Corporate Risk Management Rule


1. Corporate Risk Management at the University
   1.1 Types of Corporate Risk
   1.2 Corporate Risk Appetite Statement
2. Scope, Roles and Responsibilities
   2.1 Scope of the Corporate Risk Management
   2.2 Role of the Council of the University of New England
   2.3 Role of the Audit & Risk Committee of Council
   2.4 Role of the Vice-Chancellor & CEO
   2.5 Role of Executive or Management Responsible for a Function or Business Unit
   2.6 Role of Project Owners
   2.7 Role of the Audit & Risk Directorate
3. Corporate Risk Management Principles
   3.1 Application of Good Judgement
   3.2 Mandated Corporate Risk Management Language
   3.3 Key Information You Need to Know First
       What are the Objectives?
       What is Our Corporate Risk Appetite Approach for the Objective?
       What Strategy Are We Using to Achieve the Objective?
       How Will Communication and Consultation Occur?
       How Will Corporate Risk Information Be Updated?
4. Corporate Risk Identification and Assessment
   4.1 Step One: Identify Corporate Risks
       What Are the Corporate Risks to Our Objectives?
   4.2 Step Two: Identify Existing Controls
       Information Required for Describing an Existing Control
   4.3 Step Three: Assess Control Performance and Level of Corporate Risk Exposure
       Rating an Existing Control's Performance
       Rating the Performance of the Overall Control Environment
       Rating the Likelihood of a Corporate Risk Occurring
       Rating the Impact of a Corporate Risk Occurring
       Identify the Level of Corporate Risk Exposure Faced by the Objective
       Evaluating Whether the Exposure to a Corporate Risk is Acceptable
   4.4 Step Four: Identifying Corporate Risk Treatments
       Promoting a Risk Treatment on Implementation and Activation
   4.5 Step Five: Communicating & Reviewing Corporate Risk Information and Exposure
       Communicating Corporate Risk Information
       Corporate Risk Management Database
       Updating Corporate Risk Information
Development and Guidance
Administration Data
Appendix 1: Mandated Corporate Risk Management Language
Appendix 2: Corporate Risk Documentation Templates
   Corporate Risk Assessment
   Corporate Risk Assessment - Proposed Treatments to Reduce Future Risk Exposure
   Corporate Risk Governance Report
   Corporate Risk Register Log of Key Dates
Appendix 3: Authority, Responsibility and Communication Guides
   Guide to Identifying Authority & Responsibility
   An Example of Assigned Authority & Responsibility
   Guide to the Flow of Corporate Risk Communication
Appendix 4: Project - Corporate Risk Management Cheat Sheet
Appendix 5: Corporate Risk Identification and Assessment Process Map
   Step One: Identify Corporate Risks
   Step Two: Identify Existing Controls
   Step Three: Assess Control Performance and Level of Corporate Risk Exposure
   Step Four: Identifying Corporate Risk Treatments
   Step Five: Review Corporate Risk Information and Exposure
Appendix 6: Glossary of Corporate Risk Management Terms

Page 1 of 44

1. Corporate Risk Management at the University

When we work to achieve an objective we don't always get the results we expect. The goal of corporate risk management is to increase our ability to succeed by managing the implications of uncertainty on our efforts. Uncertainty results from deficiencies in our information, knowledge or understanding regarding our strategy for achieving an objective. Corporate risk management processes reduce or contain uncertainty by risk assessing our strategies and communicating the findings.

1.1 Types of Corporate Risk

Three types of corporate risk have been identified for the University. Corporate risk types relate to the type of University objective being risk assessed.

Type One - Corporate Strategic Risk: Corporate strategic risks are risks to the achievement of the University's strategic objectives. These risks are directly related to the strategic priorities, directions and targets set out in the University of New England's strategic plan. Corporate strategic risks are identified and managed by the Vice-Chancellor & CEO in consultation with the Senior Executive and Council.

Type Two - Corporate Operational Risk: Corporate operational risks are risks to the achievement of the University's operational objectives. These risks are directly related to the operational priorities and targets for the University's business units (this includes Schools, Directorates, Departments, Centres and Institutes). Corporate operational risks are identified and managed by the Executive or Manager in charge of the business unit in consultation with business unit staff.

Type Three - Corporate Project Risk: Corporate project risks are risks to the achievement of the University's project objectives. These risks are directly related to the purpose, objectives and benefits of a project as set out in the project business case and/or plan. Corporate project risks are identified and managed by the Project Owner in consultation with the Project Manager and key stakeholders.

NOTE: Hazard risk management is not covered under this framework. Workplace Health, Safety and Wellbeing risk management processes for the elimination or minimisation of hazards are managed under a separate University policy and framework. For guidance on WHS contact the Work Health and Safety Representative (WHSR) for your area, or the UNE Health and Safety Consultant within Human Resource Services.

1.2 Corporate Risk Appetite Statement

The purpose of the corporate risk appetite statement is to express the University's attitude towards its exposure or vulnerability to corporate risk. It defines the amount of risk the University will willingly expose itself to in pursuit of an organisational objective. The University's appetite for exposure is correlated with the influence an objective has on the overall success of the University, as well as the University's willingness to push boundaries to achieve the objective.

Approach One - Risk averse approach to achieving a vital objective: The University deems achieving this objective vital for its operation. The impact of not achieving this objective will be a reduction in the University's current performance. All reasonable effort is to be made by UNE representatives to ensure this objective is prioritised and achieved in full. In carrying out the strategy required to achieve this objective, the University is willing to accept minimally controlled exposure to low levels of corporate risk.

The following is required for corporate risks with a medium risk exposure level or above that will impact on achieving an objective that has a risk averse approach:
- Detail on the corporate risk, and monitoring of our exposure to it, is to be communicated through the Audit & Risk Directorate to the Vice-Chancellor & CEO and Council;
- The control environment for the corporate risk is to be rigorously enforced and monitored; and
- Where feasible, corporate risk treatments to further reduce the University's future exposure to the corporate risk are to be identified, implemented and activated.

Approach Two - Balanced approach to achieving a sustainable growth objective: The University deems achieving this objective important for the sustainability of the University. Not achieving this objective will constrain or make stagnant the University's growth towards a sustainable operational outcome. All reasonable effort is to be made by UNE representatives to ensure this objective is achieved. In carrying out the strategy required to achieve this objective, the University is willing to accept minimally controlled exposure to medium levels of corporate risk.

The following is required for corporate risks with a high risk exposure level or above that will impact on achieving an objective that has a balanced approach:
- Detail on the corporate risk, and monitoring of our exposure to it, is to be communicated through the Audit & Risk Directorate to the Vice-Chancellor & CEO and Council;
- The control environment for the corporate risk is to be enforced and monitored; and
- Corporate risk treatments to further reduce the University's future exposure to the risk are to be investigated. Where operational constraints allow, the University should implement and activate treatments that will significantly enhance the existing control environment.

Approach Three - Positive risk taking approach to achieving a competitive objective: The University deems achieving this objective important for the University's competitive edge. Not achieving this objective will impede the University's competitive growth in the higher education sector. All reasonable effort is to be made by UNE representatives to enable this objective to be achieved. In carrying out the strategy required to achieve this objective, the University is willing to accept minimally controlled exposure to medium levels of corporate risk.

The following is required for corporate risks with a high risk exposure level or above that will impact on achieving an objective that has a positive risk taking approach:
- Detail on the corporate risk, and monitoring of our exposure to it, is to be communicated through the Audit & Risk Directorate to the Vice-Chancellor & CEO and Council; and
- The control environment for the corporate risk is to be enforced and monitored.

2. Scope, Roles and Responsibilities

2.1 Scope of the Corporate Risk Management

All UNE representatives are to comply with the corporate risk management rule. The UNE representative responsible for the management of a UNE function or business unit, or for the realisation of project objectives, is responsible for identifying, managing and communicating the corporate risks to the objectives of that function, business unit or project. UNE representatives involved in identifying and managing corporate risks are to do so in accordance with the corporate risk management framework. The framework allows UNE representatives to practise good judgement in tailoring the application of the framework's guidance to fit all University functions. Where the framework mandates that a specific practice or language be adhered to, this is clearly stated.

2.2 Role of the Council of the University of New England

The Council of the University of New England (Council) oversees the management and assessment of corporate risk across the University. Council has the function of approving the corporate risk management rule, and monitoring its associated framework, as a system of control and accountability for the University. This is in accordance with the University of New England Act.

Council's responsibilities

Approve:
- Corporate risk management rule;
- Corporate risk appetite statement; and
- Register of corporate strategic risks.

Monitor:
- Corporate strategic risks;
- Significant corporate operational risks;
- Significant corporate project risks; and
- Application and administration of the corporate risk management rule and framework.

2.3 Role of the Audit & Risk Committee of Council

The Audit and Risk Committee of Council acts on behalf of Council in reviewing the University's corporate risk management, and reports its findings to Council.

Audit & Risk Committee responsibilities

Review and report findings to Council on:
- Corporate strategic risks;
- Significant corporate operational risks;
- Significant corporate project risks; and
- Application and administration of the corporate risk management rule and framework.

Review and endorse to Council for approval:
- Corporate risk management rule;
- Corporate risk appetite statement; and
- Register of corporate strategic risks.

Review and endorse to the Director ARD for approval:
- Corporate risk management framework.

2.4 Role of the Vice-Chancellor & CEO

The Vice-Chancellor & CEO has responsibility for the implementation of corporate risk management practices across the University, and for ensuring significant risks are communicated and responded to.

Vice-Chancellor & CEO's responsibilities

Identify, Monitor & Communicate:
- Corporate risks to the University's strategic objectives (strategic risks);
- The corporate risk appetite approach to each strategic objective and associated strategic risks; and
- The control environment for each strategic risk.
This should be done in consultation with the Senior Executive and Council, and with the support of the Audit & Risk Directorate.

Ensure:
- Approval of the corporate risk management rule & framework;
- Council oversight of the management and assessment of corporate risk across the University;
- Adherence to the corporate risk management rule by UNE representatives;
- Application of the corporate risk management framework by UNE representatives; and
- Provision of corporate risk management administration and guidance across the University by the Audit & Risk Directorate.

2.5 Role of Executive or Management Responsible for a Function or Business Unit

The Executive or Management in charge of a University function or business unit (including Schools, Directorates, Departments, Centres and Institutes) is responsible for the management of the risks to the operational objectives of that function or business unit.

Executive & Management responsibilities

Identify, Monitor & Communicate:
- Corporate risks to the operational objectives they have authority over (operational risks);
- The corporate risk appetite approach to each operational objective and associated operational risks; and
- The control environment for each operational risk.
This should be done in consultation with function or business unit staff, and with the support of the Audit & Risk Directorate.

Ensure:
- Application of the corporate risk management framework within their area of management responsibility.

2.6 Role of Project Owners

Project Owners have responsibility for the management of risks to the realisation of the project objectives they have authority over.

Project Owners' responsibilities

Identify, Monitor & Communicate:
- Corporate risks to the project objectives they have authority over (project risks);
- The corporate risk appetite approach to each project objective and associated project risks; and
- The control environment for each project risk.
This should be done in consultation with the Project Manager and key stakeholders, and with the support of the Audit & Risk Directorate.

2.7 Role of the Audit & Risk Directorate

The Audit and Risk Directorate has responsibility for administering, and providing guidance on, the corporate risk management rule, framework and practices, as a system of control and accountability for the University.

Audit & Risk Directorate's responsibilities

Develop, administer & provide guidance on:
- Corporate risk management rule;
- Corporate risk management framework; and
- General management and assessment of corporate risk across the University.

Monitor and report to the Vice-Chancellor & CEO and Council on:
- The University's management and assessment of corporate risk;
- Corporate strategic risks;
- Significant corporate operational risks; and
- Significant corporate project risks.

3. Corporate Risk Management Principles

The corporate risk management framework is based on the International Organization for Standardization (ISO) standard for risk management: ISO 31000:2009 Risk Management - Principles and guidelines. This framework's processes and procedures follow the risk management methodology outlined below:

Communication and consultation
- UNE wide consultation on the Corporate Risk Management Rule
- ARC endorsement and Council approval of the Corporate Risk Management Rule
- ARC and VC & CEO endorsement and Director ARD approval of the Corporate Risk Management Framework
- Senior Executive and VC & CEO consultation on the Corporate Risk Appetite Statement
- ARC endorsement and Council approval of the Corporate Risk Appetite Statement
- VC & CEO identification of, and Senior Executive consultation on, strategic risks
- ARC endorsement and Council approval of strategic risks

Establishing the context
- Corporate Risk Management
- Corporate Risk Appetite Statement

Risk assessment
- Risk identification: Step 1: Identify corporate risks
- Risk analysis: Step 2: Identify existing controls
- Risk evaluation: Step 3: Assess control performance and risk ratings

Risk treatment
- Step 4: Identify corporate risk treatments

Monitoring and review
- Step 5: Review corporate risk information and exposure
- Regular monitoring of risks to University objectives by staff responsible for achieving those objectives
- Regular monitoring of existing controls and treatments by staff responsible for the controlling measure
- Project Owner and Project Control Board review of project risks
- Executive and Management review of operational risks
- VC & CEO, ARC and Council review of strategic risks
- ARD review of corporate risks
- ARD review of the Corporate Risk Management Rule & Framework

ARC = Audit & Risk Committee of Council
ARD = Audit & Risk Directorate

3.1 Application of Good Judgement

The corporate risk management framework allows UNE representatives to practise good judgement in tailoring the application of the framework. This acknowledges that the purpose of corporate risk management is to enhance, rather than obstruct, our ability to achieve objectives. Good judgement is to be used to ensure the following are in proportion to the University's efforts to achieve the associated objective:
- The complexity and extent of the corporate risk management needed; and
- The appropriate performance required from the control environment.

3.2 Mandated Corporate Risk Management Language

To ensure consistency and avoid confusion when describing corporate risks to the University, many of the terms used in this framework are mandated. When applying risk management in their role, UNE representatives must adhere to the mandated language where mandated language is specified. Below is a summary of the mandated language:

Identifying Corporate Risks
- Corporate Risk Types: Strategic; Operational; Project
- Corporate Risk Appetite Approaches: Risk averse; Balanced; Positive risk taking

Identifying and Assessing the Control Environment for a Corporate Risk
- Types of Controlling Measures: Existing control; Risk treatment
- Types of Existing Controls: Rule procedure; Policy procedure; Business unit process; Ad hoc process; Monitoring process; Review process; Benchmarking
- Control Performance Ratings: Effective; Sound; Minimal; Unsatisfactory; Non-existent

Assessing the Level of Corporate Risk Exposure
- Corporate Risk Likelihood Ratings: Almost Certain; Likely; Possible; Unlikely; Almost Never
- Corporate Risk Impact Ratings: Severe; Major; Moderate; Minor; Insignificant
- Corporate Risk Exposure Levels: Critical; High; Medium; Low; Very Low
- Corporate Risk Evaluation Ratings: Acceptable; Unacceptable

Implementation and Activation of Corporate Risk Treatments
- Indicator of Treatment's Purpose: Enhance; Avoid; Share
- Indicator of Treatment Status: Promoted; As Planned; Delayed; Off Track; Not Started; No Status

Reporting on the Review of Corporate Risk Exposure
- Trend in Our Exposure to the Corporate Risk: Increased exposure; Decreasing exposure; Is occurring; No change; Initial Assessment

3.3 Key Information You Need to Know First

Before beginning to identify the corporate risks to our objectives, there is key information you need to know first. This information defines the objectives, gives context to the environment in which we work, and influences what you identify as risks.

What are the Objectives?

To identify corporate risks you need a clear understanding of the objectives we are working to achieve. Objectives should already be identified within organisational planning documents. If this is not the case, you will need to consult with colleagues to define the agreed objectives for your function, business unit or project. Take the time to consider whether each objective is clearly stated. If the objective is obscure, clarify the meaning of the objective before proceeding. Objectives should be identified in the following organisational planning documents:
- Strategic objectives: The University's targets for achieving strategic priorities and direction, as stated in the strategic plan;
- Operational objectives: Operational targets for business units to achieve within a planning cycle, as stated in business unit operational plans and annual budget planning; and
- Project objectives: Aim or purpose of a project as stated in the project business case and/or plan.

What is Our Corporate Risk Appetite Approach for the Objective?

Each organisational objective is to be coupled with a corporate risk appetite approach to achieving the objective. Apply good judgement in assessing whether achieving the objective is:
- Vital for continued operation at UNE's current performance level. If so, a risk averse approach is required in implementing our strategy for achieving the objective;
- Important for growth towards a sustainable operational outcome for UNE. If so, a balanced approach is required in implementing our strategy for achieving the objective; or
- Important for UNE's growth towards a competitive advantage in the higher education sector. If so, a positive risk taking approach is required in implementing our strategy for achieving the objective.

What Strategy Are We Using to Achieve the Objective?

There is usually more than one way to achieve an objective; the method we choose to take forms our strategy. This strategy will reflect the operational constraints we are working within, a set of outcomes that define our objective, and our plan to accomplish these outcomes. Corporate risks arise from the implications of our chosen strategy. Knowing our strategy for achieving an objective allows you to identify the risks that strategy exposes our objectives to.

How Will Communication and Consultation Occur?

Risk, being the effect of uncertainty, results from deficiencies in our information and understanding. For corporate risk management to be successful in influencing decision making, risk information needs to be communicated in a timely and effective manner. Knowing in advance what you need to communicate influences how much detail your risk documentation needs to collect. Knowing in advance who needs to be involved in decision making, and who needs to be informed, sets your consultation and communication priorities. Deciding how you will communicate and consult impacts the level of influence your risk management information has on decision making. Communication and consultation need to follow these basic principles:
- Communicate risk information when it is most relevant;
- Communicate simply, in common language, and abstain from the use of professional jargon;
- Present the most important information first; and
- Communicate openly to keep all stakeholders informed.

How Will Corporate Risk Information Be Updated?

Exposure to corporate risk is never stagnant. Progress towards an objective, and changes in our operating environment, will change our objectives' exposure to risk. To capture important changes in our risk exposure, you will need to periodically monitor existing control performance and review risk exposure levels. Corporate risk monitoring and review should focus on:
- Identifying changing exposure to, and management priority of, existing risks;
- Identifying newly emerging risks;
- Ensuring existing controls are operating and performing as expected; and
- Detecting changes that influence the feasibility of proposed risk treatments.
Updates to corporate risk information from monitoring and review should be recorded and reported, as appropriate, to all stakeholders.

4. Corporate Risk Identification and Assessment

This framework section (Section 4) and the process map in Appendix 5 have been developed to guide you through the process of corporate risk identification and assessment. A brief project risk management guide has been included in Appendix 4. The corporate risk identification and assessment process is broken down into the following 5 steps:
- Step 1. Identifying corporate risks to the achievement of a University objective;
- Step 2. Identifying measures that are currently in place to control our exposure to a risk;
- Step 3. Providing an assessment of the amount of exposure we face from a risk;
- Step 4. Identifying plans to conduct work that will reduce our future exposure to a risk; and
- Step 5. Reviewing corporate risk information so that it is of ongoing benefit to decision making.

4.1 Step One: Identify Corporate Risks

Corporate risks are the effect of our uncertainty about how to manage events or changes which have implications on our ability to achieve objectives. We may not be able to influence or stop an event or change occurring, but we can dictate how we react to that event or change.

What Are the Corporate Risks to Our Objectives?

It is easy to confuse a corporate risk's cause or consequence for the risk itself. To reduce this confusion, establish a risk's cause and consequences at the same time as you identify the risk. Given what you understand of an objective, our strategy for achieving the objective and stakeholder engagement, identify the following:
- What is an event or change that has the potential to have large implications on our ability to achieve this objective? Generally there is a corporate risk associated with every event or change you identify that has the potential to have large implications on our ability to achieve an objective.
- What is responsible for producing this event or change? This is the cause of the corporate risk;
- What are the consequences of this event or change occurring that we want to avoid? These are the consequences of the corporate risk; and
- What effect does not knowing whether we can appropriately manage the implications of this event or change have on our ability to achieve this objective? This is the corporate risk.

4.2 Step Two: Identify Existing Controls

Measures for controlling corporate risk take two distinct forms: existing controls or risk treatments.
- Existing controls reduce or contain our current exposure to a corporate risk;
- Risk treatments are potential measures for the future management of risk exposure (see section 4.4).

Only existing controls reduce or contain how exposed the University is to a corporate risk. In order to understand the extent of our vulnerability, existing controls need to be identified and assessed. This is vital information for determining how exposed our objective is, and is essential in identifying which risk treatments will be most beneficial.

Existing controls are defined as measures that are in place and actively modifying (reducing or containing) the University's exposure to the corporate risk you are associating the control with.
- If a control is in the planning, implementation or testing phase (not fully active), it is not an existing control; and/or
- If a control is active in modifying a related risk, but is not directly involved in actively modifying exposure to the corporate risk you are associating it with, it is not an existing control on that risk.

Existing controls can include procedures, practices, processes, technology, techniques, methods, or devices that modify the University's exposure to a corporate risk.

Information Required for Describing an Existing Control

Different existing controls may be known by the same name. In order to distinguish the correct control from others, sufficient information needs to be collected to form a unique identifier for each control. The information used for describing an existing control is as follows:
- Name of the existing control: The title the control is known by;
- Type of existing control: The type of function the control performs (see Types of Existing Controls);
- Document reference: A published control's document name and record reference number;
- Authority over the control: Business area that administers and enforces the control; and
- Responsibility for the control: Position responsible for applying the control to the corporate risk.

Not all existing controls have published documentation. Published documentation refers to documented guidance that is known by, and readily accessible to, those who are to apply the control.

Types of Existing Controls

Rule procedure: Documented procedure under an approved Council Rule.

Policy procedure: Documented procedure under an approved Vice-Chancellor Policy, or documented procedure under an approved Academic Board Policy.

Business unit control: Business unit controls are measures that are pre-defined and have procedural reference documentation. NOTE: Business unit controls are measures for the conduct of operations within the set annual business unit budget and staffing allocation.

Ad hoc control: Ad hoc business unit controls are measures that are not pre-defined and have no procedural reference documentation. NOTE: Ad hoc business unit controls are measures for the conduct of operations within the set annual business unit budget and staffing allocation.

Monitoring process: Documented process for monitoring a business activity during the conduct of that activity. NOTE: Monitoring processes that are defined in the procedures under a Rule or Policy should be identified for control type purposes as a Monitoring process.

Review process: Documented process for the review of a business activity after the completion of that activity. NOTE: Review processes that are defined in the procedures under a Rule or Policy should be identified for control type purposes as a Review process.

Benchmarking: Survey of UNE business activity performance measured against similar assumed or known industry performance.

4.3 Step Three: Assess Control Performance and Level of Corporate Risk Exposure

The University's exposure to a corporate risk is influenced by the risk's existing controls. A control's purpose is to reduce or contain the most significant aspects of our risk exposure. The most efficient controls manage our exposure to the consequences we want to avoid that arise from a risk occurring.

Rating an Existing Control's Performance

Before assigning a rating to the performance of an existing control, use your knowledge of the control and good judgement to determine:
- Is the existing control appropriate for its purpose in managing this risk? To determine if a control is appropriate you will need to establish whether the control has the capacity to reduce or contain the consequences that we want to avoid to an amount we think is suitable, given the effort and cost of applying the control.
- How well is the control currently performing its purpose, relative to its potential to perform its purpose at UNE? The input a control receives and the way a control is executed will influence its maximum potential capacity to function. When assessing how well a control is performing, assess its current performance compared to its maximum capacity to perform within the University's operating environment.

Once you have decided how appropriate an existing control is, and you have assessed the control's performance, assign the control a performance rating:

Control Performance Ratings

Effective: The existing control is appropriate for the corporate risk, and is achieving the majority of its intended capacity to modify exposure to the corporate risk.

Sound: The existing control is appropriate for the corporate risk, and is achieving some of its intended capacity to modify exposure to the corporate risk. NOTE: The existing control has the capacity to perform better. Corporate risk treatments should be targeted at increasing the control's capacity.

Minimal: The existing control is not currently appropriate for the corporate risk, or is only achieving a small amount of its intended capacity to modify exposure to the corporate risk. NOTE: The existing control requires alteration to perform better. Corporate risk treatments should be targeted at re-engineering the control into a more appropriate controlling measure.

Unsatisfactory: The existing control is inappropriate for the corporate risk. NOTE: The existing control should be removed from this risk's control environment. Corporate risk treatments should be targeted at replacing the control with more appropriate controlling measures.

Non-existent: No existing controls are in place to modify our exposure to the corporate risk. NOTE: Used as an assessment of the overall existing control environment only. NOTE: Corporate risk treatments should be targeted at implementing and activating appropriate controlling measures.

Rating the Performance of the Overall Control Environment

The control environment is the cumulative influence of all existing controls on our exposure to a corporate risk. This singular assessment is used to communicate the status of a corporate risk's overall control environment for evaluation and reporting purposes. Using good judgement and your knowledge of the existing controls, assign a single overall control performance rating to the risk's control environment (see section 4.3.1). This control environment performance rating should be based on the performance of the most important or most relied on controls,

15 as well as being an average rating of all controls. If there are no identifiable existing controls for a corporate risk, the control environment is non-existent and receives a rating of non-existent. Rating the Likelihood of a Corporate Risk Occurring The likelihood of a corporate risk reflects the potential frequency of the corporate risk occurring. To determine the likelihood you need an understanding of what s influencing the University s exposure to the risk. These influences will come from: The predominance of the cause of the corporate risk. (see section 4.1.1) Is the University experiencing an increase or decrease in the prevalence of this cause, or is it always present? Does experiencing the cause, always lead to the corporate risk occurring or only sometimes? and The University s existing control environment s ability to prevent the corporate risk occurring. (See sections 4.2 and 4.3.1) Do any of the existing controls influence or stop the cause, or the risk, from occurring? How well are these preventative controls performing their purpose? Assign a likelihood rating to the risk based on the predominance of the risk s cause, and the ability of the risk s control environment to prevent the risk occurring: Corporate Risk Likelihood Ratings Rating Almost Certain Likely Possible Unlikely Almost Never Definition This corporate risk is being actualised or it is expected to occur in the current control environment: Multiple times within a 12 month period; or More than 80% of the time. In the current control environment the corporate risk is expected to occur: Once within a 12 month period; or 61% 80% of the time. In the current control environment the corporate risk will probably occur: Within a 5 year period; or 31% 60% of the time. In the current control environment the corporate risk may occur: Within a 10 year period; or 5% 30% of the time. In the current control environment the corporate risk will only occur in exceptional or unforeseen circumstances. 
Rating the Impact of a Corporate Risk Occurring

A corporate risk's impact is the effect on the objective of the consequences, should the corporate risk occur. To determine the impact rating you need an understanding of the objective's vulnerability to the effect of the risk's consequences:

What will experiencing the consequences mean for the University's ability to achieve the objective? (See section 4.1.1.)

Do any of the existing controls soften the blow to the objective from the consequences of the risk occurring? (See sections 4.2 and 4.3.1.)

Assign an impact rating to the corporate risk based on the vulnerability of the objective to the effect of the consequences, and the ability of the existing controls to soften the consequences' effect:

Corporate Risk Impact Ratings

Severe: The impact from the consequences of the corporate risk, if they were to occur, would result in the objective being unachievable.

Major: The impact from the consequences of the corporate risk, if they were to occur, would render a significant proportion, or component, of the objective unachievable.

Moderate: The impact from the consequences of the corporate risk, if they were to occur, would significantly obstruct our ability to achieve the objective.

Minor: The impact from the consequences of the corporate risk, if they were to occur, would significantly delay or impair our ability to achieve the objective.

Insignificant: The impact from the consequences of the corporate risk, if they were to occur, can be managed by the University so as not to impede the achievement of the objective.

Identify the Level of Corporate Risk Exposure Faced by the Objective

The exposure level provides an indicator of a corporate risk's influence on the University's ability to achieve its objective. As a risk increases in potential frequency or effect, the magnitude of the University's exposure to the corporate risk increases.

[Figure: Corporate Risk Exposure Heat Map, plotting likelihood rating against impact rating; not reproduced here.]

Identify the level of risk exposure an objective faces from a corporate risk by plotting the risk's likelihood and impact ratings on the set matrix (see the likelihood rating section and section 4.3.4). The intersection of the likelihood column and the impact row indicates the risk exposure level:

Matrix of Corporate Risk Exposure Levels (impact rows, likelihood columns)

Impact \ Likelihood   Almost Never   Unlikely   Possible   Likely     Almost Certain
Severe                High           High       High       Critical   Critical
Major                 Medium         Medium     High       High       Critical
Moderate              Low            Medium     Medium     High       High
Minor                 Low            Low        Low        Medium     Medium
Insignificant         Very Low       Very Low   Low        Low        Low

Evaluating Whether the Exposure to a Corporate Risk is Acceptable

Whether a corporate risk is acceptable or unacceptable depends on the University's perception of its current ability to manage the risk. As a rule, accepting the risk means finding the current circumstances acceptable; not accepting the risk indicates that the University needs to improve the current situation. Factors that affect whether a corporate risk is deemed acceptable or unacceptable include:

The corporate risk appetite approach assigned to achieving the objective being risk assessed;

The level of risk exposure the University objective has to the corporate risk (this is dependent on the performance of the risk's control environment); and

The strategy for achieving the objective, including the influence of operational constraints.

Using good judgement and your knowledge of the objective being risk assessed, provide a corporate risk evaluation rating for the risk:

Corporate Risk Evaluation Ratings

Acceptable: The current level of exposure the objective faces from the corporate risk is acceptable, or manageable within current standard business operations. Either:
  The current level of exposure to the corporate risk is acceptable with regard to the corporate risk appetite approach to the objective; or
  The University has made an educated decision to accept the burden of the current exposure to our objective from the corporate risk.
Risk treatments do not need to be applied to the risk. The control environment should be enforced and monitored, and changes in our exposure to the risk communicated.

Unacceptable: The University's ability to achieve its objective is unacceptably exposed to the influence of the corporate risk, and our current management of the risk needs to be improved. Either:
  The current level of exposure the objective faces to the corporate risk is unacceptable given the corporate risk appetite approach to the objective; or
  The University needs to act to reduce our objective's future exposure to the corporate risk to enable the objective to be achieved.
Risk treatments should be applied, in line with resource allocation, to reduce the objective's future exposure to this risk. Where treatments cannot be applied, a full explanation of why this is the case needs to be provided. The control environment should be enforced and monitored, and changes in our exposure to the risk communicated.

4.4 Step Four: Identifying Corporate Risk Treatments

Not all corporate risks need risk treatment. Treatments are proposed measures, undergoing development, implementation or activation, which once in place will reduce or contain our future exposure to a risk. Risk treatments address deficiencies in the University's current ability to manage risk; if no changes are needed in our management of a risk, no treatments are needed. Where treatments are needed, they are to be identified, monitored and reported alongside (but separately from) a risk's existing controls.

Treatments should be targeted to make the largest possible difference to our risk exposure, given the effort and cost of applying the treatment. A treatment's target should reflect the cause of the corporate risk, the performance of the risk's existing control environment, and the University's ability to influence both.

Information used to document risk treatments is as follows:

Name of the risk treatment: The title the treatment is known by.

Purpose: The purpose of the treatment, and how the treatment is to accomplish this purpose. This framework provides rating-based indicators for a treatment's purpose (Indicator of Treatment Purpose). Detail on how the treatment will go about changing the control environment, or the cause of a risk, should also be documented.

Approvals: Statement of whether all approvals needed to develop, implement and activate the treatment have been officially provided / received (indicator of Yes, No or Partially).

Funding: Statement of whether all funding needed to develop, implement and activate the treatment has been officially allocated to the treatment (indicator of Yes, No or Partially).

Due date: The timeframe in which the treatment is expected to be implemented and activated.

Status: The status of progress towards treatment implementation and activation (Indicator of Treatment Status).

Authority over the treatment: The business area that is implementing and will activate the treatment.

Responsibility for the treatment: The position responsible for aligning the treatment's purpose with reducing our future exposure to the corporate risk.

Indicator of Treatment Purpose

Enhance existing controls: An enhancement to the control environment's performance, to further reduce the likelihood or impact of the consequences we want to avoid. The prevailing circumstances are such that:
  The current level of exposure to this risk is deemed unacceptable; and
  It is a more efficient use of resources to enhance the corporate risk's control environment than to change strategy to avoid the cause of the risk; and
  Operational constraints allow for the enhancement of the control environment for this corporate risk.

Avoid a cause: Changing strategy to avoid the cause of the corporate risk and remove our objective's exposure to the impact of the consequences occurring. The prevailing circumstances are such that:
  The current level of exposure to this risk is deemed unacceptable; and
  It is a more efficient use of resources to change strategy and avoid the cause of the corporate risk than to enhance the risk's control environment; and
  Operational constraints will allow for implementation of an alternative strategy for achieving the objective which avoids the cause of this risk.

Share the impact from a consequence: Sharing the burden of the consequences' impact with another party or parties (for example by contract or insurance). The prevailing circumstances are such that:
  The current level of exposure to this risk is deemed unacceptable; and
  It is a more efficient use of resources to share the burden of the consequences' impact than to change strategy or apply other enhancements to the risk's control environment; and
  Operational constraints will allow for corporate risk sharing to be applied.

Indicator of Treatment Status

Promoted: The treatment is implemented, activated and is modifying our exposure to the corporate risk.

As Planned: Progress towards implementation and activation of the corporate risk treatment is on track as planned.

Delayed: There is a delay in implementing or activating the corporate risk treatment. The delay is being addressed, and the treatment is expected to be implemented and activated in full at a later time than originally planned.

Off Track: Large setbacks have occurred in the implementation or activation of the corporate risk treatment, or a significant component of the treatment is not likely to be implemented or activated.

Not Started: As planned, implementation of the corporate risk treatment has yet to commence.

No Status: No status update has been provided on this corporate risk treatment.

Promoting a Risk Treatment on Implementation and Activation

Once an enhancing or sharing treatment has been implemented and is active, it is absorbed into the corporate risk's existing control environment. Where a treatment's purpose was to improve an existing control, it may increase the existing control's performance rating. If its purpose was to form a new control, the new control is to be added to the risk's existing controls.

Where a treatment's purpose is to avoid the cause of a risk, the treatment could change the corporate risks faced by the University. This may mean the University's objectives are no longer exposed to an original risk, or that the consequences of a risk occurring may be significantly different.

Regardless of the purpose of a risk treatment, a treatment's implementation, activation and promotion should prompt a corporate risk review.

4.5 Step Five: Communicating & Reviewing Corporate Risk Information and Exposure

For corporate risk management to fulfil its purpose in benefiting decision making, up-to-date risk information needs to be available to the decision makers. To achieve this, risk information needs to be communicated and updated in a timely and effective manner. A guide to the flow of corporate risk communication is available in Appendix 3 of this framework.

Communicating Corporate Risk Information

Corporate risk information is best communicated using a table-based risk report accompanied by a brief executive summary. All corporate risk reports at the University must use the Mandated Corporate Risk Management Language prescribed in this framework (see section 3.2 or Appendix 1). Communication should reflect the objective being assessed and the nature of the risk faced by the University. Significant risks faced by University objectives, whether strategic, operational or project, are to be reported through the Audit & Risk Committee to the University Council (see sections 2.2 & 2.3).
Reporting of corporate risks to the University's key governance committees (University Council and Council Committees, or the Academic Board and Academic Board Committees) must:

Be in the form of the mandated Corporate Risk Governance Report (see Appendix 2), or be generated from the Corporate Risk Management Database;

Be backed up by a corporate risk assessment (see the optional template in Appendix 2), which may be requested by the Committee or Committee Secretariat;

Use the Mandated Corporate Risk Management Language prescribed in this framework (see section 3.2 or Appendix 1); and

Where information required for the mandated Corporate Risk Governance Report is unknown or unassessed, leave the associated report fields blank.

Corporate Risk Management Database

The corporate risk management database houses key corporate risk management data for aggregated management and reporting purposes. The database does not replicate the corporate risk management process; it is used to document the outcomes of the process rather than replace it. For advice on using the Corporate Risk Management Database contact the Audit & Risk Directorate (ARD) at risk.mgt@une.edu.au.

Updating Corporate Risk Information

A review of corporate risk information should:

Follow on from changes that have influenced or impacted the objective, corporate risk, existing controls or treatments;

Precede and inform the review of strategic, operational or project objectives; and / or

Precede and inform significant strategic, operational or project decision making.

Corporate risk reviews need to capture important changes in risk exposure and reflect the results of existing control and risk treatment monitoring. Corporate risk monitoring and review should focus on:

Identifying changing exposure of objectives, and the management priority of existing risks;

Identifying newly emerging risks;

Ensuring existing controls are operating and performing as expected; and

Detecting changes that influence the feasibility of proposed risk treatments.

Once a review of corporate risk information has been conducted, the outcome of the review is to be communicated. Risk review reports should indicate the trend the University is experiencing in its risk exposure. Trends are a reflection of changes that have influenced a corporate risk since it was last reported. This will include the University's changing ability to manage each risk as well as significant changes in external forces.

Trend in Our Exposure to a Corporate Risk

Increasing Exposure (symbol*: Wingdings character 241, red): Our exposure to the corporate risk has increased since it was last reported.

Decreasing Exposure (symbol*: Wingdings character 242, green): Our exposure to the corporate risk has decreased since it was last reported.

Is Occurring (symbol*: Wingdings character 171, red): This corporate risk has been actualised and is a live issue for the University.

No Change (symbol*: Wingdings character 243, black): Our exposure to the corporate risk has not changed since it was last reported.

Initial Assessment (symbol*: Wingdings character 159, black): This is the first report on a new addition to the corporate risk register.

* The language used in the Trend in Our Exposure to a Corporate Risk table is mandatory, but use of the symbols is not. If you use the symbols for reporting purposes, the report must include a legend that aligns each symbol to the mandated trend term. An example of such a legend is provided below (the symbol glyphs themselves are not reproduced here):

Symbol     Trend in Our Exposure to a Corporate Risk
[symbol]   Increasing Exposure
[symbol]   Decreasing Exposure
[symbol]   Is Occurring
[symbol]   No Change
[symbol]   Initial Assessment

5. Development and Guidance

The Audit & Risk Directorate (ARD) continually advances the University's corporate risk management towards a mature and business-appropriate process. ARD works with business units and University representatives to tailor application of the corporate risk management framework to suit the needs


Response from the Department of Treasury, Western Australia, to the Productivity Commission s Draft Report Regulatory Impact Analysis: Benchmarking Response from the Department of Treasury, Western Australia, to the Productivity Commission s Draft Report Regulatory Impact Analysis: Benchmarking Context Regulatory Impact Assessment (RIA) began in Western

More information

Risk Management Guide

Risk Management Guide Risk Management Guide A Higher Education Institution (HEI) can face a multitude of risks. It is inescapable and is relevant to ask what is the risk of doing X? but also to question what is the risk if

More information

Risk Management. Group Standard

Risk Management. Group Standard Group Standard Risk Management Effective risk management allows Serco to improve customer service, maximize opportunities and reduce business loss from overruns and cost from risks that materialise SMS

More information

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide RISK BASED AUDITING: A VALUE ADD PROPOSITION Participant Guide About This Course About This Course Adding Value for Risk-based Auditing Seminar Description In this seminar, we will focus on: The foundation

More information

IESBA Staff Questions and Answers Implementing The Code Of Ethics

IESBA Staff Questions and Answers Implementing The Code Of Ethics IESBA Staff Questions and Answers Implementing The Code Of Ethics December 2010 This Questions and Answers (Q&A) publication is issued by the staff of the International Ethics Standards Board for Accountants

More information

Lauren Sundararajan, CFE, Internal Audit Manager

Lauren Sundararajan, CFE, Internal Audit Manager Interdepartmental Correspondence Sheet Date: June 17, 2016 To: From: Copies to: Subject: Harry Black, City Manager Lauren Sundararajan, CFE, Internal Audit Manager Internal Audit Committee Reginald Zeno,

More information

Sound Transit Internal Audit Report - No. 2014-3

Sound Transit Internal Audit Report - No. 2014-3 Sound Transit Internal Audit Report - No. 2014-3 IT Project Management Report Date: Dec. 26, 2014 Table of Contents Page Background 2 Audit Approach and Methodology 2 Summary of Results 4 Findings & Management

More information

University of Glasgow. Policy for. Business Continuity Management

University of Glasgow. Policy for. Business Continuity Management University of Glasgow Policy for Business Continuity Management 1 Policy Statement The University of Glasgow is committed to delivering the highest possible quality of service to our students, and the

More information

Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF)

Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF) Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF) Technical Guideline Audit and Inspection Version 2.0 February 2012 Table of Contents 1. Introduction... 3 2. Definitions... 3 3. Internal Audit... 3 3.1

More information

Enterprise Risk Management: Concepts & Issues

Enterprise Risk Management: Concepts & Issues Enterprise Risk Management: Concepts & Issues Jacques Lapointe Internal Audit, Management Board Secretariat November 2003 1 The Basic Concept of Risk Management The active process of identifying risks,

More information

Risk/Issue Management Plan

Risk/Issue Management Plan Risk/Issue Management Plan Centralized Revenue Opportunity System November 2014 Version 2.0 This page intentionally left blank Table of Contents 1. Overview... 3 1.1 Purpose... 3 1.2 Scope... 3 2. Roles

More information

Solvency II Data audit report guidance. March 2012

Solvency II Data audit report guidance. March 2012 Solvency II Data audit report guidance March 2012 Contents Page Introduction Purpose of the Data Audit Report 3 Report Format and Submission 3 Ownership and Independence 4 Scope and Content Scope of the

More information

Good Governance Guide. www.accs.ie. Risk Management in Community and Comprehensive Schools

Good Governance Guide. www.accs.ie. Risk Management in Community and Comprehensive Schools www.accs.ie Cumann na Scoileanna Pobail is Cuimsitheacha Association of Community and Comprehensive Schools Risk Management in Community and Comprehensive Schools Good Governance Guide 2013 Association

More information

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper august09 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper Preface Corporate governance - which refers broadly to the processes

More information

TOOL. Project Progress Report

TOOL. Project Progress Report Purpose TOOL SUMMARY: LOGFRAME CHEAT SHEET The purpose of the is to compile information from the analysis done by project participants, partners and LWR country staff about the progress or advances the

More information

PERCEPTION OF BASIS OF SHE AND SHE RISK MANAGEMENT

PERCEPTION OF BASIS OF SHE AND SHE RISK MANAGEMENT PERCEPTION OF BASIS OF SHE AND SHE RISK MANAGEMENT Per Berg and Roger Preston Safety Section, Global SHE, AstraZeneca INTRODUCTION After the merger between the two pharmaceutical companies Astra and Zeneca

More information

Enterprise Risk Management: From Theory to Practice

Enterprise Risk Management: From Theory to Practice INSURANCE Enterprise Risk Management: From Theory to Practice KPMG LLP Executive Summary Enterprise Risk Management (ERM) is a structured and disciplined business tool aligning strategy, processes, people,

More information

SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT

SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT Through CGIAR Financial Guideline No 3 Auditing Guidelines Manual the CGIAR has adopted the IIA Definition of internal auditing

More information

SEMS/NIMS MANAGEMENT SYSTEM REVISED SEPTEMBER 2007

SEMS/NIMS MANAGEMENT SYSTEM REVISED SEPTEMBER 2007 SEMS/NIMS MANAGEMENT SYSTEM REVISED SEPTEMBER 2007 SEMS/NIMS - SYSTEM (ICS) is the model tool for command, control, and coordination of a response and provides a means to coordinate the efforts of individual

More information

Clinical Risk Management: Agile Development Implementation Guidance

Clinical Risk Management: Agile Development Implementation Guidance Document filename: Directorate / Programme Document Reference NPFIT-FNT-TO-TOCLNSA-1306.02 CRM Agile Development Implementation Guidance v1.0 Solution Design Standards and Assurance Project Clinical Risk

More information

RISK MANAGEMENT POLICY (Revised October 2015)

RISK MANAGEMENT POLICY (Revised October 2015) UNIVERSITY OF LEICESTER RISK MANAGEMENT POLICY (Revised October 2015) 1. This risk management policy ( the policy ) forms part of the University s internal control and corporate governance arrangements.

More information

Risk Management Policy Adopted by:

Risk Management Policy Adopted by: Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009

More information

Quality Assurance. Policy P7

Quality Assurance. Policy P7 Quality Assurance Policy P7 Table of Content Quality assurance... 3 IIA Australia quality assurance and professional standards... 3 Quality assurance and professional qualifications... 4 Quality assurance

More information

Insurance management policy and guidelines. for general government sector, September 2007

Insurance management policy and guidelines. for general government sector, September 2007 Insurance management policy and guidelines for general government sector September 2007 i Contents 1. Introduction... 2 2. Identifying risk is the first step... 2 3. What is risk?... 2 4. Insurance is

More information

EB-2010-0379 Report of the Board

EB-2010-0379 Report of the Board EB-2010-0379 Report of the Board Performance Measurement for Electricity Distributors: A Scorecard Approach March 5, 2014 intentionally blank Executive Summary The s (the Board ) Renewed Regulatory Framework

More information

IT Services Risk Management Strategy

IT Services Risk Management Strategy Prepared by: DOCUMENT CONTROL Change Control Table Version Amendment Description Release Date 1.00 Initial Draft Reviewed by DIB 16.01.14 Updated by 1.00 Approved by IT Lead

More information

UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT. Purpose of the guide... 2

UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT. Purpose of the guide... 2 UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT Purpose of the guide... 2 Risk Management The Basics... 2 What is Risk Management?... 2 Applying Risk Management... 2 The Use of Risk Registers in Risk Management...

More information

Privacy Management Program Toolkit Health Custodians Personal Health Information Act

Privacy Management Program Toolkit Health Custodians Personal Health Information Act Office of the Information and Privacy Commissioner for Nova Scotia Privacy Management Program Toolkit Health Custodians Personal Health Information Act Introduction: This toolkit was prepared by the Information

More information

REGULATIONS ON OPERATIONAL RISK MANAGEMENT OF THE BUDAPEST STOCK EXCHANGE LTD.

REGULATIONS ON OPERATIONAL RISK MANAGEMENT OF THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON OPERATIONAL RISK MANAGEMENT OF THE BUDAPEST STOCK EXCHANGE LTD. Date and number of approval/modification by the Board of Directors: 36/2010 September 15, 2010 No. and date of approval by

More information

Section 2 - Key Account Management - Core Skills - Critical Success Factors in the Transition to KAM

Section 2 - Key Account Management - Core Skills - Critical Success Factors in the Transition to KAM Section 2 - Key Account Management - Core Skills - Critical Success Factors in the Transition to KAM 1. This presentation looks at the Core skills required in Key Account Management and the Critical Success

More information

Principles for An. Effective Risk Appetite Framework

Principles for An. Effective Risk Appetite Framework Principles for An Effective Risk Appetite Framework 18 November 2013 Table of Contents Page I. Introduction... 1 II. Key definitions... 2 III. Principles... 3 1. Risk appetite framework... 3 1.1 An effective

More information

The Lowitja Institute Risk Management Plan

The Lowitja Institute Risk Management Plan The Lowitja Institute Risk Management Plan 1. PURPOSE This Plan provides instructions to management and staff for the implementation of consistent risk management practices throughout the Lowitja Institute

More information

GUIDELINES FOR PILOT INTERVENTIONS. www.ewaproject.eu ewa@gencat.cat

GUIDELINES FOR PILOT INTERVENTIONS. www.ewaproject.eu ewa@gencat.cat GUIDELINES FOR PILOT INTERVENTIONS www.ewaproject.eu ewa@gencat.cat Project Lead: GENCAT CONTENTS A Introduction 2 1 Purpose of the Document 2 2 Background and Context 2 3 Overview of the Pilot Interventions

More information

Risk Management Strategy 2014-2017

Risk Management Strategy 2014-2017 Appendix 1 London Fire and Emergency Planning Authority London Fire Brigade Risk Management Strategy 2014-2017 Our Risk Management Strategy, together with our underpinning risk management framework and

More information

RE: PCAOB Rulemaking Docket Matter No. 041: Concept Release on Audit Quality Indicators

RE: PCAOB Rulemaking Docket Matter No. 041: Concept Release on Audit Quality Indicators Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, DC 20006-2803 September 29, 2015 RE: PCAOB Rulemaking Docket Matter No. 041: Concept Release on Audit Quality

More information

Risk Management in the HSE; An Information Handbook

Risk Management in the HSE; An Information Handbook Risk Management in the HSE; An Information Handbook Document reference number Revision number OQR011 Revision date October 2011 Review date Document developed by 5 Document approved by October 2013 Responsibility

More information

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Linking Risk Management to Business Strategy, Processes, Operations and Reporting Linking Risk Management to Business Strategy, Processes, Operations and Reporting Financial Management Institute of Canada February 17 th, 2010 KPMG LLP Agenda 1. Leading Practice Risk Management Principles

More information

Security Management. Security is taken for granted until something goes wrong.

Security Management. Security is taken for granted until something goes wrong. Security Management Security Management Security is taken for granted until something goes wrong. Concerns about security have existed for as long as has mankind. The most obvious manifestation of this

More information

Risk Management Framework

Risk Management Framework Risk Management Framework THIS PAGE INTENTIONALLY LEFT BLANK Foreword The South Australian Government Risk Management Policy Statement 2009 advocates that consistent and systematic application of risk

More information

University of Edinburgh Risk Policy and Risk Appetite

University of Edinburgh Risk Policy and Risk Appetite University of Edinburgh Risk Policy and Risk Appetite 1. Pushing the boundaries of knowledge, innovating, and implementing strategic developments will always have risks. Effective risk management increases

More information

Project organisation and establishing a programme management office

Project organisation and establishing a programme management office PROJECT ADVISORY Project organisation and establishing a programme office Leadership Series 1 kpmg.com/nz About the Leadership Series KPMG s Leadership Series is targeted towards owners of major capital

More information

Blank Project Management Templates. Saving Time! Saving Money! Saving Stress!

Blank Project Management Templates. Saving Time! Saving Money! Saving Stress! www.projectagency.co.uk Blank Project Management Templates Saving Time! Saving Money! Saving Stress! Please feel free to copy any of the attached documents. You can alter any of them to suit the needs

More information

Internal Audit Manual

Internal Audit Manual Internal Audit Manual Version 1.0 AUDIT AND EVALUATION SECTOR AUDIT AND ASSURANCE SERVICES BRANCH INDIAN AND NORTHERN AFFAIRS CANADA April 25, 2008 #933907 Acknowledgements The Institute of Internal Auditors

More information

Proposed withdrawal of the Charities SORP (FRSSE) and other matters impacting on charity accounts RESPONSE FROM ICAS TO THE CHARITIES SORP-MAKING BODY

Proposed withdrawal of the Charities SORP (FRSSE) and other matters impacting on charity accounts RESPONSE FROM ICAS TO THE CHARITIES SORP-MAKING BODY Proposed withdrawal of the Charities SORP (FRSSE) and other matters impacting on charity accounts RESPONSE FROM ICAS TO THE CHARITIES SORP-MAKING BODY 17 September 2015 CA House 21 Haymarket Yards Edinburgh

More information

Corporate Social Responsibility and Reporting in Denmark:

Corporate Social Responsibility and Reporting in Denmark: Corporate Social Responsibility and Reporting in Denmark: Impact of the third year subject to the legal requirements for reporting on CSR in the Danish Financial Statements Act Foreword The impact of

More information

Risk Management Strategy 2014-2017

Risk Management Strategy 2014-2017 Management Strategy 2014-2017 1. Policy Statement 2. Statement of Commitment 3. Our Approach 4. Management Principles 5. Appetite Statement 6. Maturity 7. Management Levels 8. Escalation 9. Management

More information

Office of the Chief Information Officer

Office of the Chief Information Officer Office of the Chief Information Officer Business Plan: 2012 2015 Department / Ministère: Executive Council Date: November 15, 2012 1 P a g e This Page Left Intentionally Blank 2 P a g e Contents The Business

More information

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy Reference No: CG 01 Version: Version 1 Approval date 18 December 2013 Date ratified: 18 December 2013 Name of Author

More information

PROPOSAL TO DEVELOP AN EMPLOYEE ENGAGEMENT PROGRAMME

PROPOSAL TO DEVELOP AN EMPLOYEE ENGAGEMENT PROGRAMME PROPOSAL TO DEVELOP AN EMPLOYEE ENGAGEMENT PROGRAMME DEFINITIONS OF ENGAGEMENT The concept of employee engagement has received growing interest recently, with a range of research into what engagement is

More information

High level principles for risk management

High level principles for risk management 16 February 2010 High level principles for risk management Background and introduction 1. In their declaration of 15 November 2008, the G-20 leaders stated that regulators should develop enhanced guidance

More information

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Proposed guidance for firms outsourcing to the cloud and other third-party IT services Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is

More information