1. Purpose
The Risk Management Policy (the policy) outlines the Institution’s commitment to building a risk-aware culture that supports good governance and enhances decision-making and supports the delivery of the Institution’s vision and achievement of its strategic objectives. The policy is one component of the Institution’s overarching Risk Management Framework (the framework).
2. Scope
The policy applies to all staff and to all areas of the Institution’s business.
3. Definitions
See Glossary of Terms.
4. Policy statements
4.1 Commitment and culture
The Institution is committed to building a positive risk-aware culture which includes embedding risk management at all levels of the organisation and within key decision and approval processes across its academic, operational, and strategic functions. A positive risk-aware culture brings the elements of risk management together and reflects the values, practices and tools that embed risk into the Institution’s operations.
The Institution recognises risk management is not a one-off activity and strives to maintain an ongoing focus on pro-actively engaging with risk. Effective risk management contributes to a resilient organisational culture and a robust approach to good governance.
4.2 Risk management framework
The risk management approach at the Institution aligns with AS ISO 31000:2018 Risk management — Guidelines (the risk management standard) and is holistic and organisation wide. The risk management standard defines risk management as coordinated activities to direct and control an organisation regarding risk. The different components of the risk management framework (the framework) set out the culture, processes, responsibilities, management controls and structures in place, which the Institution uses to identify, assess, and manage its risks.
4.3 Risk appetite and tolerance
The Institution has developed a Risk Appetite Statement (the statement) which is a key component of the framework. The statement articulates the Institution’s approach to the amount of risk it is willing to accept in relation to different criteria to achieve its vision and deliver its strategic objectives. The statement provides insight and understanding of the approach to risk in different parts of the business and informs Institution activities and decision making.
4.4 Risk assessment
The risk assessment methodology is set out in the framework and must be followed by all departments and teams in identifying, analysing, evaluating, and developing treatment plans for their respective risks. Guidance on how to implement the methodology in practice is available to staff in the Risk Management Guide.
4.5 Risk Register
The Institution’s Risk Register (the risk register) captures the Institution’s strategic, academic and operational risks, mitigating controls and planned actions. Individual risk owners are responsible for maintaining the currency of the risk register and periodically reviewing and updating.
5. Roles and responsibilities
| Role | Responsibility |
| Academic Board | The Academic Board oversees academic integrity and monitoring actions to mitigate potential risk’ (AB Functions 2.d.) |
| Audit, Risk and Compliance Committee (ARCC) | The ARCC oversees risk management, the annual audit program and compliance at the Institution, reporting to the Board of Directors to enable them to discharge their duties. |
| Board of Directors | The Board of Directors identifies and monitors any risks to operations and ensure that the Institution manages and mitigates those risks effectively’ (BoD function 2.g.). |
| President and Managing Director (President)
|
The President has ultimate responsibility for ensuring the implementation of, and compliance with this framework. |
| Chief Quality Officer | The Chief Quality Officer is responsible for promoting effective governance, overall risk reporting and oversight of the implementation of the framework. |
| Associate Vice President (Quality Assurance, Accreditation and Risk) | The Associate Vice President (Quality Assurance, Accreditation and Risk) administers and updates the framework including the policy and statement, and co-ordinates detailed risk reports from the risk owners. |
| Executive Management Group | The Executive Management Group monitors non-academic risks and initiate corrective actions as required’ (EMG function 2.c.). |
| Risk owners
|
Risk owners are nominated individuals responsible for leading the assessment of their assigned risks, developing appropriate treatment strategies, monitoring their risks, including emerging risks, and reporting to the relevant governance committees. |
| Managers and key staff | Managers and staff with key responsibilities such as management of information technology projects, security, work health and safety, financial management and business continuity planning, project oversight, managing a business unit, etc. are responsible for ensuring that appropriate risk management practice is an integral part of routine business management. |
| Staff | Staff are required to support a positive risk culture in the Institution, including understanding this risk management framework.
All staff are required to manage risks within the scope of their roles. This means being aware of their team’s key risks when making decisions or conducting activities within their area of responsibility and implementing controls to reduce those risks. |
6. Reporting
Risk owners are responsible for reporting on their assigned risks in accordance with the risk reporting schedule developed by the Quality Assurance and Accreditation team. In addition to reporting by risk owners, the Chief Quality Officer is responsible for reporting on risk at an organisation level.
7. Records management
Staff are responsible for managing records in accordance with the Records Management Policy and Records Management Procedures.
8. Related documents
Risk Management Framework
Risk Appetite Statement
Risk Register
Risk Management Guide
AS ISO 31000:2018 Risk management — Guidelines
Approved by Board of Directors on 29 August 2023