
Risk Management Policy


Approved on: Sept 10, 2001 by: Senate - Resolution S/76/2001
Last Amended: n/a by: n/a

PREAMBLE

Risk Management is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within the Murdoch University environment.

Risk is inherent in all academic, administrative and business activities. Every member of the University community continuously manages risk. Formal and systematic approaches to managing risk have evolved and they are now regarded as good management practice. As a consequence Murdoch University acknowledges that the adoption of a strategic and formal approach to risk management will improve decision-making, enhance outcomes and accountability.

The aim of this policy is not to eliminate risk but rather to manage the risks involved in all University activities so as to maximise opportunities and minimise adversity. Effective risk management requires:

  • A strategic focus,

  • Forward thinking and active approaches to management,

  • Balance between the cost of managing risk and the anticipated benefits, and

  • Contingency planning in the event that mission critical threats are realised.

Risk management also provides a system for the setting of priorities when there are competing demands on limited resources.

SCOPE

This policy is not intended to duplicate existing formal and documented risk management processes. The policy is to apply to Divisions, Schools and Offices (DSO) who do not currently have formal risk management processes in place and who wish to undertake significant activities within the course of their business. Routine activities are excluded from this policy unless mandated by other policies. Examples of significant activities include, inter alia:

  • contracting (whether for goods, services or research) with a consideration in excess of $50,000;

  • academic consulting through the University or Unico;

  • capital procurement including strategic IT initiatives;

  • outsourcing, partnering or shared service arrangements of functions;

  • new academic offerings whether onshore or offshore;

  • community events held on University property or those sponsored by the University;

  • undertaking University business in public places;

  • cooperative research agreements and arrangements with third parties;

  • major fundraising activities; and

  • IP commercialisation projects.

KEY DEFINITIONS

Risk management definitions can be found in the definitions section of the Standards Australia risk management standard, AS/NZS 4360:1999 - Risk Management. The key definitions for this policy follow:

  • Risk

The chance of something happening that will have an impact on the achievement of the University’s objectives. Risk is measured in terms of consequences and likelihood.

  • Risk Assessment

The overall process of risk analysis and evaluation. This is the shaded component of the schematic diagram on page 3 of this policy.

  • Risk Management

The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within the University environment.

  • Risk Management Process

The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.

POLICY STATEMENT

Murdoch University will maintain procedures to provide the University with a systematic view of the risks faced in the course of our academic, administrative and business activities. Where appropriate these procedures will be consistent with the Standards Australia risk management standard, AS/NZS 4360:1999 - Risk Management. This will require the University to:

  • Establish a context. This is the strategic, organisational and risk management context against which the rest of the risk management process in the University will take place. Criteria against which risk will be evaluated should be established and the structure of the risk analysis defined.

  • Identify Risks. This is the identification of what, why and how events arise as the basis for further analysis.

  • Analyse Risks. This is the determination of existing controls and the analysis of risks in terms of the consequence and likelihood in the context of those controls. The analysis should consider the range of potential consequences and how likely those consequences are to occur. Consequence and likelihood are combined to produce an estimated level of risk.

  • Evaluate Risks. This is a comparison of estimated risk levels against pre-established criteria. This enables risks to be ranked and prioritised.

  • Treat Risks. For higher priority risks, the University is required to develop and implement specific risk management plans including funding considerations. Lower priority risks may be accepted and monitored.

  • Monitor and Review. This is the oversight and review of the risk management system and any changes that might affect it. Monitoring and reviewing occurs concurrently throughout the risk management process.

  • Communication and Consultation. Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.

Schematically, the risk management process is depicted in the following diagram:

RESPONSIBILITY FOR RISK MANAGEMENT

General

Every staff member of the University is responsible for the effective management of risk including the identification of potential risks. Management (both academic and generalist) is responsible for the development of risk mitigation plans and the implementation of risk reduction strategies. Risk management processes should be integrated with other planning processes and management activities.

There is legislation in place for the management of specific risks such as Occupational Health and Safety, Equal Opportunity and Research Ethics. The Risk Management policy does not relieve the University’s responsibility to comply with other legislation. Training and facilitation will, in the first instance, be the responsibility of the Office of Internal Audit/Risk Manager in conjunction with the Office of Human Resources.

Vice Chancellor

The Vice-Chancellor is accountable for ensuring that a risk management system is established, implemented and maintained in accord with this policy. Assignment of responsibilities in relation to risk management is the prerogative of the Vice Chancellor.

Audit Committee

The Audit Committee will be accountable for the oversight of the processes for the identification and assessment of the general risk spectrum, reviewing the outcomes of risk management processes, and for advising the Senate as necessary.

Senior Executives

Senior Executives are accountable for strategic risk management within areas under their control including the devolution of the risk management process to operational managers. Collectively the Senior Executive Advisory Committee (SEAC) is responsible for:

  • The formal identification of strategic risks that impact upon the University’s mission;

  • Allocation of priorities;

  • The development of strategic risk management plans; and

SEAC will review progress against agreed risk management plans and will communicate this to the Audit Committee and to the University.

Executive Deans, Office Heads, Heads of Schools and Heads of Research Centres and Institutes

Executive Deans, Office Heads, Heads of Schools and Heads of Research Centres and Institutes are accountable to the Vice Chancellor via their line manager for:

  • Implementation of this policy within their respective areas of responsibility;

  • Annual reporting on the status of the risk register, insofar as it impacts on their respective responsibilities, as part of the annual planning and review cycle;

  • Ongoing maintenance of the risk register insofar as it impacts on their respective responsibilities; and

  • Ensuring compliance with risk assessment procedures.

Director Finance and Chief Financial Officer

In addition to the functions as an Office Head, this officer will be accountable for the University insurance portfolio and will ensure that a risk management plan is completed for each commercial venture. Advice will be sought, as required, from the Director Internal Audit/Risk Manager on risk management issues in relation to these matters.

Director Human Resources

In addition to the functions as an Office Head, this officer will remain accountable for the occupational health and safety and workers compensation portfolio, procedures and administration. Advice will be sought, as required, from the Director Internal Audit/Risk Manager on risk management issues in relation to these matters.

Director Internal Audit/Risk Manager

The Director Internal Audit/Risk Manager will be accountable through the Audit Committee for the implementation of this policy in key areas of the University, maintaining a programme for risk reassessment and Risk Registers for the University. Key areas will flow from the risk management plan developed by SEAC. The Director Internal Audit/Risk Manager will provide advice to the relevant Directors on risk management matters pertaining to the University Insurance portfolio and to occupational health and safety and workers’ compensation issues.

ANNEXURES

A. Generic Sources of Risk and Their Areas of Impact.

B. Risk Definition and Classification.

C. Risk Treatment Options.

D. Risk Management Documentation.

APPROVED BY SENATE RESOLUTION 2001/XX DATED DD/MMM/2001


ANNEX A TO

RISK MANAGEMENT POLICY

APPROVED BY SENATE RESOLUTION

XXX/01 DATED


GENERIC SOURCES OF RISK AND THEIR AREAS OF IMPACT.

Identifying sources of risk and areas of impact provides a framework for risk identification and analysis. A generic list of sources and impacts will focus risk identification activities and contribute to more effective risk management.

Generic Sources of Risk

Each generic source has numerous components, any of which can give rise to a risk. Generic sources of risk include:

  • Commercial and Legal Relationships including but not limited to contractual risk, product liability, professional liability and public liability.

  • Economic Circumstances. These can include such sources as currency fluctuations, interest rate changes, taxation and changes in fiscal policy.

  • Human Behaviour such as riots, strikes, sabotage.

  • Natural Events. These can include fire, water damage, earthquakes, vermin, disease and contamination.

  • Political Circumstances such as legislative changes or changes in government policy that may influence other sources of risk.

  • Technology and Technical Issues. Examples of this include innovation, obsolescence and reliability.

  • Management Activity and Control such as poor safety management, the absence of control and inadequate security.

  • Individual Activity including misappropriation of funds, fraud, vandalism, illegal entry, information misappropriation and human error.

In most instances a risk source will be under the control of the DSO conducting or accountable for an activity or function. In some instances (and these are entirely circumstance driven) the risk may be spread across DSO or even outside of the University. If this is the case then the relevant parties should be consulted during the risk assessment process.

Areas of Impact

A source of risk may impact on one area only or on several areas. Areas of impact include:

  • Asset and resource base including personnel,

  • Revenue and entitlements,

  • Costs both direct and indirect,

  • People,

  • The community,

  • Performance,

  • Timing and schedule of activities,

  • The environment,

  • Intangibles such as reputation, goodwill and the quality of life, and

  • Organisational behaviour.

Risk Identification Template

The following is an example of a risk identification template. Rows are the generic sources of risk, columns are the areas of impact, and a tick marks the areas of impact typically affected by each source.

Activity: ______________________________________________________________

Source of risk                | Assets | Revenue | Cost | People | Community | Performance | Timing | Environment | Intangibles | Org
------------------------------|--------|---------|------|--------|-----------|-------------|--------|-------------|-------------|----
Commercial and Legal          |   ✓    |    ✓    |  ✓   |        |           |      ✓      |   ✓    |             |             |
Economic                      |        |         |  ✓   |        |           |             |        |             |             |
Human Behaviour               |        |         |  ✓   |   ✓    |           |      ✓      |        |             |      ✓      |  ✓
Natural Events                |        |         |      |        |           |             |        |      ✓      |             |
Political                     |        |         |      |        |     ✓     |             |   ✓    |             |             |  ✓
Technology                    |   ✓    |         |  ✓   |        |           |      ✓      |        |             |             |  ✓
Management Activity & Control |        |         |  ✓   |   ✓    |           |             |   ✓    |             |             |  ✓
Individual Activity           |        |         |  ✓   |   ✓    |           |             |        |             |      ✓      |  ✓

Relevant Notes:

ANNEX B TO

RISK MANAGEMENT POLICY

APPROVED BY SENATE RESOLUTION

XXX/01 DATED

RISK DEFINITION AND CLASSIFICATION

Where possible, DSO should use quantitative data and risk expressions to measure likelihood and impact of any identified risks. In some circumstances this may not be possible nor efficient or effective. Therefore a qualitative approach is acceptable. An example of a qualitative approach follows.

Likelihood

Level | Descriptor     | Description
------|----------------|--------------------------------------------
A     | Almost certain | Is expected to occur in most circumstances
B     | Likely         | Will probably occur in most circumstances
C     | Possible       | Might occur at some time
D     | Unlikely       | Could occur at some time
E     | Rare           | May occur only in exceptional circumstances

Impact

Level | Descriptor    | Example Detail Description
------|---------------|-----------------------------------------------------------------------------------------------------------
1     | Insignificant | Low financial loss, no disruption to capability, no impact on community standing.
2     | Minor         | Medium financial loss, minor disruption to capability, minor impact on community standing.
3     | Moderate      | High financial loss, some ongoing disruption to capability, modest impact on community standing.
4     | Major         | Major financial loss, ongoing disruption to capability, major impact on community standing.
5     | Catastrophic  | Mission critical financial loss, permanent disruption to capability, and ruinous impact on community standing.

Qualitative Risk Analysis Matrix – Level of Risk

For each component of the activity subject to a risk analysis, DSO should evaluate the likelihood and consequences as per the matrix below.

Rows are the likelihood levels and columns are the consequence (impact) levels defined above; each cell gives the resulting level of risk.

Likelihood         | Consequences 1 (Insignificant) | 2 (Minor) | 3 (Moderate) | 4 (Major) | 5 (Catastrophic)
-------------------|--------------------------------|-----------|--------------|-----------|-----------------
A (almost certain) | H                              | H         | E            | E         | E
B (likely)         | M                              | H         | H            | E         | E
C (moderate)       | L                              | M         | H            | E         | E
D (unlikely)       | L                              | L         | M            | H         | E
E (rare)           | L                              | L         | M            | H         | H

Legend

E: Extreme risk; Immediate action required.

H: High risk; Senior Management (SEAC/OCG members) attention needed.

M: Moderate risk; Management (Head of School/Office) responsibility must be specified.

L: Low risk; Manage by routine procedures.


ANNEX C TO

RISK MANAGEMENT POLICY

APPROVED BY SENATE RESOLUTION

XXX/01 DATED

RISK TREATMENT OPTIONS

Actions to Reduce or Control Likelihood

These can include but are not limited to:

i. Review and compliance programmes;

ii. Contract conditions;

iii. Formal reviews of requirements, specifications, design, engineering and operations;

iv. Inspection and process controls;

v. Investment and portfolio management;

vi. Project management;

vii. Preventative maintenance;

viii. Quality assurance, management and standards;

ix. Research and development; technological development;

x. Structured training and other programmes;

xi. Effective governance processes;

xii. Strategic, operational and tactical planning processes;

xiii. Supervision;

xiv. Testing;

xv. Organisational arrangements; and

xvi. Technical controls.

Procedures to Reduce or Control Consequences

These can include but are not limited to:

i. Contingency planning;

ii. Contractual arrangements;

iii. Contract conditions;

iv. Design Features;

v. Business continuity and disaster recovery plans;

vi. Engineering and structural barriers;

vii. Fraud control planning;

viii. Minimising exposure to sources of risk;

ix. Portfolio planning;

x. Pricing policy and controls;

xi. Separation or relocation of activities and resources;

xii. Succession planning;

xiii. Insurance;

xiv. Public Relations; and

xv. Ex Gratia Payments.


ANNEX D TO

RISK MANAGEMENT POLICY

APPROVED BY SENATE RESOLUTION

XXX/01 DATED

RISK MANAGEMENT DOCUMENTATION

To manage risk properly, appropriate documentation is required.

The staff members conducting or accountable for the activity shall in the first instance conduct the risk assessment and complete the documentation. The risk assessment and documentation is to be reviewed and accepted by the manager or next in line supervisor of the area conducting or accountable for the activity. Where technical expertise or central authority is required, the risk assessment will also be reviewed and countersigned by that party.

DSO are required to maintain risk registers insofar as risks impact on their respective responsibilities. Information from these registers is to be given to the Director Internal Audit/Risk Manager who will develop and maintain a University wide risk register. As a minimum, the risk register, treatment schedule and action plan will be maintained. Specimens of these documents follow and they will be made available in electronic format.

For each risk identified, a risk register records:

i. Source;

ii. Nature;

iii. Existing controls;

iv. Consequences and likelihood;

v. Initial risk rating; and

vi. Vulnerability to external or internal factors.

A risk treatment and action plan documents the managerial controls to be adopted and contains the following information:

i. Who has responsibility for the implementation of the plan;

ii. What resources are to be used;

iii. Budget allocations;

iv. Implementation timetables;

v. Details of the control mechanism; and

vi. Frequency of review of compliance with the treatment plan.

An electronic version of the documentation is available on CWIS at URL http://www.murdoch.edu.au/admin/policies/risk.html

RESPONSIBILITIES:
Custodian Director, Office of Internal Audit and Risk Management
Monitoring Officer Andrew Burchfield, Director, Office of Internal Audit and Risk Management
Information Contact Andrew Burchfield, Director, Office of Internal Audit and Risk Management

RELATED PUBLICATIONS / POLICIES: