2019 Risk Management Framework v6 2019 FINAL


Risk Management Framework

Version: X.X
Approved by: [to be completed]
Approval date: XX Month Year
Effective date: XX Month Year
Next full review: Month Year

Framework Purpose: The risk management framework details the requirements for identifying,
managing and monitoring uncertainty to maximise upside and minimise the downside of risk.

Scope: The Framework applies to all UNSW business, including those of its Controlled Entities.

Are Local Documents on this subject permitted? ☒ Yes, however Local Documents must be consistent
with this University-wide Document. ☐ No

Framework

1. Executive Summary
Effective risk management is critical to sound governance 1, building a consistent appetite for and robust
culture in risk, improving decision making and enhancing outcomes and accountability. When adopted
and integrated by an organisation, risk information provides insights into and transparency over material
operational, change/growth, disruptive and emerging risks.
Aligning to ISO 31000:2018 Risk Management - Guidelines 2, UNSW’s risk management framework
(Framework) will measure its success against the value creation principles (Refer to Figure 1) and its
ability to support the University in identifying and consistently analysing risks and opportunities inherent in
the updated Strategy 2025 and in all University operations. Risk at UNSW will be defined as the effect of
uncertainty on objectives.
The process of risk assessment outlined in this Framework has been designed to support and build
efficiency in decision making, ensuring alignment to objectives and integration of principles into existing
processes, analysis of key factors that influence decisions and the take up of opportunities. A key output
is the University’s enhanced capability to focus resourcing and effort on priority endeavours, matching
scarce resources to achieve the Strategy 2025.
This framework is the foundation for building the value of risk management; empowering people to
effectively manage and / or leverage off uncertainty.

2. Objectives

2.1. Objectives
The framework details the requirements for identifying, managing and monitoring uncertainty. It
clarifies how risk and opportunity are considered in strategic planning, review, approval and execution
of University (and controlled entities, together ‘the University’) initiatives and the monitoring of operational
performance. The Framework, adopting the ISO 31000:2018 principles (Figure 1), addresses how we
will embed the management of risk into our culture and practices and, by doing so, support the
Executive and Council in making informed decisions and provide assurance that a robust risk
management approach is adopted across the University.
Framework objectives include:
• Enhanced decision making; evidenced by adoption and integration of the Risk Appetite into
strategic decision making and operational monitoring processes.
• Strong engagement in and ownership of risk by our people evidenced by a maturing risk
culture. This culture will support clarity over the roles and responsibilities of people and
governance forums, enable consistent review of and discussions regarding potential risks
and co-ordination of people and activities.

1 ASX Corporate Governance Principles and Recommendations, ed 4, Feb 2019
2 ISO 31000:2018 Risk Management – Principles and guidelines

• Integrated risk assessment process that adds value to the University, evidenced by the
tailoring and integration of the assessments into existing processes for context relevance,
by people being competent in carrying out the process, and by management seeking to review
and understand the output of risk assessments.
• Maturing risk culture that embraces risk management principles into our cultural norms,
evidenced by the consideration of risk as part of ‘doing business’ and reflected in discussions
and questions regarding activities and initiatives.

Figure 1 ISO 31000:2018 Value Creation and Protection Principles:

3. Framework Architecture
Our Framework has been designed to align with the governance framework practices and reporting,
to accommodate the organisational structure and to meet the requirements of ISO 31000:2018 Risk
Management Guidelines. This Framework will inform other specialist risk functions, such as
Compliance, IT, Cyber, Treasury, Insurable Risk and Safety, so they can conform to it whilst also
ensuring compliance with the applicable standards and regulations related to their discipline.
Five elements make up the framework:
1. The Risk Management Statement and Strategic Risk Appetite (Section 6)
2. The Risk Management Process (Section 7)
3. Communicating and Reporting Risk Information (Section 8)
4. Risk Accountability across the University (Section 9)
5. Monitoring and Review of the Framework (Section 10)
To ensure the ongoing relevance of our framework, four continuous improvement activities are
integrated into the design and review components. They are:
1. Continual review of risk tools and practices by seeking feedback from ‘users’, champions and
sponsors following the conduct of risk sessions.
2. Annual review of the Framework and its objectives against industry standards and
innovations
3. Annual review of stakeholders to ascertain how the adoption of risk practices has added
value to University strategic, change/growth and operational performance
4. Annual confirmation of the University’s commitment to the Risk Management Strategy and
aspirational targets

4. Application
The University (including controlled entities) will be supported by the Risk Function to enable them to
embrace and adopt the Framework’s requirements. Newly established or acquired operations will be
required to comply with the requirements within 12 months of being established or acquired.
This Framework applies to the management of all types of risk at all levels across the University. All
specialist risk frameworks will be informed by and conform to this Framework, including, but not
limited to:
• Project Risk Management, including Strategic Initiative Feasibility and Business Case risk
analysis and Infrastructure Risk Management
• Health and Safety Risk Management, including safety research approvals
• Academic Risk Management
• Insurable Risk Management
• Treasury Risk Management
• Fraud and Corruption Prevention
• Incident and Crisis Management/ Business Resilience
• Compliance Risk Management
• IT Risk and Cyber Security
• Procurement Risk Management
• Event Risk Management

A key design focus has been the ability for Faculties and Divisional Portfolios to apply a consistent
risk assessment approach whilst enabling tailoring of forms to align to their Faculty/Portfolio and
unique activity requirements.

Requirement: The University and all its controlled entities will adopt the requirements of
the University’s Risk Management Framework.

4.1. Risk Management Calendar


To support the Risk Committee in executing its charter and the University in implementing industry
leading practice, a series of activities are required. These are outlined in the Risk Management
Calendar, Figure 2. Not listed in the calendar are the risk assessments and capability building
activities that will occur as and when projects and/or initiatives are identified and those scheduled to
support the enterprise risk profile updates.

Figure 2 The Risk Management Annual Calendar of major activities

Qtr 1
• Confirm risk review schedules and risk maturity action plan with Faculty, Divisions and Controlled Entities.
• Complete a deep dive into an agreed material strategic risk or potential disruptor for presentation to the RC
• Prepare and submit the required RC reports
• Conduct project and strategic initiative risk reviews as required
• Conduct scheduled risk training
• Present to the Senior Leadership Group on an agreed Risk Leadership Topic
• Contribute to the development of the IA plan

Qtr 2
• Hold the Annual Joint Committee Risk Workshop
• Complete a deep dive into the effectiveness of a sub-set risk framework, e.g. Fraud and Corruption Prevention Framework
• Prepare and submit the required RC reports
• Conduct project and or strategic initiative risk reviews as required
• Conduct scheduled risk training
• Rebase Strategic Risk Profile as part of the strategic planning process

Qtr 3
• Update the University Risk Profile with a focus on control effectiveness, secure endorsement from Senior Leadership Group and Management Board prior to RC submission.
• Prepare and submit the required RC reports
• Conduct project and or strategic initiative risk reviews as required
• Present to the Senior Leadership Group on an agreed Risk Leadership Topic
• Conduct scheduled risk training

Qtr 4
• Participate in the Insurance Program renewal
• Annual review of the Risk Management Framework, the Risk Appetite and related sub-speciality risk areas, e.g. IT Risk and Cyber Security
• Evaluation and update of the rolling 3 year Risk Management Strategy
• Conduct project and or strategic initiative risk reviews as required
• Conduct scheduled risk training

5. Responsibilities
Throughout the University, key roles and governance forums will take on responsibilities for actioning
the requirements of this framework. This includes:
• Council, Sub-Committees and Governance Structures, that set the University’s tone, will be
responsible for setting the risk appetite, reviewing the enterprise risk profiles and adequacy of
controls, and approving the risk management framework
• Faculties, Divisions and Executives will be responsible for monitoring their strategic and
operational risk performance and ensuring the capability to execute risk mitigation initiatives
• The Risk Function will be responsible for ensuring the Risk Management Framework
captures and translates leading risk practices to the activities of the University, competency
to manage risk is appropriate throughout the University and risk information is accurate,
mature and comprehensive to support the University Executives and Council and its Sub-
Committees in decision making and the management of risk
• Internal and external audit will provide independent reviews, the output of which will
contribute to risk information and evaluation of control effectiveness

The interplay of the above groups is reflected in COSO: the three lines of defence 3, Figure 3.
Figure 3: University’s Three Lines of Defence

Governing Body / Council / Risk & Audit Committees
Executive Management (MB & SLT)
External Audit / Regulators

1st Line of Defence
• Day-to-day risk management decisions
• Front line adoption of the risk and specialist risk frameworks
• Appropriately skilled and trained workforce
• Current and salient policies, procedures and governance

2nd Line of Defence
• Challenge to 1st line regarding financial, compliance, quality, IT and risk controls
• Safety reviews and audits
• Specialist advice and training

3rd Line of Defence
• Internal Audit
• Independent reviews, inspections and Investigations

3 Leveraging COSO across the three lines of defence, The Institute of Internal Auditors, 2015
6. University’s Risk Management statement and strategic risk appetite

6.1. Intent
The Risk Management Statement is a core element of UNSW’s governance. The University is
committed to building a risk aware culture that is supported by a tailored, practical and integrated
approach to the identification and management of uncertainty inherent in our strategy, operations and
the global environment in which we exist. This commitment is backed by ensuring appropriate risk
capabilities of our people.

6.2. How risk is defined at the University


Adopting the ISO 31000:2018 Standard’s definition of risk, risks will describe uncertainties in an event
or condition that, if it is realised, will affect (positively or negatively) the achievement of one or more of
the updated Strategy 2025 objectives. The magnitude of a risk will be assessed by qualifying the
nature of the impact (positive or negative), its likelihood of occurrence, the effectiveness of existing
controls and the speed at which the risk will impact the University.

6.3. Objectives of Risk Management


Risk Management objectives include:
• Providing risk tools that are customised and integrated into University processes whilst
enabling consistency in the application of risk management principles. Most notably these
include but are not limited to:
a. Strategic planning
b. Anticipating and implementing strategic change initiatives, new commercial activities,
ventures and projects
c. Assessing and introducing academic or administration changes to courses or
processes, respectively
d. Reviewing and approving research opportunities and grants.
e. Reviewing and assessing compliance controls and performance.
• Building the required capability across the University to enable personnel to identify, assess
and mitigate risks through providing tailored risk education and training
• Enhancing the risk culture through embedding a consistent application of the University’s
Risk Appetite into all strategic decision processes and facilitating salient risk discussions.
• Ensuring a consistent structure for review and monitoring of treatment actions for those high
and very high risks with a less than effective control environment and a potential to
immediately impact (positively or negatively) the University’s operations.
• Ensuring the ongoing review and interrogation of the risk management performance against
available data/indicators, industry leading practices and feedback from stakeholders.

6.4. Definition and Purpose of Risk Appetite Statement (RAS)


The Risk Appetite defines the type and degree of risk the University is willing to accept to achieve its
strategy and operational aspirations. Its purpose is to guide University governance bodies, executive
and staff in decision making. It does so by defining the boundaries for risk taking, thereby aligning
decisions to the risk appetite.
These boundaries detail the principles and metrics, both quantitative and qualitative, that, when
reviewed as a collective, assist in decision making. The draft RAS is to be used to review any activity
that may impact the University and its controlled entities at an enterprise level.

6.5. Approach to Risk Appetite


The University supports a positive risk culture, where individuals are empowered to take measured
risks to achieve the strategic priorities and to act within UNSW Behaviours. Conversely, activities that
materially threaten the viability of the University and its strategy will not be supported.

Implementation of the RAS requires consideration of the risk appetite parameters as part of the
strategic initiative feasibility and approval processes and as part of the operational decision making
for governance and management forums.
Where an initiative or operational performance outcome falls into the tolerance range (i.e. where an
initiative or operational outcome may impact the stated appetite but does not fall within the
‘unacceptable/no appetite’ statement), a risk evaluation is required. Mitigation actions must
demonstrate how they will re-align the initiative or performance to the RAS. This is outlined in the
diagram below:

Figure 4 Applied Risk Appetite process

Step 1: Is the Strategic Initiative within RAS? / Are Operations performing within RAS?
• YES: proceed to Step 2.
• NO: Where there are areas of uncertainty, the risk and mitigations will be identified and demonstrate
how the initiative or operation will be delivered within appetite. This information will be central to
the decision making.

Step 2: Are the Strategic Initiative metrics clear? / Are performance monitoring metrics clear?
• YES: proceed to Step 3.
• NO: Given the context of the initiative or operational task, ensure lead and lag indicators are clearly
identified and demonstrate alignment with the RAS.

Step 3: Are Governance Forums identified as responsible for monitoring performance against RAS?
• YES: Decision-making authority approval.
• NO: Clarify the Governance Forum responsible for monitoring the endeavor and those persons
accountable for delivering the endeavor within RAS.

Where the remedial actions do NOT address the issues then: Initiative may not be approved.
Governance Forum increase scrutiny, escalate or cease operation.

NOTE: Refinement of the UNSW RAS is currently underway to address:


• Limited connection between the RAS guidance and metrics to decision-making processes
• Limited ability to translate the RAS guidance and metrics to monitoring of operational
performance and reporting

This area will be updated once ratified by the Management Board (MB), Senior Leadership Team
(SLT) and endorsed by the Risk Committee.

6.6. Unacceptable Risk Outcomes – No Appetite


‘No Appetite’ qualifications reflect the actions that are contrary to the Strategy 2025 and our UNSW
Behaviours. These include, but will be revised as part of the RAS review:
• Activity that compromises the University’s legal and regulatory obligations
• Situations where those interacting with the University are recklessly harmed
• Research funded by tobacco or gambling organisations

• Activities that compromise the University’s academic quality and integrity for staff and students
• Adverse impacts on the University’s reputation
• Actions that adversely impact the University’s financial resilience

Table 1. University’s qualitative risk appetite and tolerance areas. (To be determined)

Strategic Priorities (Risk Appetite Parameters to be determined for each):
• Reputation
• Research advancement
• Innovation
• Student Experience
• Partnerships /Stakeholder
• High performing and engaged workforce
• Finance & Capital resilience
• Sustainable Campus

7. Risk Management Process
Risk analysis and management are central to any Risk Management Framework. The process to conduct
a risk assessment will follow the ISO 31000 approach as depicted in the diagram below. The detailed
process, tools and guidance for conducting a risk assessment are provided in the ‘Risk Management
Process’ document.

Figure 5: Risk Management Process aligned to ISO 31000: 2018 (process elements shown include
Communicate and Scope, Context & Criteria)

7.1. Monitoring the Risks


Given that a risk assessment is a snapshot in time, clarifying who will monitor and manage the
ongoing exposure/potential on behalf of the University, and how, is a critical element of the process.
In the planning phase of conducting a risk assessment, the appropriate structure and timeframe for
review of risks is confirmed. When the risk assessment process is contained within a procedure, the
delegation of authority and process owners will help govern the management of unresolved issues.
However, in order to provide consistency in the governance and oversight of risk by the SLT and MB,
an accountability matrix for oversight has been established. This is set out in Table 2.
Determination of the level and frequency of review is based on three metrics: the residual risk rating,
the control effectiveness rating and the velocity rating.
When monitoring or reviewing a risk we will review:
• The nature and rating of risk given changes to external or internal environments
• The effectiveness of any changes to the control environment and the need for additional controls.
• The need to add new, alter or retire existing risks and or controls.

Requirement: Where a risk assessment is required, our Risk Management Process is adopted.

Table 2 Priority for Treating Group Level Risk
(Columns: Residual Risk; Control Effectiveness; Velocity; Management Action; Timeframe to establish
critical control; Governance Oversight; Action Frequency)

A: Very High | = Effective | Velocity: All
  Management Action: Expectation that ongoing continuous improvement and monitoring is in place
  Timeframe to establish critical control: N/A
  Governance Oversight / Action Frequency: Risk Committee of Council (RC), Quarterly via
  normal/exception reporting; MB & SLT, Monthly

A: Very High | < Effective | Velocity: Immediate & Short Term
  Management Action: Take action to reduce rating & exposure by building control effectiveness
  Timeframe to establish critical control: 3 months
  Governance Oversight / Action Frequency: RC, Quarterly via normal/exception reporting; MB & SLT, Monthly

A: Very High | < Effective | Velocity: Long Term
  Management Action: Take action to reduce rating & exposure by building control effectiveness
  Timeframe to establish critical control: 6 months
  Governance Oversight / Action Frequency: RC, Quarterly via normal/exception reporting; MB & SLT, Monthly

B: High | = Effective | Velocity: All
  Management Action: Expectation that ongoing continuous improvement and monitoring is in place
  Timeframe to establish critical control: N/A
  Governance Oversight / Action Frequency: Dean / DVC / VP, Via normal/exception reporting; MB & SLT, Quarterly

B: High | < Effective | Velocity: Immediate & Short Term
  Management Action: Build control effectiveness in keeping with the business plan.
  Timeframe to establish critical control: 3 months
  Governance Oversight / Action Frequency: Dean / DVC, Monthly; MB & SLT, Quarterly; RC, Quarterly via
  normal/exception reporting

B: High | < Effective | Velocity: Long Term
  Management Action: Build control effectiveness in keeping with the business plan.
  Timeframe to establish critical control: 6 months
  Governance Oversight / Action Frequency: Dean / DVC Executive, Via normal/exception reporting; RC

C: Moderate | < Effective | Velocity: Immediate & Short Term
  Management Action: Build control effectiveness in keeping with all other priorities.
  Timeframe to establish critical control: 6 months
  Governance Oversight / Action Frequency: Director / HOS, As part of performance monitoring

C: Moderate | < Effective | Velocity: Long Term
  Management Action: Build control effectiveness in keeping with the business plan.
  Timeframe to establish critical control: 12 months
  Governance Oversight / Action Frequency: Director / HOS, As part of performance monitoring

D: Minor | < Effective | Velocity: All
  Management Action: Build control effectiveness in keeping with all other priorities.
  Timeframe to establish critical control: 18 months
  Governance Oversight / Action Frequency: Director / HOS, As part of performance monitoring

D: Low | < Effective | Velocity: All
  Management Action: Lower priority. Build control effectiveness as part of usual business improvement.
  Monitoring will be required.
  Timeframe to establish critical control: 18 months
  Governance Oversight / Action Frequency: Risk Owner, As part of performance monitoring

8. Communicating and Reporting Risk Information

8.1. Reporting the risks


Risk reporting will occur at various levels across the University:

1. Analysis of the risks for each Faculty, Division, Controlled Entity and project: The Risk Profile.
The risk profile captures the core information about risks related to a Faculty, Division, Controlled
Entity or project. This includes the description, ratings and current and future actions associated
with a risk. To draw out insights and issues for each area, their risk information is consolidated
and presented as a risk profile dashboard.

2. A one-page overview of the risk profile: The Risk Frontier.
This view of risks will capture the known risks, change and growth risks and emerging risks
(Table 3). The Risk Frontier draws from the risk profiles and discussion with Senior Executives of
the area on key internal and external emerging and or disruptive developments/trends.

Table 3: Example of the Risk Frontier:

Known Risks (Risks arising from delivering core services): The prevention and detection controls for
academic fraud lag the speed at which innovative options are made available to students.

Growth / Change Risks (Risks arising from growth and change initiatives): On-line and digital learning
programs and the opportunities they provide are compromised by competing priorities.

Emerging Risks (Risks from internal and external emerging / disruptive developments or trends): Future
students’ and employers’ expectations on skill competency and work-readiness are not met by future
UNSW graduates.

3. An enterprise view of the University and its Controlled Entities risks: The Enterprise Risk Profile.
This report will contain an Enterprise Risk Frontier that draws on the above two reports. It will
provide additional commentary on the material risks. It will detail:

• Why the risk is important to the University and key Faculties and Divisions
• Changes to key mitigation strategies and risk environment
• Changes to Key Risk Indicator metrics (that include lead and lag indicators)
• Progress on agreed action to mitigate downside and pursue upside

In addition to including the relevant risk metrics in the commentary of a material risk, the collective
set of risk indicators will be provided as an appendix to this report. The appendix will reflect
changes over time and include commentary from relevant stakeholders on the implications of the
change.

8.2. Risk Escalation


The escalation of risk takes two forms:
1. the routine escalation of those risks with sub-optimal control environments (section 7.6)
2. the immediate escalation of emergency and ‘crisis’ events. This is captured under the Incident
and Crisis Management Framework which embeds the risk ratings and Strategic Risk Appetite.

8.3. Annual Risk Plans


Faculty and Divisional Risk Plans are agreed annually. These plans are based on an assessment of
the area’s risk maturity and their risk profile and are designed to enhance their performance in
managing and monitoring risk exposures. The plan lists the agreed risk projects, a risk profiling
schedule and identifies the sponsors and champions and team accountabilities. This process will be
embedded into the Annual and Mid-year review process.

8.4. Relationship between Internal Audit and Risk Management


A valuable source of process risk and control information is found in the activities of Internal Audit.
This information supports the risk profiling activity and provides assurance around key controls.
Conversely, the information captured by risk provides an important input for the annual internal audit
program and also for each audit. The relationship between the two functions is provided in Figure 6.

Figure 6 Relationship between Internal Audit and Risk.

Enterprise Risks: linked to strategy and captured in the Risk Frontier.
Faculty, CE and Divisional Risk Profiles: linked to their objectives and captured in their Risk Frontier.
Process Risks: captured in the School and Operational level risk assessments contained in BAU processes.

The Risk Profiles capture the uncertainties in delivering against strategy and objectives. As such, they
are a valuable source for Internal Audit in developing their annual plan and in the preparation of each
audit.
Internal Audit identifies and evaluates controls and works with the stakeholders to agree mitigation
actions. This work is a valuable input into risk assessments and in building robust risk profiles.

9. Building Risk Capabilities


The central Risk Management team is accountable for identifying, building and maintaining the
appropriate level of risk capability across the University. To achieve this, a matrix of key roles, critical
to the management of risk, is matched to the nature of training to be provided. In addition, people in
these roles will be invited to attend thought leadership sessions and strategic planning days.

Figure 7 Three legs to build capability (Learn, Master and Lead, together building Risk Capability).

The approach to building capability will draw on:
1. Learn – Acquire knowledge and skills through formal learning experiences, including e-learns,
face-to-face training and formal mentoring arrangements.
2. Master – Apply the knowledge by developing and refining the skills and tools, providing feedback
to enhance our capabilities.
3. Lead – Become a champion within the business, coaching others to make best practice a cultural
norm.

10. Risk Accountability
Risk Management is the responsibility of all personnel. To support the University, accountability for the
implementation of the risk framework has been defined.
Accountability refers to the ultimate responsibility for actions, decisions, and management pertaining to
the nominated activity. This does not mean that the function accountable must deliver the action, but it
must seek assurance that the activity is or continues to be appropriate and progressing, if being
established.
The functions and accountabilities that support our Governance structure for risk are listed in Table 4.
Table 4: Accountability and Responsibilities for Risk

Council
• Maintain oversight of and gain assurance over the effective management of risk.
• Approve the endorsed University’s risk management framework, including the risk appetite.

Risk Committee
• Oversight and governance of the University’s strategic Risk Frontier and dashboard.
• Review and endorse the University’s risk management framework, including the risk appetite.
• Advise Council on the University’s performance in managing risk.

Senior Executive Leadership Team and Management Board
• Active monitoring of the management of material risks and risk culture.
• Active risk leadership and sponsorship of key risk activities.
• Review of the University’s strategic Risk Frontier, ensuring the salient strategic, growth and
change and operational risks are represented.

Director of Risk
• Ensure the University’s risk management approach reflects ‘leading practice’ and is tailored to
the University’s activities.
• Lead the ongoing development and integration of risk management into policies, procedures,
standards, templates and tools, seeking innovation to our practice.
• Build the capability to identify and evaluate risk across the University.
• Generate and submit the University Consolidated Strategic Risk Frontier and updated Risk
Dashboard for discussion at the Executive and review at the Audit and Risk Committees.

Faculties and Divisions
• Effective implementation (i.e. resourcing, training, conduct of assessments, integration of
information into decision making and monitoring) of risk management within their Faculty or
Division with the ongoing support of the Risk Function.
• Active leadership to drive a risk aware culture.
• Monitoring of their Risk Management Action Plan.
• Generation of quarterly Risk Profiles.

Subject Matter Experts & Risk Champions
• Ensure the University’s risk management approach reflects current ‘good practice’ related to
their area of expertise or knowledge and the approach is tailored to the University’s activities,
working with the Risk Function.
• Support and build the capability to identify and evaluate their area of risk across the University.
• Participate in the conduct of risk assessments and the monitoring of action as related to their
area.

11. Monitoring and Review of the Risk Management Framework


The framework will be reviewed and updated annually against industry standards and innovations and
following review of the University’s performance and maturity in managing risk using the Maturity Model
assessment and stakeholder feedback.
The revised framework will be submitted to the Risk Committee annually for ratification.

Attachment A: Risk Rating Tables. (DRAFT update)

The consequence table defines the nature of a potential impact that results from a risk being realised. The rating is determined by the highest rated impact irrespective of
impact type.

Impact types: Academic (Research & Teaching); Facilities & Operations; People & Community; Financial;
Global Standing; Partners & Authorities.

Consequence: Severe (Long term or widespread impact requiring Senior Executive and Council time and
effort over multiple months and deviation from strategic plan.)
• Academic (Research & Teaching): Systemic academic or research fraud; Loss of signature high profile
research capability; Closure of signature course; Multiple (>10) students suspended or unenrolled from
courses; Multiple (>10) students’ degrees are retracted; Compromised student and research data;
Multiple academic research papers are retracted
• Facilities & Operations: Loss of critical facilities (i.e. labs) for 1+ yr.; Critical IT systems not
available for greater than 6 months and irretrievable loss of this stored data; Data integrity/loss and
IP loss associated with sensitive research and commercial endeavours; Large scale release of sensitive
and personal information to public domains; Inability to deliver key project benefits / Critical
operations unable to be performed
• People & Community: VC and/or key Executive resigns; Board restructure; Pervasive loss of University
community confidence; Reckless, work-related harm to people / Multiple work-related deaths or serious
permanent disabilities; Widespread, permanent environmental harm; QILT rankings drop
• Financial: Fraud event ($1M); Misappropriation of $1M funds, including Philanthropic donations;
Financial loss, including teaching revenue, exceeding $50M and, or have the potential to incur
additional costs in more than the current year; Key 3rd party withdrawal of funding; Significant
personal liability &/or potential custodial sentence of directors &/or employees
• Global Standing: Engagement with partners/entities not aligned with RAS – connection with tobacco and
gambling industries etc.; Legal action with material basis of negligence; International and widespread
prolonged (>1 month) adverse media (including social media); Global Higher Education community raise
concerns over UNSW actions; Loss of provider status
• Partners & Authorities: Total loss of confidence by Government/ Student Community / Authorities/
Funding and Research Bodies; Key strategic partner/ alliance ceases engagement with UNSW

Consequence: Major (Impact requiring Senior Executive management and oversight and notification to
Council.)
• Academic (Research & Teaching): Withdrawal of or conditions imposed on Research funds; Unable to
continue research and or teaching in a FOS; Withdrawal or retraction of publications; Retraction of a
student qualification; Loss of a defined group of students and research projects’ data
• Facilities & Operations: Partial loss of a critical facility between 6mths to 1 year; Loss of central
teaching or research facilities for 3 terms; Regulatory sanction / suspension of licence / accreditation
conditions; Loss of critical IT system for 1-2 terms; Sensitive and personal data released to public;
Major project benefits are no longer viable / Critical operations compromised
• People & Community: Faculty Dean, VP or DVC termination; Single work-related death or permanent
disability; Long term damage to the environment; Ongoing disruptive Industrial action (> 1 month);
Widespread Student and, or Staff body protest / outcry; Community outcry and action / Staff performance
across the University eroded
• Financial: Financial loss, including teaching revenue, between $20M- $50M
• Global Standing: International and widespread short-term (1 month) adverse media (including social
media); Suspension or conditional Provider Status; Loss of standing in the Australasian Research and
Academic Community visible to global partners
• Partners & Authorities: Investigation by ACNC, ATO, ANSTO or AONSW; Targeted enquiry or investigation
by Authorities; Widespread disaffected student community; Corporate partners (existing and potential)
disassociate themselves from UNSW; Legal dispute with Corporate partner (e.g. IP and commercialization
rights); Major partner disengages

___________________________________________________________________________________________________
Guideline Name] Page 1 of 18
Version: #.# Effective XX Month Year
Substantial: Impact requiring Executive oversight and HOS, Director action.
  Academic (Research & Teaching): Capability to complete research or teaching commitments is undermined, impacting quality, cost and timeframes. Unable to continue research and/or teaching in a FOS for a term. Erosion of student GPA and progression rates. Loss of a student cohort or research project's data. New course unable to be progressed or introduced. Load sharing to support signature course and/or research.
  Facilities & Operations: A building is not able to be occupied for between 1 mth during teaching year. Loss of central teaching or research facilities between 1 to 2 terms. Core IT systems are inconsistently available to staff and students throughout the terms. Irretrievable loss of non-research data. Project / operations cost/time over-runs.
  People & Community: Key person loss. Staff performance issues (>1 area of the University). Work-related injury requiring hospitalisation. Localised environmental harm lasting >1 mth. Industrial action (up to 1 month). A student group lodges complaints. A Community group voices concerns. Legal action from a group of students, staff or community group.
  Financial: Financial loss between $5M - $20M. Costs and/or loss unable to be consumed in the current Divisional or Faculty budget.
  Global Standing: Adverse state-based and social media traffic (mainly spurious) lasting 2 weeks. Persistent short-term Media enquiries over the events (weeks). Australian Higher Education Community query UNSW Research and Academic Integrity. Pursuit of a new opportunity is compromised.
  Partners & Authorities: Authorities & government register strong concerns / threaten investigation. Corporate partners (existing and potential) voice strong concerns. Breach of contracts. Enforceable penalties or civil action. Increased partner complaints.

Medium: Localised impact for a Divisional Unit or School.
  Academic (Research & Teaching): Program development deferred or not progressed. Capability to complete research or teaching commitments is compromised in the short term. Increased reliance on inexperienced casual teaching staff.
  Facilities & Operations: Compromised access to research equipment and facilities for 1 month. A building is not able to be occupied for 1-2 wks during term. Basic IT systems availability is unstable for staff and students for less than 1 month.
  People & Community: Localised staff performance issues. Community member / staff / student legal action. Student groups register separate concerns. Work-related injury/illness requiring medical / health prof. intervention. Localised environmental harm <1 mth.
  Financial: Financial loss between $50k - $5M. Costs and/or loss unable to be consumed in the current Unit or School budget. Unauthorised spend up to $500K.
  Global Standing: Active adverse student social media traffic (mainly spurious) lasting 2 weeks. External queries over UNSW Research and Academic Integrity. One-off adverse media report with local coverage or intra-industry knowledge of incident.
  Partners & Authorities: Authority formally seeks clarification. Issue of infringement notice.

Insignificant: Issue that is managed as part of BAU.
  Academic (Research & Teaching): Unit development is postponed or not progressed. Casual teaching staff are unable to be sourced, impacting quality. Research data or samples impacted but recovered within three days.
  Facilities & Operations: Facilities are unable to be occupied for the day. Localised user group unable to access IT systems (<3 days). IT systems do not operate efficiently. Operational performance impacting day-to-day activities or project.
  People & Community: Disaffected group of students and/or staff. Minor work-related incident requiring first aid treatment only. No material environmental harm – on-site, immediately contained, no ongoing impact.
  Financial: Financial loss less than $50k. Unauthorised spend up to $50k.
  Global Standing: N/A.
  Partners & Authorities: Authority registers issue only. Minor complaints that can be managed within the business unit.

Control Effectiveness and Velocity Ratings
The Control Effectiveness rating indicates the level of maturity of controls to mitigate either the consequence or the likelihood of a risk.

Control Effectiveness: Description
  Effective: Controls are adequate, appropriate and effective. They provide a reasonable assurance that risks are being managed and objectives should be met.
  Well based: A few specific control weaknesses are noted. However, many controls are adequate, appropriate and effective to provide a solid basis for assurance that risks are being managed and objectives should be met.
  Improvement: Numerous specific control weaknesses were noted. Controls evaluated are unlikely to provide reasonable assurance that risks are being managed and desired objectives should be met.
  Ineffective: Controls are not adequate, appropriate or effective. They do not provide reasonable assurance that risks are being managed and objectives should be met.

The Velocity rating identifies the potential speed at which the impact will materialise and affect the University.

Velocity: Description
  Immediate: The impact of the risk will affect the University's operations, its reputation and/or ability to operate immediately.
  Short Term: The impact of the risk will take up to six months to be realised and thus provides some lead time to convene a working party to prepare for and manage the expected impact.
  Long Term: The impact of the risk will take over six months to be realised and provides substantial lead time to establish a working team to plan and execute mitigation activities to manage the expected impact.

The likelihood rating indicates the potential for an occurrence.

Likelihood: Description
  Almost Certain: Expected (90+% chance) to occur in most circumstances.
  Likely: Will probably occur (61-90% chance), i.e. more likely to occur than not.
  Possible: Possible occurrence (21-60% chance).
  Unlikely: Remote chance of occurring (1-20% chance).
  Rare: May occur in exceptional circumstances (<1% chance).

The Likelihood and Consequence ratings provide the overall risk rating.

Risk Rating Matrix
  Likelihood (rows): Almost Certain; Likely; Possible; Unlikely; Rare
  Consequence (columns): Insignificant; Medium; Substantial; Major; Severe
  [Cell ratings are in the original matrix graphic.]

Opportunity: Description
  Strong: The opportunity is easily identifiable; tangible steps can be taken to realise upside.
  Credible: The opportunity requires more investigation to confirm its potential and viability; however, it appears to have a sound basis for upside.
  Constrained: The opportunity has a potential for upside, although it may be restricted and its potential limited.

Risk Categories
Risk categories are used to analyse and consolidate risk information by categorising risks by their source. They do not provide the level of detail required to understand the nature of a risk; for this reason they are not rated.

Risk Category: Includes risks related to
  Strategic: Strategic planning and delivery of initiatives; related external environmental and market shifts
  Facilities / Operational: Facilities, infrastructure, and service and project delivery by associated 'enabling functions'; Business Resilience
  Financial: Financial/budget reporting & control; Treasury/Investment strategy & management
  Legal/Regulatory: Legislation, regulation and standards compliance and changes
  Stakeholder: Expectations of and engagement with third parties, i.e. partners, community, Corporates and government
  IT / Cyber: Digital services and security; Data security and IT incident response/DR
  People & Culture: Safety and security, recruitment, retention, culture, behaviour; change readiness
  Academic (Research / Teaching): Research and Teaching Quality, Standards and Conduct; Student progression and load
  Student: Student experience, safety and security
  Governance: Reporting to and oversight by Council, sub-committees of Council and governance forums

Accountabilities

Responsible Officer: Chief of Strategic Initiatives

Contact Officer: Director of Risk

Supporting Information
Legislative Compliance: Nil

Parent Document (Policy and Procedure): Nil

Supporting Documents: Risk Management Process; Risk Maturity Model; Risk Appetite

Related Documents: Project Risk Management; Health and Safety Risk Management, including safety research approvals; Academic Risk Management; Insurable Risk Management; Treasury Risk Management; Fraud and Corruption Prevention; Incident and Crisis Management / Business Resilience; Compliance Risk Management; IT Risk and Cyber Security; Procurement Risk Management; Event Risk Management

Superseded Documents: Nil

File Number: [For Governance Use]

Definitions and Acronyms

Insert Term: Insert definition of terms used within this Guideline and expand any acronyms used. Add extra rows below as required.

Insert Term:

Revision History
Version | Approved by | Approval date | Effective date | Sections modified

#.# | [to be completed] | [to be completed] | [to be completed] | [to be completed]

Further Information
This section is not published on the final PDF document. It is for website purposes only.

Keywords for search engine: Risk Assessment; Risk Management; Risk Appetite

FAQs and answers: Include any Frequently Asked Questions and answers to be included with the Guideline (in a separate tab or section) in the Governance Policy Repository.
