Section 1 - Background and Purpose
(1) This Policy establishes the framework, language, roles and responsibilities for managing risk at La Trobe University.
(2) This Procedure provides the framework for effective risk decision making that maximises the achievement of opportunities whilst preventing and minimising the impact of undesirable threats. Effective engagement with risk is critical to the achievement of the University’s Strategic Plan.
(3) Effective risk management will be implemented by:
- Creating a robust and ethical culture where risk informs all management decision making, driving excellence in corporate governance;
- Applying risk management practices as part of strategic, business planning and day-to-day decision making. It is essential that there is strong linkage of risk management activity with business plans to increase the likelihood of success of all business plans;
- Facilitating consideration of the balance of cost and benefit in the pursuit of investment initiatives;
- Informing the effective allocation of resources to control risks that could prevent the achievement of objectives;
- Assisting the University to operate safely and securely;
- A robust governance framework to guide and assess the compliance of risk management activity across the University;
- Providing assurance to senior management and the Council that critical strategic, enterprise and operational risks are managed effectively.
Section 2 - Scope
(4) Applies to:
- All campuses of the University;
- All staff, students, Council members, contractors, honorary and adjunct staff;
- All activities under the control or direction of the University, whether conducted on or off university property.
Section 3 - Policy Statement
(5) Business decisions at La Trobe need to be made in the face of substantial uncertainty and ambiguity in the dynamic and rapidly changing higher education environment. To prosper in this operating context the University needs to take actions which will expose it to risk. The focus of the University is to ensure a sound understanding of the risks that it faces, so that it can maximise benefits and minimise negative outcomes in the achievement of the strategic plan. Decisions need to be informed by a comprehensive understanding of the nature of these risks and an explicit acceptance of which risks we are comfortable taking and which risks must be controlled and managed.
(6) This policy establishes a structured approach to the management of risk across the University, based upon the International Standard for Risk Management (AS/NZS ISO 31000:2018). This approach includes a consistent process for the identification, assessment, treatment and monitoring of risk.
(7) La Trobe University implements risk management practices to enable better management decision making, so it can be sustainable and grow responsibly. It is the responsibility of all staff to embed risk management in their day-to-day work, so that risk decision making is a business enabler to support operations and the achievement of strategic initiatives. The implementation of risk management practices are intended to enable an effective risk culture by developing expertise and capability across the University.
Section 4 - Procedures
(8) This Procedure establishes the requirements for the implementation of a Risk Management (RM) framework, terminology, required systems, training, reporting protocols, risk acceptance and roles and responsibilities for managing risk at La Trobe University.
A Common Process for Risk Management (RM)
(9) The common process for the management of risk across the University is based upon and modified from the International Standard for RM (AS/NZS ISO31000:2018). This approach includes a consistent process for the identification, assessment, treatment and monitoring of risk.
(10) Some areas of the University may require a specific or customised approach to RM, for example as required by regulation, industry standards, or contracts with third parties. These instances are dealt with on a case-by-case basis with the General Counsel & Director of Assurance. Any variations initially approved by the General Counsel & Director of Assurance are required to be approved by the Senior Executive Group (SEG) prior to implementation. However, each approach must, at a minimum, align to the RM Procedure to ensure a holistic RM approach is implemented across the University. It is the responsibility of all staff, including management, to ensure that RM is embedded across all decision making and day-to-day operations.
Risk Profile Structure and Responsibilities
(11) La Trobe University manages a diverse range of risks, both tactical and strategic. To ensure the right level of management attention is applied to each risk, they are divided and managed within a number of discrete risk profiles. The outcomes of the risk assessments should be considered against the University risk appetite to indicate whether the residual level of risk is acceptable. Annexure 1 illustrates the risk profiles, their interrelationship and the corresponding La Trobe management tiers responsible for their maintenance. Detailed below are specific requirements of each profile.
Risk Appetite
(12) Risk, Audit and Insurance is responsible for the planning and facilitation of the annual refresh of the risk appetite as per the Annual Risk Planning and Review Cycle in Annexure 2:
- The risk appetite statement should clearly state the level of risk the University is prepared to take for each category and/or sub-category;
- The Senior Executive Group (SEG) and the CGRIASC will participate in the annual workshop to develop/update the risk appetite.
Strategic Risk Profile
Maintenance
(13) Risk, Audit and Insurance is responsible for the planning and facilitation of the annual refresh of the strategic risk profile, upon the completion of the annual refresh of Future Ready:
- The profile should be focused on risk to and from the strategic plan;
- The Senior Executive Group (SEG) and the CGRIASC will participate in the annual workshop to develop and refresh the profile;
- It is the responsibility of Risk, Audit and Insurance to finalise the profile and report to SEG and CGRIASC in accordance with the annual risk cycle in Annexure 2.
Enterprise Risk Profile
Maintenance
(14) Risk, Audit and Insurance is responsible for the planning and facilitation of the quarterly review and annual refresh of the enterprise risk profile following the completion of the operational and strategic profiles:
- The profile should be developed based on risks identified in the strategy related to operations and those risks identified in operational profiles which, if they were to materialise, would cause La Trobe significant consequences;
- The Senior Executive Group will be involved in a quarterly review and annual refresh process to update the profile;
- It is the responsibility of Risk, Audit and Insurance to finalise the profile and report it to SEG and CGRIASC in accordance with the annual risk cycle in Annexure 2.
Operational Risk Profile
Maintenance
(15) The Manager of each Business Unit (BU) is responsible for the quarterly review and annual refresh of their operational risk profile:
- Risk, Audit and Insurance is responsible for the facilitation and/or observation of the risk process for at least one quarter annually to ensure consistency with the RM Process;
- The profile should be developed based on risks associated with the delivery of the BU’s annual business plans;
- All BU management should be involved in the quarterly review and annual refresh process to update the profile. Typically this would be via a facilitated workshop;
- It is the responsibility of the BU manager to ensure that the profile is reported to the Governance & Planning Department and Risk, Audit and Insurance in accordance with the annual risk cycle in Annexure 2;
- It is the responsibility of Risk, Audit and Insurance to provide proactive advice and oversight of the process. It is the responsibility of the head of each BU to comply with the requirements of the annual risk cycle in preparing their operational risk profiles on an annual basis (refer to Annexure 2).
Corporate Governance, Risk, Internal Audit and Safety Committee Responsibilities
(16) A committee of Council, the Corporate Governance, Risk, Internal Audit and Safety Committee (CGRIASC) is tasked with general oversight of governance matters on behalf of the Council and its accountabilities are defined in the CGRIASC Terms of Reference.
(17) The CGRIASC is responsible for ensuring that the annual risk management review and reporting cycle is completed, which includes:
- Annual review and approval of the risk management policy, procedure and process
- Annual review and approval of the risk appetite and its alignment with strategic initiatives
- Reviewing and approving, at least annually, risk profiles including strategic, enterprise and highlights (key risks) from operational risk profiles
- Reviewing, recommending and approving, the oversight and monitoring of internal processes for managing risk and ensuring that risk exposures of all types, across the University, are being managed effectively through the operation and implementation of the Risk Management Procedure and Process
- An annual and forward-looking internal audit plan that adopts a risk-based approach to assess whether management controls are operating effectively.
(18) The key RM responsibilities of the CGRIASC are summarised in the diagram in Annexure 1.
Business Unit Heads
(19) Providing effective oversight to the strategic and operational functions of the University, to ensure that risk is appropriately managed via the establishment of appropriate structures, processes and informed decision making:
- Reviewing and considering, at least annually, the structure of risk exposures that are faced by the University as a whole (strategic and enterprise risk profiles) and ensuring that appropriate treatment actions are in place;
- Establishing appropriate delegations to ensure that the effective management of risk is cascaded through their areas of responsibility;
- Ensuring operational management and employees within their BU implement an effective risk process, so that risk management is an enabler which informs all day to day decision making.
Risk, Audit and Insurance
(20) Partnering with BUs and collaboratively working together to embed risk management processes and culture throughout the University:
- Developing and enhancing processes, methodologies and a common language to identify, assess and manage risks of importance (review and update the Risk Management Policy, Procedure and Process at least annually);
- Updating, at least quarterly, strategic and enterprise risk profiles and reporting these to senior management and the CGRIASC, including a highlight report of risks residing outside of risk appetite and changes to the risk profile in accordance with the annual risk cycle in Annexure 2
- Proactively educating and providing assistance to all areas and campuses of the University for their risk management activities, including:
- Ensuring that all areas and campuses complete, at least quarterly, RM reviews to identify risks and review treatment plans for current risks;
- Completing risk identification at the operational level at least quarterly (usually via a team meeting agenda item), and escalating to Risk, Audit and Insurance where risks are outside of risk appetite thresholds;
- At least annually, physically attending and observing the RM process discussion occurring in each BU to ensure University-wide consistency;
- Where risks are identified as a strategic or enterprise risk, escalating them to the appropriate risk profile and ensuring they are reviewed and reported at the next review of these profiles;
- Where a risk is identified to be outside of tolerance and an enterprise risk, ensuring that it is reported to the Risk and Assurance Manager in the first instance for a preliminary review. Based on the initial review, the risk may be escalated to the General Counsel & Director of Assurance or CGRIASC for review / acceptance. Upon their review, the appropriateness of treatment options should be evaluated, and the success of the implementation of these to minimise the risk should be tracked;
- These risks should be reported to the CGRIASC's next meeting for review and / or acceptance that the University can accept a risk outside of risk tolerance thresholds;
- Facilitating an improved understanding of risk information in key decision making and governance processes for all areas and campuses;
- Ensuring that a consistent RM system is used to identify, manage and record risks and their associated treatment activities;
- Completing performance reviews by exception as required to review controls and process environments in place for strategic and enterprise risk profiles;
- Developing a yearly RM training, education and capability development calendar and plan to ensure that all staff are capable of completing their risk responsibilities.
Section 5 - Definitions
(21) Consequence: Outcome of an event affecting objectives:
- An event can lead to a range of consequences;
- A consequence can be certain or uncertain and can have positive or negative effects on objectives;
- Consequences can be expressed qualitatively or quantitatively.
(22) Risk management: Coordinated activities to direct and control an organisation with regard to risk.
(23) Risk appetite: the amount and type of risk that the University is willing to take in order to meet its strategic objectives.
(24) Risk: Effect of uncertainty on objectives:
- An effect is a deviation from the expected, positive and/or negative;
- Objectives can have different aspects such as financial, health and safety, and environmental goals and can apply at different levels such as strategic, organisation-wide, project, product, and process
- Risk is often characterised by reference to potential events, consequences, or a combination of these and how they can affect the achievement of objectives
- Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances, and the associated likelihood of occurrence.