Risk Management Policy

Section 1 - Purpose

(1) The purpose of this Policy is to establish the expectations and approach to risk management at Charles Sturt University (the University) as part of the University's governance responsibilities and obligations under Section 19 (1B) of the Charles Sturt University Act 1989 and also the Voluntary Code of Best Practice for the Governance of Australian Universities by Universities Australia.

(2) The objectives of this Policy are to:

  1. develop an inclusive and risk-aware culture whilst maintaining institutional innovation and agility to identify and realise opportunities;
  2. establish a consistent, systematic and demonstrable approach to risk management at the University;
  3. incorporate organisational risk management as part of the University's strategic planning and management process;
  4. integrate the management of risks into day-to-day management and accountability processes; and
  5. define clear roles and responsibilities for managing risks at the University.


(3) The University is a relatively young institution operating in the highly competitive and fluid Australian Higher Education system. In order to achieve its strategic objectives, the University needs to make decisions by proactively managing risks and maximising the opportunities presented. The University strives to be inclusive, insightful, impactful and inspiring as it continues to develop its reputation and profile.

(4) The University is committed to its communities, students, staff and its reputation, with the aim of becoming a globally recognised university whose graduates help create a community that is truly interconnected through scholarship, knowledge, skills, values and culture.

(5) Effective risk management, supported by efficient, effective and robust business processes, is necessary to successfully achieve the University's strategic objectives. It allows the University to identify risks so that they can be managed to acceptable levels, and to capitalise on emerging opportunities.


(6) This Policy applies to all academic and professional staff of the University, controlled entities, partnerships, contractors and adjunct staff.

Section 2 - Glossary

(7) For the purpose of this Policy, the University has adopted the following definitions:

  1. Risk - means the effect of uncertainty on objectives;
  2. Risk Management - means coordinated activities to direct and control an organisation with regard to risk;
  3. Risk Management Process - means the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk;
  4. Inherent Risk - means an assessment of the risk exposure without reference to risk controls;
  5. Control Risk - means an assessment of the risk exposure with the identified controls in place and operating. Controls should be measurable;
  6. Residual Risk - refers to the risk remaining after implementation of risk treatment;
  7. Risk Appetite - refers to the degree of risk, on a broad-based level, that the organisation is willing to pursue or retain;
  8. Senior Executives - refers to Deputy Vice-Chancellors, Chief Financial Officer and Executive Director, Human Resources, in accordance with clause 3 of the Delegations and Authorisations Policy;
  9. the Standard - refers to the Australian and New Zealand Standard for risk management, AS/NZS ISO 31000:2009; and
  10. Managers - refers to a Primary or Secondary Manager or Manager, as defined in clause 3 of the Delegations and Authorisations Policy.
Section 3 - Policy

Risk Management Standard

(8) The University has adopted its risk management framework in accordance with the Australian and New Zealand Standard for risk management, AS/NZS ISO 31000:2009 (the Standard).


Risk Management Principles

(9) The risk management framework is based on the 11 principles identified in the Standard:

  1. create and protect value;
  2. be an integral part of organisational processes;
  3. be part of decision making;
  4. explicitly address uncertainty;
  5. be systematic, structured and timely;
  6. be based on the best available information;
  7. be tailored;
  8. take into account human and cultural factors;
  9. be transparent and inclusive;
  10. be dynamic, iterative and responsive to change; and
  11. facilitate continual improvement of the University.

Risk Management Process

(10) A consistent and transparent risk management process has been established to assist responsible parties at the University to effectively manage risks. The risk management process adopted by the University is illustrated in the Risk Management Process diagram. Procedural steps and guidance for implementation of the risk management model are detailed in the Risk Register Procedure.

Risk Assessment

(11) Identified risks will be categorised based on the established risk categories defined in the Risk Register Procedure. Identified risks are analysed to determine their degree of influence on the achievement of objective(s), which forms the inherent risk rating.

(12) The level of inherent, control and residual risk ratings will be assessed by the respective risk owners based on the Risk Ratings Matrix and Likelihood Ratings Guide appended to the Risk Register Procedure.

(13) In pursuing and managing opportunities and risks, the University recognises the need to define its risk appetite for established risk categories which will be reviewed periodically against the current University Strategy and external environment. The University's risk appetite is documented in the Risk Appetite Statement.

(14) Risks will be evaluated against established risk appetite and risk rating levels.

Risk Treatment, Monitoring and Reporting

(15) Where rated risks are not within risk appetite or target risk levels, further risk treatments are expected to be formulated to reduce the risk to an acceptable level.

(16) Decisions to accept risks which are beyond risk appetite and target risk levels will be made at the Vice-Chancellor's Leadership Team level and monitored, and reported to the Finance, Audit and Risk Committee.

(17) University risks will be monitored on an ongoing basis at the respective Budget Centre level. Organisation-wide risk reporting processes will be established through existing management and governance structures to challenge risk profiles and the integrity of the risk management process.

Integration with Existing Risk Management Processes

(18) The risk management principles and approach described in this Policy will be embedded within existing processes where a systematic risk management practice already exists, e.g. project management, entering into ventures or partnerships and procurement of large contracts.

(19) Where specific governance or legislative obligations to assess and manage risk exist, e.g. Workplace Health and Safety, and Research Ethics and Integrity, a systematic approach to manage risks in these areas, which aligns as much as practicable to this Policy, will be established.


University Council

(20) The University Council has primary responsibility under Section 19 (1B) of the Charles Sturt University Act 1989 for:

  1. overseeing risk management (including risk assessment) across the University and its controlled entities;
  2. promoting a culture that supports strategically driven decision making within a framework of public accountability;
  3. determining the risk appetite of the University and the University's attitude to risks with respect to particular major issues;
  4. approving major policies in relation to risk management; and
  5. approving major decisions affecting the University's risk profile or exposure.

Finance, Audit and Risk Committee

(21) The Finance, Audit and Risk Committee is responsible, on behalf of the University Council, under the Governance (Finance, Audit and Risk Committee) Rule 2015, for overseeing and granting relevant approvals with respect to risk activities.

Vice-Chancellor

(22) The Vice-Chancellor is accountable to the Council for risk management and responsible for ensuring the:

  1. identification and management of the strategic opportunities and risks faced by the University, including the provision of adequate and timely information to the University Council principally through the Finance, Audit and Risk Committee; and
  2. identification and appropriate management of operational risks throughout the University through the development and implementation of operational policies and procedures for risk management.

Senior Executive

(23) Members of the Senior Executive are responsible for ensuring that the risk management processes are implemented in their respective areas of responsibility. This includes:

  1. ensuring key strategic and operational risks within their areas of responsibility are identified and documented as required in this policy and associated documents;
  2. accepting ownership of the risks identified and being satisfied that appropriate risk mitigation strategies are in place to manage risks to acceptable levels;
  3. escalating and reporting significant risks to the Vice-Chancellor; and
  4. ensuring the inclusion of risk management responsibilities in duty statements, induction, professional development and performance management processes for all staff within their areas of responsibility.

Managers

(24) Managers of the University are responsible for incorporating risk management into their standard management practices by:

  1. understanding the University's risk management principles and fostering a risk-aware culture within their areas of responsibility;
  2. identifying and determining appropriate actions to address risks within their area of responsibility in accordance with University policies and procedures;
  3. documenting their risk management processes by developing and maintaining a register of risks;
  4. upward reporting of significant emerging or residual risks; and
  5. ensuring the inclusion of risk management responsibilities in duty statements, induction, professional development and performance management processes for all staff within their area of responsibility.

Project Managers

(25) Project Managers of the University are responsible for incorporating organisational risk management into their project management methodology and practices by:

  1. understanding and employing the University's risk management framework and methodologies in the delivery of projects;
  2. identifying appropriate risk mitigation strategies to manage risks to an acceptable level; and
  3. upward escalation (where required) and reporting of significant emerging risks to the Project Sponsor or Control Group.

Risk Management Function

(26) The role of the Risk Management function is to facilitate and provide advice on the implementation of the elements of the University's Risk Management Policy and continuously improve the University's Risk Management framework. This includes:

  1. establishing supporting processes, tools and advice to facilitate effective risk management;
  2. facilitating an annual principal risk assessment for the identification, assessment and reporting of the University's risk profile to the Vice-Chancellor's Leadership Team and the Finance, Audit and Risk Committee;
  3. reviewing risk registers prepared by budget centres for completeness, accuracy, clarity and quality of risk information; and
  4. working with staff across the University to assist with embedding risk management processes into operational, management and strategic processes.

Internal Audit Function

(27) The role of the Internal Audit function is to provide advice through the conduct of internal audit activities on the effectiveness of the mitigation controls or strategies for managing risk in the University.

(28) Internal Audit will also assess the effectiveness of risk management practices across the University against the Risk Management Policy and Procedure and related processes.

All Academic and Professional Staff Members

(29) Staff members (including contractors and adjunct staff) are required to be aware of the University’s risk management framework and contribute towards building a strong risk management culture. This includes:

  1. undertaking responsibility to perform tasks and duties diligently and effectively, contributing to effective operational risk management;
  2. bringing to the attention of their managers/supervisors:
    1. risks within their areas of operation which may not be well mitigated and may affect the performance and reputation of the University; and
    2. risks that should be escalated according to the Risk Matrix.

Directors of Controlled Entities, Centres and Institutes

(30) Directors of controlled entities, research centres and institutes are responsible for overseeing the risk management practices in their organisations in accordance with this Policy.


(31) The University Council, through the Finance, Audit and Risk Committee, will monitor and evaluate the University's performance in relation to risk management. This will be informed by an annual assessment facilitated by Internal Audit covering:

  1. the effectiveness of the implementation of the risk management framework across the University and its controlled entities;
  2. the awareness of managers and staff of their responsibilities, including appropriate professional development and performance management in relation to risk management;
  3. the existence of risk assessments for all major activities, including all commercial activities;
  4. the identification of risk management responsibilities in duty statements, induction, professional development and performance management processes for all staff of the University and its controlled entities; and
  5. the currency of the strategic risk assessment, including the effectiveness of controls and the completion and effectiveness of the associated treatments.


(32) The Council is the only authority that may approve this Policy and other policies relating to risk management. (Refer to the Delegations and Authorisations Policy - Schedule 1: Delegation GOV7.)


(33) This Policy will be reviewed annually.

Section 4 - Procedure

(34) Refer to the Risk Register Procedure.

Section 5 - Guidelines

(35) Nil.