Risk Management Policy
Related documents
- Risk Management Procedure (SharePoint)
- Risk Management Framework
1. Purpose
1.1 The Risk Management Policy (the policy) outlines how UTS identifies, assesses and manages risks and opportunities. The policy is supported by the Risk Management Procedure (the procedure) (SharePoint).
2. Scope
2.1 This policy applies to all staff and affiliates (hereafter staff) and all activities conducted by or on behalf of UTS.
3. Principles
3.1 Risk arises in many forms. It can have positive or negative impacts on UTS’s ability to achieve its strategic objectives. Risk and opportunity management is recognised as an essential governance process in support of the UTS 2027 strategy and corporate plan.
3.2 UTS acknowledges that inherent risks exist in the university’s operating environment. These risks need to be considered and managed in an informed way. Managing risks effectively enhances UTS’s ability to take opportunities while understanding, managing and reducing the impact of business risks to a practical level within UTS’s risk appetite.
3.3 The establishment of a UTS risk management framework aims to effectively manage risks by:
- promoting a risk-aware culture
- providing operational advantage, insight and competitive advantage, contributing to the continued growth and success of the university
- protecting and enhancing UTS’s capabilities, assets and reputation
- providing greater certainty and confidence to internal and external stakeholders
- contributing to more efficient use and allocation of resources
- encouraging fact-driven proactive, rather than reactive, management
- strengthening decision-making, prioritisation and planning, and
- assigning accountability and responsibility for risk.
3.4 UTS recognises that measured risk taking through informed and intelligent decision-making is both acceptable and appropriate within the boundaries defined in UTS’s risk appetite statement.
3.5 All staff across UTS’s operations are responsible for risk management. The degree and nature of this responsibility is guided by the procedure. All staff should familiarise themselves with the risks associated with their roles and responsibilities.
4. Policy statements
Risk management framework
4.1 UTS’s risk management framework (the framework) (refer Risk management framework) is consistent with the International Standard (ISO 31000:2018, Risk management — Guidelines). It embeds risk management principles into the university’s business activities, including:
- academic activities and processes
- research, change initiatives and projects
- operational, financial, strategic and planning activities, and
- legal and compliance activities.
4.2 The framework:
- identifies potential risk impacts that could affect UTS
- identifies the potential opportunity impacts in projects to provide a balanced view for decision-making purposes
- enables the consistent identification and assessment of risks
- allows for the appropriate allocation of resources and responsibilities to manage risk
- allows for the appropriate treatment and consistent management of risk (refer the procedure (SharePoint)) within a defined risk appetite, and
- is designed to provide reasonable assurance on the achievement of strategic objectives.
4.3 All UTS business processes and functions must adopt this risk management approach in line with the framework and the procedure. A commitment to risk management will form part of the annual performance and review process for key management positions.
UTS strategy: Risk inputs
4.4 The Director, Risk is responsible for analysing the wide range of internal and external risks (global, national, sectoral and local) that could affect UTS. A summary of the top emerging and external risks informs the development of the corporate plan, the UTS 2027 strategy and its supporting assumptions.
UTS risk appetite
4.5 The UTS risk appetite:
- defines the level of risk UTS is prepared to accept in pursuit of its objectives, function and strategy, and
- guides UTS leaders in their management of strategic and enterprise risks (before any risk reduction activity is deemed necessary).
4.6 The Director, Risk, in consultation with the senior executive, will establish the UTS risk appetite on an annual basis, as it relates to the university’s strategy, for approval by Council.
4.7 The annual risk appetite statement sets out the strategic and significant associated operational risks that UTS either has no appetite for, is willing to manage or is prepared to take.
4.8 The risk appetite is reflected in the risk identification, analysis, assessment and treatment processes undertaken by each faculty, unit and division in line with the procedure.
4.9 The Director, Risk, in consultation with the senior executive, will undertake a mid-year review of performance against the risk appetite statement.
4.10 The risk appetite will also inform review and application of the UTS Delegations, assurance activity and policy reviews.
Identifying, analysing, evaluating and treating risk
4.11 All faculties and units must follow the approach, set out in the procedure, for identifying, analysing, evaluating and treating risks.
UTS risk universe
4.12 The Director, Risk and the Internal Audit Director are responsible for the development and maintenance of the UTS risk universe. The risk universe is developed based on:
- the processes in operation across UTS
- risk and opportunity assessments completed within the framework
- a wide range of internal and external reports to identify emerging or new risks
- information publicly available on emerging and key risks in the university sector both nationally and internationally, and
- engaging external consultancy as appropriate to horizon scan for emerging or developing risks.
4.13 The Director, Risk and the Internal Audit Director use the risk universe to develop the university’s assurance map. The assurance map, which is securely held by the Director, Risk and the Internal Audit Director:
- visually presents all assurance activities, internal and external, as they apply to UTS’s operating model and risks, and
- sets out areas of required and/or actual assurance highlighting any areas of assurance gap or overlap over time.
4.14 The Internal Audit Director uses the assurance map to consult with the senior executive to agree an annual internal audit program and to reaffirm the 3-year strategic internal audit program. This is presented to the Audit and Risk Committee for review and approval on an annual basis.
Risk management culture
4.15 UTS is responsible for creating and enhancing a risk management culture where staff and managers of all levels are encouraged and supported to raise, discuss and mitigate risks and manage opportunities to achieve a beneficial outcome for UTS.
Risk management framework monitoring, review and improvement
4.16 The Director, Risk must, in consultation with the senior executive, undertake an annual internal review and update of the framework in order to identify and address any required operational changes, regulatory changes, risk management standards amendments and other improvements.
4.17 The Director, Risk must annually assess the framework against its objectives and ensure the framework facilitates UTS in achieving its objectives. The Director, Risk may engage a third party to perform this assessment.
4.18 The annual assessment will rotate over a 3-year cycle between a self-assessment, a peer assessment or benchmark with other New South Wales universities, and an independent assessment from an external risk management specialist. The results of the performance assessments must be reported to the Audit and Risk Committee.
4.19 Continuous monitoring and review of the university’s risk and opportunity management processes are undertaken to:
- ensure controls are effective and efficient in both design and operation
- analyse and learn lessons from events (including near misses), changes, trends, successes and failures
- identify opportunities for control or process improvements
- detect changes in the internal and external context, including changes to risk criteria and the risk itself, which can require revision of risk treatments and priorities
- identify emerging risks, and
- evaluate the accuracy of opportunity assessments and embed feedback into future opportunity assessments.
4.20 The Audit and Risk Committee is informed of any updates or changes to the framework in accordance with the Audit and Risk Committee Charter (available at Audit and Risk Committee).
Reporting requirements
4.21 Staff must address, manage and report risks in accordance with this policy, the framework and the procedure.
4.22 The Director, Risk must report to the Audit and Risk Committee in accordance with the Audit and Risk Committee Charter (available at Audit and Risk Committee).
Policy breaches
4.23 Breaches of this policy (and the procedure) are considered a failure to comply with the Code of Conduct and will be managed in line with the code.
5. Roles and responsibilities
5.1 Policy owner: The General Counsel and Executive Director, Risk and Compliance has primary oversight of this policy and is responsible for approving the Risk Management Procedure (the procedure) and other documents to support its implementation.
5.2 Policy contact: The Director, Risk is responsible for overall risk management and compliance across UTS and the implementation of the policy and the framework, including:
- embedding the risk framework across UTS
- reporting key risks, and risk management generally, to the senior executive and the Audit and Risk Committee
- advising the senior executive on emerging or significant risk exposures and on the risk management culture across UTS
- committing to, providing and overseeing the allocation of resources to enable effective risk management
- supporting communication and consultation activities by collating reports and providing advice
- providing training across UTS on applying the framework, and facilitating discussions and solutions on areas of risk uncertainty across UTS.
5.3 Implementation and governance roles:
UTS Council is responsible for the oversight of risk management at UTS, on advice from the Audit and Risk Committee, the Vice-Chancellor and other committees of Council within their terms of reference. More specifically Council will:
- assess and approve this policy
- monitor key risks and, where applicable, approve major decisions affecting UTS’s risk exposure, and
- approve the UTS risk appetite annually on advice from the Vice-Chancellor and the Director, Risk.
The Audit and Risk Committee assists Council by:
- and reporting to Council on the framework, including the ongoing risk management program, policies and procedures, regular auditing and remedial action in areas of weakness, and
- evaluating the adequacy and effectiveness of the monitoring and reporting and control systems associated with risk management in accordance with its charter (available at Audit and Risk Committee).
The Academic Board, as the principal advisory body to Council on academic matters, is responsible for:
- assessing academic risks, their risk ratings, mitigations and progress in implementing treatments on an annual basis for presentation to Council (refer Strategic Risk Assessment for Academic Board at Academic Board documents), and
- reviewing any academic risks presented for consideration and assessment by Council or a committee of Academic Board.
The Research Committee is responsible for considering matters relating to research governance and risk for consideration by Academic Board (refer Research Committee), including:
- reviewing action plans to address the top research risks identified for UTS
- a bi-annual review of UTS’s top research risks to consider emerging risks, actions delivered and any changes
- ensuring the research elements of the framework are implemented across faculties and relevant units
- ensuring any breach of the framework and/or of compliance with any laws or obligations in relation to research risk management is investigated
- reviewing any identified material deficiencies in internal research controls to mitigate key risks that could have a university level impact if not addressed.
The Vice-Chancellor (via the General Counsel and Executive Director, Risk and Compliance) is responsible for the assignment of responsibilities in relation to risk management and:
- providing timely and adequate information to Council on the status of UTS’s key risks
- proposing, in consultation with the senior executive, the tolerance for accepting certain risks (that is the university’s risk appetite)
- assessment and analysis of key strategic risks within UTS’s operating environment to inform the development, review and maintenance of the UTS strategy, and
- the risk management culture across UTS.
The University Leadership Team is responsible for:
- overseeing the operation of this policy and the procedure in their areas of responsibility
- promoting a responsible risk management culture in their areas of responsibility, including building awareness of the framework and ensuring compliance with this policy and the procedure
- receiving and acting on reports of risk management issues from their faculties and units
- ensuring the reporting requirements set out in the procedure or as otherwise required are met by their faculties or units.
Directors, deans and other senior leaders with supervisory responsibility (including project and contract managers) are expected to:
- understand the risk management framework in place at UTS
- adopt a risk-based approach in their management
- lead by example in their risk management behaviour in the workplace, and
- ensure risk assessments are conducted for all key risks in their area, and mitigated within their control or appropriately escalated.
The Internal Audit Director is responsible for:
- validating the effectiveness of the risk management framework
- providing assurance over the control environment managing critical and high risks within the university’s risk universe, and
- maintaining and reporting on the UTS assurance map, highlighting any significant gaps in coverage or over review to relevant stakeholders.
All staff and affiliates are responsible for:
- understanding the risk management framework in place at UTS
- identifying, assessing and managing risks and opportunities in their activities in line with this policy and the procedure, and
- reporting and escalating to their manager (or direct report) any significant identified risk that is not addressed to date.
Further risk responsibilities are outlined in the Risk Management Procedure (SharePoint).
6. Definitions
The following definitions apply for this policy and all associated procedures. They are in addition to the definitions outlined in Schedule 1, Student Rules. Definitions in the singular also include the plural meaning of the word.
Affiliate is defined in the Code of Conduct.
Assurance map means the visual representation of the main sources and types of assurance activities at UTS. The map demonstrates the scope, breadth and depth of assurance coverage across the risk universe and their coordination.
Corporate plan means the university’s official priorities and targets for the coming year with a focus on implementing key components of the strategy and tracking delivery and performance.
Opportunity means a potentially favourable or beneficial event, return, outcome or condition resulting from an action or decision.
Risk is the effect (both positive and negative) of uncertainty on objectives as defined by the ISO 31000:2018, Risk management — Guidelines.
Risk appetite means the level of risk that UTS is prepared to accept or tolerate in pursuit of its objectives and strategy and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits or opportunities and the potential threats brought about by change or decision-making.
Risk assessment means the overall process of risk identification, analysis and evaluation of risks to understand the current level of risk exposure and how a risk exposure might be treated.
Risk culture means the set of shared attitudes, values and behaviours that characterises how UTS considers risk in its day-to-day operations.
Risk identification means the process of finding, recognising, understanding and describing risks.
Risk management means the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk management framework means the collection of formal components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management at UTS.
Risk treatment means the agreed mechanism, action and/or process to supervise, manage or modify an identified risk (for example, risk avoidance, risk reduction strategies, sharing, acceptance or control).
Risk universe means the risks that UTS faces or could face and is a formal part of the university’s risk identification process. The risk universe is not static and is regularly reviewed and updated.
University Leadership Team means the team consisting of the Vice-Chancellor, the Provost, the Deputy Vice-Chancellors, the Chief Operating Officer, deans and the Vice-President (Advancement).
Approval information
| Policy contact | Director, Risk |
| --- | --- |
| Approval authority | Council |
| Review date | 2025 |
| File number | UR18/783 |
| Superseded documents | Risk Management Policy 2011 (UR03/154) |
Version history
| Version | Approved by | Approval date | Effective date | Sections modified |
| --- | --- | --- | --- | --- |
| 1.0 | Council (COU 18-2/28) | 18/04/2018 | 22/05/2018 | New policy. |
| 1.1 | Council (COU/22-1/14) | 16/02/2022 | 16/02/2022 | Changes and updates to reflect portfolio realignment under Fit for 2027 project and new policy ownership. |
| 2.0 | Council (COU/22-3/58) | 15/06/2022 | 22/06/2022 | Policy changes and updates resulting from a scheduled review. |
| 2.1 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 24/11/2022 | 05/12/2022 | Minor change to reflect new position title of General Counsel and Executive Director, Risk and Compliance. |
| 2.2 | Director, Governance Support (Delegation 3.14.1) | 10/10/2023 | 12/10/2023 | Update to reflect role and responsibilities of Director, Risk. |
References
Audit and Risk Committee Charter (available at Audit and Risk Committee)
International Organisation for Standardisation: ISO 31000:2018, Risk management — Guidelines
Risk Management Procedure (SharePoint)
Strategic Risk Assessment for Academic Board (available at Academic Board documents)