Risk Management Framework
Version: V3
Approved by: Risk Committee of Council
Approval date: 29 Nov 2019
Effective date: 29 Nov 2019
Next full review: Nov 2020
Framework
Purpose: The risk management framework details the requirements for identifying, managing and monitoring uncertainty in order to maximise the upside and minimise the downside of risk.
Scope: The Framework applies to all UNSW business, including that of its Controlled Entities.
Are Local Documents on this subject permitted?
☒ Yes, however Local Documents must be consistent with this University-wide Document.
☐ No
1. Executive Summary
Effective risk management is critical to sound governance [1], building a consistent appetite for and robust culture in risk, improving decision making and enhancing outcomes and accountability. When adopted and integrated by an organisation, risk information provides insights into and transparency over material operational, change/growth, disruptive and emerging risks.
Aligning to ISO 31000:2018 Risk Management - Guidelines [2], UNSW’s risk management framework (Framework) will measure its success against the value creation principles (refer to Figure 1) and its ability to support the University in identifying and consistently analysing risks and opportunities inherent in the updated Strategy 2025 and in all University operations. Risk at UNSW will be defined as the effect of uncertainty on objectives.
The process of risk assessment outlined in this Framework has been designed to support and build efficiency in decision making, ensuring alignment to objectives and integration of principles into existing processes, analysis of key factors that influence decisions and the take up of opportunities. A key output is the University’s enhanced capability to focus resourcing and effort on priority endeavours, matching scarce resources to achieve the Strategy 2025.
This framework is the foundation for building the value of risk management; empowering people to effectively manage and / or leverage off uncertainty.
2. Objectives
2.1. Objectives
The framework details the requirements for identifying, managing and monitoring uncertainty. It clarifies how risk and opportunity are considered in the strategic planning, review, approval and execution of University initiatives (including those of its controlled entities; together, ‘the University’) and in the monitoring of operational performance. The Framework, adopting the ISO 31000:2018 principles (Figure 1), addresses how we will embed the management of risk into our culture and practices and, by doing so, support the Executive and Council in making informed decisions and provide assurance that a robust risk management approach is adopted across the University.
Framework objectives include:
• Enhanced decision making; evidenced by adoption and integration of the Risk Appetite into strategic decision making and operational monitoring processes.
• Strong engagement in and ownership of risk by our people, evidenced by a maturing risk culture. This culture will support clarity over the roles and responsibilities of people and governance forums, and enable consistent review of and discussion regarding potential risks and co-ordination of people and activities.
• An integrated risk assessment process that adds value to the University, evidenced by the tailoring and integration of assessments into existing processes for context relevance, by people being competent in carrying out the process, and by management seeking to review and understand the output of risk assessments.
• A maturing risk culture that embraces risk management principles as cultural norms, evidenced by the consideration of risk as part of ‘doing business’ and reflected in discussions and questions regarding activities and initiatives.
[1] ASX Corporate Governance Principles and Recommendations, ed 4, Feb 2019
[2] ISO 31000:2018 Risk Management – Principles and guidelines
Figure 1: ISO 31000:2018 Value Creation and Protection Principles.
3. Framework Architecture
Our Framework has been designed to align with the governance framework practices and reporting, to accommodate the organisational structure and to meet the requirements of ISO 31000:2018 Risk Management Guidelines. This Framework will inform other specialist risk functions, such as Compliance, IT, Cyber, Treasury, Insurable Risk and Safety, so they can conform to it whilst also ensuring compliance with the applicable standards and regulations related to their discipline.
Five elements make up the framework:
1. The Risk Management Statement and Strategic Risk Appetite (Section 6)
2. The Risk Management Process (Section 7)
3. Communicating and Reporting Risk Information (Section 8)
4. Risk Accountability across the University (Section 9)
5. Monitoring and Review of the Framework (Section 10)
To ensure the ongoing relevance of our framework, four continuous improvement activities are integrated into the design and review components. They are:
1. Continual review of risk tools and practices by seeking feedback from ‘users’, champions and sponsors following the conduct of risk sessions.
2. Annual review of the Framework and its objectives against industry standards and innovations
3. Annual review of stakeholders to ascertain how the adoption of risk practices has added value to University strategic, change/growth and operational performance
4. Annual confirmation of the University’s commitment to the Risk Management Strategy and aspirational targets
4. Application
The University (including controlled entities) will be supported by the Risk Function to enable them to embrace and adopt the Framework’s requirements. Newly established or acquired operations will be required to comply with the requirements within 12 months of being established or acquired.
This Framework applies to the management of all types of risk at all levels across the University. All specialist risk frameworks will be informed by and conform to this Framework, including, but not limited to:
• Project Risk Management, including Strategic Initiative Feasibility and Business Case risk analysis and Infrastructure Risk Management
• Health and Safety Risk Management, including safety research approvals
• Academic Risk Management
• Insurable Risk Management
• Treasury Risk Management
• Fraud and Corruption Prevention
• Incident and Crisis Management/ Business Resilience
• Compliance Risk Management
• IT Risk and Cyber Security
• Procurement Risk Management
• Event Risk Management
A key design focus has been the ability for Faculties and Divisional Portfolios to apply a consistent risk assessment approach whilst enabling tailoring of forms to align to their Faculty/Portfolio and unique activity requirements.
4.1. Risk Management Calendar
To support the Risk Committee in executing its charter, and the University in implementing industry leading practice, a series of activities is required. These are outlined in the Risk Management Calendar, Figure 2. Not listed in the calendar are the risk assessments and capability building activities that will occur as and when projects and/or initiatives are identified, and those scheduled to support the enterprise risk profile updates.
Requirement: The University and all its controlled entities will adopt the requirements of the University’s Risk Management Framework.
Figure 2: The Risk Management Annual Calendar of major activities.
5. Responsibilities
Throughout the University, key roles and governance forums will take on responsibilities for actioning the requirements of this framework. These include:
• Council, Sub-Committees and Governance Structures, that set the University’s tone, will be responsible for setting the risk appetite, reviewing the enterprise risk profiles and adequacy of controls, and approving the risk management framework
• Faculties, Divisions and Executives will be responsible for monitoring their strategic and operational risk performance and ensuring the capability to execute risk mitigation initiatives
• The Risk Function will be responsible for ensuring the Risk Management Framework captures and translates leading risk practices to the activities of the University, competency to manage risk is appropriate throughout the University and risk information is accurate, mature and comprehensive to support the University Executives and Council and its Sub-Committees in decision making and the management of risk
• Internal and external audit will provide independent reviews, the output of which will contribute to risk information and evaluation of control effectiveness
The interplay of the above groups is reflected in COSO: the three lines of defence [3], Figure 3.
Figure 3: University’s Three Lines of Defence
[3] Leveraging COSO across the three lines of defence, The Institute of Internal Auditors, 2015
Figure 2 (Risk Management Annual Calendar) content:
Qtr 1
• Confirm risk review schedules and risk maturity action plan with Faculty, Divisions and Controlled Entities.
• Hold the Annual Joint Committee Risk Workshop
• Complete a deep dive into an agreed material strategic risk or potential disruptor for presentation to the RC
• Prepare and submit the required RC reports
• Conduct project and strategic initiative risk reviews as required
• Conduct scheduled risk training
• Present to the Senior Leadership Group on an agreed Risk Leadership Topic
Qtr 2
• Update the University Risk Profile with a focus on control effectiveness; secure endorsement from the Senior Leadership Group and Management Board prior to RC submission.
• Complete a deep dive into the effectiveness of a sub-set risk framework, e.g. Fraud and Corruption Prevention
• Prepare and submit the required RC reports
• Conduct project and/or strategic initiative risk reviews as required
• Conduct scheduled risk training
Qtr 3
• Participate in the Insurance Program renewal
• Prepare and submit the required RC reports
• Conduct project and/or strategic initiative risk reviews as required
• Present to the Senior Leadership Group on an agreed Risk Leadership Topic
• Conduct scheduled risk training
• Contribute to the development of the IA plan
Qtr 4
• Annual review of the Risk Management Framework, the Risk Appetite and related sub-speciality risk areas, e.g. IT Risk and Cyber Security Framework
• Evaluation and update of the rolling 3-year Risk Management Strategy
• Rebase the Strategic Risk Profile as part of the strategic planning process
• Conduct project and/or strategic initiative risk reviews as required
• Conduct scheduled risk training
Figure 3 (University’s Three Lines of Defence) content:
Governing Body / Council / Risk & Audit Committees
Executive Management (MB & SLT)
1st Line of Defence:
• Day-to-day risk management decisions
• Front line adoption of the risk and specialist risk frameworks
• Appropriately skilled and trained workforce
• Current and salient policies, procedures and governance
2nd Line of Defence:
• Challenge to 1st line regarding financial, compliance, quality, IT and risk controls
• Safety reviews and audits
• Independent reviews, inspections and investigations
• Specialist advice and training
3rd Line of Defence:
• Internal Audit
External Audit / Regulators
6. University’s Risk Management statement and strategic risk appetite
6.1. Intent
The Risk Management Statement is a core element of UNSW’s governance. The University is committed to building a risk aware culture that is supported by a tailored, practical and integrated approach to the identification and management of uncertainty inherent in our strategy, operations and the global environment in which we exist. This commitment is backed by ensuring appropriate risk capabilities of our people.
6.2. How risk is defined at the University.
Adopting the ISO 31000:2018 Standard’s definition of risk, risks will describe uncertainties in an event or condition that, if it is realised, will affect (positively or negatively) the achievement of one or more of the updated Strategy 2025 objectives. The magnitude of a risk will be assessed by qualifying the nature of the impact (positive or negative), its likelihood of occurrence, the effectiveness of existing controls and the speed at which the risk will impact the University.
6.3. Objectives of Risk Management.
Risk Management objectives include:
• Providing risk tools that are customised and integrated into University processes whilst enabling consistency in the application of risk management principles. Most notably these include, but are not limited to:
a. Strategic planning
b. Anticipating and implementing strategic change initiatives, new commercial activities, ventures and projects
c. Assessing and introducing academic or administration changes to courses or processes, respectively
d. Reviewing and approving research opportunities and grants.
e. Reviewing and assessing compliance controls and performance.
• Building the required capability across the University to enable personnel to identify, assess and mitigate risks through providing tailored risk education and training
• Enhancing the risk culture through embedding a consistent application of the University’s Risk Appetite into all strategic decision processes and facilitating salient risk discussions.
• Ensuring a consistent structure for review and monitoring of treatment actions for those high and very high risks with a less than effective control environment and a potential to immediately impact (positively or negatively) the University’s operations.
• Ensuring the ongoing review and interrogation of risk management performance against available data/indicators, industry leading practices and feedback from stakeholders.
6.4. Definition and Purpose of Risk Appetite Statement (RAS)
The Risk Appetite defines the type and degree of risk the University is willing to accept to achieve its strategy and operational aspirations. Its purpose is to guide University governance bodies, executive and staff in decision making. It does so by defining the boundaries for risk taking, thereby aligning decisions to the risk appetite.
These boundaries detail the principles and metrics, both quantitative and qualitative, that, when reviewed as a collective, assist in decision making. The draft RAS is to be used to review any activity that may impact the University and its controlled entities at an enterprise level.
6.5. Approach to Risk Appetite
The University supports a positive risk culture, where individuals are empowered to take measured risks to achieve the strategic priorities and to act within UNSW Behaviours. Conversely, activities that materially threaten the viability of the University and its strategy will not be supported.
Implementation of the RAS requires consideration of the risk appetite parameters as part of the strategic initiative feasibility and approval processes and as part of the operational decision making for governance and management forums.
Where an initiative or operational performance outcome falls into the tolerance range (i.e. where an initiative or operational outcome may impact the stated appetite but does not fall within the ‘unacceptable/no appetite’ statement), a risk evaluation is required. Mitigation actions must demonstrate how they will re-align the initiative or performance to the RAS. This is outlined in the diagram below:
Figure 4: Applied Risk Appetite process
NOTE: Refinement of the UNSW RAS is currently underway to address:
• Limited connection between the RAS guidance and metrics to decision-making processes
• Limited ability to translate the RAS guidance and metrics to monitoring of operational performance and reporting
This area will be updated once ratified by the Management Board (MB), Senior Leadership Team (SLT) and endorsed by the Risk Committee.
6.6. Unacceptable Risk Outcomes – No Appetite
‘No Appetite’ qualifications reflect the actions that are contrary to the Strategy 2025 and our UNSW Behaviours. These include, but will be revised as part of the RAS review:
• Activity that compromises the University’s legal and regulatory obligations
• Situations where those interacting with the University are recklessly harmed
• Research funded by tobacco or gambling organisations
• Activities that compromise the University’s academic quality and integrity for staff and students
• Adverse impacts on the University’s reputation
• Actions that adversely impact the University’s financial resilience
Figure 4 (Applied Risk Appetite process) content:
Step 1. Is the Strategic Initiative within RAS? / Are Operations performing within RAS?
NO: Where there are areas of uncertainty, the risk and mitigations will be identified and demonstrate how the initiative or operation will be delivered within appetite. This information will be central to the decision making.
YES: proceed to Step 2.
Step 2. Are the Strategic Initiative metrics clear? / Are performance monitoring metrics clear?
NO: Given the context of the initiative or operational task, ensure lead and lag indicators are clearly identified and demonstrate alignment with the RAS.
YES: proceed to Step 3.
Step 3. Are Governance Forums identified as responsible for monitoring performance against RAS?
NO: Clarify the Governance Forum responsible for monitoring the endeavour and those persons accountable for delivering the endeavour within RAS.
YES: Decision-making authority approval.
Where the remedial actions do NOT address the issues then: the initiative may not be approved; the Governance Forum increases scrutiny, escalates or ceases the operation.
Table 1: University’s qualitative risk appetite and tolerance areas (To be determined).
Strategic Priorities | Risk Appetite Parameters
Reputation | (to be determined)
Research advancement | (to be determined)
Innovation | (to be determined)
Student Experience | (to be determined)
Partnerships / Stakeholder | (to be determined)
High performing and engaged workforce | (to be determined)
Finance & Capital resilience | (to be determined)
Sustainable Campus | (to be determined)
7. Risk Management Process
Risk analysis and management is central to any Risk Management Framework. The process to conduct a risk assessment will follow the ISO 31000 approach as depicted in the diagram below. The detailed process, tools and guidance for conducting a risk assessment are provided in the ‘Risk Management Process’ document.
Figure 5: Risk Management Process aligned to ISO 31000:2018
7.1. Monitoring the Risks
Given that a risk assessment is a snapshot in time, clarifying who will monitor and manage the ongoing exposure/potential, and how, is a critical element of the process.
In the planning phase of conducting a risk assessment, the appropriate structure and timeframe for review of risks is confirmed. When the risk assessment process is contained within a procedure, the delegation of authority and process owners will help govern the management of unresolved issues.
However, in order to provide consistency in the governance and oversight of risk by the SLT and MB, an accountability matrix for oversight has been established. This is set out in Table 2.
Determination of the level and frequency of review is based on three metrics: the residual risk rating, the control effectiveness rating and the velocity rating.
When monitoring or reviewing a risk we will review:
• The nature and rating of risk given changes to external or internal environments
• The effectiveness of any changes to the control environment and the need for additional controls.
• The need to add new risks or controls, or to alter or retire existing ones.
Requirement: Where a risk assessment is required, our Risk Management Process is adopted.
Figure 5 content (partial): Scope, Context & Criteria; Communicate.
Table 2: Priority for Treating Group Level Risk
Residual Risk | Risk Control Effectiveness | Velocity | Management Action | Timeframe to establish critical control | Governance Oversight | Frequency
A: Very High | = Effective | All | Expectation that ongoing continuous improvement and monitoring is in place | N/A | Risk Committee of Council (RC) | Quarterly via normal/exception reporting
A: Very High | < Effective | Immediate & Short Term | Take action to reduce rating & exposure by building control effectiveness | 3 months | MB & SLT; RC | Monthly (MB & SLT); Quarterly via normal/exception reporting (RC)
A: Very High | < Effective | Long Term | Take action to reduce rating & exposure by building control effectiveness | 6 months | MB & SLT; RC | Monthly (MB & SLT); Quarterly via normal/exception reporting (RC)
B: High | = Effective | All | Expectation that ongoing continuous improvement and monitoring is in place | N/A | Dean / DVC / VP; MB & SLT | Via normal/exception reporting (Dean / DVC / VP); Quarterly (MB & SLT)
B: High | < Effective | Immediate & Short Term | Build control effectiveness in keeping with the business plan | 3 months | Dean / DVC / VP; MB & SLT; RC | Monthly (Dean / DVC / VP); Quarterly (MB & SLT); Quarterly via normal/exception reporting (RC)
B: High | < Effective | Long Term | Build control effectiveness in keeping with the business plan | 6 months | Dean / DVC / VP Executive; RC | Via normal/exception reporting
C: Moderate | < Effective | Immediate & Short Term | Build control effectiveness in keeping with all other priorities | 6 months | Director / HOS | As part of performance monitoring
C: Moderate | < Effective | Long Term | Build control effectiveness in keeping with the business plan | 12 months | Director / HOS | As part of performance monitoring
D: Minor | < Effective | All | Build control effectiveness in keeping with all other priorities | 18 months | Director / HOS | As part of performance monitoring
D: Low | < Effective | All | Lower priority. Build control effectiveness as part of usual business improvement. Monitoring will be required. | 18 months | Risk Owner | As part of performance monitoring
8. Communicating and Reporting Risk Information
8.1. Reporting the risks
Risk reporting will occur at various levels across the University:
1. Analysis of the risks for each Faculty, Division, Controlled Entity and project: The Risk Profile.
The risk profile captures the core information about risks related to a Faculty, Division, Controlled Entity or project. This includes the description, ratings and current and future actions associated with a risk. To draw out insights and issues for each area, their risk information is consolidated and presented as a risk profile dashboard.
2. A one-page overview of the risk profile: The Risk Frontier.
This view of risks will capture the known risks, change and growth risks and emerging risks (Table 3). The Risk Frontier draws from the risk profiles and discussion with Senior Executives of the area on key internal and external emerging and/or disruptive developments/trends.
Table 3: Example of the Risk Frontier
Known Risks (Risks arising from delivering core services) | Growth / Change Risks (Risks arising from growth and change initiatives) | Emerging Risks (Risks from internal and external emerging / disruptive developments or trends)
The prevention and detection controls for academic fraud lag the speed at which innovative options are made available to students. | On-line and digital learning programs and the opportunities they provide are compromised by competing priorities. | Future students’ and employers’ expectations on skill competency and work-readiness are not met by future UNSW graduates.
3. An enterprise view of the University and its Controlled Entities risks: The Enterprise Risk Profile.
This report will contain an Enterprise Risk Frontier that draws on the above two reports. It will provide additional commentary on the material risks. It will detail:
• Why the risk is important to the University and key Faculties and Divisions
• Changes to key mitigation strategies and risk environment
• Changes to Key Risk Indicator metrics (that include lead and lag indicators)
• Progress on agreed action to mitigate downside and pursue upside
In addition to including the relevant risk metrics in the commentary of a material risk, the collective set of risk indicators will be provided as an appendix to this report. The appendix will reflect changes over time and include commentary from relevant stakeholders on the implications of the change.
8.2. Risk Escalation
The escalation of risk takes two forms:
1. The routine escalation of those risks with sub-optimal control environments (section 7.6).
2. The immediate escalation of emergency and ‘crisis’ events. This is captured under the Incident and Crisis Management Framework, which embeds the risk ratings and Strategic Risk Appetite.
8.3. Annual Risk Plans
Faculty and Divisional Risk Plans are agreed annually. These plans are based on an assessment of the area’s risk maturity and their risk profile and are designed to enhance their performance in managing and monitoring risk exposures. The plan lists the agreed risk projects, a risk profiling schedule and identifies the sponsors and champions and team accountabilities. This process will be embedded into the Annual and Mid-year review process.
8.4. Relationship between Internal Audit and Risk Management
A valuable source of process risk and control information is found in the activities of Internal Audit. This information supports the risk profiling activity and provides assurance around key controls. Conversely, the information captured by risk provides an important input for the annual internal audit program and also for each audit. The relationship between the two functions is provided in Figure 6.
Figure 6 Relationship between Internal Audit and Risk.
9. Building Risk Capabilities
The central Risk Management team is accountable for identifying, building and maintaining the appropriate level of risk capability across the University. To achieve this, a matrix of key roles, critical to the management of risk, is matched to the nature of training to be provided. In addition, people in these roles will be invited to attend thought leadership sessions and strategic planning days.
Figure 7 Three legs to build capability.
The approach to building capability will draw on:
1. Learn – Acquire knowledge and skills through formal learning experiences, including e-learns, face-to-face training and formal mentoring arrangements.
2. Master – Apply the knowledge by developing and refining the skills and tools, providing feedback to enhance our capabilities.
3. Lead – Become a champion within the business, coaching others to make best practice a cultural norm.
Figure 7 content: Risk Capability – Learn, Master, Lead.
Figure 6 (Relationship between Internal Audit and Risk) content:
The Risk Profiles capture the uncertainties in delivering against strategy and objectives. As such, they are a valuable source for Internal Audit in developing their annual plan and in the preparation of each audit.
Internal Audit identifies and evaluates controls and works with the stakeholders to agree mitigation actions. This work is a valuable input into risk assessments and in building robust risk profiles.
• Process Risks: captured in the School and Operational level risk assessments contained in BAU processes
• Faculty, CE and Divisional Risk Profiles: linked to their objectives and captured in their Risk Frontier
• Enterprise Risks: linked to strategy and captured in the Risk Frontier
10. Risk Accountability
Risk Management is the responsibility of all personnel. To support the University, accountability for the implementation of the risk framework has been defined.
Accountability refers to the ultimate responsibility for actions, decisions, and management pertaining to the nominated activity. This does not mean that the function accountable must deliver the action, but it must seek assurance that the activity is or continues to be appropriate and progressing, if being established.
The functions and accountabilities that support our Governance structure for risk are listed in Table 4.
Table 4: Accountability and Responsibilities for Risk
Function | Accountability
Council | Maintain oversight of and gain assurance over the effective management of risk. Approve the endorsed University’s risk management framework, including the risk appetite.
Risk Committee | Oversight and governance of the University’s strategic Risk Frontier and dashboard. Review and endorse the University’s risk management framework, including the risk appetite. Advise Council on the University’s performance in managing risk.
Senior Executive Leadership Team and Management Board | Active monitoring of the management of material risks and risk culture. Active risk leadership and sponsorship of key risk activities. Review of the University’s strategic Risk Frontier, ensuring the salient strategic, growth and change and operational risks are represented.
Director of Risk | Ensure the University’s risk management approach reflects ‘leading practice’ and is tailored to the University’s activities. Lead the ongoing development and integration of risk management into policies, procedures, standards, templates and tools, seeking innovation to our practice. Build the capability to identify and evaluate risk across the University. Generate and submit the University Consolidated Strategic Risk Frontier and updated Risk Dashboard for discussion at the Executive and review at the Audit and Risk Committees.
Faculties and Divisions | Effective implementation (i.e. resourcing, training, conduct of assessments, integration of information into decision making and monitoring) of risk management within their Faculty or Division with the ongoing support of the Risk Function. Active leadership to drive a risk aware culture. Monitoring of their Risk Management Action Plan. Generation of quarterly Risk Profiles.
Subject Matter Experts & Risk Champions | Ensure the University’s risk management approach reflects current ‘good practice’ related to their area of expertise or knowledge and that the approach is tailored to the University’s activities, working with the Risk Function. Support and build the capability to identify and evaluate their area of risk across the University. Participate in the conduct of risk assessments and the monitoring of action as related to their area.
11. Monitoring and Review of the Risk Management Framework
The framework will be reviewed and updated annually against industry standards and innovations and following review of the University’s performance and maturity in managing risk using the Maturity Model assessment and stakeholder feedback. The revised framework will be submitted to the Risk Committee annually for ratification.
Attachment A: Risk Rating Tables
The consequence table defines the nature of a potential impact that results from a risk being realised. The rating is determined by the highest rated impact irrespective of impact type.
Impact type Consequence
Academic (Research & Teaching)
Facilities & Operations
People & Community Financial Global Standing Partners & Authorities
Severe: Long term or widespread impact requiring Senior Executive and Council time and effort over multiple months and deviation from the strategic plan.
- Systemic academic or research fraud
- Loss of signature high profile research capability
- Closure of signature course
- Multiple (>10) students suspended or unenrolled from courses
- Multiple (>10) students' degrees are retracted
- Compromised student and research data
- Multiple academic research papers are retracted
- Loss of critical facilities (e.g. labs) for 1+ yr
- Critical IT systems not available for greater than 6 months and irretrievable loss of the stored data
- Data integrity/loss and IP loss associated with sensitive research and commercial endeavours
- Large scale release of sensitive and personal information to public domains
- Inability to deliver key project benefits / Critical operations unable to be performed
- VC and/or key Executive resigns
- Board restructure
- Pervasive loss of University community confidence
- Reckless, work-related harm to people / Multiple work-related deaths or serious permanent disabilities
- Widespread, permanent environmental harm
- QILT ranking drops
- Significant personal liability and/or potential custodial sentence of directors and/or employees
- Fraud event ($1M)
- Misappropriation of $1M funds, including philanthropic donations
- Financial loss, including teaching revenue, exceeding $50M and/or with the potential to incur additional costs in more than the current year
- Key 3rd party withdrawal of funding
- Engagement with partners/entities not aligned with the RAS (e.g. connection with tobacco and gambling industries)
- Legal action with material basis of negligence
- International and widespread prolonged (>1 month) adverse media (including social media)
- Global Higher Education community raises concerns over UNSW actions
- Loss of provider status
- Total loss of confidence by Government / Student Community / Authorities / Funding and Research Bodies
- Key strategic partner/alliance ceases engagement with UNSW

Major: Impact requiring Senior Executive management and oversight and notification to Council.
- Withdrawal of or conditions imposed on Research funds
- Unable to continue research and/or teaching in a FOS
- Withdrawal or retraction of publications
- Retraction of a student qualification
- Loss of the data of a defined group of students and research projects
- Partial loss of a critical facility for between 6 months and 1 year
- Loss of central teaching or research facilities for 3 terms
- Regulatory sanction / suspension of licence / accreditation conditions
- Loss of critical IT system for 1-2 terms
- Sensitive and personal data released to the public
- Major project benefits are no longer viable / Critical operations compromised
- Faculty Dean, VP or DVC termination
- Single work-related death or permanent disability
- Long term damage to the environment
- Ongoing disruptive industrial action (>1 month)
- Widespread Student and/or Staff body protest / outcry
- Community outcry and action / Staff performance across the University eroded
- Financial loss, including teaching revenue, between $20M and $50M
- International and widespread short-term (1 month) adverse media (including social media)
- Suspension of or conditions on Provider Status
- Loss of standing in the Australasian Research and Academic Community visible to global partners
- Investigation by ACNC, ATO, ANSTO or AONSW
- Targeted enquiry or investigation by Authorities
- Widespread disaffected student community
- Corporate partners (existing and potential) disassociate themselves from UNSW
- Legal dispute with Corporate partner (e.g. IP and commercialisation rights)
- Major partner disengages

Substantial: Impact requiring Executive oversight and HOS/Director action.
- Capability to complete research or teaching commitments is undermined, impacting quality, cost and timeframes
- Unable to continue research and/or teaching in a FOS for a term
- Erosion of student GPA and progression rates
- Loss of a student cohort's or research project's data
- New course unable to be progressed or introduced
- Load sharing to support signature course and/or research
- A building is not able to be occupied for between 1 and 6 months during the teaching year
- Loss of central teaching or research facilities for between 1 and 2 terms
- Core IT systems are inconsistently available to staff and students throughout the terms
- Irretrievable loss of non-research data
- Project / operations cost/time over-runs
- Key person loss
- Staff performance issues (>1 area of the University)
- Work-related injury requiring hospitalisation
- Localised environmental harm lasting >1 month
- Industrial action (up to 1 month)
- A student group lodges complaints
- A community group voices concerns
- Legal action from a group of students, staff or a community group
- Financial loss between $5M and $20M
- Costs and/or loss unable to be absorbed in the current Divisional or Faculty budget
- Adverse state-based and social media traffic (mainly spurious) lasting 2 weeks
- Persistent short-term media enquiries over the events
- Australian Higher Education Community queries UNSW Research and Academic Integrity
- Pursuit of a new opportunity is compromised
- Authorities and government register strong concerns / threaten investigation
- Corporate partners (existing and potential) voice strong concerns
- Breach of contracts
- Enforceable penalties or civil action
- Increased partner complaints

Medium: Localised impact for a Divisional Unit or School.
- Program development deferred or not progressed
- Capability to complete research or teaching commitments is compromised in the short term
- Increased reliance on inexperienced casual teaching staff
- Compromised access to research equipment and/or facilities for 1 month
- A building is not able to be occupied for 1-2 weeks during term
- Basic IT systems availability is unstable for staff and students for less than 1 month
- Localised staff performance issues
- Community member, staff or student legal action
- Student groups register separate concerns
- Work-related injury/illness requiring medical/health professional intervention
- Localised environmental harm lasting <1 month
- Financial loss between $50k and $5M
- Costs and/or loss unable to be absorbed in the current Unit or School budget
- Unauthorised spend up to $500K
- Active adverse student social media traffic (mainly spurious) lasting 2 weeks
- External queries over UNSW Research and Academic Integrity
- One-off adverse media report with local coverage or intra-industry knowledge of the incident
- Authority formally seeks clarification
- Issue of infringement notice

Insignificant: Issue that is managed as part of BAU.
- Unit development is postponed or not progressed
- Casual teaching staff are unable to be sourced, impacting quality
- Research data or samples impacted but recovered within three days
- Facilities are unable to be occupied for the day
- Localised user group unable to access IT systems (<3 days)
- IT systems do not operate efficiently
- Operational performance impacting day-to-day activities or a project
- Disaffected group of students and/or staff
- Minor work-related incident requiring first aid treatment only
- No material environmental harm – on-site, immediately contained, no ongoing impact
- Financial loss less than $50k
- Unauthorised spend up to $50k
- Global Standing: N/A
- Authority registers issue only
- Minor complaints that can be managed within the business unit
Control Effectiveness and Velocity Ratings

The Control Effectiveness rating indicates the level of maturity of the controls that mitigate either the consequence or the likelihood of a risk. The Velocity rating identifies the potential speed at which the impact will materialise and affect the University.

Control Effectiveness
Effective: Controls are adequate, appropriate and effective. They provide reasonable assurance that risks are being managed and objectives should be met.
Well based: A few specific control weaknesses are noted. However, many controls are adequate, appropriate and effective, providing a solid basis for assurance that risks are being managed and objectives should be met.
Improvement desired: Numerous specific control weaknesses were noted. The controls evaluated are unlikely to provide reasonable assurance that risks are being managed and objectives should be met.
Ineffective: Controls are not adequate, appropriate or effective. They do not provide reasonable assurance that risks are being managed and objectives should be met.

Velocity
Immediate: The impact of the risk will affect the University's operations, its reputation and/or its ability to operate immediately.
Short Term: The impact of the risk will take up to six months to be realised, which provides some lead time to convene a working party to prepare for and manage the expected impact.
Long Term: The impact of the risk will take over six months to be realised, which provides substantial lead time to establish a working team to plan and execute mitigation activities for the expected impact.

The Likelihood rating indicates the potential for an occurrence. The Likelihood and Consequence ratings together provide the overall risk rating.

Likelihood
Almost Certain: Expected to occur in most circumstances (90+% chance)
Likely: Will probably occur (61-90% chance), i.e. more likely to occur than not
Possible: Possible occurrence (21-60% chance)
Unlikely: Remote chance of occurring (1-20% chance)
Rare: May occur in exceptional circumstances (<1% chance)

Risk Rating Matrix: Likelihood (rows: Almost Certain, Likely, Possible, Unlikely, Rare) against Consequence (columns: Insignificant, Medium, Substantial, Major, Severe).

Opportunity
Strong: The opportunity is easily identifiable; tangible steps can be taken to realise the upside.
Credible: The opportunity requires more investigation to confirm its potential and viability; however, it appears to have a sound basis for upside.
Constrained: The opportunity has potential for upside, although it may be restricted and its potential limited.
Risk Categories

Risk categories are used to analyse and consolidate risk information by grouping risks according to their source. They do not provide the level of detail required to understand the nature of a risk; for this reason they are not rated.

Risk Category: includes risks related to
Strategic: Strategic planning and delivery of initiatives; related external environmental and market shifts
IT / Cyber: Digital services and security; data security and IT incident response / DR
Facilities / Operational: Facilities, infrastructure, and service and project delivery by associated ‘enabling functions’; business resilience
People & Culture: Safety and security, recruitment, retention, culture, behaviour; change readiness
Financial: Financial/budget reporting and control; Treasury/investment strategy and management
Academic (Research / Teaching): Research and teaching quality, standards and conduct; student progression and load
Legal/Regulatory: Legislation, regulation and standards compliance and changes
Student: Student experience, safety and security
Stakeholder: Expectations of and engagement with third parties, i.e. partners, community, corporates and government
Governance: Reporting to and oversight by Council, sub-committees of Council and governance forums
Accountabilities
Responsible Officer: Director of Risk
Contact Officer: Director of Risk

Supporting Information
Legislative Compliance: Nil
Parent Document (Policy and Procedure): Risk Management Policy
Supporting Documents:
- Risk Management Procedure
- Business Risk Maturity Tool
- Risk Appetite Statement
Related Documents:
- HS329 Risk Management Procedure
- Fraud and Corruption Prevention Policy
- Legislative Compliance Policy
- Legislative Compliance Procedure
- Procurement Policy
- Procurement Procedure
- IT Security Policy – Information Security Management System (ISMS)
Superseded Documents: Nil
File Number: [For Governance Use]
Revision History
Version: V3; Approved by: Risk Committee of Council; Approval date: 29 Nov 2019; Effective date: 29 Nov 2019; Sections modified: All
Further Information
Keywords for search engine: Risk Assessment; Risk Management; Risk Appetite