Risk Management Policy

Section 1 - Objective and Scope

(1) UNE’s Risk Management Framework supports the consistent application of risk management across the institution.

(2) While the outcomes of all activities and decisions are inherently subject to some level of uncertainty, a consistent enterprise risk management approach helps ensure UNE has in place:

  1. risk controls and measures aligned to agreed risk appetite to manage strategic and high level planning and decision making with potential to impact reputation, competitiveness, stakeholder experience, organisational practice, underlying services and/or financial and organisational sustainability; and
  2. risk controls and treatments aligned to agreed risk tolerance, to manage the level of uncertainty of outcomes in business as usual operations (for example risk to safety, risk of loss/waste/fraud, risk to business continuity and risk of regulatory non-compliance).

(3) This Policy applies to and is to be observed by all UNE Representatives.

(4) Within this Policy:

  1. Part A - describes the Risk Management Framework;
  2. Part B - outlines the Principles of Risk Management at UNE; and
  3. Part C - provides guidance on Risk Management Practice.

Part A - Risk Management Framework

(5) The key elements of UNE’s Risk Management Framework are:

  1. UNE’s Risk Management Policy (this document and its associated information and annexures) sets out the principles of risk management, roles and responsibilities, and expectations for the application of risk management at UNE;
  2. UNE’s Risk Management Practice identifies the approach and terminology to be used in risk identification and assessment at UNE, as well as the systems and tools for recording and reporting risks, and describes how UNE supports a risk culture to synthesise risk information for application in planning and other decision making, determining risk appetite and risk tolerance, and reviewing risk exposure, maturity and culture.

Part B - Principles of Risk Management

(6) UNE aims to support effective risk management by implementing a principled approach consistent with AS ISO 31000:2018 Risk Management - Guidelines.

(7) Risk management at UNE will be:

  1. integrated into all parts of UNE’s activities so as to inform decision making;
  2. structured so as to provide consistent and comparable results and support a shared understanding;
  3. contextualised to UNE’s external and internal experience and focused on orientating decision making to support the achievement of UNE’s set objectives and goals;
  4. inclusive, involving stakeholders and considering their knowledge, views and perceptions so as to be familiar and relevant in its presentation;
  5. dynamic, recognising that risk emerges, changes or disappears due to changes in internal and external forces, and that the role of risk management includes anticipating, detecting, acknowledging and responding to those changes in a way which helps UNE achieve its objectives;
  6. supported by best available information and considering future expectations, while taking into account limitations and uncertainties;
  7. recognised as influenced by human behaviour and culture; and
  8. continually improved through learning and experience.

Part C - Risk Management Practice

Risk Management Approach

(8) UNE’s approach to risk management involves the key stages outlined in Table 1.

(9) Risk Management at UNE requires the use of consistent terminology and language to support shared understanding of risk assessments and to help compare and assess multiple risks. Refer to Annexure 1 of this Policy for the risk terminology to be used at UNE by all UNE Representatives.

Table 1 – Risk Management Approach (see also Annexure 1 to this Policy for detailed steps and terminology)

Stage – Key activities

1. Context – Establish the context for the risk
2. Identify – Identify the risk and consequence categories
3. Analyse – Analyse what would cause the risk to occur; describe existing controls, type and effectiveness
4. Evaluate – Use risk matrix to determine risk consequences
5. Treat – Identify how risk will be treated and plan for treatment, assign responsibilities
6. Actions (Monitor) – Set notifications, review dates, escalation roles; monitor and review risk and treatment plan
7. Report – Agree report program, incorporate risk in dashboards; share and communicate key risk

Support for Risk Management Practice

(10) Risk Management is the responsibility of all Managers and Supervisors within the University and is applied as a key part of due diligence informing decision making. Specific roles in risk management are outlined in Table 2 below.

(11) The Governance Division helps coordinate risk management practice via:

  1. developing, in consultation with stakeholders and decision makers, the risk policies and associated information; 
  2. providing advice on and facilitating the implementation of risk management and risk identification across the University; and 
  3. supporting induction to UNE risk management practice and discussion of risk identification concepts and tools.

(12) Managers should be aware that subject matter expertise for different areas of risk may reside in different areas of the University, for example:

  1. Academic Risks – Education Quality Directorate
  2. Facility or Place-based risks and Emergency Management – Estate and Built Environment
  3. Finance Risks – Finance
  4. Fraud and Control Risk – Internal Audit
  5. Information and Cyber Security Risk – Technology and Digital Services
  6. Strategic Risks – Office of Strategy and Management
  7. Work Health and Safety Risk - People and Culture.

(13) Advice and support to help with the implementation of the risk management is available via

Table 2 – Key Roles and Responsibilities in Risk Management

Role / Body – Responsibilities

Council
Council monitors strategic and key organisation risks and the overall institution risk exposure profile. Council, in conjunction with the Vice-Chancellor and Chief Executive Officer and Senior Executive, agrees the risk appetite associated with strategic priorities and key result areas (KRAs). Council members consider risk in Council decision making and strategic planning.

Audit and Risk Committee of Council
The Audit and Risk Committee oversees the risk management and control environment and approves policies relating to risk. The Committee reports to Council regarding UNE’s risk exposure profile, the control environment, emerging risks and those key risks which may be outside of agreed appetite or tolerance levels.

Vice-Chancellor and Chief Executive Officer
The Vice-Chancellor and Chief Executive Officer is responsible for reporting key and emerging risks, highlighting significant changes to risk exposure, to the Audit and Risk Committee. The Vice-Chancellor and Chief Executive Officer monitors the development of a positive risk culture (including level of risk maturity) and ensures that key management decisions and planning activities have considered risks.

Senior Executive
Senior Executive have specific responsibilities for monitoring risk exposure profiles within their portfolio and for projects, and for reporting key risks or risk changes to the Vice-Chancellor and Chief Executive Officer. Senior Executive consider risk in decision making, including when prioritising projects, operational activities and resource allocation. Senior Executive may plan and budget for development of subject matter expertise relating to the risk activities within their areas.

Chief Risk Officer
The Chief Risk Officer is the senior manager accountable for the policies and frameworks that enable the efficient and effective oversight of significant risks or opportunities within organisational units. The Chief Risk Officer supports a positive risk culture by providing advice and programs of induction and training. The Chief Risk Officer at UNE is the Director Governance and University Secretary.

Governance Division
The Governance Division supports the implementation of the risk framework, risk system and outreach and support. Advice, support and training regarding risk can be requested via

UNE Managers
Managers at UNE are responsible for identifying, assessing, managing and communicating the key risks to achievement of department, operations or project objectives or to academic standards, within the risk management system.
UNE Managers are required to consider risk in decision-making and planning and to report to Senior Managers any areas of concern.

UNE Representatives
UNE Representatives should be aware of the risk associated with the business processes, projects or functions they are involved in, as well as the expectations for reporting and monitoring corporate risks. Key contacts for specific types of risk related matters or information are provided below. Help and information regarding risk should be sought initially from their supervisor or manager.

Risk Culture

(14) UNE promotes a positive risk culture by supporting risk application in decision-making and supporting transparent reporting and discussions about risk levels and required actions. This means:

  1. Risks are routinely considered by UNE Managers to inform decision making, when planning & designing, and when reviewing progress or compliance management;
  2. Risks are reviewed regularly by those Managers responsible for objectives and quality outcomes, and reported on and communicated within relevant teams and to senior managers and governance bodies to support understanding and awareness;
  3. Risks that do not have controls or treatments that help manage risk within agreed risk tolerance (operational objectives) or risk appetite (strategic objectives) are to be escalated to the next level of management for discussion regarding priority and to agree management actions that need to be undertaken;
  4. Senior Managers will monitor the risk exposure profile or holistic view of risk associated with a business objective, risk category or risk type to help prioritise activities and actions; and
  5. Managers at UNE will have access to training and support to assist them in effective risk management practice.

Section 2 - Quality Assurance

(15) The implementation of this Policy will be supported and measured by:

  1. periodic review by UNE of its overall risk maturity, so as to ensure that the level of understanding, engagement and application of risk practice at UNE meets expectations; and
  2. periodic reporting to the Vice-Chancellor and Chief Executive Officer and to Council (including the Audit and Risk Committee of Council) on organisational risks, informed by stakeholder views and perceptions.


(16) Managers are responsible for ensuring that:

  1. all records relating to identification, assessment and management of organisational risks are allocated a Records Container (send request to; and
  2. risk information is entered into the Enterprise Risk Management system.

(17) The Chief Risk Officer is responsible for ensuring the data within the Enterprise Risk Management system is recorded in UNE’s approved Records Management System on a quarterly basis.

(18) Where Risk Reports are provided to University Committees, the Committee Secretary is responsible for recording the reports in the applicable Committee containers in the Records Management System.

Section 3 - Authority and Compliance

(19) The Council, pursuant to Section 29 of the University of New England Act 1993 (NSW), makes this University Policy.

(20) UNE Representatives must observe this Policy in relation to University matters.

(21) The Policy Steward, the Director Governance and University Secretary, is authorised to develop associated documents and toolkits or manuals to support this Policy.

(22) This Policy operates as and from the Effective Date.

(23) Previous policy on corporate risk management and related documents are replaced and have no further operation from the Effective Date of this new Policy.

(24) UNE Risk Management Policy and the principles and framework outlined within are based on AS ISO 31000:2018 Risk Management - Guidelines. This Policy supports UNE to achieve compliance requirements including those within the University of New England Act 1993 (NSW) and the Higher Education Standards Framework (Threshold Standards) Act 2015.

(25) Notwithstanding the other provisions of this University Policy, the Vice-Chancellor and Chief Executive Officer may approve an exception to the Policy where the Vice-Chancellor and Chief Executive Officer determines the application of the Policy would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause will be documented in writing and must state the reason for the exception.

Section 4 - Definitions (specific to this Policy)

(26) Risk is a preventable event or condition with unacceptable consequences. In the UNE context this means: a potential event or condition that is preventable, and will impact the University's objectives by either providing a positive opportunity that would be unacceptable for UNE not to take, or exposing UNE to a negative threat that would be unacceptable for UNE to experience.

(27) Risk Management is the activity of perceiving, understanding and managing risks so as to orientate operations and decision-making towards the achievement of set objectives and goals. The University actively promotes risk management through compliance with legislation and regulation, the application and adherence to modern professional standards and ways of working and the application and adherence to the UNE Risk Management Policy.

(28) Risk Management Practice means the actions and activities undertaken to identify, assess, and manage the exposure to, and impact of, a risk.