View Current

Risk Management Policy - Annexure 1 - Risk Approach and Terminology

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Objective

(1) The objective of this Annexure to the Risk Management Policy is to outline the University of New England’s approach to risk management and terminology to be applied in risk management practice at the University. This terminology is consistent with the Risk Management Software used by UNE.

(2) The information in this Annexure should be read in conjunction with the Risk Management Policy.

Top of Page

Section 2 - Risk Management Approach - by Stages

(3) When approaching risk management, UNE Managers are encouraged to focus on those high level risks associated with delivering key operational goals,objectives or projects within their responsibility.

  1. As a guide, a large department with its own operational plan might identify somewhere between 5 and 10 key risks, while a smaller department or team might have only a few key risks. All operational level risks can be associated with a Strategic Goal of the University (see Future Fit website).
  2. By focusing on key risks, complexity is reduced. UNE Managers benefit from being able to:
    1. actively consider risk the most important risks in operational activities;
    2. review and track effectiveness of key controls and treatments;and
    3. raise awareness of the most important risks areas within their teams.
  3. Risks that are no longer key risks (for example when an objective is no longer a priority, or a project has been finalised) are assigned a status to indicate the risk is no longer being monitored.
  4. Risk information generated or identified during risk identification, assessment and management, is to be captured in the risk management system. Risk reporting options will be more fully covered in training about the use of the risk management system. Risks assessed using a manual template (pending) should be saved to UNE’s Records Management System and transferred to the risk management system as soon as possible.

(4) The table below outlines the information/ data input requirements for the risk management stages captured within the risk management system:

Table 1 – Risk Management Approach

Stage
Step
Focus
  1. Activity
Context
Step 1
Classify the Risk
Nominate Date Risk Identified
Select Risk Owner
Select the affected Primary Business Unit
Select the affected Business Function
Select the Risk Type
Identify the Strategic Risk
Select primary Risk Category
Select affected Business Objective
Step 2
Risk Consequence Category
Select Risk Consequence Category or categories
Identify
Step 3
Describe Risk
Identify and describe the risk
Step 4
Risk Consequences
Describe the outcome if the risk is realised
Analyse
Step 5
Risk Source Causes: What would cause the risk to occur?
Select Risk Source Category
 
Evaluate
Step 6
Existing Controls: Describe the control and its effectiveness.
Describe Control
Select Control Type
Select Control Effectiveness
Select Person Responsible
Identify Key Controls
Step 7
Current Risk Rating: Level of risk with existing controls
Select Rating considering Likelihood and Impact from the Risk Matrix
Treat
Step 8
Risk Treatment Options
Select Treatment Type
Step 9
Risk Treatment Plan
Describe Risk Treatment Plan
Flag Key Controls
Step 10
Risk Treatments Responsibility – Who is responsible and by when
Select Responsible Person
Nominate Due Date
Mark % Complete
Step 11
Target Risk Rating
Select Target Rating considering Likelihood and Impact from the Risk Matrix
Actions
Step 12
Review and Manage Risk
Set Review Date
Select Escalation Officer
Update and Status
Report
Step 13
Monitor Risk
Select Risk Report
Share Risk Report and facilitate risk discussion and learning
Top of Page

Section 3 - Risk Management Terminology

(5) The following table (Table 2) outlines the language or terminology to be applied when practicing risk at UNE. Relevant terms are organised by stage.

(6) All UNE Representatives are expected to use this terminology in order to support effective conversations and a common understanding of risks.

Table 2: Risk Terminology (built into risk management software)

Stage
Term/Field
Definition/Meaning
Context
Date Identified
Date Risk is identified
Context
Risk Owner
Authorised Officer
Context
Primary Business Unit
Business Area where risk is being managed (refer organisational chart)
Context
Business Function
Function within the Unit (select function)
Context
Business Objective
Key objective relevant to business unit (select objective)
Context
Risk Tolerance
Business or Operational areas to assign risk tolerance to business objective:
  1. Low Tolerance: There is a low threshold for realisation of risk to this objective (e.g., may be a critical function or a compliance or regulatory requirement).
  2. Medium Tolerance: There is some patience for realisation of risk to this objective within agreed threshold (e.g., may be an improvement to a business as usual activity or a new process).
  3. High Tolerance: Management will be steadfast in pursuing the objective even in the face of continued risk (e.g., innovation, stretch activity).
Context
Strategic Alignment
Drop down of key strategic goals from Future Fit.
Context
Risk Appetite
Council and Senior Executive to agree risk appetite relating to key Strategic priorities (Key Action Areas) and choose associated thresholds.
  1. Risk Adverse: UNE’s focus is to actively invest in controls and treatments to minimise the uncertainty of achieving this strategic priority or goal as the consequences of the risk being realised is higher than the institution wishes to bear.
  2. Risk Acceptance: UNE accepts there is inherent risk or uncertainty in pursuing this strategic goal or priority that the aim of control/treatments will be to manage risk to within agreed upper and lower thresholds.
  3. Risk Taking: UNE is prepared to absorb a relatively high level of uncertainty and/or some failure or loss to achieve this strategic priority as potential benefits are very attractive / will have lasting, longer term rewards. Focus will be to monitor progress towards objectives and provision for some risk realisation.
Context
Risk Type
  1. External Risk: Risk relates an external force or event or change that may impact the achievement of institutional objects.
  2. Operational Risk: Risk relates to the achievement of day to day operational activities of the Institution.
  3. Project Risk: Risk relates to the achievement of objectives of a specific one off project or activity
  4. Strategic Risk: Risk relates to the achievement of overarching strategic priorities and outcomes.
Context
Risk Consequence Category
  1. Business Disruption: Business functions may be disrupted
  2. Financial: There may be a financial impact / cost
  3. Health and Safety: Health and safety may be compromised
  4. Legal and Compliance: UNE may be exposed to legal claims or penalties for non-compliance
  5. Reputation: Stakeholder perceptions and support of UNE may be impacted
  6. Research: UNE’s research standards expectations may not be met  
  7. Teaching and Learning: UNE’s teaching and learning standards expectations may not be met
Identify
Risk Description
A short description of the specific risk (user entry)
Identify
Risk Consequence
A short description of the foreseeable outcomes of the risk occurring (relevant to the risk consequence categories – above e.g. financial loss; reputational damage etc)
Analyse
Source of Risk
A short description of the source of the risk
Analyse
Source of Risk Category
  1. Compliance
  2. Performance/Quality
  3. Strategic Consequence
  4. Reputation
  5. People
  6. Financial
  7. Property or Assets
Evaluate
Controls
A short description of the key controls
Evaluate
Control Type
  1. Prevent: Control designed to help prevent the risk from occurring.
  2. Correct: Control designed to correct the risk – and stop it from occurring or reduce level of impact.
  3. Detect: Checks to observe if risk is occurring so that action can be taken if required.
Evaluate
Control Effectiveness
  1. Effective: The control is capable of applying appropriate constraint on risk.
  2. Sound: The control is in place and appears to be adequate.
  3. Minimal: There is some control but it is potentially too weak to be effective or may be unreliable.
  4. Unsatisfactory: The identified control does not is relevant or can be relied upon to treat this risk.
  5. Non-Existent: There is no obvious control in place to treat this risk
Evaluate
Control Responsible Person
Name of Person responsible for control
Evaluate
Likelihood
  1. Probable: Expected to occur at UNE within six months or has occurred at UNE or the Australian university sector in the past six months.
  2. Likely: Can be expected to occur at UNE within the next 12 months or has occurred at UNE or the Australian university sector in the past six to twelve months.
  3. Possible: Could occur at UNE within the next two years or has occurred at UNE or the Australian university sector in the past one to two years.
  4. Unlikely: May occur at UNE between the next two and five years or has occurred at UNE or the Australian university sector in the past two to five years.
  5. Rare: May occur at UNE beyond the next 5 years or has occurred at UNE or the Australian university sector more than five years ago.
Evaluate
Risk Impacts by Category
Refer Risk Matrix (note this will be able to be auto selected in risk management tool)

Financial Impact

  1. Insignificant: University wide impact (revenue shortfall or expense overrun per annum) less than 0.5%. No discernible impact on financial sustainability ratios.
  2. Minor: University wide impact (revenue shortfall or expense overrun per annum) from 0.5% to 2.5%. Minor negative change in financial sustainability ratios, which remain comfortably within target range.
  3. Moderate: University wide impact (revenue shortfall or expense overrun per annum) from 2.5% to 5%. Observed negative change in financial sustainability ratios, which are tracking near midpoint of target range.
  4. Major: University wide impact (revenue shortfall or expense overrun per annum) from 5% to 10%. Large negative change in financial sustainability ratios which are tracking at the limit or just outside of target range.
  5. Severe: University wide impact (revenue shortfall or expense overrun per annum) more than 10%. Significant negative change in financial sustainability ratios which are now outside of target range.

Student Load or Revenue Diversification Impact

  1. Insignificant: Impact on student load (commencing) that might reasonably correct by the next Trimester; change to revenue steam with little no discernible impact on overall revenue diversification ratios.
  2. Minor: Impact on student load (commencing) that might reasonably correct within the year; change to revenue steam with only a minor impact on overall result and less than 5% shift in diversification ratios.
  3. Moderate: Impact on student load (commending) that is unlikely to correct within the year and likely to impact future years (continuing); change to revenue steam with some impact on overall result and between 5% to 10% shift in diversification ratios.
  4. Major: Impact on student load (commencing) expected to be realised in the year and impact next year (continuing); change to revenue steam with some impact on overall result and between 11% and 20% shift in diversification ratios.
  5. Severe: Impact on student load that can be corrected within the year; change to revenue steam with no discernible impact on overall diversification ratios.

People Impact

  1. Insignificant: Activity or event has some impact on staff/student feedback, complaints, and/or performance issues. Any physical injury is minor and treated on campus and no incidences of sexual harassment or harm.
  2. Minor: Activity or event evidences an increase (<5%) in staff/student feedback, complaints, and/or performance issues. A physical Injury (physical or psychological) requiring medical attention off campus or one harassment or assault occurrence involving staff and/or students.
  3. Moderate: Activity or event evidences an increase (5% to <10%) in staff/student feedback, complaints, and/or performance issues. Injury (physical or psychological) to one person requiring hospitalisation or more than one harassment or assault occurrence involving staff and/or students.
  4. Major: Activity or event evidences an increase (10% to <20%) in staff/student feedback, complaints, and/or performance issues. Injury (physical or psychological) to more than one person requiring hospitalisation.
  5. Severe: Activity or event evidences an increase (20%+) in staff/student feedback, complaints, and/or performance issues. Fatality or permanent disability to one or more person/s where the University is potentially at fault.

Organisational Resilience Impact

  1. Insignificant: Limited issues managed as business as usual.
  2. Minor: Unavailability of Tier 1 systems (e.g. Moodle) leading to business disruption (less than four hours) at a critical time of the calendar (e.g.
    examinations. Unexpected turnover of a few key staff impacting capacity in
    an area).
  3. Moderate: Unavailability of Tier 1 systems (e.g. Moodle) leading to business disruption (less than one day) at a critical time of the calendar or unavailability (one to two days) of campus buildings or key persons at a critical time of the calendar. Unexpected turnover of a group of key staff in an area resulting in capacity issues for more than a few weeks.
  4. Major: Unavailability of Tier 1 systems (e.g., Moodle) leading to business disruption(more than one but less than two days) at a critical time of the calendar; or unavailability (more than two days to one week) of campus buildings or key persons at a critical time of the calendar; or industrial action lasting up to one week negatively impacting student outcomes (e.g., enrolments, withholding student grades). Unexpected turnover of a group of key staff in multiple areas impacting business performance/continuation of some operations.
  5. Severe: Unavailability of Tier 1 systems (e.g., Moodle) leading to business disruption (more than two days) at a critical time of the calendar; or unavailability (more than one week) of campus buildings or key persons at a critical time of the calendar; or Industrial action/protest lasting more than one week negatively impacting student outcomes (e.g., enrolments, withholding student grades). Unexpected turnover of a key staff in multiple areas requiring business functions to halt until resolved.

Academic Value Proposition Impact

  1. Insignificant: Adverse academic institutional measure which is identified and able to be addressed by the next teaching period and impact is managed and limited to small student cohort (eg. specific unit or course).
  2. Minor: Adverse academic institutional measure which is identified and able to be addressed by the next year and impact is managed and limited to small student cohort (eg. specific unit or course).
  3. Moderate: Adverse academic institutional measure which is identified and able to be addressed within the year and impact is managed but effects a medium sized student cohort (e.g. multiple courses, disciplines).
  4. Major: Adverse academic institutional measure which is identified and able to be addressed within 18 months and impact is complex to manage and effects medium sized student cohort (e.g. multiple courses, disciplines).
  5. Severe: Adverse academic institutional measure which is identified, is not able to be addressed within agreed period and impact is complex to manage and effects a large student cohort (e.g. majority of academic programs).

Student Academic Satisfaction Impact

  1. Insignificant: No key academic indicator ranked higher than ‘Low’ in the annual TEQSA Provider Risk Assessment and no significant student academic satisfaction measures at risk.
  2. Minor: One key indicator ranked higher than ‘Low’ in the annual TEQSA Provider Risk Assessment, and/or one significant student academic satisfaction measure at risk.
  3. Moderate: More than one key indicator ranked higher than ‘Low’ in the annual TEQSA Provider Risk Assessment; and/or more than one significant student academic satisfaction measure at risk.
  4. Major: TEQSA accreditation is renewed with one or more condition(s); Loss of accreditation or qualifications imposed by regulators/third parties for one or more flagship courses; and/or up to 33% of significant student academic satisfaction measures at risk.
  5. Severe: Suspension or loss of TEQSA accreditation to operate or provide educational services; and/or more than 33% of significant student academic satisfaction measures at risk.

Research Performance Impact

  1. Insignificant: Event which does not have a quantified impact upon the University’s research.
  2. Minor: Loss of up to 10% of the University’s research block grant or Research misconduct.
  3. Moderate: Loss of 10% to 25% of the University’s research block grant or Research misconduct that involves a breach of ethics.
  4. Major: Loss of 26% to 50% of the University’s research block grant; One or more conditions placed on UNE’s research funding.
  5. Severe: Suspension or loss of accreditation to operate or provide research services.

Facility Performance Impact

  1. Insignificant: Specific issue with utilities, places or spaces that is expected to be resolved within expected response times and without discernible impact on utility and facility‐related sustainability ratios.
  2. Minor: Limited issue with utilities, places or spaces that results in minor delays in response times and resolved within service levels and with limited or no discernible impact on utility and facility‐related sustainability ratios.
  3. Moderate: Issue impacting utilities, places or spaces performance and with a moderate impact on utility and facility‐related sustainability ratios.
  4. Major: Issue impacting multiple utilities, places or spaces performance and
    with a major impact on utility and facility‐related sustainability ratios.
  5. Severe: Issue impacting multiple utilities, places or spaces performance that
    with a major impact on utility and facility‐related sustainability ratios.

Reputation, Partnerships and Community Impact

  1. Insignificant: Ad hoc adverse regional media attention and/or an issue leading to discussions re improvements with partners, community.
  2. Minor: Two (or more) consecutive days’ adverse regional media attention and/or issues leading to informal or minor compliant(s) from a partner or community member.
  3. Moderate: Up to two consecutive days’ adverse national media attention; or Ranked in bottom 20% of Australian universities across multiple institutional measures; and/or issues leading to formal compliant(s) from a partner or community group (not upheld).
  4. Major: Sustained (more than two consecutive days to one week) adverse national media attention; or ranked in bottom 10% of Australian universities across multiple institutional measures and/or issues leading to formal compliant(s) from a partner or community group (upheld).
  5. Severe: Sustained (more than one week) adverse national media attention; or ranked last of Australian universities across multiple institutional measures; and/or issues leading to multiple formal compliant(s) from partners or community groups (some upheld). Partners and Community not wanting to engage with UNE.

Quality and Compliance Impact

  1. Insignificant: Issue relating to the quality of an outcome addressed locally as
    part of continuous improvement. Non-conformance which can be remedied internally.
  2. Minor: Issue relating to the quality of outcome with limited and temporary effect which is addressed in a timely manner locally or with help of UNE support area with recommendations for change and improvement. Breach of legislation and/or regulation without the need for a formal investigation by a regulator/external party.
  3. Moderate: Issue relating to the quality of outcome for multiple areas and/or groups of persons, or where resolution requires interim solutions while a more complex change/improvement is implemented internally. Breach of legislation and/or regulation involving a formal investigation by a regulator/external party without issuance of a formal notice or fine.
  4. Major: Issue relating to the quality of outcome for multiple areas and/or groups of persons, where rectification requires specialist external advice and or major investment in additional resources/time. Breach of legislation and/or regulation (e.g., cyber security) involving a formal investigation by a regulator/external party with issuance of a formal notice or fine.
  5. Severe: Issue relating to the quality of outcome for significant parts of the
    University/persons, where rectification requires specialist external advice and
    or major investment in additional resources/time. Breach of legislation and/or regulation that results in the maximum penalty applied by a regulator/external party. Prosecution with the potential for University Executives to be imprisoned.
Treat
Risk Treatment Type
  1. Avoid: Stop doing the actions that cause risk (e.g., don’t travel; don’t teach program overseas; don’t continue or approve the activity).
  2. Reduce: Invest in mitigation of the risk from actions (e.g., travel only in daylight or locally; review overseas provider performance/compliance more frequently; approve only part of the activity or require staged approval).
  3. Transfer: Transfer all or part of risk to a third party (e.g., invest in increased level of travel insurance; don’t take the actions directly – outsource to a third party with assigned responsibility).
  4. Accept: Accept there is a risk. Budget for cost, allow a contingency/model and accept multiple scenarios provision for each outcome.
  5. Share: Share the risk (e.g., travellers split been multiple carriers; partner or cooperate with others when undertaking the action) [Describe the actions taken considering if they help avoid/reduce/transfer/accept/share the risk: example].
Treat
Risk Treatment Plan
Describe Treatment Plan relevant to each Treatment Type
Treat
Target Risk Rating
Refer Risk Matrix and consider impact of treatments on current risk rating
Monitor
Review Date
 
  1. Review date frequency depending on risk rating and tolerance, for example:
  2. Monthly: For a risk rated as high to critical with low tolerance – frequency at least monthly
  3. Quarterly: For a risk rated moderate with low tolerance – frequency at least quarterly
  4. Six monthly: For a risk rated moderate to high to moderate with effective control environment
  5. Annually: For a risk rated low with high tolerance – frequency
 
Risk Status
  1. New: The risk has recently been added (a risk is ‘new’ for the first three months).
  2. Open: The risk has been identified and is current for the objective.
  3. Closed: The risk is no longer considered to exist or the objective to which it relates has been achieved, changed or otherwise retired.
 
Risk Trend
  1. Down: Risk rating consequence has eased
  2. Steady: Risk rating/exposure is effectively unchanged – check key controls
  3. Flag: Risk causes/impact is increasing – consider action
 
Management Action/Escalation
  1. Very Low: No action required
  2. Low: No action required
  3. Medium: Report to VCC (within 6 months)
  4. High: Report to VCC and Council (within 3 months)
  5. Extreme: Report to VCC and Council (within 1 month)
Report
Report Risk
  1. Choose Risk Report (common reports listed):
  2. Risk Register List – by Business Area/Function/by Risk Type/Strategic Risk
  3. Risk Detail Review - by Business Area/Function
  4. Risk Profile Map
  5. Overdue Treatments
  6. Overall Control Effectiveness
  7. Automate Risk Reporting (where relevant) - seek assistance from Technology & Digital Services/ Office of Strategy Management.
 
Review Risk
Risk Maturity: Monitor level of risk maturity and effectiveness of risk process and systems as part of continuous improvement.
Risk Culture: Monitor evidence of positive risk behaviours, including use of risk in decision and planning discussions including reporting, common understanding of agreed risk language, and support for persons who report risk. 
Top of Page

Section 4 - Authority and Compliance

(7) The Vice-Chancellor and Chief Executive Officer, pursuant to Section 29 of the University of New England Act 1993 (NSW) makes this Annexure to the Risk Management Policy.

(8) UNE Representatives must observe this policy in relation to University matters.

(9) The Policy Steward, the Director Governance and University Secretary, is authorised to develop associated documents and toolkits or manuals to support this Policy.

(10) This Policy operates as and from the Effective Date.

(11) UNE Risk Management Policy and the principles and framework outlined within are based on AS ISO 31000:2018 Risk Management - Guidelines. The University Policy supports UNE to achieve compliance requirements including those within the University of New England Act 1993 (NSW) and the Higher Education Standards Framework (Threshold Standards) Act 2015.

(12) Notwithstanding the other provisions of this University Policy, the Vice-Chancellor and Chief Executive Officer may approve an exception to the Policy where the Vice-Chancellor and Chief Executive Officer determines the application of the Policy would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause will be documented in writing and must state the reason for the exception.

Note: UNE’s Risk Management Software is RiskWare by PAN Software Pty Ltd.