ANU RISK MANAGEMENT ONLINE GUIDE

ANU RISK MANAGEMENT ONLINE GUIDE November 2020 CGRO Version 1.0


Table of Contents

RISK MANAGEMENT PROCESS – DETAILED STEPS
Step 1: Establish the context
Step 2: Identify the risks
Step 3: Analyse the risk
Step 4: Evaluate the risk
Step 5: Treat the risk
Document the risk treatment plan
Implement agreed treatments
Assess the level of residual risk
Monitoring and review
Communication and Consultation
ANU Risk Categories
ANU Risk Matrix
SDZ User Guide: Navigating the Risk Workspace
ANU Risk Assessment Template
ANU Risk Appetite Statement 2020-21

RISK MANAGEMENT GUIDE OVERVIEW

What is the purpose of the Guide?

The guide provides practical guidance for risk assessment and mitigation in the day-to-day operations of the Colleges, Schools, Service Divisions, Controlled Entities and third-party collaborators, so that they comply with the University’s Risk Management Policy and Enterprise Risk Management Framework (ERMF) requirements.

Who is the Guide for?

The guide is for all Australian National University staff, Visiting and Honorary Appointments (VaHA), volunteers, affiliates, students, contractors, controlled entities and persons authorised to undertake University-related business.

What is in the Guide?

The guide:

• Explains how to apply the 4 stages of risk assessment, with detailed steps outlining each stage;
• Explains how to rate a risk;
• Provides examples of risk considerations;
• Provides risk assessment templates;
• Explains how to use the SDZ online risk module to record and update risks;
• Provides links to legislation and best practices.

How should the Guide be used?

Users can click on the chapter names in the index document to access a specific chapter. The chapters are divided into sections so that end-users can search for the topics of specific interest to them.

Do I need to comply with the Guide?

Yes, the guide must be complied with to meet minimum risk management requirements.

However, the University values innovative initiatives, and will support processes at the local area that demonstrate improved implementation of the University’s ERMF.

Who maintains the Guide?

The guide is maintained by the Corporate Governance and Risk Office (CGRO) and is reviewed every three years, in line with the review of the Risk Management Policy. Please email [email protected] with any queries relating to the guide.

RISK MANAGEMENT PROCESS – DETAILED STEPS

To assess and review risks using the SDZ online Risk Module, you will need access. Contact your local area risk champion in the first instance to request access; alternatively, you can email [email protected]

Step 1: Establish the context

Establishing the context sets the framework within which the risk assessment is undertaken: it records why the assessment is being carried out and provides the backdrop of circumstances against which risks can be identified and assessed.

In establishing the context, stakeholders must understand the initiative and identify any internal and/or external factors that could affect the achievement of the objective.

Questions to ask when establishing the context may include:

• What is being assessed? Is it a new contract, partnership, program, project or event?

• Who are the stakeholders? Identify areas that are or might be impacted by this objective and seek their input. Ensure appropriate delegations are being exercised at this early stage.

• Is there background information? A comprehensive context is important, and therefore it may be useful to identify information that is not immediately available, such as:

o Audit reports, inspections, site visit reports
o Personal experience (of staff, students, others)
o Corporate knowledge and ‘institutional memory’
o Previous event investigations or reports
o Surveys, questionnaires and checklists
o Insurance claim reports
o Local or international experience
o Expert judgment (internal University expertise and/or external expertise)
o Committee/Working group minutes


Step 2: Identify the risks

To identify risks, a list of factors that could prevent, degrade, or delay the University, College, School, Service Division or business area from achieving its objectives must be developed.

Aim also to identify the issues associated with not pursuing an opportunity; that is, the risk of doing nothing and missing an opportunity.

‘Brainstorming’ will produce a broad range of ideas, and everything raised should be considered as a potential risk.

Risks can also be identified through other business operations including policy and procedure development, internal and external audits, customer complaints, incidents and systems analysis.

For details on how to complete the Identify Risk section in SDZ, refer to the SDZ Risk User Guide in Appendix 3.

The University’s risk category listing is a useful tool to assist with determining the appropriate category of risk when identifying risks in the SDZ online tool. Details of the ANU strategic and operational risk categories and case studies on how to identify and articulate risks are in Appendix 1.

Key questions to ask when identifying the risk:

• What might go wrong to prevent achievement of the objectives?
• Why would the risk eventuate, and what factors could cause the risk?
• What is the impact of the risk on the University or local area, i.e. does the risk have follow-on effects for other areas of the University? If so, you may need to collaborate with the areas that could be affected for a comprehensive assessment.


Step 3: Analyse the risk

In analysing the risk, determine the:

• cause of the risk and the potential consequences of the risk occurring;
• inherent risk rating, using the ANU risk matrix. The inherent risk is the raw or untreated risk: the risk inherent in a process or activity without doing anything to reduce its likelihood or consequence.

For details on how to complete the Analyse Risk section in SDZ, refer to the SDZ Risk User Guide in Appendix 3.

• Use the University Risk Matrix in Appendix 2 to determine the inherent risk rating by selecting the likelihood and consequence descriptors that are most appropriate for the risk.

• The assessment of likelihood and consequence is largely subjective, but it can be informed by data or information collected, audits, inspections, personal experience, corporate knowledge or institutional memory of previous events, insurance claims, surveys and a range of other available internal and external information.

• Likelihood: there are 5 descriptors for the likelihood of the risk occurring: rare, unlikely, possible, probable or almost certain.

• Consequence: there are 5 descriptors for the consequence or potential impact of the risk occurring: insignificant, minor, moderate, major or extreme.


Step 4: Evaluate the risk

In SDZ, this stage is embedded in the Risk Treatment section. For details on how to complete the Risk Treatment section in SDZ, refer to the SDZ Risk User Guide in Appendix 3.

Decide whether there are existing controls in place to mitigate the risk and whether the controls in place are effective.

Decide whether the risk is acceptable or unacceptable in its current state and whether further action is required to mitigate the risk.

Whether a risk is acceptable or unacceptable depends on the University’s appetite to tolerate the risk, before it is mitigated or treated, in order to achieve the desired objectives.

The University’s risk appetite statement in Appendix 5 is a guide to assist in understanding the amount of risk the University is willing to accept in order to achieve its strategic objectives.

• For controls to be considered, there needs to be evidence that measures have been implemented and are operating effectively.

• Simply referencing existing policies, procedures, delegations, legislation or training programs etc. is not a control.

In evaluating the risk, consider:

• accepting the risk and the existing controls;
• not undertaking or proceeding with the event, activity, project or initiative;
• actively treating the risk.

A risk may be acceptable or tolerable in the following circumstances:

• No treatment is available;
• Treatment costs are prohibitive (especially if the level of risk is low and does not warrant using resources to treat it);
• The opportunities involved significantly outweigh the threats.

For complex or more widespread risks, a facilitated workshop involving the Risk Office is often helpful, and using an experienced facilitator to lead the discussion may help provide another objective perspective.


Step 5: Treat the risk

In SDZ, this stage is embedded in the Risk Treatment section. For details on how to complete the Risk Treatment section in SDZ, refer to the SDZ Risk User Guide in Appendix 3.

Treating the risk involves selecting measures that either mitigate the risk or strengthen current controls. This element incorporates evaluating the options, preparing treatment/action plans and implementing those plans.

Any risk rated as high or extreme that has controls recorded as less than effective must have a treatment plan put in place. These risks need to be monitored closely and reported in accordance with the ANU Risk Management Plan in the ERMF.

• Determine whether a specific treatment is necessary or whether the risk can be adequately treated through standard day-to-day procedures and activities which already have embedded controls.

• Determine the goal in treating this risk:

o reduce the likelihood
o reduce the consequence
o transfer the risk (e.g. to an insurer or contractor), or
o avoid it completely
o accept the level of risk based on an informed decision

• Treat the risk based on the goals above.

• Determine the residual risk, which is the likelihood and consequence of the risk occurring after it has been treated.

• The residual risk rating is generally lower than the original risk rating; otherwise the treatments were not effective. The residual risk should be documented, monitored and reviewed.

If the goal is to reduce the likelihood of the risk, then you may need to adjust what is happening or might be planned:

• If it is not possible to change the approach of the project or activity, then it may be possible to take some other intervening action to mitigate the event’s occurrence or reduce the likelihood of the threat.

• Understanding the nature of the risk event and how it occurs will make it easier to identify any possible intervening actions that would operate to reduce the risk.

If the goal is to reduce the consequence or impact of the risk, then contingency plans might be required to respond to a threatening event if it occurs. This planning may be undertaken in combination with other controls.


If the goal is to share the risk with another party, such as an insurer or contractor, the arrangement should be formally recorded, whether through a contract or an agreement. Sharing the risk does not remove our obligations and does not prevent us from suffering consequential damage if something unexpected happens.

If the goal is to eliminate or avoid the risk altogether, then the options are limited to changing the project materially, choosing alternative approaches or processes that render the risk irrelevant, or abandoning the activity, partner or program. It is not often that a risk can be eliminated completely, and balance is an important part of the risk assessment exercise (please note: this does not refer to safety-type risks or hazards).

If a decision is made to accept or tolerate the risk, whether because of the low likelihood or minor consequences of the risk event, because the cost of effectively controlling the risk is unjustifiably high, or because the opportunity outweighs the risk, the decision must be documented as a record for future reference. The University acknowledges that in pursuing its strategic objectives, measured risk taking is both acceptable and appropriate.

The University’s risk appetite statement in Appendix 5 provides guidance on the acceptable level of risk to take.

Evaluate treatment options and assess their feasibility; that is, will they stop or reduce what they are meant to stop or reduce?

• Will the treatment trigger any other risks? For example, a sprinkler system installed to counter fire risk may cause water damage, presenting a different risk requiring consideration or management.

• Are the controls beneficial or cost efficient? Does the cost of implementing the treatment outweigh the cost that would flow from the risk materialising without the control?

• The cyclical process of treating a risk, deciding whether residual risk levels are tolerable and assessing the effectiveness of that treatment are all case-by-case assessments that depend on a good understanding of the risk and a focus on the end objective of the activity being assessed.

Document the risk treatment plan

Information that needs to be included in the SDZ treatment plan section includes:

• description of the selected treatment
• treatment/action owner and manager responsible for implementing the plan
• time frames for implementation
• status report on progress of the treatment

Implement agreed treatments

Once any options requiring authorisation for resourcing, funding or other actions have been approved, treatments should be implemented by those identified as responsible for doing so. The person assigned primary responsibility for the risk is ultimately accountable for the treatment of the risk.

Assess the level of residual risk

The level of residual risk refers to the likelihood and consequence of the risk occurring after the risk has been treated. The residual risk rating is generally lower than the original risk rating otherwise the treatments were not effective. The residual risk should be documented, monitored and reviewed.

For details on how to complete risk treatment in SDZ refer to the SDZ User Guide in Appendix 3.
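The rating, evaluation and treatment rules in Steps 3 to 5 can be checked mechanically against a risk register before an entry is accepted. The Python below is an added worked example written for this guide's readers; it is not the ANU guide's code and not part of the SDZ Risk Module. It takes from the text above the five likelihood and five consequence descriptors, the inherent and residual ratings, the rule that a high or extreme risk with less-than-effective controls must have a treatment plan, and the four fields a treatment plan must record. The banding of likelihood x consequence scores into low, medium, high and extreme is an assumption made here for illustration (the guide's own rating grid is a figure not reproduced in this text), and the sample register entries are constructed for the example.

```python
"""Risk register consistency checks for the analyse / evaluate / treat steps.

Added worked example; not the ANU guide's code and not the SDZ Risk Module.
From the guide: the five likelihood and five consequence descriptors, the
inherent vs residual ratings, the treatment-plan rule for high/extreme risks
with less-than-effective controls, and the four treatment-plan fields.
ASSUMED here (the guide's rating grid is a figure not reproduced in the text):
the banding of likelihood x consequence scores into low/medium/high/extreme.
"""
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "probable": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "extreme": 5}
RATINGS = ("low", "medium", "high", "extreme")  # ordered least to most severe


def rate(likelihood: str, consequence: str) -> str:
    """Map a likelihood/consequence pair to a rating band (banding is assumed)."""
    score = LIKELIHOOD[likelihood.lower()] * CONSEQUENCE[consequence.lower()]
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "extreme"


@dataclass
class TreatmentPlan:
    """The four items the guide says an SDZ treatment plan must record."""
    description: str = ""
    owner: str = ""       # treatment/action owner and responsible manager
    timeframe: str = ""   # time frames for implementation
    status: str = ""      # status report on progress

    def missing_fields(self) -> list:
        return [name for name, value in vars(self).items() if not value.strip()]


@dataclass
class Risk:
    title: str
    inherent: tuple            # (likelihood, consequence) before any controls
    residual: tuple            # (likelihood, consequence) after controls and treatment
    controls_effective: bool   # evidence that existing controls operate effectively
    plan: Optional[TreatmentPlan] = None


def review(risk: Risk) -> list:
    """Return the findings a risk champion would raise before accepting the entry."""
    findings = []
    inherent, residual = rate(*risk.inherent), rate(*risk.residual)
    # Residual is "generally" lower than inherent; anything else is a warning.
    if RATINGS.index(residual) >= RATINGS.index(inherent):
        findings.append(f"residual rating {residual} is not below inherent rating "
                        f"{inherent}: treatments may not be effective")
    # High/extreme risk with less-than-effective controls must have a complete plan
    # (read here as applying to the inherent rating).
    if inherent in ("high", "extreme") and not risk.controls_effective:
        if risk.plan is None:
            findings.append("high/extreme risk with less-than-effective controls "
                            "has no treatment plan")
        else:
            for name in risk.plan.missing_fields():
                findings.append(f"treatment plan missing field: {name}")
    return findings


# Constructed sample register (not from the guide), loosely modelled on Case Study 1.
SAMPLE = [
    Risk("Business continuity arrangements do not cover the new functions",
         inherent=("probable", "major"), residual=("unlikely", "moderate"),
         controls_effective=False,
         plan=TreatmentPlan("Extend BCP to merged functions", "Unit manager", "Q2", "")),
    Risk("Reporting deadlines missed due to higher workload",
         inherent=("possible", "minor"), residual=("possible", "minor"),
         controls_effective=True),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.title)
        for finding in review(r):
            print("  -", finding)
```

Running the file lists the findings for each entry: the first entry is rated extreme at the inherent level with ineffective controls, so its plan is checked and the blank status field is flagged; the second entry has no change between inherent and residual, which is reported as a warning rather than an error because the guide says the residual rating is "generally", not always, lower.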


Monitoring and review

Once risks have been identified, analysed, and the agreed treatments implemented, an appropriate monitoring and reporting regime needs to be established to provide assurance that the treatment has been effective and now helps to control the risk.

Some risk treatments will of course become embedded in daily practices and methods of work. Each local area is encouraged to identify a process that allows key risks within its area to be monitored and discussed at team, division, school, college, working group or committee level.

Given the diverse and dynamic nature of the University’s environment, it is important to be alert to emerging risks as well as monitoring known risks.

Colleges, Schools, Service Divisions, Business Units and Controlled Entities should:

• Ensure there is a consistent process for reviewing risks and treatments in their area of responsibility, to confirm that treatments or controls are still effective and appropriate.

• Embed risk management as an agenda item at management or committee meetings and avoid the need for separate processes.

• Identify emerging risks and changing circumstances which may result in some risks increasing or decreasing.

• Refer to the ANU Risk Management Plan in the ERMF for the review and reporting cycle.

• Use the Risk Module within SDZ, which can generate Risk Summary Reports and a dashboard summary of risks by area or portfolio. These reports, which reflect the risk profile for the area, can be used for local area reporting and to supplement formal/annual reports.


Communication and Consultation

Effective communication and consultation is essential to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and the reasons why particular treatment options are selected.

Risk management is enhanced through effective communication and consultation between management and their respective operational teams, when all parties understand each other's perspectives and, where appropriate, are actively involved in decision-making.

A collaborative and consultative team approach - through staff awareness and education sessions is more likely to:

• Help establish the context appropriately;
• Ensure the interests of all stakeholders are understood and considered;
• Ensure that risks are adequately identified;
• Bring together different areas of expertise when assessing or analysing risks;
• Ensure that different, and sometimes opposing, views are appropriately considered when defining risk criteria and in evaluating risks;
• Help secure endorsement and support for a treatment plan; and
• Enhance any change management processes associated with the risk.


ANU RISK CATEGORIES

The ANU Risk Categories are designed as high-level prompts to enable staff to select the appropriate category of risk when identifying risks in the SDZ online tool. The risk categories reflect both strategic and operational risks faced by the University. The risk categories are split across three levels: Tier 1 captures the broad areas of strategic risk, and Tier 2 and Tier 3 capture the operational risk categories. Detailed examples of how to use this tool to identify and articulate risks are provided through the two scenarios below. The examples are neither exhaustive nor prescriptive and should only be used as prompts in the identification of risks.

Case Study 1 (Restructure)

Context:

The Australian National University has restructured the business operations of the University, merging and consolidating formerly disparate functions into new business units. The unit that you lead has not changed personnel or operating budget, however, a range of additional administrative tasks that were performed elsewhere are now your responsibility.

Objective:

Your unit will continue to operate with the same staffing levels and incorporate the new processes into the business processes of your unit.

Current Status:

1) Your staff have most of the skills required to perform the new tasks, with only a few exceptions.

2) There is no additional money available in your operating budget and there is no access to discretionary funds.

3) The staff that used to perform those functions are unavailable for a formal handover or orientation/knowledge transfer process.

Case Study:

The following pages demonstrate how the ANU Risk Profile might be used to assist in the planning and development of strategies to achieve objectives by acting as a valuable reference point to identify risks and begin to develop strategies for their management.

The examples drawn out are designed to act as prompts for staff to consider the risks posed by any change in approach, including the reallocation of effort and resources in pursuit of this objective.


[Figure: AUSTRALIAN NATIONAL UNIVERSITY – RISK PROFILE (restructure). Tier 1 categories shown in the diagram: Governance (Leadership, Internal Controls, Compliance); Information Technology (Data, Security, Maintenance & Management); Research, Teaching & Learning (Research, Students); Reputation (Brand); Financial Management (Income/Funding, Expenditure); Business Administration (Business Management); Infrastructure & Assets (Site Security); People (Staff, Contractors/Visitors); External Affairs. Tier 3 prompts highlighted for this scenario: Staff Safety and Wellbeing; Benefits and Conditions; Culture and Conduct; Industrial Relations; Data Quality; Data Quantity; Business Continuity; Facilities Maintenance and Support; Organisational Structure; Business Unit Performance; Management Reporting; Culture; Change Management; Risk Framework and Policies; External Reporting.]

Risks identified from the highlighted prompts:

• There is a risk to staff safety if relevant licences are not in place and workplace training is not conducted.
• There is a risk in attracting staff if pay and conditions are not well managed.
• There is a risk that the new business unit structures fail to meet the University’s business needs and generate further inefficiencies.
• There is a risk that existing business continuity arrangements do not account for the new business functions of the unit.
• There is a risk that management reporting lines become less clear as a result of the restructure and that reporting is less effective than previously.
• There is a risk that the quality of data produced by the business unit is lessened due to increased workload.
• There is a risk that there will be industrial disputation if employment matters are not managed fairly and equitably.
• There is a risk that business unit performance is compromised due to the changes in workload and function.
• There is a risk that the current risk framework and policies do not account for the new business functions of the unit.
• There is a risk that the business unit is unable to meet reporting deadlines due to higher workload.
• There is a risk that there is insufficient data provided to the new business unit to conduct the new business functions.
• There is a risk that the culture of the new business unit is negatively impacted by the changes and does not lend itself to performing the new functions effectively.
• There is a risk that the change management arrangements of the ANU fail to take account of the changes and enterprise-wide operations are impacted.
• There is a risk that the facilities available to the newly formed business unit do not take account of the new functions and critical infrastructure is missing.
• There is a risk to culture and staff satisfaction if discriminatory and harassing conduct is not managed and eliminated.


Case Study 2 (Industry Engagement)

Context:

The Australian National University Executive has determined that the ANU should diversify and increase revenue by strengthening its ties with the private sector. This will include formal research partnerships with major corporations and industry groups.

Objective:

ANU will successfully approach three major corporations or industry groups and formalise an agreement to conduct research on behalf of, or with these entities. The University expects to generate upwards of $5m within two years and continually increase this over time.

Current Status:

1) Historically, the ANU has focused upon research grants within the public sector, with far less interaction with the private sector than competitors in other Australian capital cities.

2) The focus upon building relationships with the private sector is both to diversify revenue streams and to generate significant additional revenue for the ANU.

3) The ANU currently has few formal research relationships with private sector companies or representative entities (e.g. the Australian Chamber of Commerce and Industry, Business Council of Australia etc.).

Case Study:

In the following example, you have been tasked with developing productive and financially rewarding research opportunities with the private sector. You have been instructed to explicitly consider the risks that these changes in research partnerships will generate.

The following pages demonstrate how the ANU Risk Profile might be used to assist in the planning and development of strategies to achieve objectives by acting as a valuable reference point to identify risks and begin to develop strategies for their management.

The examples drawn out are designed to act as prompts for staff to consider the risks posed by any change in approach, including the reallocation of effort and resources in pursuit of this objective.


[Figure: AUSTRALIAN NATIONAL UNIVERSITY – RISK PROFILE (industry engagement). Tier 1 categories shown in the diagram: Governance (Leadership, Internal Controls, Compliance); Information Technology (Data, Security, Maintenance & Management); Research, Teaching & Learning (Research, Students); Reputation (Brand); Financial Management (Income/Funding, Expenditure); Business Administration (Business Management); Infrastructure & Assets (Site Security); People (Staff, Contractors/Visitors); External Affairs. Tier 3 prompts highlighted for this scenario: Stakeholder Engagement; Benefits and Conditions; International Recognition; Research Income; Diversification; Quality of Research; External Reviews and QA; Ethics; Misconduct (Research); Facilities Maintenance and Support; Intellectual Property Management; Insurance; Distribution of Funds; Organisational Structure; Culture; Change Management; Conflict of Interest; Value for Money; Cost-overruns; Reputation for postgraduate excellence.]

Risks identified from the highlighted prompts:

• There is a risk that there are insufficient established links to enable timely and effective quality assurance or external reviews.
• There is a risk that ANU lacks sufficient expertise to perform research into private sector issues with the same diligence and expertise as its public sector research.
• There is a risk that research ethics could be compromised due to the pressure to obtain funding and commence research.
• There is a risk that the University’s international reputation for very high quality research is diminished by failure or lower quality of the private sector research.
• There is a risk that newer types of research lead to conduct outside acceptable standards, or conduct not covered by current ANU standards.
• There is a risk that the ANU reputation for excellence is undermined by a shift in focus.
• There is a risk that the ANU fails to engage with the appropriate stakeholders from an unfamiliar sector.
• There is a risk that the ANU loses favour with the public sector as the research provider of choice.
• There is a risk that the current facilities and infrastructure cannot cope with increased demand for resources or are not fit for (new) purpose.
• There is a risk that new types of commercially lucrative IP are generated and insufficiently protected, and are less profitable than they could be.
• There is a risk that the ANU is unable to attract or retain academic staff with the skill sets needed for the research or education.
• There is a risk that focus upon diversification across sectors leads to insufficient diversification within sectors.
• There is a risk that the change in focus leads to a net reduction in research income for the ANU.
• There is a risk that the change in focus and increased costs lead to sub-optimal distribution of funds to other areas of the ANU in the short to medium term.
• There is a risk that the new research fails to generate enough income (directly or indirectly) to justify the expenditure upon its creation.
• There is a risk that the relatively unknown nature of the new research function leads to the unit significantly exceeding its operational budget.
• There is a risk that the current insurance arrangements at the ANU provide insufficient coverage for different types of research.
• There is a risk that the ANU forms relationships with corporate entities in which significant numbers of staff have a financial or other vested interest.
• There is a risk that the change towards a different model of research operations
• There is a risk that the organisational structure is not sufficiently set up, or flexible enough, to operate effectively and meet the needs of the new functional areas.
• There is a risk that the strong historical public sector and public good focus of the ANU generates tensions within the ANU academia.


ANU Risk Matrix

What is a risk matrix and why should you be using one?

A key part of any risk assessment is evaluating or rating the risks that have been identified, to consider whether each is acceptable and whether further treatment measures need to be put in place. A risk matrix is used to map out the severity of a risk by assessing the consequence and likelihood of it occurring.

The ANU Risk Assessment Matrix is a 5x5 grid with a range of consequence and likelihood descriptors against risk categories that would affect the University’s operations. This risk matrix is the endorsed framework for assessing risks at all levels within the University, strategic or operational.

The Project Management Risk Matrix is designed to assess the consequence and likelihood of specific risks relating to projects at the University.

Both the matrix and the accompanying definitions and escalation protocols are designed to provide staff with guidance about what to do (monitor or treat the risk) and where to escalate the risk (i.e. to the line manager or higher).

The ERMF requires a risk to be evaluated twice:

• At the inherent level, to rate the risk in its current state, before any controls are put in place;
• At the residual level, to rate the risk after controls have been implemented and additional treatment measures put in place.

The figure below describes the risk rating descriptors and mitigation action relating to each risk rating.


ANU Risk Assessment Matrix

Consequence descriptors by category of risk, from Extreme (5) to Insignificant (1):

Reputation and Brand

Extreme (5):
- Reputation and standing of the University affected nationally and internationally
- Serious public or media outcry (international coverage)
- Reputation impacted with majority of key stakeholders
- Significant breakdown in strategic and/or business partnerships
- Council attention required

Major (4):
- Embarrassment for the University, including adverse media coverage
- Significant adverse public or national media coverage
- Reputation impacted with a significant number of stakeholders
- Breakdown in strategic and/or business partnership
- VC and Executive attention required

Modest (3):
- Student and/or community concern
- Heavy local media coverage
- Reputation impacted with some stakeholders

Minimal (2):
- Issue raised by students and/or local press
- Minor adverse local public or media attention
- Reputation affected with only a small number of stakeholders

Insignificant (1):
- Little or no adverse media coverage
- Issue resolved promptly by day to day management processes
- Little or no stakeholder interest

Regulatory

Extreme (5):
- Major systemic non-conformance (including through activities contracted or third party providers) resulting in loss of TEQSA license, other key license or accreditation.
- Significant penalties or regulator sanctions.

Major (4):
- Systemic non-conformance (including through activities contracted or third party providers) resulting in suspensions or conditional licenses.
- Penalties or regulator sanctions.

Modest (3):
- Serious one-off non-conformance (including through activities contracted or third party providers) resulting in suspensions or conditional licenses.
- Minor or no penalties.

Minimal (2):
- One-off non-conformance (including through activities contracted or third party providers).
- University receives warning or other notice from regulatory authority to rectify non-conformance.

Insignificant (1):
- Minor non-conformance (including through activities contracted or third party providers) rectified internally.
- Unlikely to result in adverse regulatory response or action.

University Performance (service quality, operations, business interruption and infrastructure)

Extreme (5):
- Extreme event with potential to lead to failure of most objectives or collapse of part of the business.
- School viability threatened by loss/lack of students or loss of a significant number of research or consultancy clients.
- Disruption to services causing campus closure or key business closure for > 2 weeks (check against CMT Plan).
- Interruption to critical infrastructure services or operations for > 2 weeks.

Major (4):
- Major event that, with prioritised and focused management, will be endured.
- Service issue contributing to loss of EFSLs, course viability threatened or loss of some research and consultancy clients.
- Disruption to teaching/course schedules or key business activities for > 1 week.
- Interruption to critical infrastructure, services or operations for > 1 week.

Modest (3):
- Significant event, which needs to be managed under special circumstances.
- Service issue contributing to loss of EFSLs, or loss of research or consultancy projects.
- Disruption to a number of operational areas between 2-5 days.
- Critical service interruption not back within the agreed timeframe.

Minimal (2):
- An event, the impact of which can be absorbed through management effort.
- Service issue contributing to small loss of EFSLs or small loss of research or consultancy projects.
- Some disruption to operational activity not exceeding 2 days.
- Local interruption only, service loss to localised operations.

Insignificant (1):
- An event the impact of which can easily be absorbed through normal activity.
- Repeat theme complaints at a school level and/or one or more registered formal complaints.
- Disruption of < 1 day to lectures or research or other operational activity.
- No interruption to infrastructure services.

Financial (Strategic)

Extreme (5): Financial impact >$50M
Major (4): Financial impact >$30M and <$50M
Modest (3): Financial impact >$10M and <$30M
Minimal (2): Financial impact >$5M and <$10M
Insignificant (1): Financial impact <$1M

Financial (Operational)

Extreme (5):
- > 20% deviation from approved budget for Division, College or Research School.
- > 50% loss of research projects.

Major (4):
- 11-20% deviation from approved budget for Division, College or School.
- 30-50% loss of research projects.

Modest (3):
- 6-10% deviation from approved budget for Division, College or School.
- 10-29% loss of research projects.

Minimal (2):
- 5% deviation from approved budget for Division, College or School.
- 5-9% loss of research projects.

Insignificant (1):
- Less than 1% deviation from approved budget for Division, College or School.
- < 5% loss of research projects.

Health, Wellbeing and Safety

Extreme (5):
- Multiple fatalities
- Multiple life threatening injuries
- Multiple significant/severe irreversible disability

Major (4):
- Single fatality
- Single severe irreversible disability to one or more persons

Modest (3):
- Serious discharge of pollutant.
- Source of community annoyance within general neighbourhood that requires remedial action.

Minimal (2):
- Short term detrimental effect on the environment or social impact.
- Minor discharge of pollutants within local neighbourhood.

Insignificant (1):
- No lasting detrimental effect on the environment, i.e. harm, nuisance, noise, fumes, odour, dust emissions of short-term duration.

Likelihood descriptors, with the risk rating (score in brackets) for each consequence level from Extreme (5) to Insignificant (1):

Almost Certain (5) – Multiple over 12 months; Probability: >90%
  Extreme (25), Extreme (20), High (15), High (10), Moderate (5)

Probable (4) – Once every 12 months; Probability: 61-90%
  Extreme (20), High (16), High (12), Moderate (8), Moderate (4)

Possible (3) – Once every 1-5 years; Probability: 21-60%
  High (15), High (12), Moderate (9), Moderate (6), Low (3)

Unlikely (2) – Once every 5-10 years; Probability: 5-20%
  High (10), Moderate (8), Moderate (6), Low (4), Low (2)

Rare (1) – Occurrence: once every 20 years; Probability: <5%
  Moderate (5), Moderate (4), Low (3), Low (2), Low (1)


Project Risk Assessment Matrix

Consequence descriptors by category of risk, from Extreme (5) to Insignificant (1):

TIME

Extreme (5):
- Severe impact to schedule, and/or missed critical fixed delivery dates.
- Project halted, major delay.
- Duration increased >30%.

Major (4):
- Key milestones missed and significant delay to project delivery date.
- Timeline is behind schedule with a key date or critical task missed.
- Duration increased >10%.

Modest (3):
- Critical tasks not completed on time.
- Likely downstream impacts to project timelines and delivery dates.
- Timeline is behind schedule.
- Duration increased >5%.

Minimal (2):
- Non-critical tasks are not completed on time.
- Short delay.
- Duration increased >2%.

Insignificant (1):
- Insignificant delays, minimal impact on project timeline.
- Little or no delay.

COST

Extreme (5):
- Financial loss or budget overrun of >20% of project budget.
- Cumulative value of change requests and/or variations exceeds 50% of the budgeted project contingency.

Major (4):
- Financial loss or budget overrun of 11-20% of project budget.
- Cumulative value of change requests and/or variations exceeds 25% of the budgeted project contingency.

Modest (3):
- Financial loss or budget overrun of 6-10% of project budget.
- Cumulative value of change requests and/or variations exceeds 10% of budgeted project contingency.

Minimal (2):
- Financial loss or budget overrun of 2-5% of project budget.

Insignificant (1):
- Financial loss or budget overrun of less than 1% of project budget.

QUALITY

Extreme (5):
- Severe impacts on the quality of the product or service delivered.
- Without remediation the product is considered to be unstable and not fit for production use.

Major (4):
- Considerable impact on quality of output.
- Requires significant additional effort either during or post project to achieve acceptable levels of performance.

Modest (3):
- Moderate impact on the quality of output.
- Additional activities or cost required to remedy quality issues.

Minimal (2):
- Minor impact to the quality of the output, remedied without additional cost.

Insignificant (1):
- Insignificant impact on overall quality of product or service.
- No action required to achieve planned business outcomes.

SCOPE

Extreme (5):
- Severe impact to project deliverables with more than 2 ‘must have’ features not being delivered.
- Product or service does not deliver the key intended outcomes for the business.
- Sustained and significant loss of business efficiency.

Major (4):
- Major impact to deliverables with 1 or 2 ‘must have’ features not delivered.
- Requires significant workarounds or inability to meet needs.
- Significant loss of business efficiency.
- Numerous and/or major hazards are identified.

Modest (3):
- Moderate impact to deliverables – ‘could have’ functionality not delivered.
- Reputation damage or moderate cultural impact.
- Loss of business efficiency.

Minimal (2):
- Minor impact on deliverables, and ‘nice to have’ functionality.
- No impact to intended outcomes; some workarounds in place.
- Some adverse public reaction or cultural impact.

Insignificant (1):
- No impact on project deliverables.
- All intended outcomes are achievable.

RESOURCES

Extreme (5):
- Severe impact to approved project resources, requiring significantly more resources for an extended period of time to achieve the agreed project outcomes.

Major (4):
- Major impact to approved project resourcing, requiring multiple additional resources with an overall increase of effort.
- Insufficient adequately skilled dedicated project resources.

Modest (3):
- Moderate impact to approved project resourcing, requiring additional short-term resource and increase in overall effort.
- Insufficient adequately skilled dedicated project resources.

Minimal (2):
- Minor impact to approved project resourcing, requiring additional resource and increase in overall effort.

Insignificant (1):
- Insignificant impact to resourcing, manageable within the overall baseline for project delivery.

BENEFIT AND OUTCOMES

Extreme (5):
- Critical benefits will not be realised by the project.
- Significantly reduced probability of attaining primary objectives.
- Variation and scope changes significantly erode expected benefits.

Major (4):
- Major impact on ability to realise benefits.
- Significant additional work required to achieve benefits.
- Incidents/events/variations greatly reduce attainment of primary objectives.

Modest (3):
- Moderate impact on ability to realise benefits.
- Additional effort and manual tasks required to achieve benefits.
- Reduced likelihood of attaining primary objectives.

Minimal (2):
- Minor impact on ability to realise planned benefits.
- Some of the less fundamental benefits may not be fully realised.

Insignificant (1):
- No impact on overall ability to realise planned benefits.
- Additional effort or workarounds required to achieve the intended benefits.

CONTRACTOR RELATIONSHIP

Extreme (5): Legal recourse initiated.
Major (4): Executive intervention.
Modest (3): Resolved at senior management level.
Minimal (2): Resolved at working level.
Insignificant (1): Either party is irritated but no formal complaints.

Likelihood descriptors, with the risk rating (score in brackets) for each consequence level from Extreme (5) to Insignificant (1):

Almost Certain (5) – Multiple over 12 months; Probability: >90%
  Extreme (25), Extreme (20), High (15), High (10), Moderate (5)

Probable (4) – Once every 12 months; Probability: 51-70%
  Extreme (20), High (16), High (12), Moderate (8), Moderate (4)

Possible (3) – Once every 1-5 years; Probability: 21-50%
  High (15), High (12), Moderate (9), Moderate (6), Low (3)

Unlikely (2) – Once every 5-10 years; Probability: 5-20%
  High (10), Moderate (8), Moderate (6), Low (4), Low (2)

Rare (1) – Once every 20 years; Probability: <5%
  Moderate (5), Moderate (4), Low (3), Low (2), Low (1)


Risk Rating Descriptors and Escalation Action Requirements

Extreme (score 20-25)
Description: Risks that significantly exceed the acceptable tolerance and need urgent and immediate attention.
Action required: University Executive responsibility, immediate treatment required.
• Escalate to the responsible University Executive member immediately with a detailed treatment plan.
• Report to the Vice-Chancellor, Council and its relevant sub-committees.
• For matters relating to health, well-being and safety, activity must cease until written approval is obtained.

High (score 10-16)
Description: Risks that exceed the risk acceptance threshold and require proactive management.
Action required: College GM/Service Division Director/Head of School responsibility. Treatment required.
• Escalate to responsible management immediately with a detailed treatment plan to reduce risks to an acceptable level within 3 months.
• Report to Executive and ARMC as appropriate.
• For matters relating to health, well-being and safety, activity must cease until written approval is obtained.

Moderate (score 5-9)
Description: Risks that are within the acceptable threshold and require active monitoring.
Action required: College GM/Service Division Director/Head of School responsibility. Treatment required.
• Escalate to responsible management immediately with a detailed treatment plan to reduce risks to an acceptable level within 3-6 months.

Low (score 1-4)
Description: Risks that are below the acceptable threshold and do not require active management.
Action required: Local line management responsibility, treatment not required.
• Significant management effort should not be directed towards these risks.
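The matrix cells, the score bands and the escalation table above, as an added Python example that is not part of the ANU guide or the SDZ tool. It rates a risk by cell lookup rather than by score alone, because two printed cells (Probable × Insignificant and Rare × Major) carry a score of 4 but are rated Moderate, while the descriptor table puts a score of 4 in the Low band; the function names, the probability-to-likelihood mapping for non-integer percentages and the 75% input in the usage note are assumptions.

```python
"""Added worked example, not from the ANU guide or the SDZ tool: rating a risk
with the ANU 5x5 Risk Assessment Matrix and looking up the escalation action
from the Risk Rating Descriptors table (the Project matrix prints the same cells)."""

# The 25 cells as printed: GRID[likelihood][consequence] -> rating, where
# likelihood 5..1 = Almost Certain..Rare and consequence 5..1 = Extreme..Insignificant.
GRID = {
    5: {5: "Extreme", 4: "Extreme", 3: "High", 2: "High", 1: "Moderate"},
    4: {5: "Extreme", 4: "High", 3: "High", 2: "Moderate", 1: "Moderate"},
    3: {5: "High", 4: "High", 3: "Moderate", 2: "Moderate", 1: "Low"},
    2: {5: "High", 4: "Moderate", 3: "Moderate", 2: "Low", 1: "Low"},
    1: {5: "Moderate", 4: "Moderate", 3: "Low", 2: "Low", 1: "Low"},
}
# Score bands from the Risk Rating Descriptors table and, per rating, the
# condensed action: (responsible level, treatment required, timeframe).
SCORE_BANDS = [(20, "Extreme"), (10, "High"), (5, "Moderate"), (1, "Low")]
ACTIONS = {
    "Extreme": ("University Executive", True, "immediate"),
    "High": ("College GM / Service Division Director / Head of School", True, "within 3 months"),
    "Moderate": ("College GM / Service Division Director / Head of School", True, "within 3-6 months"),
    "Low": ("Local line management", False, "not required"),
}
ORDER = ["Low", "Moderate", "High", "Extreme"]


def likelihood_from_probability(percent):
    """Annual probability (percent) -> likelihood level from the ANU bands
    >90, 61-90, 21-60, 5-20, <5.  Treating the bands as contiguous for
    non-integer values is an assumption; the guide prints integer ranges."""
    if not 0 <= percent <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    for floor, level in ((90, 5), (60, 4), (20, 3)):
        if percent > floor:
            return level
    return 2 if percent >= 5 else 1


def score(likelihood, consequence):
    """The number printed in each cell: likelihood x consequence."""
    if likelihood not in GRID or consequence not in GRID[likelihood]:
        raise ValueError("likelihood and consequence must be integers 1..5")
    return likelihood * consequence


def rating_from_score(score_value):
    """Rating implied by the score bands alone (Extreme 20-25 ... Low 1-4)."""
    return next(name for floor, name in SCORE_BANDS if score_value >= floor)


def rating(likelihood, consequence):
    """Rating as the endorsed matrix prints it: a cell lookup, not a score band."""
    score(likelihood, consequence)  # validates the inputs
    return GRID[likelihood][consequence]


def cells_differing_from_score_bands():
    """Cells where the printed grid and the score bands disagree: Probable x
    Insignificant and Rare x Major score 4 (band Low) but are printed as
    Moderate (4), so a tool must not derive the rating from the score alone."""
    return sorted((l, c) for l in GRID for c in GRID[l]
                  if GRID[l][c] != rating_from_score(score(l, c)))


def assess(inherent_l, inherent_c, residual_l, residual_c):
    """Evaluate the risk twice, as the ERMF requires: inherent (before controls)
    and residual (after controls); the action follows the residual rating.
    Rejecting a residual above the inherent is an added check, not a guide rule."""
    inherent = rating(inherent_l, inherent_c)
    residual = rating(residual_l, residual_c)
    if ORDER.index(residual) > ORDER.index(inherent):
        raise ValueError("residual rating exceeds inherent rating; check the controls")
    owner, required, when = ACTIONS[residual]
    return {"inherent": inherent, "residual": residual, "owner": owner,
            "treatment_required": required, "timeframe": when}
```

For a constructed case of an unpatched internet-facing service judged 75% likely to be compromised within a year with a Major (4) consequence, and brought to Unlikely (2) × Modest (3) by patching and monitoring, `assess(likelihood_from_probability(75), 4, 2, 3)` reports inherent High and residual Moderate, with treatment required within 3-6 months.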


Corporate Governance and Risk Office Contact: [email protected]

SDZ User Guide : Navigating the Risk Workspace


Risk Module: SDZ Workspace

Allows Service Divisions, Colleges, Schools and Controlled Entities to:

• Identify, analyse, evaluate and treat risks
• Obtain real-time risk reporting through a Dashboard module
• Escalate and monitor risks online

Risks

You can add risks either via the:

– Business Planning Module (where you capture risks alongside your business plan initiatives)

or

– Risk Management Module (where you capture your operational BAU risks). Manually created risk registers will be uploaded through this module.

This guide will take you through both options.

Option 1: Risk Management Module

In the Risk Management Module, select your Portfolio/College/Service Division.

Select “Add New” to add a risk register, for example a College operational risk register.

After filling out the below details, select “Save”.

The risk will now appear on this page. Select ‘Edit’ to complete the risk identification process.

After filling out the below details, click on “Complete profile”

Links: Strategic Risk Register (link); Enterprise Risk Management Framework (link)

Selecting ‘Complete profile’ will take you to the Risk Identification window.

Risk Identification: Overview

Analysis Tab - Determine Cause and Consequence

Link: University Strategic Plan (link)

Analysis Tab - Cause. You have two options:

1) Select new cause description

Link: Enterprise Risk Management Framework (link)

2) Add cause description not listed

Analysis Tab - Consequence. You have two options:

1) Select new consequence, or 2) Add consequence not listed

Link: Enterprise Risk Management Framework (link)

Analysis Tab - Determine Inherent Risk Rating

Link: Enterprise Risk Management Framework (link)

Analysis Tab - Determine Existing Controls. You have two options:

1) Add new controls


Analysis Tab - Determine Existing Controls

2) Add controls not listed


Treatment Tab – Treat Risk - Add treatment

Link: Enterprise Risk Management Framework (link)

Once you have added a treatment, revisit it every six months to update its status.


Update the status of the treatment


Treatment tab - Determine Residual Risk

Link: Enterprise Risk Management Framework (link)

Option 2: Business Planning Module

In the Business Planning Module, select your Portfolio/College/Service Division Plan by clicking “Edit Plan”.

Under the risk tab of an initiative, click on “Add Risk”, then follow the steps from slides 7 to 20.


Risk Assessment Template

As an alternative to keying risks directly into the SDZ Risk Management module, if your area is assessing risks for the first time you are encouraged to use the risk assessment template below to collate risks for discussion and review, so that the information in all columns is agreed by the risk owner/manager before it is uploaded to the SDZ risk module. Once the risks are populated in SDZ, any subsequent updates can be made online.

ANU Risk Appetite Statements 2020-2021

(Columns: Risk Category; Principle Statements; Application of Principle Statements; appetite scale from Zero through Low and Moderate to High, scored 0 to 6)

Value & Culture

The University has NO APPETITE for intentional breach of its values and Code of Conduct.

The University has NO APPETITE for discrimination based on gender, sexuality, ethnicity and culture.

The University has NO APPETITE for violence, sexual misconduct, harassment, bullying and any other inappropriate behaviour that contravenes our values.

The University has NO APPETITE for fraud, corruption and misuse of office or resources.

• We have no tolerance for implicit or explicit gender bias and discriminatory practices in the progression of academic and professional staff.

• We have no tolerance of fraud or corruption, and the University will take all reasonable steps to prevent, detect and respond to fraud.

• We have no tolerance for inappropriate staff and student behaviour that impacts on the University’s culture and reputation.

• We have very low tolerance for irresponsible use of University resources.

The University has a HIGH APPETITE for a collaborative, collegiate, performance-focused, agile and flexible culture that will enable organisational change to happen more readily and productively.

• We have a high tolerance for investment in innovative solutions that increase efficiency in systems and processes across both academic and professional activities.

Reputation & Brand

The University recognises that reputation is critical to our brand and marketing position and has LOW APPETITE for activities that put our reputation in jeopardy.

• We have very low tolerance for diminution of the University's credibility nationally or internationally, resulting in a loss of confidence by government, key stakeholders, partners and the community.

• We have very low tolerance for conditions imposed by donors which may impact on the University’s key values.


Governance & Legal Compliance

The University has LOW APPETITE for material breaches of law, regulations and statutes, including those relating to teaching, research and medical ethics.

• We have no tolerance for deliberate or purposeful violations of legislative or regulatory requirements.

• We have low tolerance for breach of privacy obligations to students, staff and stakeholders.

• We have moderate tolerance for non-compliance with internal policies and procedures.

Work health & Safety

The University has a VERY LOW APPETITE for practices that put the health and safety of our staff, students, contractors and visitors at risk.

• The University aspires to ZERO harm and has very low tolerance for threats to the physical safety and security of staff, students and visitors on campus.

The University has a LOW APPETITE for activities that degrade the campus environment and compromise on workplace health and safety.

• The University is focused on protecting its campus environment and has low tolerance for inappropriate handling of hazardous materials on its campuses.

Information, systems & security

The University has a LOW APPETITE for any cyber threats that may lead to loss of strategic and critical systems or information relating to staff, students, research or other University operations.

• The University strives to minimise significant operational disruptions to critical support/enabling services and has a very low tolerance for unmanaged information security breaches.

• We have a low tolerance for activities, events or behaviours that adversely impact on the confidentiality, integrity and availability of all University data.


Service Delivery (operations, infrastructure & assets)

The University has a LOW APPETITE for insufficient preparation to mitigate disruption to service delivery.

We have a very low tolerance for practices or unmanaged activities that result in:

• Damage to property/assets resulting in critical business failure.

• Significant loss to research, including research resources, outcomes (actual or potential) and time.

• Delays in teaching & learning activities resulting in deliverables not being achieved and/or widespread student dissatisfaction.

• Disruption to services causing campus closure or key business closure.

• Significant operational disruptions to critical support/enabling services.

Financial Sustainability

The University has LOW APPETITE for pursuing initiatives that put at risk the financial sustainability of the University over the medium to long term.

The University has a LOW APPETITE for application of capital that is not planned and executed in a sustainable and prudent manner.

• We have very low tolerance for systemic control failures or breakdowns and unexplained variances to administered finances.

• We have a moderate tolerance for diversification of revenue streams from potential external sources, through commercially viable arrangements and strategic industry partnerships.

• We have a low tolerance for incurring significant expenditure and moderate tolerance for increased borrowing to support financial sustainability under appropriate governance and oversight structures.


Teaching & Learning

Subject to maintaining excellence in teaching quality, the University has a HIGH APPETITE for investment in scholarships and pathways to enable our programs to be accessible by a diverse range of students, innovation to our teaching models and providing equitable access to our courses for Indigenous Australians, students from low SES, regional and remote backgrounds, through targeted activities.

The University also has a HIGH APPETITE to attract top academic talent to the University.

• We have a very low tolerance for declining teaching standards and curriculum which threaten the University’s standards of excellence.

• We have a very low tolerance for erosion of our position in international rankings.

• We have a low tolerance for actions that result in sustained negative impact on the student experience.

• We have a low tolerance for the lack of agility in responding to changes in the tertiary education sector.

Research & Innovation

Subject to maintaining excellence in research quality and ethical standards, the University has a HIGH APPETITE for programs to drive entrepreneurship, innovation, and high quality research outcomes.

The University has low tolerance for:

• A culture averse to entrepreneurship and partnering with industry.

• Lack of willingness to compete in the growth market of public-private partnerships.

(Chart legend: University’s Risk Appetite; University’s Risk Tolerance)