Risk Management Policy

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Introduction

(1) Charles Sturt University (the University) will meet its commitments regionally, nationally and internationally by focusing on:

  1. an enriching and supportive Student experience for its diverse range of students;
  2. a Course Profile that reflects student demand and meets workforce needs; and
  3. Research that creates new knowledge and practice.

(2) Effective risk management is necessary for competent strategic decision making and the conduct of efficient, effective and robust business processes, allowing the University to identify and take up opportunities while meeting required standards of accountability, compliance, probity and transparency. The University is committed to managing its opportunities and risks, as a component of its standard management responsibilities, and in the process reducing high inherent risk exposures to acceptable levels and maintaining continuity of key business processes.

Section 2 - Purpose

(3) Risk Management is a core component of the University's governance.

(4) The purpose of this Policy is to:

  1. develop a culture of risk awareness whilst maintaining the institutional innovation and agility to identify and realise opportunities;
  2. ensure compliance with risk management processes that are mandated by Government;
  3. integrate and align risk management systems within the University's activities and business processes; and
  4. encourage continuous review and improvement of the University's quality assurance and management processes.

(5) The objectives of the Risk Management Policy are to:

  1. have corporate risks taken into account when making strategic management decisions;
  2. see that the management of operational risk is integrated into standard management and accountability processes; and
  3. have staff assume appropriate responsibility for managing risks.

Section 3 - Principles

(6) This Policy is based on principles of:

  1. commitment - the University is committed to the identification of opportunities and risks and their effective management;
  2. disclosure - the University will identify and document opportunities and material risks in a systematic manner and take appropriate action to manage these;
  3. integration - the University will integrate the Risk Management Standard (ISO 31000:2009) and achieve staff accountability through established reporting lines;
  4. improvement - the University commits itself to continuous improvement of its services and its underlying business processes; and
  5. inclusion - the University will provide education and guidance so as to allow all staff to undertake their responsibilities.

Section 4 - Scope

(7) The Risk Management Policy applies to Charles Sturt University as a whole, its controlled entities and all employees of the University and its controlled entities.

Section 5 - Glossary

(8) The University has adopted the following definitions:

  1. Risk - effect of uncertainty on the achievement of objectives (AS/NZS ISO 31000:2009).
  2. Risk Management - coordinated activities to direct and control an organisation with regard to risk (ISO Guide 73:2009, definition 2.1).
  3. Risk Management Process - systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk (ISO Guide 73:2009, definition 3.1).
  4. Residual Risk - 'the risk remaining after implementation of risk treatment' (AS/NZS 4360:2004 - superseded standard).
  5. Risk Appetite - the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals (Council of Sponsoring Organisations).

Section 6 - Expectations

(9) All employees of the University and its controlled entities shall comply with the Risk Management Policy, regulatory and funding body requirements. Individuals will act with regard to the wellbeing and safety of themselves and others in the University community.

(10) The University's Budget Centres will document their management of risks through a current risk register and will monitor and manage operations so as to maintain residual risks at an acceptable level. Managers of Budget Centres will, by direction from the Vice-Chancellor, assess current and emerging risks and upward report those that are assessed as "high" or "very high". Managers will, if they deem it necessary, terminate an activity that is assessed to have an unacceptably high risk.

(11) The University Auditor on behalf of University Council and the Vice-Chancellor will co-ordinate, at a minimum, an annual strategic risk assessment of the University and of entities controlled by the University. This assessment will include a review of operational risk registers prepared by Budget Centres.

(12) All significant projects and activity proposals, including commercial activities, will include a business plan incorporating a current risk analysis.

(13) Projects will be conducted using approved University methodologies which incorporate risk management.

(14) Activities for managing risks should, where practical, be consistent with the principles outlined in the Australian and New Zealand Risk Management Standard and guidance materials issued through Standards Australia.

Section 7 - Responsibility

University Council

(15) The University Council has primary responsibility under Section 19 (1B) of the Charles Sturt University Act 1989 for:

  1. overseeing risk management and risk assessment across the University and its controlled entities;
  2. promoting a culture that supports strategically driven decision making within a framework of public accountability;
  3. setting the standards and expectations of staff with respect to ethical conduct and probity;
  4. determining the risk appetite of the University and the University's attitude to risks with respect to particular major issues;
  5. approving major policies in relation to risk management;
  6. approving major decisions affecting the University's risk profile or exposure;
  7. approving and monitoring systems of control and accountability for the University (including in relation to controlled entities);
  8. approving significant University commercial activities; and
  9. establishing policies and procedural principles for the University consistent with legal requirements and community expectations.

Finance, Audit and Risk Committee

(16) The Finance, Audit and Risk Committee is responsible, on behalf of the Council, under the Governance (Finance, Audit and Risk Committee) Rule 2015, for monitoring the adequacy and effectiveness of risk management processes within the University.

Vice-Chancellor's Forum

(17) The Vice-Chancellor, as the Chief Executive Officer and President, is accountable to the Council for risk management and responsible for ensuring the:

  1. identification and management of the strategic opportunities and risks faced by the University, including the provision of adequate and timely information to the University Council and the Finance, Audit and Risk Committee;
  2. actioning of recommendations and directions of the University Council, the NSW Auditor General and the University Auditor;
  3. identification and appropriate management of operational risks throughout the University through the development and implementation of operational policies and procedures for risk management;
  4. maintenance of an effective system of internal control, and an effective internal audit program, consistent with the Public Finance and Audit Act 1983;
  5. satisfactory business continuity and disaster recovery planning by the University and Budget Centre, including contingency management for information technology systems, critical response planning and response readiness; and
  6. review and improvement of policies and procedures on a regular basis to ensure their currency and effectiveness.

Executives and Managers

(18) Executives and managers of the University and its controlled entities are responsible for incorporating risk management into their standard management practices by:

  1. identifying and determining appropriate actions to address operational and business continuity risks within their area of responsibility in accordance with University policies and procedures;
  2. documenting their risk management processes by developing and maintaining a register of risks;
  3. implementing actions with respect to risk management as directed by the Vice-Chancellor's Forum;
  4. upward reporting of significant emerging or residual risks; and
  5. ensuring the inclusion of risk management responsibilities in duty statements, induction, professional development and performance management processes for all staff of the University and its controlled entities.

Office of Internal Audit

(19) The role of the Office of Internal Audit is to provide advice on the implementation of the University's Risk Management Policy and to monitor the effectiveness of the policies and procedures for managing risk in the University. The Office of Internal Audit will report to the Finance, Audit and Risk Committee on the effectiveness of controls implemented to manage fraud, corruption and maladministration risks.

Section 8 - University Risk Appetite and Categories

Appetite in Relation to Opportunities and Risks

(20) The University is a relatively young institution operating in the highly competitive and fluid Australian Higher Education system. The institution operates on the basis of having a "low margin for error" but cannot be risk averse if it is to achieve long term objectives. That is, the University must be both nimble and innovative, as it continues to develop its reputation and profile, in the face of real constraints on current income and available savings. As such, the University must identify and maximise its opportunities at a strategic level, while exercising due caution at an operational level.

(21) In pursuing and managing strategic opportunities and risks, the University recognises the need to maintain low or very low appetite for risk in operational areas.

(a) Health, Safety and Environment

(22) The University's appetite for risks related to health and safety is very low.

(23) The University will maintain a culture of health and safety awareness and there is an expectation that Budget Centres will meet all health and safety compliance requirements.

(24) The University values the environment and will act accordingly. The University has a low risk tolerance with respect to any activity that could significantly degrade the environment.

(b) Values, Ethics and Institutional Reputation

(25) The University's appetite for risks related to values, ethics and institutional reputation is very low. The University will not compromise its reputation and values by either short term or long term expediency.

(26) Institutional reputation is also derived from the experience of students and researchers. For this reason operational registers and project proposals should consider student experience and researcher experience as key value drivers.

(c) Quality Assurance

(27) The University recognises that the quality of its research, its courses, the experiences of its students and its other services is fundamentally linked to its reputation and financial status. As such its risk appetite in relation to quality assurance is low.

(28) The University expects accountability and continuous improvement in relation to quality of service at all levels within the institution. The University must be able to demonstrate to external stakeholders a transparent level of assurance on relevant standards.

(d) Compliance

(29) Within this risk category, the University's risk appetite is low. As a good corporate citizen, the University seeks to comply with relevant statutory requirements to the best of its endeavours.

(30) This statement is made with the understanding that the seriousness of particular compliance requirements may vary depending upon the relationship of the requirement with other risk categories. The University will look to satisfy compliance requirements in the simplest and most effective way possible.

(e) Business Continuity

(31) The University's risk appetite is low with respect to the operation of key University systems, infrastructure and retention of the skills and knowledge of key personnel. Operational plans, together with supporting risk management documentation, should clearly define mitigating strategies to ensure ongoing delivery of critical activities and supporting services.

(f) Finance

(32) The University's appetite for financial risk at an operational level is low. The University recognises its financial strength and sustainability as being critical to its future.

(33) Strategically, the University may accept a moderate level of financial risk with respect to new projects and endeavours. Financial risks and rewards are to be weighed by senior executives against both short and long term strategic and operational priorities.

Section 9 - Performance

(34) The University Council, principally through the Finance, Audit and Risk Committee, will monitor and evaluate the University's performance in relation to risk management. This will be informed by an annual assessment facilitated by the Office of Internal Audit covering:

  1. the effectiveness of the implementation of risk management policies and procedures across the University and its controlled entities;
  2. the awareness of managers and staff of their responsibilities, including appropriate professional development and performance management in relation to risk management;
  3. the existence of risk management plans for all major activities, including all commercial activities;
  4. the identification of risk management responsibilities in duty statements, induction, professional development and performance management processes for all staff of the University and its controlled entities; and
  5. the currency of the corporate risk assessment.

Section 10 - Authority

(35) The Vice-Chancellor, delegated executives and delegated managers may approve risk management procedures and guidelines that are not inconsistent with this Policy.

Section 11 - Review

(36) This Policy will be reviewed every year.