliance Committee (VC RCC)

The VC RCC is made up of members from the University Senior Management, and one independent external expert appointed by the Chair.

According to its Terms of Reference the VC RCC responsibilities are to:

  • provide assurance to the Senate Risk Committee that the UQ Risk Management Policy and Framework, and associated procedures, ensure that the University can effectively identify, assess, manage and monitor risk;
  • receive reports from Enterprise Risk in relation to risk management activities, with particular focus on major or university-wide risk areas including but not limited to: finance, major projects and commitments, occupational health and safety, incident and crisis management, and fraud and corruption; and
  • discuss and report to the Senate Risk Committee significant risk issues or changes to the University’s risk profile.

5.3 University senior management

The members of senior management are accountable for ensuring (as part of the first line of defence):

  • that risks are considered as part of strategic and operational plans within their area of responsibility,
  • that risks are documented and assessed within the University risk management framework and that appropriate actions are identified to manage the risks, and
  • that risk treatments are proportionate to the level of risk the University is willing to take.

5.4 Enterprise Risk Unit

The Enterprise Risk Unit, led by the Associate Director - Enterprise Risk, is responsible for:

  • providing information, guidance and tools to all levels of management on the risk management framework,
  • supporting management in carrying out their risk responsibilities,
  • reporting to the VC RCC,
  • attending the Senate Risk Committee,
  • assisting with the development of the risk based internal audit plan, and
  • ensuring continual improvement of the risk management framework.

6. Risk Appetite

In pursuing its strategic objectives, the University encourages educated and informed risk taking. UQ recognises that taking risk is a critical part of our day-to-day activities. Effective management of those risks is what will set us apart from our competitors and lead to success.

To do this we must understand:

  • What risks we are willing to take, and
  • How much risk is appropriate in the circumstances.

7. Risk Management Process

7.1 Strategic risks

Strategic risks are identified as part of the strategic planning processes. Identifying uncertainty surrounding the achievement of strategic goals allows processes to be put into place to either capitalise on opportunities or mitigate threats as they arise.

7.2 Operational risks

Operational risks are those risks associated with day-to-day activities. The risk may arise from internal or external sources. Whilst the formal review of risks is conducted annually, operational risks should be reviewed at any time when there is a change in procedures, or new uncertainty is identified.

The risk management process, as detailed in the Enterprise Risk Management Procedure is summarised in the diagram below. It can be applied to any level of risk within the organisation, from strategic processes down to individual projects.

7.3 UQ consolidated risks

After taking into account strategic risks and operational risks, the Vice-Chancellor's Risk and Compliance Committee will consider a consolidated view of significant risks across the University. This consolidated view categorises a number of risk observations from a variety of sources to form an overall UQ risk view. It is more than just a sum of the operational risks. It is not designed to replace all other risk management activities but rather to complement them with a consolidated view.

The Consolidated Risk Register is not a fixed and finite list, but rather one that moves and changes as the organisation and its external influences change.

8. Compliance

UQ has compliance obligations under the Financial Accountability Act 2009 (the Act) which outlines a number of accountable officer and statutory body functions, one of which is the establishment and maintenance of an appropriate system of risk management (section 61).

The Financial and Performance Management Standard 2009 (the Standard), section 28, prescribes that UQ's risk management system must provide for:

  • mitigating the risk to the University and the State from unacceptable costs or losses associated with the operations of the University, and
  • managing the risks that may affect the ability of the university to continue to provide services.

The Higher Education Standards Framework also requires that “the higher education provider’s corporate governing body regularly monitors potential risks to the higher education provider’s higher education operations and ensures the higher education provider has strategies to mitigate risks that may eventuate”. (Para 3.4).

Director, Corporate Operations
Mr Jeremy Crowley


Enterprise Risk Management - Procedures

1. Purpose and Objectives

These procedures outline the process and steps for conducting risk assessments in accordance with the Enterprise Risk Management Policy.

2. Definitions, Terms, Acronyms

Risk - the effect (positive or negative) of uncertainty on the achievement of objectives. Risk is considered with reference to possible consequences and likelihood of occurrence.

Risk appetite - the amount and type of risk that an organization is willing to pursue or retain in pursuit of strategic objectives (ISO Guide 73:2009).

Risk assessment - includes the steps to identify the risk, analyse its likelihood and consequence of occurrence, and evaluate the priority for action.

Risk tolerance - readiness to bear the risk after risk treatment in order to achieve objectives.

Risk treatment - specific actions taken to modify the likelihood or consequence of the risk being realised. Treatment options include avoid, accept, remove, amend, or share.

Risk velocity - the time it takes for an event to change a risk from “uncertain” to “certain” in its effect on objectives.

3. Procedures Scope/Coverage

These procedures apply to all UQ staff and activities. Defined terms within this procedure may be different in other UQ policies. For example "risk" and "risk assessment" have specific definitions and applications within the Occupational Health and Safety (OH&S) context. For specific OH&S risk assessment procedures refer to PPL 2.30.01 Occupational Health and Safety Risk Management.

4. Procedures Statement

The University follows the international standard for risk management ISO 31000:2009 as a basis for our approach to managing risk.

The purpose of this procedure is to provide an overview of key concepts of risk management, and guidance on how it can be applied to UQ operations. Where more specific guidance is provided in other UQ policies or procedures, that guidance should be applied first.

Queensland Treasury offers additional guidance to statutory bodies in their publication A Guide to Risk Management.

5. Risk

Risk is the effect of uncertainty on the achievement of objectives. If we know for certain the outcome of a particular action then it is not a risk, but more likely an issue. Where an element of uncertainty exists, then there are risks.

Within UQ’s enterprise risk management framework, risk is considered to encompass both threats and opportunities. Risk is not all downside, and by considering the upside of risk we are better placed to understand the uncertainty being faced.

Risk is considered at both the strategic and operational level within the University. No activity is too small to ensure good risk management practices are followed.

5.1 Risk management process

As shown in the table below (adapted from AS/NZS ISO 31000), the risk management process consists of seven steps. Each step of the risk management process is discussed in detail in this procedure.

The key elements of the risk management process are:

  • establishing the context,
  • risk assessment;
    • risk identification,
    • risk analysis,
    • risk evaluation,
  • risk treatment,
  • communication and consultation, and
  • monitoring and review.

For simplicity, these steps are discussed within this procedure as a linear sequence. The process however is not linear, and requires a dynamic interrelated approach. Each part can be conducted simultaneously, and requires action to be clarified and refined along the way. A risk-based approach requires reflection and challenge to be effective.

The documentation of the risk management process is generally performed using a risk register. There are many different ways to present a risk register while still capturing the important details. A number of examples of risk registers and a blank risk register template can be accessed from this link.

5.1.1 Establish the context

Establishing the context means understanding the environment in which the activity operates and setting the boundaries or scope for what should and shouldn't be considered in the risk process. In establishing the context, consideration should be given to:

  • defining objectives of the activity or area,
  • considering external and internal influences,
  • understanding assumptions, and
  • the risk appetite and tolerance levels for the activity (discussed further at 5.2 Risk Appetite).

5.1.2 Risk assessment

The activities of identification, analysis and evaluation make up the “risk assessment” part of the risk management process, and are the responsibility of the risk owner. The risk owner is specific to the assessment and may be the project manager, chief investigator, organisational unit head, or other staff member with responsibility and accountability for the activities or area being considered.

Step 1: Risk Identification

Risk identification involves the risk owner developing a broad list of risks based on those events that may create, enhance, prevent, degrade, accelerate or delay the achievement of the objectives. It can express both negative and positive impacts, and should include events that may or may not be within the control of the risk owner. Identified risks can then be grouped into categories for ease of reference and comparability across UQ. A prompt list of common categories and risk management approaches is provided in the UQ Risk Prompt List. This list is not considered exhaustive, nor should it replace specific risk assessment activities, but it may be used to prompt discussions.

Methods commonly used to enhance risk identification include:

  • Environmental scans – looking at the various influences on the activity (internal, external, economic, political, legal, cultural and technical),
  • Brainstorming activities with cross-sectional staff,
  • Future-casting exercises, and
  • Benchmarking against other organisational units or other universities.

Step 2: Risk Analysis

Risk analysis involves the risk owner developing an understanding of the risk and how it may impact the organisation. It is expressed in terms of the consequence and likelihood of the risk occurring.

Consequence - considers what could happen if the risk was realised. The UQ risk assessment process allows consequence to be expressed as either positive or negative. UQ’s guide to assessing consequences is included in Consequence and Likelihood Table.

Likelihood - considers the probability of the occurrence, often expressed in terms of how frequently it has been seen in the past. UQ’s guide to assessing likelihood is included in the Consequence and Likelihood Table.

Risk Matrix - UQ adopts a 5 x 5 Risk Matrix to analyse risk.

Using the table below, a risk assessment rating is determined by selecting the relevant risk Consequence (negative or positive values on the x axis) matched with the appropriate risk Likelihood (values of rare to almost certain on the y axis).

Risk Assessment Ratings (legend for the risk matrix):

  • L - Low
  • M - Moderate
  • H - High
  • S - Significant

Depending upon the complexity of the risks being considered, and the detail required in the risk assessment, the analysis stage can be either a one- or two-step process. The two-step process involves considering:

  • Inherent risk - that is, the risk that exists prior to any internal controls being implemented to manage the risk, and
  • Residual risk - that is, the risk which remains after risk treatments have been put in place, and are operating effectively to manage the risk.

The advantage of this two-step analysis approach is that it highlights excessive or ineffective controls, and ensures that the risk owner is conscious of the exposure if the controls fail.

The one-step process only assesses risk at the residual level, and does not allow for separate consideration of the effectiveness of controls.

Step 3: Risk Evaluation

Risk evaluation involves considering the identified and assessed risks to determine which risks require treatment and priorities for attention.

To determine whether a risk is tolerable, the assessed level of risk is compared with its risk tolerance. For example, if the risk is rated High and its risk tolerance is Moderate, then further risk treatments are required. Within a risk register, treatments can then be prioritised for action.

This step is an iterative process between evaluating the residual risk and considering the impact of proposed risk treatments.

5.1.3 Risk treatment

Once the risk has been assessed (steps 1-3 above), efficient and effective risk treatments must be determined.

Risk treatments must be proportionate to both the risk being faced and the University’s tolerance for that type of risk. It isn’t about managing the risk away completely, but rather modifying the risk in some way so that the positive outcomes are maximised, and negative outcomes are minimised. Most documented risk treatments reflect the controls embedded in UQ policies and procedures. Where policies and procedures are sufficient to explain the nature of the risk treatment, then the risk management process references the relevant policy or procedures.

Some risk treatment options include:

  • avoiding the risk by ceasing the activity
  • accepting the risk in order to pursue an opportunity
  • removal of the source of risk (using an alternative input)
  • making amendments to change the likelihood of the event occurring (eg OH&S controls are often designed to prevent the event occurring)
  • making amendments to change the consequences from the event (eg contracts with limited liability)
  • sharing the risks with others (eg via contract or insurance).

When choosing risk treatments, consider:

  • the balance between costs and benefits, including but not limited to financial, reputational, environmental and social,
  • interdependencies which may exist, where failure to manage a risk in one area may then negatively impact another,
  • values, perceptions, moral and ethical obligations, and
  • secondary risks created as a consequence of the introduction of risk treatments.

5.1.4 Monitor and review

The process of monitoring and reviewing is continuous and involves regular checking or surveillance of risks and their proposed treatment. Some forms of review will be ad hoc, and others more structured into a periodic process. For example, operational risk registers for institutes, faculties and major central divisions are formally reviewed annually, but should be updated and revised as risks change.

A review of risks should consider whether:

  • controls are operating as they were planned,
  • circumstances have changed in a way that exposes the unit to greater or lesser risk, and
  • there are any lessons which can be learnt from past events.

The internal audit function has a role at UQ in assessing the effectiveness of controls over high risk activities.

5.1.5 Communicate and consult

Communication, consultation and feedback are not a separate stage in the process, but rather a continuous activity throughout the risk assessment cycle. Communicating with key stakeholders throughout the process helps to make the University's approach to risk management transparent and subject to wider scrutiny. Stakeholders may be internal or external to the University. Risk assessments are also shared between projects in order to identify common risks and treatment options. Risk assessments should be considered a University record and stored with documentation relating to the activity, eg via TRIM.

5.2 Risk appetite

The University articulates its appetite for risk against its top eight consolidated risk categories through consultation with the Vice-Chancellor's Risk and Compliance Committee and the Senate Risk Committee. The risk appetite should also be determined within all major projects, new endeavours or significant organisational change.

5.3 Other considerations

Since different risks will manifest at different rates, risk velocity is another useful measure to consider. Risk velocity describes how quickly positive or negative consequences are realised in the event that uncertainty becomes certain. Risk velocity is measured as slow, medium or fast. By considering risk velocity, risk owners can ensure that the risk treatments put in place are appropriately responsive.

Specific or additional treatments for high velocity events may include:

  • Actions which are agile and responsive to change
  • Preventative rather than detective controls
  • Predictive risk indicators
  • Activities which support business continuity management.

Specific or additional treatments for low velocity events may include:

  • Traditional detective controls
  • Use of longitudinal reviews and responses
  • More strategic and long term actions
  • Risk indicators which are trend based.

6. Assistance

The Enterprise Risk Unit at UQ is available to provide information, guidance and tools to assist in applying these procedures.

Director, Corporate Operations
Mr Jeremy Crowley


Risk Assessment Examples - Form

The Enterprise Risk Unit sharepoint site contains blank templates and examples of risk registers that can be used as reference documents when conducting a risk assessment.

Access to the sharepoint site requires login with a UQ username and password.

Risk Consequence and Likelihood Tables - Form

When conducting a UQ risk assessment, use this guide to determine risk likelihood and consequence.

Risk Prompt List - Form

When conducting a risk assessment, use this list as a prompt to determine the breadth of activities requiring consideration.
