
Page 1: Risk Management Framework...Annual review of the Risk Management Framework, the Risk Appetite and related sub-speciality risk areas, e.g. IT Risk and Cyber Security Framework Evaluation

1

Risk Management Framework

| Version | Approved by | Approval date | Effective date | Next full review |
|---|---|---|---|---|
| V3 | Risk Committee of Council | 29 Nov 2019 | 29 Nov 2019 | Nov 2020 |

Framework

Purpose: The risk management framework details the requirements for identifying, managing and monitoring uncertainty to maximise the upside and minimise the downside of risk.

Scope: The Framework applies to all UNSW business, including those of its Controlled Entities.

Are Local Documents on this subject permitted?

☒ Yes, however Local Documents must be consistent with this University-wide Document.

☐ No

Framework

1. Executive Summary

Effective risk management is critical to sound governance [1], building a consistent appetite for and robust culture in risk, improving decision making and enhancing outcomes and accountability. When adopted and integrated by an organisation, risk information provides insights into and transparency over material operational, change/growth, disruptive and emerging risks.

Aligning to ISO 31000:2018 Risk Management - Guidelines [2], UNSW’s risk management framework (Framework) will measure its success against the value creation principles (refer to Figure 1) and its ability to support the University in identifying and consistently analysing risks and opportunities inherent in the updated Strategy 2025 and in all University operations. Risk at UNSW will be defined as the effect of uncertainty on objectives.

The process of risk assessment outlined in this Framework has been designed to support and build efficiency in decision making, ensuring alignment to objectives and integration of principles into existing processes, analysis of key factors that influence decisions and the take up of opportunities. A key output is the University’s enhanced capability to focus resourcing and effort on priority endeavours, matching scarce resources to achieve the Strategy 2025.

This framework is the foundation for building the value of risk management; empowering people to effectively manage and / or leverage off uncertainty.

2. Objectives

2.1. Objectives

The framework details the requirements for identifying, managing and monitoring uncertainty. It clarifies how risk and opportunity are considered in strategic planning, review, approval and execution of University (and controlled entity, together referred to as ‘the University’) initiatives and in the monitoring of operational performance. The Framework, adopting the ISO 31000:2018 principles (Figure 1), addresses how we will embed the management of risk into our culture and practices and, by doing so, support the Executive and Council in making informed decisions and provide assurance that a robust risk management approach is adopted across the University.

Framework objectives include:

• Enhanced decision making; evidenced by adoption and integration of the Risk Appetite into strategic decision making and operational monitoring processes.

• Strong engagement in and ownership of risk by our people evidenced by a maturing risk culture. This culture will support clarity over the roles and responsibilities of people and governance forums, enable consistent review of and discussions regarding potential risks and co-ordination of people and activities.

[1] ASX Corporate Governance Principles and Recommendations, ed. 4, Feb 2019
[2] ISO 31000:2018 Risk Management – Principles and guidelines

• Integrated risk assessment process that adds value to the University, evidenced by the tailoring and integration of the assessments into existing processes and for context relevance, people are competent in carrying out the process and management seek to review and understand the output of risk assessments

• Maturing risk culture that embraces risk management principles into our cultural norms, evidenced by the consideration of risk as part of ‘doing business’ and reflected in discussions and questions regarding activities and initiatives.

Figure 1: ISO 31000:2018 Value Creation and Protection Principles

3. Framework Architecture

Our Framework has been designed to align with the governance framework practices and reporting, to accommodate the organisational structure and to meet the requirements of ISO 31000:2018 Risk Management Guidelines. This Framework will inform other specialist risk functions, such as Compliance, IT, Cyber, Treasury, Insurable Risk and Safety, so they can conform to it whilst also ensuring compliance with the applicable standards and regulations related to their discipline.

Five elements make up the framework:

1. The Risk Management Statement and Strategic Risk Appetite (Section 6)

2. The Risk Management Process (Section 7)

3. Communicating and Reporting Risk Information (Section 8)

4. Risk Accountability across the University (Section 9)

5. Monitoring and Review of the Framework (Section 10)

To ensure the ongoing relevance of our framework, four continuous improvement activities are integrated into the design and review components. They are:

1. Continual review of risk tools and practices by seeking feedback from ‘users’, champions and sponsors following the conduct of risk sessions.


2. Annual review of the Framework and its objectives against industry standards and innovations

3. Annual review of stakeholders to ascertain how the adoption of risk practices has added value to University strategic, change/growth and operational performance

4. Annual confirmation of the University’s commitment to the Risk Management Strategy and aspirational targets

4. Application

The University (including controlled entities) will be supported by the Risk Function to enable them to embrace and adopt the Framework’s requirements. Newly established or acquired operations will be required to comply with the requirements within 12 months of being established or acquired.

This Framework applies to the management of all types of risk at all levels across the University. All specialist risk frameworks will be informed by and conform to this Framework, including, but not limited to:

• Project Risk Management, including Strategic Initiative Feasibility and Business Case risk analysis and Infrastructure Risk Management

• Health and Safety Risk Management, including safety research approvals

• Academic Risk Management

• Insurable Risk Management

• Treasury Risk Management

• Fraud and Corruption Prevention

• Incident and Crisis Management/ Business Resilience

• Compliance Risk Management

• IT Risk and Cyber Security

• Procurement Risk Management

• Event Risk Management

A key design focus has been the ability for Faculties and Divisional Portfolios to apply a consistent risk assessment approach whilst enabling tailoring of forms to align to their Faculty/Portfolio and unique activity requirements.

4.1. Risk Management Calendar

To support the Risk Committee in executing its charter and the University in implementing industry leading practice, a series of activities are required. These are outlined in the Risk Management Calendar, Figure 2. Not listed in the calendar are the risk assessments and capability building activities that will occur as and when projects and/or initiatives are identified, and those scheduled to support the enterprise risk profile updates.

Requirement: The University and all its controlled entities will adopt the requirements of the University’s Risk Management Framework.


Figure 2 The Risk Management Annual Calendar of major activities

5. Responsibilities

Throughout the University, key roles and governance forums will take on responsibilities for actioning the requirements of this framework. This includes:

• Council, Sub-Committees and Governance Structures, that set the University’s tone, will be responsible for setting the risk appetite, reviewing the enterprise risk profiles and adequacy of controls, and approving the risk management framework

• Faculties, Divisions and Executives will be responsible for monitoring their strategic and operational risk performance and ensuring the capability to execute risk mitigation initiatives

• The Risk Function will be responsible for ensuring the Risk Management Framework captures and translates leading risk practices to the activities of the University, competency to manage risk is appropriate throughout the University and risk information is accurate, mature and comprehensive to support the University Executives and Council and its Sub-Committees in decision making and the management of risk

• Internal and external audit will provide independent reviews, the output of which will contribute to risk information and evaluation of control effectiveness

The interplay of the above groups is reflected in COSO: the three lines of defence [3], Figure 3.

Figure 3: University’s Three Lines of Defence

[3] Leveraging COSO across the three lines of defence, The Institute of Internal Auditors, 2015

Figure 2 text content (Risk Management Annual Calendar of major activities):

Qtr 1

• Confirm risk review schedules and risk maturity action plan with Faculty, Divisions and Controlled Entities.

• Hold the Annual Joint Committee Risk Workshop

• Complete a deep dive into an agreed material strategic risk or potential disruptor for presentation to the RC

• Prepare and submit the required RC reports

• Conduct project and strategic initiative risk reviews as required

• Conduct scheduled risk training

• Present to the Senior Leadership Group on an agreed Risk Leadership Topic

Qtr 2

• Update the University Risk Profile with a focus on control effectiveness; secure endorsement from the Senior Leadership Group and Management Board prior to RC submission.

• Complete a deep dive into the effectiveness of a sub-set risk framework, e.g. Fraud and Corruption Prevention

• Prepare and submit the required RC reports

• Conduct project and/or strategic initiative risk reviews as required

• Conduct scheduled risk training

Qtr 3

• Participate in the Insurance Program renewal

• Prepare and submit the required RC reports

• Conduct project and/or strategic initiative risk reviews as required

• Present to the Senior Leadership Group on an agreed Risk Leadership Topic

• Conduct scheduled risk training

• Contribute to the development of the IA plan

Qtr 4

• Annual review of the Risk Management Framework, the Risk Appetite and related sub-speciality risk areas, e.g. IT Risk and Cyber Security Framework

• Evaluation and update of the rolling 3 year Risk Management Strategy

• Rebase Strategic Risk Profile as part of the strategic planning process

• Conduct project and/or strategic initiative risk reviews as required

• Conduct scheduled risk training

Figure 3 text content (University’s Three Lines of Defence):

Governing Body / Council / Risk & Audit Committees

Executive Management (MB & SLT)

1st Line of Defence

• Day-to-day risk management decisions

• Front line adoption of the risk and specialist risk frameworks

• Appropriately skilled and trained workforce

• Current and salient policies, procedures and governance

2nd Line of Defence

• Challenge to 1st line regarding financial, compliance, quality, IT and risk controls

• Safety reviews and audits

• Specialist advice and training

3rd Line of Defence

• Internal Audit

• Independent reviews, inspections and investigations

External Audit / Regulators


6. University’s Risk Management statement and strategic risk appetite

6.1. Intent

The Risk Management Statement is a core element of UNSW’s governance. The University is committed to building a risk aware culture that is supported by a tailored, practical and integrated approach to the identification and management of uncertainty inherent in our strategy, operations and the global environment in which we exist. This commitment is backed by ensuring appropriate risk capabilities of our people.

6.2. How risk is defined at the University

Adopting the ISO 31000:2018 Standard’s definition of risk, risks will describe uncertainties in an event or condition that, if it is realised, will affect (positively or negatively) the achievement of one or more of the updated Strategy 2025 objectives. The magnitude of a risk will be assessed by qualifying the nature of the impact (positive or negative), its likelihood of occurrence, the effectiveness of existing controls and the speed at which the risk will impact the University.

6.3. Objectives of Risk Management

Risk Management objectives include:

• Providing risk tools that are customised and integrated into University processes whilst enabling consistency in the application of risk management principles. Most notably these include, but are not limited to:

a. Strategic planning

b. Anticipating and implementing strategic change initiatives, new commercial activities, ventures and projects

c. Assessing and introducing academic or administration changes to courses or processes, respectively

d. Reviewing and approving research opportunities and grants.

e. Reviewing and assessing compliance controls and performance.

• Building the required capability across the University to enable personnel to identify, assess and mitigate risks through providing tailored risk education and training

• Enhancing the risk culture through embedding a consistent application of the University’s Risk Appetite into all strategic decision processes and facilitating salient risk discussions.

• Ensuring a consistent structure for review and monitoring of treatment actions for those high and very high risks with a less than effective control environment and a potential to immediately impact (positively or negatively) the University’s operations.

• Ensuring the ongoing review and interrogation of risk management performance against available data/indicators, industry leading practices and feedback from stakeholders.

6.4. Definition and Purpose of Risk Appetite Statement (RAS)

The Risk Appetite defines the type and degree of risk the University is willing to accept to achieve its strategy and operational aspirations. Its purpose is to guide University governance bodies, executive and staff in decision making. It does so by defining the boundaries for risk taking, thereby aligning decisions to the risk appetite.

These boundaries detail the principles and metrics, both quantitative and qualitative, that, when reviewed as a collective, assist in decision making. The draft RAS is to be used to review any activity that may impact the University and its controlled entities at an enterprise level.

6.5. Approach to Risk Appetite

The University supports a positive risk culture, where individuals are empowered to take measured risks to achieve the strategic priorities and to act within UNSW Behaviours. Conversely, activities that materially threaten the viability of the University and its strategy will not be supported.


Implementation of the RAS requires consideration of the risk appetite parameters as part of the strategic initiative feasibility and approval processes and as part of the operational decision making for governance and management forums.

Where an initiative or operational performance outcome falls into the tolerance range (i.e. where an initiative or operational outcome may impact the stated appetite but does not fall within the ‘unacceptable/no appetite’ statement), a risk evaluation is required. Mitigation actions must demonstrate how they will re-align the initiative or performance to the RAS. This is outlined in the diagram below:

Figure 4: Applied Risk Appetite process

NOTE: Refinement of the UNSW RAS is currently underway to address:

• Limited connection between the RAS guidance and metrics to decision-making processes

• Limited ability to translate the RAS guidance and metrics to monitoring of operational performance and reporting

This area will be updated once ratified by the Management Board (MB), Senior Leadership Team (SLT) and endorsed by the Risk Committee.

6.6. Unacceptable Risk Outcomes – No Appetite

‘No Appetite’ qualifications reflect the actions that are contrary to the Strategy 2025 and our UNSW Behaviours. These include the following, which will be revised as part of the RAS review:

• Activity that compromises the University’s legal and regulatory obligations

• Situations where those interacting with the University are recklessly harmed

• Research funded by tobacco or gambling organisations

Figure 4 text content (Applied Risk Appetite process):

1. Is the Strategic Initiative within RAS? / Are Operations performing within RAS?

YES: proceed to step 2.

NO: Where there are areas of uncertainty, the risk and mitigations will be identified and demonstrate how the initiative or operation will be delivered within appetite. This information will be central to the decision making.

2. Are the Strategic Initiative metrics clear? / Are performance monitoring metrics clear?

YES: proceed to step 3.

NO: Given the context of the initiative or operational task, ensure lead and lag indicators are clearly identified and demonstrate alignment with the RAS.

3. Are Governance Forums identified as responsible for monitoring performance against RAS?

YES: Decision-making authority approval.

NO: Clarify the Governance Forum responsible for monitoring the endeavour and those persons accountable for delivering the endeavour within RAS.

Where the remedial actions do NOT address the issues, then: the initiative may not be approved; the Governance Forum increases scrutiny, escalates or ceases the operation.


• Activities that compromise the University’s academic quality and integrity for staff and students

• Adverse impacts on the University’s reputation

• Actions that adversely impact the University’s financial resilience


Table 1. University’s qualitative risk appetite and tolerance areas. (To be determined)

| Strategic Priorities | Risk Appetite Parameters |
|---|---|
| Reputation | |
| Research advancement | |
| Innovation | |
| Student Experience | |
| Partnerships / Stakeholder | |
| High performing and engaged workforce | |
| Finance & Capital resilience | |
| Sustainable Campus | |


7. Risk Management Process

Risk analysis and management is central to any Risk Management Framework. The process to conduct a risk assessment will follow the ISO 31000 approach as depicted in the diagram below. The detailed process, tools and guidance for conducting a risk assessment are provided in the ‘Risk Management Process’ document.

Figure 5: Risk Management Process aligned to ISO 31000:2018

7.1. Monitoring the Risks

Given that a risk assessment is a snapshot in time, clarifying who will monitor and manage the University’s ongoing exposure/potential, and how, is a critical element of the process.

In the planning phase of conducting a risk assessment, the appropriate structure and timeframe for review of risks is confirmed. When the risk assessment process is contained within a procedure, the delegation of authority and process owners will help govern the management of unresolved issues.

However, in order to provide consistency in the governance and oversight of risk by the SLT and MB, an accountability matrix for oversight has been established. This is set out in Table 2.

Determination of the level and frequency of review is based on three metrics: the residual risk rating, the control effectiveness rating and the velocity rating.

When monitoring or reviewing a risk we will review:

• The nature and rating of risk given changes to external or internal environments

• The effectiveness of any changes to the control environment and the need for additional controls.

• The need to add new, alter or retire existing risks and/or controls.

Requirement: Where a risk assessment is required, our Risk Management Process is adopted


Table 2: Priority for Treating Group Level Risk

| Residual Risk | Risk Control Effectiveness | Velocity | Management Action | Timeframe to establish critical control | Governance Oversight | Frequency |
|---|---|---|---|---|---|---|
| A: Very High | = Effective | All | Expectation that ongoing continuous improvement and monitoring is in place | N/A | Risk Committee of Council (RC) | Quarterly via normal/exception reporting |
| A: Very High | < Effective | Immediate & Short Term | Take action to reduce rating & exposure by building control effectiveness | 3 months | MB & SLT; RC | Monthly; Quarterly via normal/exception reporting |
| A: Very High | < Effective | Long Term | Take action to reduce rating & exposure by building control effectiveness | 6 months | MB & SLT; RC | Monthly; Quarterly via normal/exception reporting |
| B: High | = Effective | All | Expectation that ongoing continuous improvement and monitoring is in place | N/A | Dean / DVC / VP; MB & SLT | Via normal/exception reporting; Quarterly |
| B: High | < Effective | Immediate & Short Term | Build control effectiveness in keeping with the business plan | 3 months | Dean / DVC / VP; MB & SLT; RC | Monthly; Quarterly; Quarterly via normal/exception reporting |
| B: High | < Effective | Long Term | Build control effectiveness in keeping with the business plan | 6 months | Dean / DVC / VP; Executive; RC | Via normal/exception reporting |
| C: Moderate | < Effective | Immediate & Short Term | Build control effectiveness in keeping with all other priorities | 6 months | Director / HOS | As part of performance monitoring |
| C: Moderate | < Effective | Long Term | Build control effectiveness in keeping with the business plan | 12 months | Director / HOS | As part of performance monitoring |
| D. Minor | < Effective | All | Build control effectiveness in keeping with all other priorities | 18 months | Director / HOS | As part of performance monitoring |
| D: Low | < Effective | All | Lower priority. Build control effectiveness as part of usual business improvement. Monitoring will be required. | 18 months | Risk Owner | As part of performance monitoring |

8. Communicating and Reporting Risk Information

8.1. Reporting the risks

Risk reporting will occur at various levels across the University:

1. Analysis of the risks for each Faculty, Division, Controlled Entity and project: The Risk Profile.

The risk profile captures the core information about risks related to a Faculty, Division, Controlled Entity or project. This includes the description, ratings and current and future actions associated with a risk. To draw out insights and issues for each area, their risk information is consolidated and presented as a risk profile dashboard.


2. A one-page overview of the risk profile: The Risk Frontier. This view of risks will capture the known risks, change and growth risks and emerging risks (Table 3). The Risk Frontier draws from the risk profiles and discussion with Senior Executives of the area on key internal and external emerging and/or disruptive developments/trends.

Table 3: Example of the Risk Frontier

| Known Risks (Risks arising from delivering core services) | Growth / Change Risks (Risks arising from growth and change initiatives) | Emerging Risks (Risks from internal and external emerging / disruptive developments or trends) |
|---|---|---|
| The prevention and detection controls for academic fraud lag the speed at which innovative options are made available to students. | On-line and digital learning programs and the opportunities they provide are compromised by competing priorities. | Future students’ and employers’ expectations on skill competency and work-readiness are not met by future UNSW graduates. |

3. An enterprise view of the risks of the University and its Controlled Entities: The Enterprise Risk Profile.

This report will contain an Enterprise Risk Frontier that draws on the above two reports. It will provide additional commentary on the material risks. It will detail:

• Why the risk is important to the University and key Faculties and Divisions

• Changes to key mitigation strategies and risk environment

• Changes to Key Risk Indicator metrics (that include lead and lag indicators)

• Progress on agreed action to mitigate downside and pursue upside

In addition to including the relevant risk metrics in the commentary of a material risk, the collective set of risk indicators will be provided as an appendix to this report. The appendix will reflect changes over time and include commentary from relevant stakeholders on the implications of the change.

8.2. Risk Escalation

The escalation of risk takes two forms:

1. The routine escalation of those risks with sub-optimal control environments (section 7.6)

2. The immediate escalation of emergency and ‘crisis’ events. This is captured under the Incident and Crisis Management Framework, which embeds the risk ratings and Strategic Risk Appetite.

8.3. Annual Risk Plans

Faculty and Divisional Risk Plans are agreed annually. These plans are based on an assessment of the area’s risk maturity and their risk profile and are designed to enhance their performance in managing and monitoring risk exposures. The plan lists the agreed risk projects, a risk profiling schedule and identifies the sponsors and champions and team accountabilities. This process will be embedded into the Annual and Mid-year review process.

8.4. Relationship between Internal Audit and Risk Management

A valuable source of process risk and control information is found in the activities of Internal Audit. This information supports the risk profiling activity and provides assurance around key controls. Conversely, the information captured by risk provides an important input for the annual internal audit program and also for each audit. The relationship between the two functions is provided in Figure 6.


Figure 6 Relationship between Internal Audit and Risk.

9. Building Risk Capabilities

The central Risk Management team are accountable for identifying, building and maintaining the appropriate level of risk capability across the University. To achieve this, a matrix of key roles, critical to the management of risk, is matched to the nature of training to be provided. In addition, people in these roles will be invited to attend thought leadership sessions and strategic planning days.

Figure 7 Three legs to build capability.

The approach to building capability will draw on:

1. Learn – Acquire knowledge and skills through formal learning experiences, including e-learns, face-to-face training and formal mentoring arrangements.

2. Master – Apply the knowledge by developing and refining the skills and tools, providing feedback to enhance our capabilities.

3. Lead – Become a champion within the business, coaching others to make best practice a cultural norm.

Figure 6 text content (Relationship between Internal Audit and Risk):

The Risk Profiles capture the uncertainties in delivering against strategy and objectives. As such, they are a valuable source for Internal Audit in developing their annual plan and in the preparation of each audit.

Internal Audit identifies and evaluates controls and works with the stakeholders to agree mitigation actions. This work is a valuable input into risk assessments and in building robust risk profiles.

• Process Risks: captured in the School and Operational level risk assessments contained in BAU processes

• Faculty, CE and Divisional Risk Profiles: linked to their objectives and captured in their Risk Frontier

• Enterprise Risks: linked to strategy and captured in the Risk Frontier


10. Risk Accountability

Risk Management is the responsibility of all personnel. To support the University, accountability for the implementation of the risk framework has been defined.

Accountability refers to the ultimate responsibility for actions, decisions, and management pertaining to the nominated activity. This does not mean that the function accountable must deliver the action, but it must seek assurance that the activity is or continues to be appropriate and progressing, if being established.

The functions and accountabilities that support our Governance structure for risk are listed in Table 4.

Table 4: Accountability and Responsibilities for Risk

Council

Maintain oversight of and gain assurance over the effective management of risk. Approve the endorsed University’s risk management framework, including the risk appetite.

Risk Committee

Oversight and governance of the University’s strategic Risk Frontier and dashboard. Review and endorse the University’s risk management framework, including the risk appetite. Advise Council on the University’s performance in managing risk.

Senior Executive Leadership Team and Management Board

Active monitoring of the management of material risks and risk culture. Active risk leadership and sponsorship of key risk activities. Review of the University’s strategic Risk Frontier, ensuring the salient strategic, growth and change, and operational risks are represented.

Director of Risk

Ensure the University’s risk management approach reflects ‘leading practice’ and is tailored to the University’s activities. Lead the ongoing development and integration of risk management into policies, procedures, standards, templates and tools, seeking innovation in our practice. Build the capability to identify and evaluate risk across the University. Generate and submit the University Consolidated Strategic Risk Frontier and updated Risk Dashboard for discussion at the Executive and review at the Audit and Risk Committees.

Faculties and Divisions

Effective implementation (i.e. resourcing, training, conduct of assessments, integration of information into decision making and monitoring) of risk management within their Faculty or Division with the ongoing support of the Risk Function. Active leadership to drive a risk aware culture. Monitoring of their Risk Management Action Plan. Generation of quarterly Risk Profiles.

Subject Matter Experts & Risk Champions

Ensure the University’s risk management approach reflects current ‘good practice’ related to their area of expertise or knowledge and that the approach is tailored to the University’s activities, working with the Risk Function. Support and build the capability to identify and evaluate their area of risk across the University. Participate in the conduct of risk assessments and the monitoring of actions related to their area.

11. Monitoring and Review of the Risk Management Framework

The framework will be reviewed and updated annually against industry standards and innovations and following review of the University’s performance and maturity in managing risk using the Maturity Model assessment and stakeholder feedback. The revised framework will be submitted to the Risk Committee annually for ratification.


Attachment A: Risk Rating Tables

The consequence table defines the nature of a potential impact that results from a risk being realised. The rating is determined by the highest rated impact irrespective of impact type.

Impact types (table columns): Academic (Research & Teaching); Facilities & Operations; People & Community; Financial; Global Standing; Partners & Authorities.

For each consequence level, the level definition is given first, followed by the example impacts listed in the table.

Severe: Long term or widespread impact requiring Senior Executive and Council time and effort over multiple months and deviation from the strategic plan.

- Systemic academic or research fraud
- Loss of signature high profile research capability
- Closure of signature course
- Multiple (>10) students suspended or unenrolled from courses
- Multiple (>10) students’ degrees are retracted
- Compromised student and research data
- Multiple academic research papers are retracted
- Loss of critical facilities (i.e. labs) for 1+ yr
- Critical IT systems not available for greater than 6 months and irretrievable loss of the stored data
- Data integrity/loss and IP loss associated with sensitive research and commercial endeavours
- Large scale release of sensitive and personal information to public domains
- Inability to deliver key project benefits / critical operations unable to be performed
- VC and/or key Executive resigns
- Board restructure
- Pervasive loss of University community confidence
- Reckless, work-related harm to people / multiple work-related deaths or serious permanent disabilities
- Widespread, permanent environmental harm
- QILT ranking drops
- Significant personal liability and/or potential custodial sentence of directors and/or employees
- Fraud event ($1M)
- Misappropriation of $1M funds, including philanthropic donations
- Financial loss, including teaching revenue, exceeding $50M and/or the potential to incur additional costs beyond the current year
- Key 3rd party withdrawal of funding
- Engagement with partners/entities not aligned with RAS (e.g. connection with tobacco and gambling industries)
- Legal action with material basis of negligence
- International and widespread prolonged (>1 month) adverse media (including social media)
- Global Higher Education community raise concerns over UNSW actions
- Loss of provider status
- Total loss of confidence by Government / student community / Authorities / funding and research bodies
- Key strategic partner/alliance ceases engagement with UNSW

Major: Impact requiring Senior Executive management and oversight and notification to Council.

- Withdrawal of or conditions imposed on research funds
- Unable to continue research and/or teaching in a FOS
- Withdrawal or retraction of publications
- Retraction of a student qualification
- Loss of a defined group of students’ and research projects’ data
- Partial loss of a critical facility for between 6 months and 1 year
- Loss of central teaching or research facilities for 3 terms
- Regulatory sanction / suspension of licence / accreditation conditions
- Loss of critical IT system for 1-2 terms
- Sensitive and personal data released to the public
- Major project benefits are no longer viable / critical operations compromised
- Faculty Dean, VP or DVC termination
- Single work-related death or permanent disability
- Long term damage to the environment
- Ongoing disruptive industrial action (>1 month)
- Widespread student and/or staff body protest / outcry
- Community outcry and action / staff performance across the University eroded
- Financial loss, including teaching revenue, between $20M and $50M
- International and widespread short-term (1 month) adverse media (including social media)
- Suspension or conditional Provider Status
- Loss of standing in the Australasian research and academic community visible to global partners
- Investigation by ACNC, ATO, ANSTO or AONSW
- Targeted enquiry or investigation by Authorities
- Widespread disaffected student community
- Corporate partners (existing and potential) disassociate themselves from UNSW
- Legal dispute with corporate partner (e.g. IP and commercialisation rights)
- Major partner disengages


Substantial: Impact requiring Executive oversight and HOS or Director action.

- Capability to complete research or teaching commitments is undermined, impacting quality, cost and timeframes
- Unable to continue research and/or teaching in a FOS for a term
- Erosion of student GPA and progression rates
- Loss of a student cohort’s or research project’s data
- New course unable to be progressed or introduced
- Load sharing to support signature course and/or research
- A building is not able to be occupied for between 1 and 6 months during the teaching year
- Loss of central teaching or research facilities for between 1 and 2 terms
- Core IT systems are inconsistently available to staff and students throughout the terms
- Irretrievable loss of non-research data
- Project / operations cost/time over-runs
- Key person loss
- Staff performance issues (>1 area of the University)
- Work-related injury requiring hospitalisation
- Localised environmental harm lasting >1 month
- Industrial action (up to 1 month)
- A student group lodges complaints
- A community group voices concerns
- Legal action from a group of students, staff or community group
- Financial loss between $5M and $20M
- Costs and/or loss unable to be absorbed within the current Divisional or Faculty budget
- Adverse state-based and social media traffic (mainly spurious) lasting 2 weeks
- Persistent short-term media enquiries over the events
- Australian Higher Education community query UNSW research and academic integrity
- Pursuit of a new opportunity is compromised
- Authorities and government register strong concerns / threaten investigation
- Corporate partners (existing and potential) voice strong concerns
- Breach of contracts
- Enforceable penalties or civil action
- Increased partner complaints

Medium: Localised impact for a Divisional Unit or School.

- Program development deferred or not progressed
- Capability to complete research or teaching commitments is compromised in the short term
- Increased reliance on inexperienced casual teaching staff
- Compromised access to research equipment and/or facilities for 1 month
- A building is not able to be occupied for 1-2 weeks during term
- Basic IT systems availability is unstable for staff and students for less than 1 month
- Localised staff performance issues
- Community member, staff or student legal action
- Student groups register separate concerns
- Work-related injury/illness requiring medical / health professional intervention
- Localised environmental harm (<1 month)
- Financial loss between $50k and $5M
- Costs and/or loss unable to be absorbed within the current Unit or School budget
- Unauthorised spend up to $500K
- Active adverse student social media traffic (mainly spurious) lasting 2 weeks
- External queries over UNSW research and academic integrity
- One-off adverse media report with local coverage or intra-industry knowledge of incident
- Authority formally seeks clarification
- Issue of infringement notice

Insignificant: Issue that is managed as part of BAU.

- Unit development is postponed or not progressed
- Casual teaching staff are unable to be sourced, impacting quality
- Research data or samples impacted but recovered within three days
- Facilities are unable to be occupied for the day
- Localised user group unable to access IT systems (<3 days)
- IT systems do not operate efficiently
- Operational performance impacting day-to-day activities or project
- Disaffected group of students and/or staff
- Minor work-related incident requiring first aid treatment only
- No material environmental harm – on-site, immediately contained, no ongoing impact
- Financial loss less than $50k
- Unauthorised spend up to $50k
- N/A
- Authority registers issue only
- Minor complaints that can be managed within the business unit


Control Effectiveness and Velocity Ratings

The Control Effectiveness rating indicates the level of maturity of controls to either mitigate the consequence or the likelihood of a risk. The Velocity rating identifies the potential speed at which the impact will materialise and impact the University.

Control Effectiveness

Effective: Controls are adequate, appropriate and effective. They provide reasonable assurance that risks are being managed and objectives should be met.

Well based: A few specific control weaknesses are noted. However, many controls are adequate, appropriate and effective to provide a solid basis for assurance that risks are being managed and objectives should be met.

Improvement desired: Numerous specific control weaknesses were noted. Controls evaluated are unlikely to provide reasonable assurance that risks are being managed and objectives should be met.

Ineffective: Controls are not adequate, appropriate or effective. They do not provide reasonable assurance that risks are being managed and objectives should be met.

Velocity

Immediate: The impact of the risk will affect the University’s operations, its reputation and/or its ability to operate immediately.

Short Term: The impact of the risk will take up to six months to be realised and thus provides some lead time to convene a working party to prepare for and manage the expected impact.

Long Term: The impact of the risk will take over six months to be realised and provides substantial lead time to establish a working team to plan and execute mitigation activities to manage the expected impact.

Likelihood Ratings and Risk Rating Matrix

The likelihood rating indicates the potential for an occurrence. The Likelihood and Consequence ratings together provide the overall risk rating.

Almost Certain: Expected (90+% chance) to occur in most circumstances.

Likely: Will probably occur (61-90% chance), i.e. more likely to occur than not.

Possible: Possible occurrence (21-60% chance).

Unlikely: Remote chance of occurring (1-20% chance).

Rare: May occur in exceptional circumstances (<1% chance).

Risk Rating Matrix axes: Likelihood (Almost Certain, Likely, Possible, Unlikely, Rare) against Consequence (Insignificant, Medium, Substantial, Major, Severe).

Opportunity Ratings

Strong: The opportunity is easily identifiable; tangible steps can be taken to realise upside.

Credible: The opportunity requires more investigation to confirm its potential and viability; however, it appears to have a sound basis for upside.

Constrained: The opportunity has potential for upside, although it may be restricted and its potential limited.


Risk Categories

Risk categories are used to analyse and consolidate risk information by categorising them by the source of risk. They do not provide the level of detail required to understand the nature of risk. It is for this reason they are not rated.

Risk Category: Includes risks related to

Strategic: Strategic planning and delivery of initiatives; related external environmental and market shifts

IT / Cyber: Digital services and security; data security and IT incident response/DR

Facilities / Operational: Facilities, infrastructure, and service and project delivery by associated ‘enabling functions’; Business Resilience

People & Culture: Safety and security, recruitment, retention, culture, behaviour; change readiness

Financial: Financial/budget reporting & control; Treasury/Investment strategy & management

Academic (Research / Teaching): Research and teaching quality, standards and conduct; student progression and load

Legal/Regulatory: Legislation, regulation and standards compliance and changes

Student: Student experience, safety and security

Stakeholder: Expectations of and engagement with third parties, i.e. partners, community, corporates and government

Governance: Reporting to and oversight by Council, sub-committees of Council and governance forums


Accountabilities

Responsible Officer: Director of Risk

Contact Officer: Director of Risk

Supporting Information

Legislative Compliance: Nil

Parent Document (Policy and Procedure): Risk Management Policy

Supporting Documents:

Risk Management Procedure

Business Risk Maturity Tool

Risk Appetite Statement

Related Documents:

HS329 Risk Management Procedure

Fraud and Corruption Prevention Policy

Legislative Compliance Policy

Legislative Compliance Procedure

Procurement Policy

Procurement Procedure

IT Security Policy – Information Security Management System (ISMS)

Superseded Documents: Nil

File Number: [For Governance Use]

Definitions and Acronyms


Revision History

Version: V3; Approved by: Risk Committee of Council; Approval date: 29 Nov 2019; Effective date: 29 Nov 2019; Sections modified: All


Keywords for search engine: Risk Assessment; Risk Management; Risk Appetite
