2019 Risk Management Framework v6 2019 FINAL
Framework
Purpose: The risk management framework details the requirements for identifying, managing and monitoring uncertainty to maximise upside and minimise the downside of risk.
Scope: The Framework applies to all UNSW business, including those of its Controlled Entities.
Are Local Documents on this subject permitted? ☒ Yes, however Local Documents must be consistent with this University-wide Document. ☐ No
Framework
1. Executive Summary
Effective risk management is critical to sound governance[1], to building a consistent risk appetite and a robust risk culture, and to improving decision making and enhancing outcomes and accountability. When adopted and integrated by an organisation, risk information provides insight into and transparency over material operational, change/growth, disruptive and emerging risks.
Aligning to ISO 31000:2018 Risk Management - Guidelines[2], UNSW’s risk management framework (the Framework) will measure its success against the value creation principles (refer to Figure 1) and its ability to support the University in identifying and consistently analysing the risks and opportunities inherent in the updated Strategy 2025 and in all University operations. Risk at UNSW will be defined as the effect of uncertainty on objectives.
The process of risk assessment outlined in this Framework has been designed to support and build
efficiency in decision making, ensuring alignment to objectives and integration of principles into existing
processes, analysis of key factors that influence decisions and the take up of opportunities. A key output
is the University’s enhanced capability to focus resourcing and effort on priority endeavours, matching
scarce resources to achieve the Strategy 2025.
This Framework is the foundation for building the value of risk management: empowering people to effectively manage and/or leverage uncertainty.
2. Objectives
2.1. Objectives
The Framework details the requirements for identifying, managing and monitoring uncertainty. It clarifies how risk and opportunity are considered in the strategic planning, review, approval and execution of University initiatives (including those of its controlled entities, referred to together as ‘the University’) and in the monitoring of operational performance. The Framework, adopting the ISO 31000:2018 principles (Figure 1), addresses how we will embed the management of risk into our culture and practices and, by doing so, support the Executive and Council in making informed decisions and provide assurance that a robust risk management approach is adopted across the University.
Framework objectives include:
• Enhanced decision making; evidenced by adoption and integration of the Risk Appetite into
strategic decision making and operational monitoring processes.
• Strong engagement in and ownership of risk by our people evidenced by a maturing risk
culture. This culture will support clarity over the roles and responsibilities of people and
3. Framework Architecture
Our Framework has been designed to align with the governance framework practices and reporting,
to accommodate the organisational structure and to meet the requirements of ISO 31000:2018 Risk
Management Guidelines. This Framework will inform other specialist risk functions, such as
Compliance, IT, Cyber, Treasury, Insurable Risk and Safety, so they can conform to it whilst also
ensuring compliance with the applicable standards and regulations related to their discipline.
Five elements make up the framework:
1. The Risk Management Statement and Strategic Risk Appetite (Section 6)
2. The Risk Management Process (Section 7)
3. Communicating and Reporting Risk Information (Section 8)
4. Risk Accountability across the University (Section 9)
5. Monitoring and Review of the Framework (Section 10)
To ensure the ongoing relevance of our framework, four continuous improvement activities are
integrated into the design and review components. They are:
1. Continual review of risk tools and practices by seeking feedback from ‘users’, champions and
sponsors following the conduct of risk sessions.
2. Annual review of the Framework and its objectives against industry standards and
innovations
3. Annual review of stakeholders to ascertain how the adoption of risk practices has added
value to University strategic, change/growth and operational performance
4. Annual confirmation of the University’s commitment to the Risk Management Strategy and
aspirational targets
4. Application
The University (including controlled entities) will be supported by the Risk Function to enable them to
embrace and adopt the Framework’s requirements. Newly established or acquired operations will be
required to comply with the requirements within 12 months of being established or acquired.
This Framework applies to the management of all types of risk at all levels across the University. All
specialist risk frameworks will be informed by and conform to this Framework, including, but not
limited to:
• Project Risk Management, including Strategic Initiative Feasibility and Business Case risk
analysis and Infrastructure Risk Management
• Health and Safety Risk Management, including safety research approvals
• Academic Risk Management
• Insurable Risk Management
• Treasury Risk Management
• Fraud and Corruption Prevention
• Incident and Crisis Management/ Business Resilience
• Compliance Risk Management
• IT Risk and Cyber Security
• Procurement Risk Management
• Event Risk Management
A key design focus has been the ability for Faculties and Divisional Portfolios to apply a consistent
risk assessment approach whilst enabling tailoring of forms to align to their Faculty/Portfolio and
unique activity requirements.
Requirement: The University and all its controlled entities will adopt the requirements of the University’s Risk Management Framework.
Figure 2 The Risk Management Annual Calendar of major activities
Qtr 1
• Confirm risk review schedules and risk maturity action plan with Faculty, Divisions and Controlled Entities.
• Prepare and submit the required RC reports
• Conduct project and strategic initiative risk reviews as required
• Conduct scheduled risk training
• Present to the Senior Leadership Group on an agreed Risk Leadership Topic
• Contribute to the development of the IA plan
Qtr 2
• Hold the Annual Joint Committee Risk Workshop
• Complete a deep dive into an agreed material strategic risk or potential disruptor for presentation to the RC
• Complete a deep dive into the effectiveness of a sub-set risk framework, e.g. Fraud and Corruption Prevention
• Prepare and submit the required RC reports
• Conduct project and or strategic initiative risk reviews as required
• Conduct scheduled risk training
Qtr 3
• Update the University Risk Profile with a focus on control effectiveness; secure endorsement from Senior Leadership Group and Management Board prior to RC submission.
• Prepare and submit the required RC reports
• Conduct project and or strategic initiative risk reviews as required
• Present to the Senior Leadership Group on an agreed Risk Leadership Topic
• Conduct scheduled risk training
• Rebase Strategic Risk Profile as part of the strategic planning process
Qtr 4
• Participate in the Insurance Program renewal
• Annual review of the Risk Management Framework, the Risk Appetite and related sub-speciality risk areas, e.g. IT Risk and Cyber Security Framework
• Evaluation and update of the rolling 3 year Risk Management Strategy
• Conduct project and or strategic initiative risk reviews as required
• Conduct scheduled risk training
5. Responsibilities
Throughout the University, key roles and governance forums will take on responsibilities for actioning
the requirements of this framework. This includes:
• Council, Sub-Committees and Governance Structures, that set the University’s tone, will be
responsible for setting the risk appetite, reviewing the enterprise risk profiles and adequacy of
controls, and approving the risk management framework
• Faculties, Divisions and Executives will be responsible for monitoring their strategic and
operational risk performance and ensuring the capability to execute risk mitigation initiatives
• The Risk Function will be responsible for ensuring the Risk Management Framework
captures and translates leading risk practices to the activities of the University, competency
to manage risk is appropriate throughout the University and risk information is accurate,
mature and comprehensive to support the University Executives and Council and its Sub-
Committees in decision making and the management of risk
• Internal and external audit will provide independent reviews, the output of which will
contribute to risk information and evaluation of control effectiveness
The interplay of the above groups is reflected in COSO’s three lines of defence[3] (Figure 3).
Figure 3: University’s Three Lines of Defence
[3] Leveraging COSO across the three lines of defence, The Institute of Internal Auditors, 2015
6. University’s Risk Management statement and strategic risk appetite
6.1. Intent
The Risk Management Statement is a core element of UNSW’s governance. The University is
committed to building a risk aware culture that is supported by a tailored, practical and integrated
approach to the identification and management of uncertainty inherent in our strategy, operations and
the global environment in which we exist. This commitment is backed by ensuring appropriate risk
capabilities of our people.
Implementation of the RAS requires consideration of the risk appetite parameters as part of the
strategic initiative feasibility and approval processes and as part of the operational decision making
for governance and management forums.
Where an initiative or operational performance outcome falls into the tolerance range (i.e. where an initiative or operational outcome may impact the stated appetite but does not fall within the ‘unacceptable/no appetite’ statement), a risk evaluation is required. Mitigation actions must demonstrate how they will re-align the initiative or performance to the RAS. This is outlined in the diagram below:
1. Is the Strategic Initiative within RAS? (YES / NO)
2. Are the Strategic Initiative metrics clear? (YES / NO)
3. Are Governance Forums identified as responsible for monitoring performance against RAS? (YES / NO)
A YES at each of the three steps leads to decision-making authority approval.
This area will be updated once ratified by the Management Board (MB), Senior Leadership Team
(SLT) and endorsed by the Risk Committee.
• Activities that compromise the University’s academic quality and integrity for staff and students
• Adverse impacts on the University’s reputation
• Actions that adversely impact the University’s financial resilience
Table 1. University’s qualitative risk appetite and tolerance areas. (To be determined)
• Research advancement
• Innovation
• Student Experience
• Partnerships / Stakeholder
• Sustainable Campus
7. Risk Management Process
Risk analysis and management are central to any Risk Management Framework. The process to conduct a risk assessment will follow the ISO 31000 approach as depicted in the diagram below. The detailed process, tools and guidance for conducting a risk assessment are provided in the ‘Risk Management Process’ document.
Figure (ISO 31000 risk management process): Scope, Context & Criteria; Communicate.
Table 2 Priority for Treating Group Level Risk
Columns: Residual Risk; Control Effectiveness; Velocity; Management Action; Timeframe to establish critical control; Governance Oversight; Action Frequency.
Residual Risk A: Very High; Control Effectiveness = Effective; Velocity: All
• Management Action: Expectation that ongoing continuous improvement and monitoring is in place
• Timeframe to establish critical control: N/A
• Governance Oversight and Action Frequency: Risk Committee of Council (RC), quarterly via normal/exception reporting; MB & SLT, monthly
Residual Risk A: Very High; Control Effectiveness < Effective; Velocity: Immediate & Short Term
• Management Action: Take action to reduce rating & exposure by building control effectiveness
• Timeframe to establish critical control: 3 months
• Governance Oversight and Action Frequency: RC, quarterly via normal/exception reporting; MB & SLT, monthly
Residual Risk A: Very High; Control Effectiveness < Effective; Velocity: Long Term
• Management Action: Take action to reduce rating & exposure by building control effectiveness
• Timeframe to establish critical control: 6 months
• Governance Oversight and Action Frequency: RC, quarterly via normal/exception reporting
Residual Risk B: High; Control Effectiveness = Effective; Velocity: All
• Management Action: Expectation that ongoing continuous improvement and monitoring is in place
• Timeframe to establish critical control: N/A
• Governance Oversight and Action Frequency: Dean / DVC / VP, via normal/exception reporting; MB & SLT, quarterly
1. Analysis of the risks for each Faculty, Division, Controlled Entity and project: The Risk Profile.
The risk profile captures the core information about risks related to a Faculty, Division, Controlled Entity or project. This includes the description, ratings and current and future actions associated with a risk. To draw out insights and issues for each area, their risk information is consolidated and presented as a risk profile dashboard.
2. A one-page overview of the risk profile: The Risk Frontier.
This view of risks will capture the known risks, change and growth risks and emerging risks
(Table 3). The Risk Frontier draws from the risk profiles and discussion with Senior Executives of
the area on key internal and external emerging and or disruptive developments/trends.
3. An enterprise view of the University and its Controlled Entities risks: The Enterprise Risk Profile.
This report will contain an Enterprise Risk Frontier that draws on the above two reports. It will
provide additional commentary on the material risks. It will detail:
• Why the risk is important to the University and key Faculties and Divisions
• Changes to key mitigation strategies and risk environment
• Changes to Key Risk Indicator metrics (that include lead and lag indicators)
• Progress on agreed action to mitigate downside and pursue upside
In addition to including the relevant risk metrics in the commentary of a material risk, the collective
set of risk indicators will be provided as an appendix to this report. The appendix will reflect
changes over time and include commentary from relevant stakeholders on the implications of the
change.
Figure 6 Relationship between Internal Audit and Risk.
• Enterprise Risks: linked to strategy and captured in the Risk Frontier.
• Faculty, CE and Divisional Risk Profiles: linked to their objectives and captured in their Risk Frontier.
• Process Risks: captured in the School and Operational level risk assessments contained in BAU processes.
The Risk Profiles capture the uncertainties in delivering against strategy and objectives. As such, they are a valuable source for Internal Audit in developing their annual plan and in the preparation of each audit.
Internal Audit identifies and evaluates controls and works with the stakeholders to agree mitigation actions. This work is a valuable input into risk assessments and in building robust risk profiles.
10. Risk Accountability
Risk Management is the responsibility of all personnel. To support the University, accountability for the
implementation of the risk framework has been defined.
Accountability refers to the ultimate responsibility for actions, decisions, and management pertaining to
the nominated activity. This does not mean that the function accountable must deliver the action, but it
must seek assurance that the activity is or continues to be appropriate and progressing, if being
established.
The functions and accountabilities that support our Governance structure for risk are listed in Table 4.
Table 4: Accountability and Responsibilities for Risk
Council
• Maintain oversight of and gain assurance over the effective management of risk.
• Approve the endorsed University’s risk management framework, including the risk appetite.
Risk Committee
• Oversight and governance of the University’s strategic Risk Frontier and dashboard.
• Review and endorse the University’s risk management framework, including the risk appetite.
• Advise Council on the University’s performance in managing risk.
Senior Executive Leadership Team and Management Board
• Active monitoring of the management of material risks and risk culture.
• Active risk leadership and sponsorship of key risk activities.
• Review of the University’s strategic Risk Frontier, ensuring the salient strategic, growth and change and operational risks are represented.
Director of Risk
• Ensure the University’s risk management approach reflects ‘leading practice’ and is tailored to the University’s activities.
• Lead the ongoing development and integration of risk management into policies, procedures, standards, templates and tools, seeking innovation to our practice.
• Build the capability to identify and evaluate risk across the University.
• Generate and submit the University Consolidated Strategic Risk Frontier and updated Risk Dashboard for discussion at the Executive and review at the Audit and Risk Committees.
Faculties and Divisions
• Effective implementation (i.e. resourcing, training, conduct of assessments, integration of information into decision making and monitoring) of risk management within their Faculty or Division with the ongoing support of the Risk Function.
• Active leadership to drive a risk aware culture.
• Monitoring of their Risk Management Action Plan.
• Generation of quarterly Risk Profiles.
Subject Matter Experts & Risk Champions
• Ensure the University’s risk management approach reflects current ‘good practice’ related to their area of expertise or knowledge and the approach is tailored to the University’s activities, working with the Risk Function.
• Support and build the capability to identify and evaluate their area of risk across the University.
• Participate in the conduct of risk assessments and the monitoring of action as related to their area.
Attachment A: Risk Rating Tables. (DRAFT update)
The consequence table defines the nature of a potential impact that results from a risk being realised. The rating is determined by the highest rated impact irrespective of
impact type.
___________________________________________________________________________________________________
Guideline Name] Page 1 of 18
Version: #.# Effective XX Month Year
Impact types: Academic (Research & Teaching); Facilities & Operations; People & Community; Financial; Global Standing; Partners & Authorities.
Consequence: Substantial (Impact requiring Executive oversight and HOS, Director action)
• Academic (Research & Teaching): Capability to complete research or teaching commitments is undermined, impacting quality, cost and timeframes; Unable to continue research and or teaching in a FOS for a term; Erosion of student GPA and progression rates; Loss of a student cohort or research project’s data; New course unable to be progressed or introduced; Load sharing to support signature course and or research
• Facilities & Operations: A building is not able to be occupied for between 1 mth during teaching year; Loss of central teaching or research facilities between 1 to 2 terms; Core IT systems are inconsistently available to staff and students throughout the terms; Irretrievable loss of non-research data; Project / operations cost/time over-runs
• People & Community: Key person loss; Staff performance issues (>1 area of the University); Work-related injury requiring hospitalisation; Localised environmental harm lasting >1 mth; Industrial action (up to 1 month); A student group lodges complaints; A Community group voice concerns; Legal action from a group of students, staff or community group
• Financial: Financial loss between $5M - $20M; Costs and or loss unable to be consumed in the current Divisional or Faculty budget.
• Global Standing: Adverse state-based and social media traffic (mainly spurious) lasting 2 weeks; Persistent short-term Media enquiries over the events; Australian Higher Education Community query UNSW Research and Academic Integrity; Pursuit of a new opportunity is compromised
• Partners & Authorities: Authorities & government register strong concerns / threaten investigation; Corporate partners (existing and potential) voice strong concerns; Breach of contracts; Enforceable penalties or civil action; Increased partner complaints
Consequence: Medium (Localised impact for a Divisional Unit or School)
• Academic (Research & Teaching): Program development deferred or not progressed; Capability to complete research or teaching commitments is compromised in the short term; Increased reliance on unexperienced casual teaching staff
• Facilities & Operations: Compromised access to research equipment and facilities for 1 month; A building is not able to be occupied for 1-2 wks during term; Basic IT systems availability is unstable for staff and students for less than 1 month
• People & Community: Localised staff performance issues; Community member, staff or student legal action; Work-related injury/illness requiring medical/health prof. intervention; Localised environmental harm <1mth
• Financial: Financial loss between $50k - $5M; Costs and or loss unable to be consumed in the current Unit or School budget; Unauthorised spend up to $500K
• Global Standing: Active adverse student social media traffic (mainly spurious) lasting 2 weeks; External queries over UNSW Research and Academic Integrity; One-off adverse media report with local coverage or intra-industry knowledge of incident
• Partners & Authorities: Authority formally seeks clarification; Issue of infringement notice; Student groups register separate concerns
Consequence: Insignificant (Issue that is managed as part of BAU)
• Academic (Research & Teaching): Unit development is postponed or not progressed; Casual teaching staff are unable to be sourced, impacting quality; Research data or samples impacted but recovered within three days
• Facilities & Operations: Facilities are unable to be occupied for the day; Localised user group unable to access IT systems (<3 days); IT systems do not operate efficiently; Operational performance impacting day-to-day activities or project
• People & Community: Disaffected group of students and or staff; Minor work-related incident requiring first aid treatment only; No material environmental harm (on-site, immediately contained, no ongoing impact)
• Financial: Financial loss less than $50k; Unauthorised spend up to $50k
• Global Standing: N/A
• Partners & Authorities: Authority registers issue only; Minor complaints that can be managed within the business unit
Control Effectiveness and Velocity Ratings
The Control Effectiveness rating indicates the level of maturity of controls to mitigate either the consequence or the likelihood of a risk.
Control Effectiveness: Description
• Effective: Controls are adequate, appropriate and effective. They provide a reasonable assurance that risks are being managed and objectives should be met.
• Well based: A few specific control weaknesses are noted. However, many controls are adequate, appropriate and effective to provide a solid basis for assurance that risks are being managed and objectives should be met.
• Improvement: Numerous specific control weaknesses were noted. Controls evaluated are unlikely to provide reasonable assurance that risks are being managed and desired objectives should be met.
• Ineffective: Controls are not adequate, appropriate or effective. They do not provide reasonable assurance that risks are being managed and objectives should be met.
The Velocity rating identifies the potential speed at which the impact will materialise and impact the University.
Velocity: Description
• Immediate: The impact of the risk will affect the University’s operations, its reputation and or ability to operate immediately.
• Short Term: The impact of the risk will take up to six months to be realised and thus provides some lead time to convene a working party to prepare for and manage the expected impact.
• Long Term: The impact of the risk will take over six months to be realised and provides substantial lead time to establish a working team to plan and execute mitigation activities to manage the expected impact.
The likelihood rating indicates the potential for an occurrence.
• Likely: Will probably occur (61-90% chance), i.e. more likely to occur than not.
The Likelihood and Consequence ratings provide the overall risk rating.
Opportunity: Description
• Strong: The opportunity is easily identifiable; tangible steps can be taken to realise upside.
• Credible: The opportunity requires more investigation to confirm its potential and viability, however it appears to have a sound basis for upside.
• Constrained: The opportunity has a potential for upside, although it may be restricted and its potential limited.
Risk Categories
Risk categories are used to analyse and consolidate risk information by categorising them by the source of risk. They do not provide the level of detail required to
understand the nature of risk. It is for this reason they are not rated.
Risk Category: Includes risks related to
• Strategic: Strategic planning and delivery of initiatives; related external environmental and market shifts
• IT / Cyber: Digital services and security; Data security and IT incident response/DR
• Facilities / Operational: Facilities, infrastructure, and service and project delivery by associated ‘enabling functions’; Business Resilience
• People & Culture: Safety and security, recruitment, retention, culture, behaviour; change readiness
• Financial: Financial/budget reporting & control; Treasury/Investment strategy & management
• Academic (Research / Teaching): Research and Teaching Quality, Standards and Conduct; Student progression and load
• Legal/Regulatory: Legislation, regulation and standards compliance and changes
• Student: Student experience, safety and security
• Stakeholder: Expectations of and engagement with third parties, i.e. partners, community, Corporates and government
• Governance: Reporting to and oversight by Council, sub-committees of Council and governance forums
Accountabilities
Supporting Information
Legislative Compliance Nil
Revision History
Version; Approved by; Approval date; Effective date; Sections modified