Risk Management Procedure

Section 1 - Purpose

(1) This procedure supports the Risk Management Policy and describes the methodology and processes that guide, direct and support a consistent approach to risk management across Charles Sturt University (the University).

Scope

(2) See the Risk Management Policy.

Section 2 - Policy

(3) This procedure supports the Risk Management Policy.

Section 3 - Procedures

(4) All staff actively engage in risk management in their areas of responsibility, and many day-to-day decisions involve an element of risk.

(5) Often, once a risk has been identified, it can be prevented, controlled and managed through business-as-usual operations. In some situations, even though a risk has been identified, no action will be taken and the risk is accepted by the appropriate risk owner in accordance with the University's Risk Appetite Statement.

(6) All relevant stakeholders must be consulted when managing risk. This provides the decision-maker with as much relevant information as is available and facilitates implementation by ensuring that the reasons for the decision taken are understood.

(7) The University's approach to risk management is to identify, assess, treat, monitor and review, and report.

Risk identification

(8) Risks are described as potential uncertain events that could lead to adverse impacts on the University's strategic objectives and reputation, students and staff. Risks can be either threats or missed opportunities.

(9) To analyse and consolidate risk information, risks are classified using the following risk categories (as outlined in the Risk Appetite Statement):

(10) Risk identification occurs at various levels and stages within the University:

(11) Identified risks must be documented in the relevant portfolio, faculty and divisional RCSA risk register.

(12) The Risk and Compliance Unit is responsible for coordinating the following RCSA risk registers:

(13) The RCSA risk register is an output of the RCSA process that documents the University's current exposure to risks. It includes information such as risk category, description, controls, inherent and residual risk ratings, risk appetite and risk treatments.

Risk assessment

(14) Identified risks are assessed to determine their potential causes and sources, in order to analyse the likelihood of the risk event occurring and the potential severity of its consequences using the Risk Matrix defined in the Risk Management Guidelines. This initial assessment provides an inherent risk rating, which is the risk exposure prior to the implementation of controls.

(15) Analysis should also consider the design, performance and effectiveness of existing internal controls, processes and governance structures. Risk analysis may draw from a range of quantitative and qualitative techniques to generate a residual risk rating. Residual risk is the exposure after controls have been implemented.

(16) Risks will be evaluated to determine whether or not residual risks are within the University's risk appetite:

(17) A risk owner will be assigned to each risk, with responsibility for managing the risk.

(18) Further guidance on completing the risk assessment process is outlined in the Risk Management Guidelines.

Risk treatment

(19) Risk treatments must be applied for risks that exceed the University's risk appetite for the relevant risk category (see clause 9).

(20) Risk treatment options include:

(21) Selecting appropriate risk treatment actions must balance benefit and cost, and should bring the residual risk rating in line with the risk appetite when implemented effectively.

(22) Risk treatment actions must be documented and agreed upon with the relevant risk owner.

(23) Where no viable risk treatment option is available to reduce risk exposure, the Vice-Chancellor may propose to the Council, via the Audit and Risk Committee, that the risk be accepted.

(24) Risk appetite exceptions submitted to Council must include:

(25) Further guidance on the risk treatment process at the University is outlined in the Risk Management Guidelines.

Risk monitoring and review

(26) Risk monitoring and review ensure that the risk management process is operating effectively. Monitoring and review can be formal or informal, and include the risk control self-assessment process, independent reviews (e.g. internal audit) and continuous informal reviews (e.g. discussing emerging risks in meetings).

(27) Portfolio and division/faculty senior leaders review a summary of their RCSA risk registers at least quarterly.

Risk reporting

(28) All staff must identify and assess risks before commencing new activities and report risk upwards to their supervisor as part of day-to-day operational activities.

(29) Where risks rated medium, high or very high using the Risk Matrix have been realised (the risk occurs and is now an issue), or where a risk breaches the University's Risk Appetite Statement, staff must also report the risk to the Risk and Compliance Unit. Examples of risks to be escalated include but are not limited to:

(30) RCSA risk registers act as central repositories of risk data, including context, risk ratings, treatments and risk management responsibilities and accountabilities. The Risk and Compliance Unit will maintain RCSA risk registers at the University level, portfolio level and individual division/faculty level.

(31) Through consistent application of the RCSA process, the self-assessments act as the basis for internal risk reporting that enables decision makers to meet their risk management obligations. Risk control self-assessments also provide data and information for reporting to external stakeholders, where applicable (such as regulators or external auditors).

(32) In line with the Risk Appetite Statement, the Risk and Compliance Unit will monitor and report to the Executive Leadership Team and Audit and Risk Committee on:

Risk owners

(33) Risk owners are accountable for ensuring that risks within their management structure are managed in accordance with the University's Risk Appetite Statement.

(34) A guide to risk ownership is outlined below:

(35) Each risk owner is responsible for:

Third-party risks

(36) Managing risks associated with partners is a key part of the University's risk management framework, mitigating the operational, financial, reputational and information security risks that may arise from engagements with vendors, third-party education arrangements and partners.

(37) The University's risk management process (identifying, assessing, treating, monitoring and reviewing risks) applies to the University's engagement with third parties. It supports the University's resilience against disruptions, maintains compliance with regulatory requirements and protects the integrity of operations in line with the University's risk appetite.

(38) Managing third-party risk involves due diligence during onboarding, ongoing monitoring, contractual safeguards, and incident response planning tailored to the risk associated with the relationship.

(39) Responsibility for managing third-party risk sits with the portfolio engaging the third party.

(40) Risk mitigation activities during the onboarding, ongoing management and offboarding of third parties, coupled with regular reporting and oversight, ensure that third-party risks are systematically addressed and aligned with the University's risk appetite.

Assurance management process

(41) In line with the Risk Management Policy and the 'three lines' model of risk governance, the first, second and third lines must obtain adequate assurance that key controls highlighted during the RCSA process are effective, to ensure that:

(42) The Risk and Compliance Unit will prepare an annual assurance plan in consultation with members of the Executive Leadership Team, to be approved by the Audit and Risk Committee. The annual assurance plan will include targeted assurance reviews, internal audits and known assurance activities conducted by external parties, and will be informed by:

(43) Each compliance assurance review should include the following stages:

(44) Following the issue of a compliance assurance review report, management will identify risk treatment actions to address the recommendations made within the report, where applicable. Treatments will be captured by the Risk and Compliance Unit and included in the enterprise actions register.

(45) The Risk and Compliance Unit will report progress against the annual assurance plan to the Executive Leadership Team and Council committees.

Internal audit

(46) Internal audit activities will be conducted to support third line assurance. Internal audits will be conducted and reported in line with the Internal Audit Charter and Internal Audit Manual.

Enterprise actions register

(47) The University maintains an enterprise actions register (EAR) to record and monitor the remediation of risk-related actions. Actions represent existing instances of non-compliance, gaps or improvement opportunities in operational controls and processes, and proactive measures required to reduce the likelihood or impact of risks in accordance with the University's risk appetite.

(48) Each action recorded on the EAR will be assigned an action owner by senior management, who is responsible for the timely completion of the agreed actions to mitigate the identified risk.

(49) The Risk and Compliance Unit manages the EAR and provides status reporting to action owners, the Executive Leadership Team and Council committees.

(50) Reporting on actions is crucial from a risk accountability perspective. When actions taken to address risk are documented and reported, there is a clear record of the steps that have been taken to manage and mitigate actual and potential issues. This accountability ensures that staff members and teams are held accountable for their roles in risk management, facilitates communication about the progress of risk treatment efforts, and supports the overall risk culture of the University.

Education and training

(51) The University supports education and training as an essential mechanism for developing and maturing its risk and compliance culture.

(52) The University implements education and training programs to increase awareness of risk and compliance and of the responsibilities of managers and staff to understand and fulfil their obligations.

Section 4 - Guidelines and supporting documents

(53) See the:

Section 5 - Glossary

(54) This procedure uses terms defined in the Risk Management Policy.

Section 6 - Document context

Compliance drivers: NA

Review requirements: As per Policy Framework Policy

Document class: Governance