Policy

Enterprise Risk Management Framework - Policy


1.0   Purpose and Scope

1.1   Context

Risk is the ‘effect of uncertainty on objectives’[1] where effect is a deviation from the expected outcome. Risk may be caused by a single event or a set of circumstances that affect, adversely (threats) or beneficially (opportunities), the achievement of objectives.

In the context of risk management, uncertainty exists when there is inadequate or incomplete knowledge or understanding of an event, its likelihood and/or its consequence.

Risk management refers to the set of principles, framework, culture, processes and coordinated activities to direct and control an organisation with regard to the many risks that can affect its ability to achieve its objectives. Effective risk management increases the likelihood of achieving objectives, identifying and pursuing opportunities and avoiding or minimising unexpected harms.

1.2   Risk Management Obligations

Risk management at the University of Queensland (UQ or the University) is guided by the International Standard ISO 31000:2018 – ‘Risk Management Guidelines’ and seeks to comply with the following state and federal legislation relating to risk management:

  • Financial Accountability Act 2009 (Qld) – requires the establishment and maintenance of an appropriate system of risk management.

  • Financial and Performance Management Standard 2009 (Qld) – prescribes that UQ's risk management system must provide for mitigating the risk to the University and the State from unacceptable costs or losses associated with the operations of the University, and managing the risks that may affect the ability of the University to continue to provide services.

  • Higher Education Standards Framework (Threshold Standards) 2015 – requires that risks to higher education operations are identified and material risks managed and mitigated effectively.

  • Crime and Corruption Act 2001 (Qld) – refers to corruption risks and development of prevention strategies.

  • Work Health and Safety Act 2011 (Qld) – requires that risks are eliminated, and if not reasonably practicable to be eliminated, then minimised as far as reasonably practicable.

1.3   Risk Management Objectives

Risk management at UQ is:

  • an enabling management function overseen by the Senate and undertaken by managers and staff at all levels of the University and in all aspects of its operations; and

  • contextual (i.e. risks are assessed against specific objectives) and recognises that uncertainty could affect objectives adversely and/or beneficially.  

UQ’s risk management objectives are to facilitate the achievement of its strategic and operational objectives including:

  • Value creation and protection;

  • Effective and efficient performance and compliance; and

  • The development, enhancement and protection of its strategic and operational capabilities.

Enterprise Risk Management Framework

UQ’s Enterprise Risk Management Framework (ERMF) provides the overall framework, direction and oversight for the systematic, disciplined and consistent identification and assessment of risks (including opportunities) and for their effective and efficient management.

The ERMF comprises this policy, Senate and management commitment to effective risk management, people and relationships that enable a risk‑aware culture and the objectives and strategies that provide the context for risk assessment and management.

The following diagram highlights the core elements of UQ’s Enterprise Risk Management Framework and helps demonstrate that risk management at UQ is:

  • An enabling management function, supported by input from staff at all levels, dedicated to the achievement of UQ’s strategic and operational objectives and priorities while operating within the Senate-approved risk appetite and tolerance levels.

  • Contextual (i.e. risks are assessed against specific objectives) and recognises that uncertainty could affect objectives adversely and/or beneficially.

  • Built on and supported by the following five ‘pillars’:

  1. Senate’s expectations and risk appetite.

  2. Management/leadership commitment and support for the risk management function, organisational culture and relationships.

  3. External compliance obligations relating to risk management.

  4. Risk management objectives, strategies, mandate and accountabilities.

  5. Risk management resources, plans, processes and activities.

 

1.4   Scope and Application

The ERMF applies to all categories of risk across the whole of UQ, including controlled entities, and its operations. It demonstrates the Senate and the Vice-Chancellor and President’s commitment to and support for effective and efficient risk management.

In addition to the ERMF, more detailed risk management governance documents with additional requirements will exist for certain risk domains, e.g. Health, Safety and Wellness and Information Technology Services. These more detailed risk governance documents are consistent with and give further effect to the ERMF.

2.0   Key Requirements

To demonstrate effective and efficient risk management, UQ will:

Risk appetite

Manage its risks in alignment with the risk appetite statement (RAS) approved by the Senate and towards the achievement of its strategic and operational objectives. Appendix A contains an overview of UQ’s RAS. It is important to note that:

  1. The RAS is not an exhaustive list that addresses every eventuality, but provides general guidelines. Management and staff are expected to be prudent and apply good judgement in interpreting the RAS to make sensible, risk-based decisions in the best interest of the University and its stakeholders.

  2. Risk Categories and their associated appetite statements do not operate in isolation from each other. Decisions will need to be taken with due consideration of all relevant appetite statements. It is acknowledged that in some circumstances the appetite statements may appear to be conflicting. Where this is the case, a trade-off in risk will be required in order to achieve the most beneficial outcome, and Enterprise Risk Services (ERS) should be advised.

  3. External obligations, budget constraints and the impact of external influences must be considered to determine the optimal treatment plan to manage particular risks.

Risk management culture

Create and continually enhance a constructive risk management culture in which staff and managers at all levels are encouraged and supported to raise and respectfully discuss risks, issues and opportunities towards beneficial outcomes.

Enterprise-wide approach

Adopt an enterprise approach to risk management and ensure its risk management framework, processes and practices:

  1. Explicitly address “uncertainty” in relation to the achievement of objectives and priorities with a view to reducing the variability of outcomes.

  2. Are context-driven (i.e. based on specific objectives).

  3. Recognise the impact of human, cultural and environmental factors on University objectives.

  4. Are systematic, structured, timely and consistent with UQ’s Governance & Management Framework.

  5. Are transparent and inclusive i.e. risk assessment and management activities and decisions include perspectives of all stakeholders, not just management’s.

  6. Enable risk management to be an integral part of management thinking, discussions and decision making and help management find the right balance amongst risk, cost and value.

  7. Are integrated into all organisational processes, activities and practices including strategic and operational planning, project management and day-to-day operations and that risks are sufficiently documented in relevant plans and reports.

  8. Help safeguard assets both tangible and intangible.

  9. Protect the integrity of financial accounting and reporting.

  10. Are based on the best available information and recognise any limitations with the underlying data. 

  11. Are dynamic, iterative, responsive to change and continually improving.

  12. Are efficient and where feasible, harness technology to support risk management.

  13. Facilitate the continual improvement and enhancement of the University. 

Roles and responsibilities

Ensure clarity of roles, responsibilities and accountabilities for effective risk management including monitoring, reviews and provision of assurance on risks and controls.

Compliance

Adopt a risk-based approach to demonstrating compliance including coordination of regulatory and compliance matters across the University.

Investments

Embed risk management in its investment processes and decisions to help identify, prioritise, assess and pursue viable opportunities in a systematic and disciplined manner.

Risk Matrix

Assess its risks using the Risk Matrix (Appendix D) and record the risks and controls in a risk register (format prescribed in Appendix E).

General Management Controls

Manage its risks through the design, development and implementation of effective and efficient controls, including General Management Controls (GMCs) as defined in Appendix C. All risks will be managed at a level as low as reasonably practicable and on a legally justifiable and cost/benefit basis with a financial and business outcome focus. Risk management options include (but are not limited to): risk elimination; risk avoidance; risk transfer (through insurance or contracts); and risk retention or acceptance with proper management.

Resilience and capability

Build resilience and requisite capabilities to anticipate, prepare for, respond to, rapidly recover from and minimise adverse impacts from critical incidents, including possible but hard to predict risks.

Reporting

Provide meaningful and useful reports and assurance to senior management and the Senate on risks and controls. Potential systemic, UQ-wide risk exposures and/or risk trends observed by other Functions (e.g. Internal Audit, Integrity & Investigations, Health, Safety and Wellness, Finance and Business, Human Resources) and any material changes in existing risk profiles and controls, are to be advised to Enterprise Risk for consideration in these risk reports.

Internal Audit

To the extent feasible, integrate risk management and Internal Audit activities by ensuring that Internal Audit’s annual plans and programs of work give sufficient consideration to the primary risks and controls of the University and provide assurance on their effectiveness.

Ongoing review

Continually review and optimise its risk management function, framework, processes and practices.

3.0   Roles, Responsibilities and Accountabilities

3.1   Senate

The Senate is the University's governing body and accountable for the effective and efficient governance of the University. The Senate approves the University's risk appetite.

3.2   Senate Risk and Audit Committee

The role of the Senate Risk and Audit Committee (SR&AC) is to oversee the assessment and management of risks. The Committee’s responsibilities in relation to enterprise risk include:

  1. Review the tone and risk culture of UQ, and promote robust discussion around risk appetite and tolerance for risks.

  2. Receive reports from the Vice Chancellor’s Risk and Compliance Committee (VCRCC) on management’s identification and assessment of risks to UQ’s strategic and operational objectives and the effectiveness of processes to appropriately manage these risks.

  3. Advise Senate on significant issues and changes to the University’s risk profile.

  4. Receive annual advice upon the effectiveness of the ERMF, including whether risks are being managed in accordance with RAS.

3.3   Vice Chancellor's Risk and Compliance Committee (VCRCC)

The VCRCC provides assurance to the Vice-Chancellor and President and the SR&AC on the effectiveness of UQ’s risk management and compliance frameworks and practices and on significant risk or compliance issues. In addition to risk and compliance, the VCRCC also provides oversight of assurance, investigations and work health and safety functions.

3.4   University Senior Management Group (USMG)

Under the ERMF, members of the USMG are responsible for:

  1. Assessing and managing the risks to their portfolio’s objectives and strategies;

  2. Maintaining risk registers in the approved format and ensuring the accuracy and currency of their risk registers;

  3. Monitoring and reviewing their risks and controls with sufficient frequency to ensure the currency of their risk profile and ongoing effectiveness of controls;

  4. Providing timely and positive assurance on the management of their risks and on the effectiveness of the General Management Controls;

  5. Facilitating annual reviews of their material risks and controls by ERS and any other ad hoc reviews of risks and controls that the ERS may undertake to meet SR&AC, VCC or VCRCC needs, and ensuring that any deficiencies identified through the review and assurance processes are promptly rectified; and

  6. Ensuring their direct reports undertake steps 1 to 5 above for their respective areas of responsibility.

3.5   Enterprise Risk Services (ERS)

The ERS is responsible for ensuring that the ERMF is implemented across the University and effective oversight is maintained through regular reporting on material risks. More specifically, the ERS is responsible for facilitating the assessment of and providing reports to the VCRCC, VCC and the SR&AC, at intervals decided by them on:

  1. UQ’s Top Risks based on Managed Risk Levels (MRL) (i.e. the level of risk remaining after considering the effectiveness of the existing controls or risk treatments) and their management.

  2. The effectiveness of the General Management Controls.

  3. Key emerging risks.

  4. UQ’s key risk indicators.

4.0   Monitoring and Review

Management is responsible for effective risk management with the ERS being an enabling function, and Internal Audit providing objective assurance.

Under the direction of senior executives and the Senate, the following three cohorts within the University will undertake monitoring and review activities to assess and ensure effective and efficient risk management and controls.

While each group has its own monitoring and review objectives and scope consistent with their respective roles in the organisation, there will be ongoing communication and consultation amongst them to ensure effective and efficient monitoring and reviews at each level and avoidance of duplications. 

Management

Managers will monitor and review their operational activities, risks and controls to ensure effective and efficient performance, governance, risk management and compliance. Monitoring and reviews performed at this level will be the most detailed and generally embedded in the routine processes, procedures and activities of front line operating management. 

Heads of Enabling Functions

In addition to their ‘Management’ obligations noted above, Heads of Enabling Functions (corporate and academic support services) will monitor and review their function-specific risks across the University and ensure the ongoing effectiveness of the related controls including policies and procedures.

Internal Audit

Internal Audit is responsible for providing objective assurance over internal controls, including General Management Controls, and risk management practices University wide.

5.0   Recording and Reporting

Risk owners will record pertinent information and data relating to their risks and controls in the risk register format prescribed in Appendix E.

 

The following reports on risks and controls will be produced:

Top Risks
  • Report Content: The key risks of the University based on their Managed Risk Levels (current risk levels) at the time of reporting, including the specific controls managing these risks and any additional proposed controls to reduce the risks to Target Risk Levels (acceptable risk levels).
  • Report Producer: ERS in consultation with USMG, VCRCC and VCC
  • Report Recipient: USMG, VCRCC, VCC, and SR&AC
  • Frequency: Yearly full review, half yearly progress updates, and quarterly major changes to the risk profile if applicable

Key Emerging Risks
  • Report Content: The key emerging risks of the University and what preparatory work or pre-emptive actions (if any) management has decided to take.
  • Report Producer: ERS in consultation with USMG, VCRCC and VCC
  • Report Recipient: USMG, VCRCC, VCC, and SR&AC
  • Frequency: As necessary, with yearly full review

Key Risk Indicators
  • Report Content: The key risk indicators based on the RAS for non-negotiables and strategic themes and enablers.
  • Report Producer: ERS in consultation with USMG, VCRCC and VCC
  • Report Recipient: USMG, VCRCC, VCC, and SR&AC
  • Frequency: Yearly

General Management Controls (GMCs)
  • Report Content: The effectiveness of the GMCs per each USMG member and overall at University level.
  • Report Producer: ERS in consultation with USMG and VCRCC
  • Report Recipient: USMG, VCRCC, VCC, and SR&AC
  • Frequency: On a rolling basis and thereafter annually


6.0   Appendix

6.1   Appendix A - Risk Appetite Statement (RAS)

The following definitions apply in interpreting the RAS:

  • Zero: Risk is unacceptable. All reasonably practical and affordable measures to eliminate or avoid the risk must be taken.
  • Very Low: All reasonably practical and affordable measures to minimise the risk must be taken. A strong preference for strategies and plans with minimal risk exposure.
  • Low: Preferring risk mitigation to the rewards of taking risk. Safe approaches should be taken but the cost of implementing controls should be evaluated to ensure they achieve a worthwhile level of risk mitigation.
  • Moderate: Can accept a degree of uncertainty in order to achieve an intended outcome providing that reasonable steps are taken to mitigate any potential loss.
  • High (Opportunity Seeking): Willing for risks to be taken even if there is high uncertainty in order to gain highly valued reward/s. Focus is on achieving the reward/s but with due consideration of the non-negotiables.

RAS – ‘Non-Negotiables’

The following risk appetite statements should be seen as ‘non-negotiables’. Should any management decision potentially cause a non-negotiable to be outside of tolerance, the matter should be referred to Senate for guidance:

# | Category / Subcategory | Principle Statement/s (The University ……) | Application of Principle Statement/s having regard to…. [a]

1. Reputation

  • Recognises that reputation is critical to our brand and market positioning and has a VERY LOW risk appetite for risk in any of its activities that puts our reputation and ‘social licence to operate’ in jeopardy; or could lead to loss of confidence by key stakeholders.
  • Reputation to be assessed in terms of our aspirations as a national and global leader in research and teaching and learning, and as a valued corporate citizen.
  • Maintaining our international rankings as critical in attracting funding, students and academic talent.     

2. Governance, Legal & Compliance

  • Has a ZERO tolerance for intentional and material breaches of laws, regulation, statutes and professional standards including those relating to teaching, research and medical ethics.
  • Has a ZERO tolerance for criminal breaches, fraud and corruption, misuse of office or similar related activities.
  • Has a ZERO tolerance for risks relating to actions that may put critical course accreditations and/or standards of operations in jeopardy.
  • A VERY LOW risk tolerance for breach of our privacy obligations to students, staff and other stakeholders.
  • Seeking opportunities to efficiently and effectively meet the requirements of internal policies and procedures.

3. UQ Values

  • Has a ZERO tolerance for intentional and material breaches of UQ Values and Code of Conduct.
  • Has a ZERO tolerance for unlawful discrimination based on gender, sexuality, ethnicity, culture, etc.
  • Has a ZERO tolerance for violence, sexual misconduct, harassment, bullying, and any other inappropriate behaviour and activities that puts our Culture of Respect in jeopardy.
  • Cultivate a cohesive and positive culture and an operating environment that is performance-based, customer-focussed, entails ethical decision making and helps direct organisational effort, energy and resources towards the promotion, protection and overall success of UQ.  

4. Health and Safety

  • Aspires to ZERO harm and is open to innovation and prudent investment in strategies to protect the health and wellbeing of our staff, students and visitors with a focus on the elimination, and if not reasonably practicable to be eliminated, then minimisation of high risk hazards.
  • Has ZERO tolerance for safety management standards or practices that put the health and safety of our staff, students and visitors at risk.
  • Management supporting and leading a strong safety culture and expects employees to take personal responsibility for their own wellbeing. 

5. Financial Sustainability

  • Has a VERY LOW risk appetite for pursuing any strategy that puts at risk the financial sustainability of the University over the medium to long term.
  • Has a LOW appetite for application of capital that is not planned and executed in a sustainable and prudent manner.
  • A MODERATE appetite to increase revenue diversity and net growth activities via international students, research income and revenue from industry partnerships.
  • Seeking opportunities to increase the level of philanthropic support to the University.

6. Critical Operations

  • Has a VERY LOW tolerance for insufficient prevention and preparedness by management to avoid or minimise major disruptions to critical operations.
  • Has a VERY LOW tolerance for significant loss to research including research resources, outcomes (actual or potential) and time.
  • Has a VERY LOW tolerance for irrecoverable delays in teaching & learning activities resulting in semester deliverables not being achieved and/or widespread student dissatisfaction due to unfavourable changes as a result of the disruption.
  • Has a VERY LOW tolerance for significant operational disruptions to critical support/enabling operations and functions.
  • Has a HIGH appetite for a comprehensive, coordinated and focused approach to effectively respond to and efficiently recover from disruptive incidents.

[a] This column provides further guidance supporting the Principle statement(s) and / or provides more specific statements where appropriate.

RAS - 'Strategic Themes & Enablers'

In addition to the above ‘non-negotiables’, the following statements provide guidance that will help in making risk-based decisions.

# | Category / Subcategory | Principle Statement/s (The University ……)

7. Organisational Culture

  • Has a HIGH appetite to establish a collaborative, collegiate, performance-focused, agile and flexible culture that will enable organisational change to happen more readily and productively.
  • Has a HIGH appetite to realise the benefits of diversity across gender, culture, ethnicity, etc. in our student and staff cohort.

8. Research and Knowledge Transfer

  • Subject to maintaining exemplary quality and ethical standards, the University has a HIGH appetite to engage in research activities where there is a reasonable likelihood of achieving a positive outcome for external partners, researchers and the University.

9. Teaching, Learning & Research Training

  • Subject to maintaining exemplary academic and ethical standards, the University has a HIGH appetite to develop and deliver programs, courses and modes of delivery where there is a reasonable likelihood of achieving a positive outcome for the University, for students and future employers of our graduates.
  • Has a HIGH appetite to maintain the quality of our student intake.

10. Partnerships

  • Has a MODERATE TO HIGH appetite to leverage capacity and capability via internal and external partnerships, where this contributes to our strategic priorities.

11. Workforce Capability

  • Has a HIGH appetite to support strategies that build and sustain the appropriate culture, capabilities and resilience of our people.
  • Subject to cost and affordability considerations, has a HIGH appetite to recruit, retain and develop the best quality staff for all research, teaching and operational roles.
  • Has a LOW risk appetite to tolerate staff under-performance and expects management to take timely action whilst ensuring that staff are provided with reasonable opportunity and support to improve performance.

12. Systems and Information Management

  • Recognises the critical need to protect and has a VERY LOW risk tolerance for activities, events or behaviours that adversely impact on the confidentiality, integrity and availability of all critical business information.
  • Has a HIGH appetite to invest in innovative solutions that increase efficiency in systems and processes across both academic and enabling activities.

13. Asset Management

  • Has a ZERO tolerance for substandard campuses that do not meet applicable legal and regulatory compliance requirements.
  • Has a HIGH appetite for optimal utilisation of assets and for their proper maintenance.

6.2   Appendix B - Risk Categories

# | Risk Category | Subcategories

1. Strategic

  • Statutory functions and powers as defined by the UQ Act
  • Strategic targets, outputs and outcomes
  • Operating Model

2. Research & Knowledge Transfer

  • Research resources and capabilities including staff and funding
  • Quality of research outcomes
  • Research integrity and ethics
  • Safety and security of research facilities and experiments

3. Teaching & Learning

  • Teaching resources and capabilities including staff and funding
  • Quality of teaching outcomes
  • Teaching integrity and ethics
  • Assessment integrity and ethics

4. Students

  • Student experience and retention
  • Student outcomes including employability
  • Student behaviour, safety and wellbeing

5. Growth and Commercialisation

  • Innovation and opportunities, including with partners
  • Competitiveness including market share, demand and capabilities
  • Investment projects and programs
  • Adaptability and change management

6. Stakeholders, Relationships and Reputation

  • Brand/image, credibility/trust, attractiveness
  • Constructive, respectful and mutually beneficial relationships
  • Actual and potential benefits – donations/endowments, support, etc.
  • External engagement

7. People, Safety and Culture

  • Wellbeing and safety
  • Equity and diversity
  • Selection rigour
  • Capabilities, productivity and performance
  • Retention, development and progression
  • Industrial relations
  • UQ Values

8. Financial

  • Financial position
  • Financial performance
  • Budgeting and forecasting
  • Accounting, Reporting and Disclosure integrity

9. Governance, Legal and Compliance

  • Statutory approvals, licences, permits and certificates
  • Legal and contractual rights and powers
  • Oversight, monitoring, review and assurance activities and capabilities
  • Ethics and integrity (corrupt conduct, fraud)

10. Assets (non-IT)

  • Security
  • Quality/Integrity/Reliability
  • Availability / operational capabilities
  • Performance (optimum utilisation)

11. Systems and Information Management

  • Authenticity/integrity/reliability of systems and information
  • Security and Accessibility
  • Availability and useability
  • Productivity
  • Agility (future needs)

12. Enabling Operations

  • Performance (effective and efficient)
  • Resilience / continuity of operations


6.3   Appendix C - General Management Controls (GMCs)

The GMCs are inherent to the general management functions of leading, directing, planning, organising, staffing, coordinating and controlling any organisation. These controls form the foundations of the University’s internal control system and help provide a robust, systematic and perpetual defence against threats to achieving the University’s objectives. The GMCs should be implemented and assessed for their effectiveness at the UQ level and any of the lower levels including faculties, schools, institutes, controlled entities, functions, divisions, teams and projects.

# | Control Objective | Principal Question (All ‘Yes’ responses must be supported by verifiable evidence)

1. Clarity of objectives, strategies and KPIs

  • Have the objectives and strategies been clearly defined, aligned, prioritised and communicated to those who need to know?

2. Stakeholder management

  • Have the primary stakeholders been identified and strategies put in place to recognise and protect their rights and develop respectable, equitable and mutually beneficial relationships with them?

3. Enabling organisational structure

  • Does the organisational structure facilitate the effective and timely implementation of the strategy and the monitoring, measuring and reporting of performance?

4. Proper plans and budgets

  • Are there approved plans and budgets for all objectives, strategies, initiatives/projects and have these plans and budgets been communicated to those who need to know?

5. Clarity of roles, responsibilities and accountabilities (Note 3)

  • Are the roles, responsibilities and accountabilities for the delivery of prioritised objectives and outcomes clearly articulated and assigned to individuals or teams?

6. Capable staff

  • Are the management and other pivotal/critical roles staffed by competent people?

7. Authority and delegations

  • Do managers and staff have appropriate authorities/delegations and mandate to achieve the objectives/outcomes expected of them?

8. Supportive culture

  • Do managers and staff behave in accordance with UQ Values and the Code of Conduct?

9. Safety

  • Are processes and protocols in place to protect people from harm?

10. Compliance

  • Is there a robust process in place to demonstrate compliance with applicable laws and regulations and are regulatory breaches (if any) recorded, reported and promptly rectified?

11. Security of assets

  • Is there effective security over assets including systems, information and vital records?

12. Performance monitoring and reporting

  • Is performance against KPIs and plans measured, monitored and reported on, and are timely actions taken to remedy any gaps in performance?

13. Responsible use of resources

  • Are there controls in place to ensure responsible, sustainable use and management of University resources including natural resources?

14. Appropriate records and reports

  • Are records and reports required for business and/or legal/regulatory reasons produced and are they relevant, reliable and timely?

15. Continuity of operations

  • Are there robust plans and processes in place to ensure continuity of business-critical operations?

16. Supervision, Monitoring and Reviews

  • Are there effective supervision, monitoring and reviews of the performance of staff, systems, processes and controls, and prompt remediation of any unfavourable variances?

17. Management Assurance

  • Does management provide assurance, through its own reviews and assessments, to demonstrate effective and efficient performance, governance, risk management and compliance?

Note 3:
  • Accountability refers to the decision maker’s obligation to explain the use of delegated authority towards the achievement of agreed objectives and outcomes.
  • Responsibility refers to the obligation to perform specific actions, under the instruction of and/or for the accountable party, towards the achievement of agreed objectives and outcomes.

6.4   Appendix D - Risk Matrix

Enterprise Risk Matrix A3.pdf

6.5   Appendix E - Template for Risk Register and Risk Management Plan

6.6   Appendix F - Definitions, Terms and Acronyms

ERMF – Enterprise Risk Management Framework.

RAS – Risk Appetite Statement.

ERS – Enterprise Risk Services.

GMCs – General Management Controls.

IRL – Inherent Risk Level (the level of risk assuming there are no controls specifically designed and implemented to manage that particular risk).

MRL – Managed Risk Level (the level of risk taking into consideration the total effectiveness of all the existing controls or risk treatments that act upon that risk).

TRL – Target Risk Level (the desired (or acceptable) level of risk considering the University’s risk appetite and tolerance levels, to be achieved via implementation of proposed controls).

SR&AC – Senate Risk and Audit Committee.

VCRCC – Vice Chancellor’s Risk and Compliance Committee.

VCC – Vice-Chancellor’s Committee.

USMG – University Senior Management Group.


[1] ISO 31000:2018

Custodians
Director, Governance and Risk Mr Suresh Chand

Procedures

UQ Incident Management - Procedures


1.0   Purpose and Scope

1.1    Context

UQ’s operations are dependent on and influenced by many aspects of the university, such as:

  • A wide and very large scope of activities and services related to both teaching and research.

  • Multiple campuses.

  • Off-campus activities and services, both in Australia and abroad.

  • Large number of buildings, facilities, research equipment and other infrastructure.

  • Involvement of many people: staff, students, visitors and the wider community.

Given this large scope of influences and dependencies impacting the university’s daily operations, business interruptions are likely to occur from time to time. Disruptive incidents often result only in a localised operational disruption, but sometimes cause a critical incident, where multiple areas are negatively impacted and a coordinated response is required, or, in very rare circumstances, a crisis, where a strategic executive response is required.

1.2   Purpose & Scope

The purpose of this procedure is to ensure that the university builds adequate resilience and the requisite capabilities to anticipate, prepare for, respond to, rapidly recover from and minimise the adverse impact of disruptive incidents, including hard-to-predict disruptions. It takes into consideration the potential impacts of a disruptive incident on people, assets, the local community, the environment and UQ’s reputation.

This procedure applies to actual or potentially imminent adverse incidents and events impacting on UQ, including its controlled entities.

1.3   Objectives

  • Anticipate threats to UQ’s strategic objectives.

  • Develop capabilities to prevent, prepare for, promptly respond to and rapidly recover from events that disrupt and threaten UQ.

  • Empower and develop the capabilities of individual leaders to manage disruption events and threats.

  • Integrate all levels of incident, risk and disruption management to create a consistent and enterprise wide approach. 

  • Build on and support existing organisational knowledge, skills and systems to ensure practical adoption of business resilience and critical incident management principles and capabilities.

2.0   Process and Key Controls

2.1   Incident management process

UQ has adopted the PPRR (Prevention, Preparedness, Response, and Recovery) comprehensive approach as the process for managing all phases before, during and after disruptive incidents.

The approach is continuous and all managers must understand and perform their roles and responsibilities related to all four phases of the process.

2.2   Enterprise incident response structure

UQ has a tiered enterprise incident response structure to ensure an integrated, scalable, enterprise wide and consistent response to disruptive incidents. The structure applies to all university operations and activities.

An incident response can initially be activated from any level within the response structure (refer to the figure below). Once activated, the response structure operates hierarchically.

Managers should understand:

  • Their individual roles and responsibilities within the structure.

  • Teams, plans and procedures to be activated at each level.

  • Their responsibility to report and/or escalate incidents to the next level above.

Enterprise incident response structure

2.3   Initial incident assessment and response

Incident assessment is a key component of incident management and ensures the appropriate level of response is activated.

Incident assessment must occur prior to activating a response at any level within the incident response structure.

Incident assessment at UQ is based on a combination of 10 key trigger incidents and critical consequences defined by the UQ Enterprise Risk Matrix.

The Initial Crisis Response Tool for Management guides managers through:

  • Assessment of trigger incidents.

  • Assessment of actual or potentially imminent consequences.

  • Required notifications and escalation of incident.

  • Required activation of teams, plans and processes.

3.0   Key Requirements

Disruptive incidents push activities from business as usual into the incident management process. This process is driven through three key requirements:

  • Formation of teams.

  • Implementation of plans.

  • Adherence to response priorities.

3.1   Teams

Level 1 - Local Response Teams (LRT)

  • Responsible for immediate response to incidents to protect people, assets, infrastructure, operations and/or services.

  • Local response managers are responsible for the direction of their staff and resources.

  • Utilise emergency response plans, incident response plans, business continuity plans and standard operating procedures to respond.

  • Report up to the relevant senior manager and the UIMT (if activated).

Level 2 – University Incident Management Team (UIMT)

  • Responsible for senior management control and coordination over multiple UQ functions, ensuring an adequate enterprise-wide response to incidents.

  • Operates under the requirements of the University Incident Management Plan (UIMP).

  • Reports up to the Crisis Management Team (if activated) and coordinates down through the LRTs.

  • Team composition is scalable and flexible and determined by the incident response assessment.

  • See appendix 7.1 for UIMT basic composition.

Level 3 – Crisis Management Team (CMT)

  • Responsible for providing executive leadership in response to abnormal and unstable situations that threaten UQ’s strategic objectives, reputation or viability.

  • Sets the strategic objectives of the response and recovery.

  • Communicates with the Senate and is focussed on the medium to long term impacts.

  • Directs down through the UIMT.

  • Operates under the requirements of the Crisis Management Plan (CMP).

  • Team composition is scalable and flexible and determined by the incident response assessment.

  • See appendix 7.2 for CMT basic composition.

3.2   Plans

Plans detail and structure response and recovery actions and tasks. They exist at all levels of the incident response structure and are developed, practiced and tested during the preparedness phase.

Plan hierarchy

Plans within the Incident Management Process are:

Crisis Management Plan (CMP)

  • Objective: Informs and structures the VCC response to abnormal and unstable situations that threaten UQ’s strategic objectives, reputation and/or viability.

  • Responsibility: The CMP is developed, implemented and maintained by Enterprise Risk Services on behalf of the COO.

University Incident Management Plan (UIMP)

  • Objective: Coordinates and guides the senior management response to incidents that impact more than one university function, critical building and/or essential service.

  • Responsibility: The UIMP is developed, implemented and maintained by Enterprise Risk Services on behalf of the D/COO.

Communications Response Plan (CRP)

  • Objective: Informs and structures timely, consistent and accurate messaging that supports strategic and operational objectives.

  • Responsibility: The CRP is developed, implemented and maintained by OMC.

Local Response Plan (LRP)

  • Objective: Details and structures the local and immediate response to protect people, assets, infrastructure, operations and/or services.

  • Responsibility: LRPs are developed, implemented and maintained by all functions.

Business Continuity Plan (BCP)

  • Objective: Details and structures tasks and actions to ensure critical business functions are maintained during and after critical incidents.

  • Responsibility: BCPs are developed, implemented and maintained by all functions, faculties and institutes.

Managers should have an understanding of the plans which they are responsible for and where they fit within the response structure.

3.3   Response priorities

During the response to an incident, individuals and teams can quickly become overwhelmed by a complex and dynamic situation. A key principle to overcome these circumstances is to prioritise and execute actions and tasks in order of importance. This ensures an appropriate, methodical and consistent response that creates time and space for managers. UQ has predefined the response priorities which will need to be followed by all managers and teams when responding to all incidents.

PRIORITY / CONSIDERATIONS

1   PEOPLE

  • Ensure and account for the safety and security of people: students, staff, visitors and the public.

2   ASSETS & OPERATIONS

  • Contain, control and prevent further damage to or loss of critical services, facilities and/or utilities and underlying infrastructure (e.g. electricity, water, transport, communications, security systems and/or information and information technology).

3   COMMUNITY & ENVIRONMENT

  • Contain, control and prevent further harm to the local community and its amenities, and to the environment.

4   LIABILITIES & COMPLIANCE

  • Assess and determine actual or potential breaches of law, regulations, contract, governance and/or critical licence and/or accreditation.

  • Check for available insurance response options and requirements.

5   REPUTATION & BRAND

  • Ensure accurate and timely information is provided to key stakeholders and media to ensure their trust and confidence in UQ.

4.0   Roles, Responsibilities and Accountabilities

ROLE

INCIDENT MANAGEMENT PROCESS PHASE: Prevention, Preparedness, Response, Recovery

Faculty Exec Mgr.

  • Manage risks in accordance with Enterprise Risk Management Framework
  • Inform Insurance Services of any new or changed activities, assets and/or infrastructure
  • Perform Business Impact Analysis
  • Develop and implement Business Continuity Plans (BCP) and/or Local Response Plans (as required)
  • Annually review, test and/or exercise plans
  • Activate Local Response Plans
  • Escalate incidents as required
  • Represent portfolio in the UIMT
  • Inform and consult with Insurance Services to ensure maximum claim outcomes
  • Develop and implement recovery plans
  • Activate Business Continuity Plans
  • Manage incident investigation
  • Ascertain and implement lessons learned
  • Manage potential regulatory breach with relevant authority
  • Review and update plans, teams and risk registers
  • Facilitate insurance assessment and claims

Institute Dep Dir.

Relevant direct report to DVCs/COO

Executive Dean

  • Support implementation of BCPs and Local Response Plans (as required)
  • Support testing and/or exercise of BCPs and Local Response Plans
  • Escalate incidents as required
  • Represent faculty/institute in the CMT
  • Ascertain and implement lessons learned

Institute Director

DVCs

Executive Director OMC

  • Develop, implement and maintain Communications Response Plan (CRP)
  • Annually review, test and/or exercise CRP
  • Activate Communications Response Plan
  • Represent OMC in the UIMT and/or CMT
  • Ascertain and implement lessons learned
  • Review and update CRP and team
  • Facilitate insurance assessment and claims

Deputy COO

  • Support effective adoption of Enterprise Risk Management Framework
  • Support implementation of UIMP
  • Support testing and/or exercise of UIMT
  • Activate the UIMT
  • Escalate incidents as required
  • Chair the UIMT
  • Coordinate UIMT recovery actions and plans
  • Delegate responsibility for incident investigation
  • Ascertain and implement lessons learned
  • Facilitate insurance assessment and claims

COO

VC

  • Support effective adoption of Enterprise Risk Management Framework
  • Support testing and/or exercise of CMT
  • Activate the CMT
  • Chair the CMT
  • Ascertain and implement lessons learned

Provost

Governance and Risk

  • Develop, implement and maintain Enterprise Risk Management Framework
  • Ensure adequate insurance program
  • Develop, implement & maintain UIMP/CMP
  • Annually test and/or exercise UIMT and CMT
  • Train use of Incident Management Procedure, CMP and UIMP
  • Support UIMT members
  • Support the D/COO in the UIMT
  • Support the COO in the CMT
  • Support UIMT/CMT recovery planning and actions
  • Coordinate lessons learned process
  • Coordinate insurance assessment and claims
  • Review insurance coverage

5.0   Monitoring, Review and Assurance

5.1   Enterprise Risk Services (ERS)

The ERS team will conduct an annual review of the effectiveness and implementation of this procedure and provide a report of findings and recommendations to the VCRCC.

6.0   Recording and Reporting

The following reports on the Incident Management Procedure will be produced:

Procedure review

  • Report Content: Progress and effectiveness of implementation of the Incident Management Procedure throughout UQ.

  • Report Producer: Enterprise Risk Services

  • Report Recipient: VCC, VCRCC, USMG

  • Frequency: Annual

Post Incident Review / Post Exercise Review (includes lessons learned)

  • Report Content: Analysis of what happened, why it happened, what worked well, what didn’t work well, and recommendations on how it can be done better.

  • Report Producer: Enterprise Risk Services

  • Report Recipient: Crisis Incident: SR&AC. Crisis and University Incidents: VCC, VCRCC, USMG

  • Frequency: As required post incident

Training and Exercise Logs

  • Report Content: Outline of training/exercise conducted.

  • Report Producer: Enterprise Risk Services

  • Report Recipient: VCRCC, USMG

  • Frequency: As required following the conduct of training and/or exercise

7.0   Appendix

7.1   University Incident Management Team (UIMT)

7.2   Crisis Management Team (CMT)

Custodians
Director, Governance and Risk Mr Suresh Chand

Forms


Custodians
Director, Governance and Risk Mr Suresh Chand