
Risk Management Policy


Section 1 - Key Information

Policy Type and Approval Body: Governance – University Council
Accountable Executive – Policy: Chief Operating Officer
Responsible Manager – Policy: Senior Manager, Risk, Audit and Insurance
Review Date: 19 December 2025

Section 2 - Purpose

(1) This Policy establishes the framework, language, roles and responsibilities for managing risk at La Trobe University (University).


Section 3 - Scope

(2) Applies to:

  1. all campuses of the University;
  2. all staff, students, Council members, contractors and volunteers; and
  3. all activities under the control or direction of the University, whether conducted on or off university property.

(3) This Policy should be read in conjunction with the University’s Risk Management Framework.


Section 4 - Key Decisions

Key Decisions: noted in procedures

Section 5 - Policy Statement

(4) Business decisions at the University need to be made in the face of substantial uncertainty and ambiguity in the dynamic and rapidly changing higher education environment. To prosper in this operating context the University needs to take actions which will expose it to risk. The focus of the University is to ensure a sound understanding of the risks that it faces, so that it can maximise benefits and minimise negative outcomes in the achievement of its objectives. Decisions need to be informed by a comprehensive understanding of acceptable risk taking and where risk must be controlled, transferred or avoided.

(5) The University’s risk management approach is underpinned by the following guiding principles:

  1. creating a risk-aware culture, where the identification, assessment and management of risk is acknowledged as a driver of positive outcomes;
  2. applying risk management practices as part of strategic, business planning and day-to-day decision making;
  3. facilitating consideration of the balance between risk and benefit in the pursuit of investment initiatives;
  4. informing the effective allocation of resources to control risks that could prevent the achievement of objectives;
  5. assisting the University to operate safely and securely;
  6. implementing a robust governance framework to guide and assess the compliance of risk management activity across the University; and
  7. providing assurance to senior management and Council that strategic and significant operational risks are managed effectively.

Section 6 - Procedures

Part A - A Common Process for Risk Management

(6) The common process for the management of risk across the University is based upon and modified from the International Standard for Risk Management (AS/NZS ISO31000:2018). This approach includes a consistent process for the identification, assessment, treatment and monitoring of risk.

(7) The University's Risk Management Framework outlines the procedures for ensuring compliance with this Policy.

(8) It is the responsibility of all staff, including management, to ensure that risk management is embedded across all decision making and day-to-day operations.

Part B - Risk Appetite

(9) The University’s Risk Appetite Statement broadly articulates the level of risk that the University is willing to accept or retain in the pursuit of its objectives. It includes guiding principles that outline the University’s position on risk taking with respect to specific risk categories and subcategories. The University recognises that this document cannot specify the risk appetite for every possible scenario and therefore, it is designed to guide strategic and tactical decision making. In addition, it enables management to better identify opportunities for further risk taking or identify areas where unacceptable risk taking may be occurring.

Part C - Risk Profile Structure

(10) The University manages a diverse range of risks, both strategic and operational. To ensure the right level of management attention is applied to each risk, they are divided and managed within discrete risk profiles.

Enterprise Risk Profile

(11) The University’s Enterprise Risk Register (ERR) has been developed and is regularly updated to address relevant strategic and operational risks which, if they were to materialise, would result in significant consequences for the University.

(12) The Risk, Audit and Insurance team is responsible for the planning and facilitation of the quarterly review and annual refresh of the ERR.

Operational Risk Profile

(13) Operational Risk Registers (ORRs) are owned and managed by the respective business areas. These registers serve as an important risk management tool for identifying, assessing and managing risks that may impede the operations of a business area or jeopardise the achievement of its strategic objectives, as well as those of the University.

(14) The Portfolio or Division Head, depending on the structure of the ORR, is responsible for the biannual review of their respective register.

(15) All senior leaders within each area should participate in the biannual review of their ORR.

(16) The Risk, Audit and Insurance team will participate in one of the two reviews with each business area to provide guidance and support as required.

Part D - Responsibilities

Corporate Governance, Risk, Internal Audit and Safety Committee

(17) A committee of Council, the Corporate Governance, Risk, Internal Audit and Safety Committee (CGRIASC), is tasked with general oversight of governance matters on behalf of Council and its accountabilities are defined in the CGRIASC Terms of Reference.

Senior Executive Group

(18) The Senior Executive Group (SEG) is responsible for overseeing the strategic and operational functions of the University, ensuring that risks are appropriately managed through the establishment of appropriate structures, processes and informed decision making in accordance with the requirements of this Policy. In addition, the responsibilities of SEG members include:

  1. attending quarterly meetings organised by the Risk, Audit and Insurance team to review and update, as required, the residual risk rating, controls and treatment plan for each of the University’s enterprise risks;
  2. participating in the annual workshops facilitated by the Risk, Audit and Insurance team to review the University’s Assurance Map and Risk Appetite Statement;
  3. establishing appropriate delegations to ensure that the effective management of risk is cascaded through their areas of responsibility; and
  4. ensuring that senior management within their respective portfolios implement effective risk processes, so that risk management is an enabler which informs all day-to-day decision making.

Risk, Audit and Insurance Team

(19) The Risk, Audit and Insurance team works closely with business areas to develop, implement and support effective risk management processes and to promote a culture of risk awareness throughout the University. Their responsibilities include:

  1. developing and enhancing processes, methodologies and a common language to identify, assess and manage strategic and operational risks;
  2. developing the University’s Risk Management Framework and facilitating its implementation and continuous improvement;
  3. reporting risk activities to CGRIASC and SEG, which includes, but is not limited to:
    1. quarterly review of the Enterprise Risk Register;
    2. annual review of the Risk Appetite Statement;
    3. annual review of the Assurance Map;
    4. quarterly internal audit updates; and
  4. ensuring the completion of a biannual internal audit plan that adopts a risk-based approach to ensure the effectiveness of management controls;
  5. providing guidance and advice to support risk management activities across the various business areas, promoting continuous improvement and accountability;
  6. collaborating with Portfolios and Divisions across the University to ensure that ORRs are thoroughly reviewed and updated at least twice annually; and
  7. providing risk management training to enhance risk-aware behaviour and ensure consistent application of the Risk Management Framework across the University.

Section 7 - Definitions

(20) For the purpose of this Policy and Procedure:

(21) risk: means the effect of uncertainty on objectives. An effect is a deviation from the expected, either positive or negative. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances or knowledge) and the associated likelihood of occurrence.

(22) risk appetite: means the amount and type of risk that the University is willing to accept or retain to achieve its objectives.

(23) risk management: means coordinated activities to direct and control the University with regard to risk.

(24) risk profile: means a description of any set of risks. The set of risks can contain those that relate to the whole University (enterprise risk profile), part of the University (e.g. portfolios, divisions, schools) or as otherwise defined (e.g. a specific project or event).


Section 8 - Authority and Associated Information

(25) This Policy is made under the La Trobe University Act 2009.