Corporate Risk Management Rule Framework

Contents

1. Corporate Risk Management at the University ... 3
   1.1 Types of Corporate Risk ... 3
   1.2 Corporate Risk Appetite Statement
2. Scope, Roles and Responsibilities ... 6
   2.1 Scope of the Corporate Risk Management Framework ... 6
   2.2 Role of the Council of the University of New England ... 6
   2.3 Role of the Audit & Risk Committee of Council ... 6
   2.4 Role of the Vice-Chancellor & CEO ... 7
   2.5 Role of Executive or Management Responsible for a Function or Business Unit ... 7
   2.6 Role of Project Owners ... 8
   2.7 Role of the Audit & Risk Directorate ... 8
3. Corporate Risk Management Principles ... 9
   3.1 Application of Good Judgement ... 9
   3.2 Mandated Corporate Risk Management Language ... 10
   3.3 Key Information You Need to Know First ... 11
       What are the Objectives? ... 11
       What is Our Corporate Risk Appetite Approach for the Objective? ... 11
       What Strategy Are We Using to Achieve the Objective? ... 11
       How Will Communication and Consultation Occur? ... 12
       How Will Corporate Risk Information Be Updated? ... 12
4. Corporate Risk Identification and Assessment ... 12
   4.1 Step One: Identify Corporate Risks ... 13
       What Are the Corporate Risks to Our Objectives? ... 13
   4.2 Step Two: Identify Existing Controls ... 13
       Information Required for Describing an Existing Control ... 14
   4.3 Step Three: Assess Control Performance and Level of Corporate Risk Exposure ... 14
       Rating an Existing Control's Performance ... 15
       Rating the Performance of the Overall Control Environment ... 15
       Rating the Likelihood of a Corporate Risk Occurring ... 16
       Rating the Impact of a Corporate Risk Occurring ... 16
       Identify the Level of Corporate Risk Exposure Faced by the Objective ... 17
       Evaluating Whether the Exposure to a Corporate Risk is Acceptable ... 18

Page 1 of 45

   4.4 Step Four: Identifying Corporate Risk Treatments ... 19
       Promoting a Risk Treatment on Implementation and Activation ... 20
   4.5 Step Five: Communicating & Reviewing Corporate Risk Information and Exposure ... 21
       Communicating Corporate Risk Information ... 21
       Corporate Risk Management Database ... 21
       Updating Corporate Risk Information ... 21
5. Framework Development and Guidance ... 22
6. Administration Data ... 23
Appendix 1: Mandated Corporate Risk Management Language ... 24
Appendix 2: Corporate Risk Documentation Templates ... 25
   Corporate Risk Assessment ... 25
   Corporate Risk Assessment - Proposed Treatments to Reduce Future Risk Exposure ... 26
   Corporate Risk Governance Report ... 27
   Corporate Risk Register Log of Key Dates ... 27
Appendix 3: Authority, Responsibility and Communication Guides ... 28
   Guide to Identifying Authority & Responsibility ... 28
   An Example of Assigned Authority & Responsibility ... 28
   Guide to the Flow of Corporate Risk Communication ... 29
Appendix 4: Project - Corporate Risk Management Cheat Sheet ... 30
Appendix 5: Corporate Risk Identification and Assessment Process Map ... 31
   Step One: Identify Corporate Risks ... 31
   Step Two: Identify Existing Controls ... 33
   Step Three: Assess Control Performance and Level of Corporate Risk Exposure ... 35
   Step Four: Identifying Corporate Risk Treatments ... 37
   Step Five: Review Corporate Risk Information and Exposure ... 39
Appendix 6: Glossary of Corporate Risk Management Terms ... 41
1. Corporate Risk Management at the University

When we work to achieve an objective we don't always get the results we expect. The goal of corporate risk management is to increase our ability to succeed by managing the implications of uncertainty on our efforts. Uncertainty results from deficiencies in our information, knowledge or understanding of our strategy for achieving an objective. Corporate risk management processes reduce or contain uncertainty by risk assessing our strategies and communicating the findings.

1.1 Types of Corporate Risk

Three types of corporate risk have been identified for the University. The type of corporate risk relates to the type of University objective being risk assessed.

Type One - Corporate Strategic Risk: Corporate strategic risks are risks to the achievement of the University's strategic objectives. These risks are directly related to the strategic priorities, directions and targets set out in the University of New England's strategic plan. Corporate strategic risks are identified and managed by the Vice-Chancellor & CEO in consultation with the Senior Executive and Council.

Type Two - Corporate Operational Risk: Corporate operational risks are risks to the achievement of the University's operational objectives. These risks are directly related to the operational priorities and targets for the University's business units (this includes Schools, Directorates, Departments, Centres and Institutes). Corporate operational risks are identified and managed by the Executive or Manager in charge of the business unit in consultation with business unit staff.

Type Three - Corporate Project Risk: Corporate project risks are risks to the achievement of the University's project objectives. These risks are directly related to the purpose, objectives and benefits of a project as set out in the project business case and/or plan.
Corporate project risks are identified and managed by the Project Owner in consultation with the Project Manager and key stakeholders.

NOTE: Hazard risk management is not covered under this framework. Workplace Health, Safety and Wellbeing risk management processes for the elimination or minimisation of hazards are managed under a separate University policy and framework. For guidance on WHS, contact the Work Health and Safety Representative (WHSR) for your area, or the UNE Health and Safety Consultant within Human Resource Services.

1.2 Corporate Risk Appetite Statement (2017 Update)

The corporate risk appetite statement communicates the limits of risk exposure deemed acceptable in the pursuit of the University's strategic, operational and project objectives. The statement is made up of a risk appetite scale and a table of risk management actions.

The five-rating risk appetite scale is used to assess the risk appetite for each objective. This assessment is based on an average of four indicators of the University's willingness to take risk in the pursuit of an objective.

The table of risk management actions defines the level of acceptable risk exposure for each of the five risk appetite ratings. It provides clear guidance on the intensity of risk management required and on the prioritisation of risk treatments for the future reduction of risk exposure.

Risk Appetite Scale [1]

This scale provides a priority order for the list of objectives. Rate an objective across the four indicators: philosophy, tolerance for uncertainty, choice and trade-off. The average result across the four ratings sets the risk appetite for that objective, indicating its relative priority.
The four indicators of willingness for risk taking in the pursuit of an objective are:
- Philosophy: overall risk-taking philosophy;
- Tolerance for uncertainty: willingness to accept uncertain outcomes or period-to-period variation;
- Choice: when faced with multiple options, willingness to select an option that puts objectives at risk; and
- Trade-off: willingness to trade off against the achievement of other objectives.

Rating: Open
  Philosophy: Will take justified risks
  Tolerance for uncertainty: Fully anticipated
  Choice: Will choose the option with the highest return; accept the possibility of failure
  Trade-off: Willing

Rating: Flexible
  Philosophy: Will take strongly justified risks
  Tolerance for uncertainty: Expect some
  Choice: Will choose to put at risk, but will manage the impact
  Trade-off: Willing under the right conditions

Rating: Balanced
  Philosophy: Preference for safe delivery
  Tolerance for uncertainty: Limited
  Choice: Will accept if limited and heavily outweighed by benefits
  Trade-off: Willing only if it is the best option for going forward

Rating: Cautious
  Philosophy: Extremely conservative
  Tolerance for uncertainty: Low
  Choice: Will accept only if essential, and with limited possibility/extent of failure
  Trade-off: With extreme reluctance

Rating: Averse
  Philosophy: "Sacred" - avoidance of risk is a core objective
  Tolerance for uncertainty: Extremely low
  Choice: Will select the lowest risk option, always
  Trade-off: Never

[1] This table has been adapted from: Quail R, "Defining your taste for risk", Corporate Risk Canada, 2012.

Table of Risk Management Actions

Based on an objective's risk appetite rating, use this table to identify the acceptable level of risk exposure for risks to the objective, and the management actions connected with each appetite rating.

1. Averse
1.1. In carrying out the strategy required to achieve an objective with an averse risk appetite, the University is willing to accept exposure to only low, or very low, levels of corporate risk.
1.2. Corporate risks to objectives with an averse risk appetite that have a medium or above risk exposure level are to:
  1.2.1. have the control environment for the risk rigorously enforced and monitored; and
  1.2.2. be reported to the Audit & Risk Directorate, the Vice-Chancellor & CEO, and Council.
1.3. Corporate risks to objectives with an averse risk appetite that have a medium risk exposure level or above are deemed undesirable. Corporate risk treatments with a demonstrated business case to further reduce the University's future exposure to these corporate risks are to receive 1st order prioritisation for resourcing and implementation.

2. Cautious
2.1. In carrying out the strategy required to achieve an objective with a cautious risk appetite, the University is willing to accept exposure to medium levels of corporate risk.
2.2. The University will also accept exposure to high levels of corporate risk if essential:
  2.2.1. to be essential, the risk posing a high level of exposure to the objective must have a limited (unlikely or almost never) likelihood rating, and the decision to accept the high level of exposure must be clearly communicated and agreed upon.
2.3. Corporate risks to objectives with a cautious risk appetite that have a medium or above risk exposure level are to:
  2.3.1. have the control environment for the risk rigorously enforced and monitored; and
  2.3.2. be reported to the Audit & Risk Directorate, the Vice-Chancellor & CEO, and Council.
2.4. Corporate risks to objectives with a cautious risk appetite that have a critical risk exposure level, or a non-essential high risk exposure level, are deemed undesirable. Corporate risk treatments with a demonstrated business case to further reduce the University's future exposure to these corporate risks are to receive 2nd order prioritisation for resourcing and implementation.

3. Balanced
3.1. In carrying out the strategy required to achieve an objective with a balanced risk appetite, the University is willing to accept exposure to medium levels of corporate risk.
3.2. The University will also accept exposure to high levels of corporate risk if justified:
  3.2.1. to be justified, the high level of exposure must be limited (e.g. only one objective is exposed) and the benefits of accepting the high level of exposure must be clearly communicated and accepted.
3.3. Corporate risks to objectives with a balanced risk appetite that have a medium or above risk exposure level are to:
  3.3.1. have the control environment for the risk rigorously enforced and monitored; and
  3.3.2. be reported to the Audit & Risk Directorate, the Vice-Chancellor & CEO, and Council.
3.4. Corporate risks to objectives with a balanced risk appetite that have a critical risk exposure level, or an unjustified high risk exposure level, are deemed undesirable. Corporate risk treatments with a demonstrated business case to further reduce the University's future exposure to these corporate risks are to receive 3rd order prioritisation for resourcing and implementation.

4. Flexible
4.1. In carrying out the strategy required to achieve an objective with a flexible risk appetite, the University is willing to accept exposure to all levels of corporate risk.
4.2. Corporate risks to objectives with a flexible risk appetite that have a high or critical risk exposure level are to:
  4.2.1. have the control environment for the risk enforced and monitored; and
  4.2.2. be reported to the Audit & Risk Directorate, the Vice-Chancellor & CEO, and Council.

5. Open
5.1. In carrying out the strategy required to achieve an objective with an open risk appetite, the University is willing to accept exposure to all levels of corporate risk.
5.2. Corporate risks to objectives with an open risk appetite that have a high or critical risk exposure level are to:
  5.2.1. be reported to the Audit & Risk Directorate, the Vice-Chancellor & CEO, and Council.

2. Scope, Roles and Responsibilities

2.1 Scope of the Corporate Risk Management Framework

All UNE representatives are to comply with the corporate risk management rule.
The UNE representative responsible for the management of a UNE function or business unit, or for the realisation of project objectives, is responsible for identifying, managing and communicating the corporate risks to the objectives of that function, business unit or project. UNE representatives involved in identifying and managing corporate risks are to do so in accordance with the corporate risk management framework. The framework allows UNE representatives to exercise good judgment in tailoring the application of the framework's guidance to fit all University functions. Where the framework mandates that a specific practice or language be adhered to, this is clearly stated.

2.2 Role of the Council of the University of New England

The Council of the University of New England (Council) oversees the management and assessment of corporate risk across the University. Council has the function of approving the corporate risk management rule, and of monitoring its associated framework, as a system of control and accountability for the University. This is in accordance with the University of New England Act.

Council's responsibilities

Approve:
- Corporate risk management rule;
- Corporate risk appetite statement; and
- Register of corporate strategic risks.

Monitor:
- Corporate strategic risks;
- Significant corporate operational risks;
- Significant corporate project risks; and
- Application and administration of the corporate risk management rule and framework.

2.3 Role of the Audit & Risk Committee of Council

The Audit and Risk Committee of Council acts on behalf of Council in reviewing the University's corporate risk management, and reports its findings to Council.
Audit & Risk Committee responsibilities

Review and report findings to Council on:
- Corporate strategic risks;
- Significant corporate operational risks;
- Significant corporate project risks; and
- Application and administration of the corporate risk management rule and framework.

Review and endorse to Council for approval:
- Corporate risk management rule;
- Corporate risk appetite statement; and
- Register of corporate strategic risks.

Review and endorse to the Director ARD for approval:
- Corporate risk management framework.

2.4 Role of the Vice-Chancellor & CEO

The Vice-Chancellor & CEO has responsibility for the implementation of corporate risk management practices across the University, and for ensuring significant risks are communicated and responded to.

Vice-Chancellor & CEO's responsibilities

Identify, Monitor & Communicate:
- Corporate risks to the University's strategic objectives (strategic risks);
- The corporate risk appetite approach to each strategic objective and associated strategic risks; and
- The control environment for each strategic risk.

This should be done in consultation with the Senior Executive and Council, and with the support of the Audit & Risk Directorate.

Ensure:
- Approval of the corporate risk management rule & framework;
- Council oversight of the management and assessment of corporate risk across the University;
- Application of the corporate risk management framework by UNE representatives;
- Adherence to the corporate risk management rule by UNE representatives; and
- Provision of corporate risk management administration and guidance across the University by the Audit & Risk Directorate.

2.5 Role of Executive or Management Responsible for a Function or Business Unit

The Executive or Management in charge of a University function or business unit (including Schools, Directorates, Departments, Centres and Institutes) is responsible for the management of the risks to the operational objectives of that function or business unit.

Executive & Management responsibilities

Identify, Monitor & Communicate:
- Corporate risks to the operational objectives they have authority over (operational risks);
- The corporate risk appetite approach to each operational objective and associated operational risks; and
- The control environment for each operational risk.

This should be done in consultation with function or business unit staff, and with the support of the Audit & Risk Directorate.

Ensure:
- Application of the corporate risk management framework within their area of management responsibility.

2.6 Role of Project Owners

Project Owners have responsibility for the management of risks to the realisation of the project objectives they have authority over.

Project Owners' responsibilities

Identify, Monitor & Communicate:
- Corporate risks to the project objectives they have authority over (project risks);
- The corporate risk appetite approach to each project objective and associated project risks; and
- The control environment for each project risk.

This should be done in consultation with the Project Manager and key stakeholders, and with the support of the Audit & Risk Directorate.

2.7 Role of the Audit & Risk Directorate

The Audit and Risk Directorate has responsibility for administering, and providing guidance on, the corporate risk management rule, framework and practices, as a system of control and accountability for the University.
Audit & Risk Directorate's responsibilities

Develop, administer & provide guidance on:
- Corporate risk management rule;
- Corporate risk management framework; and
- The University's management and assessment of corporate risk.

Monitor and report to the Vice-Chancellor & CEO and Council on:
- Corporate strategic risks;
- Significant corporate operational risks; and
- Significant corporate project risks.

General management and assessment of corporate risk across the University.

3. Corporate Risk Management Principles

The corporate risk management framework is based on the International Organization for Standardization (ISO) standard for risk management: ISO 31000:2009 Risk Management - Principles and guidelines. This framework's processes and procedures follow the risk management methodology outlined below.

Communication and consultation:
- UNE-wide consultation on the Corporate Risk Management Rule;
- ARC endorsement and Council approval of the Corporate Risk Management Rule;
- ARC and VC & CEO endorsement and Director ARD approval of the Corporate Risk Management Framework;
- Senior Executive and VC & CEO consultation on the Corporate Risk Appetite Statement;
- ARC endorsement and Council approval of the Corporate Risk Appetite Statement;
- VC & CEO identification of, and Senior Executive consultation on, strategic risks; and
- ARC endorsement and Council approval of strategic risks.

Establishing the context:
- Corporate Risk Management Rule;
- Corporate Risk Management Framework; and
- Corporate Risk Appetite Statement.

Risk assessment:
- Risk identification: Step 1 - Identify corporate risks;
- Risk analysis: Step 2 - Identify existing controls; and
- Risk evaluation: Step 3 - Assess control performance and risk ratings.

Risk treatment:
- Step 4 - Identify corporate risk treatments.

Monitoring and review:
- Step 5 - Review corporate risk information and exposure;
- Regular monitoring of risks to University objectives by staff responsible for achieving those objectives;
- Regular monitoring of existing controls and treatments by staff responsible for the controlling measure;
- Project Owner and Project Control Board review of project risks;
- Executive and Management review of operational risks;
- VC & CEO, ARC and Council review of strategic risks;
- ARD review of corporate risks; and
- ARD review of the Corporate Risk Management Rule & Framework.

ARC = Audit & Risk Committee of Council
ARD = Audit & Risk Directorate

3.1 Application of Good Judgement

The corporate risk management framework allows UNE representatives to exercise good judgment in tailoring the application of the framework. This acknowledges that the purpose of corporate risk management is to enhance, rather than obstruct, our ability to achieve objectives. Good judgment is to be used to ensure the following are in proportion to the University's efforts to achieve the associated objective:
- The complexity and extent of the corporate risk management needed; and
- The appropriate performance required from the control environment.

3.2 Mandated Corporate Risk Management Language

To ensure consistency and avoid confusion when describing corporate risks to the University, many of the terms used in this framework are mandated. When applying risk management in their role, UNE representatives must adhere to the mandated language where mandated language is specified.
Below is a summary of the mandated language:

Identifying Corporate Risks
- Corporate Risk Types: Strategic; Operational; Project.
- Corporate Risk Appetite Approaches: Risk averse; Balanced; Positive risk taking.

Identifying and Assessing the Control Environment for a Corporate Risk
- Types of Controlling Measures: Existing control; Risk treatment.
- Types of Existing Controls: Rule procedure; Policy procedure; Business unit process; Ad hoc process; Monitoring process; Review process; Benchmarking.
- Control Performance Ratings: Effective; Sound; Minimal; Unsatisfactory; Non-existent.

Assessing the Level of Corporate Risk Exposure
- Corporate Risk Likelihood Ratings: Almost Certain; Likely; Possible; Unlikely; Almost Never.
- Corporate Risk Exposure Levels: Critical; High; Medium; Low; Very Low.
- Corporate Risk Impact Ratings: Severe; Major; Moderate; Minor; Insignificant.
- Corporate Risk Evaluation Ratings: Acceptable; Unacceptable.

Implementation and Activation of Corporate Risk Treatments
- Indicator of Treatment's Purpose: Enhance; Avoid; Share.
- Indicator of Treatment Status: Promoted; As Planned; Delayed; Off Track; Not Started; No Status.

Reporting on the Review of Corporate Risk Exposure
- Trend in Our Exposure to the Corporate Risk: Increased exposure; Decreasing exposure; Is occurring; No change; Initial Assessment.

3.3 Key Information You Need to Know First

Before beginning to identify the corporate risks to our objectives, there is key information you need to know first. This information defines the objectives, gives context to the environment in which we work, and influences what you identify as risks.

What are the Objectives?

To identify corporate risks you need a clear understanding of the objectives we are working to achieve. Objectives should already be identified within organisational planning documents. If this is not the case, you will need to consult with colleagues to define the agreed objectives for your function, business unit or project.
Take the time to consider whether each objective is clearly stated. If the objective is obscure, clarify the meaning of the objective before proceeding. Objectives should be identified in the following organisational planning documents:
- Strategic objectives: the University's targets for achieving strategic priorities and direction, as stated in the strategic plan;
- Operational objectives: operational targets for business units to achieve within a planning cycle, as stated in business unit operational plans and annual budget planning; and
- Project objectives: the aim or purpose of a project, as stated in the project business case and/or plan.

What is Our Corporate Risk Appetite Approach for the Objective?

Each organisational objective is to be coupled with a corporate risk appetite approach to achieving the objective. Apply good judgment in assessing whether achieving the objective is:
- Vital for continued operation at UNE's current performance level. If so, a risk averse approach is required in implementing our strategy for achieving the objective;
- Important for growth towards a sustainable operational outcome for UNE. If so, a balanced approach is required in implementing our strategy for achieving the objective; or
- Important for UNE's growth towards a competitive advantage in the higher education sector. If so, a positive risk taking approach is required in implementing our strategy for achieving the objective.

What Strategy Are We Using to Achieve the Objective?

There is usually more than one way to achieve an objective; the method we choose to take forms our strategy. This strategy will reflect the operational constraints we are working within, a set of outcomes that define our objective, and our plan to accomplish these outcomes. Corporate risks arise from the implications of our chosen strategy. Knowing our strategy for achieving an objective allows you to identify the risks that strategy exposes our objectives to.
How Will Communication and Consultation Occur?

Risk, being the effect of uncertainty, results from deficiencies in our information and understanding. For corporate risk management to succeed in influencing decision making, risk information needs to be communicated in a timely and effective manner. Knowing in advance what you need to communicate influences how much detail your risk documentation needs to collect. Knowing in advance who needs to be involved in decision making, and who needs to be informed, sets your consultation and communication priorities. Deciding how you will communicate and consult affects the level of influence your risk management information has on decision making.

Communication and consultation needs to follow these basic principles:
- Communicate risk information when it is most relevant;
- Communicate simply, in common language, and abstain from the use of professional jargon;
- Present the most important information first; and
- Communicate openly to keep all stakeholders informed.

How Will Corporate Risk Information Be Updated?

Exposure to corporate risk is never static. Progress towards an objective and changes in our operating environment will change our objective's exposure to risk. To capture important changes in our risk exposure, you will need to periodically monitor existing control performance and review risk exposure levels.

Corporate risk monitoring and review should focus on:
- Identifying changing exposure to, and management priority of, existing risks;
- Identifying newly emerging risks;
- Ensuring existing controls are operating and performing as expected; and
- Detecting changes that influence the feasibility of proposed risk treatments.

Updates to corporate risk information from monitoring and review should be recorded and reported, as appropriate, to all stakeholders.

4. Corporate Risk Identification and Assessment

This framework section (Section 4) and the process map in Appendix 5 have been developed to guide you through the process of corporate risk identification and assessment. A brief project risk management guide has been included in Appendix 4.

The corporate risk identification and assessment process is broken down into the following five steps:
- Step 1. Identifying corporate risks to the achievement of a University objective;
- Step 2. Identifying measures that are currently in place to control our exposure to a risk;
- Step 3. Providing an assessment of the amount of exposure we face from a risk;
- Step 4. Identifying plans to conduct work that will reduce our future exposure to a risk; and
- Step 5. Reviewing corporate risk information so that it is of ongoing benefit to decision making.

4.1 Step One: Identify Corporate Risks

Corporate risks are the effect of our uncertainty about how to manage events or changes which have implications for our ability to achieve objectives. We may not be able to influence or stop an event or change occurring, but we can dictate how we react to that event or change.

What Are the Corporate Risks to Our Objectives?

It is easy to confuse a corporate risk's cause or consequence for the risk itself. To reduce this confusion, establish a risk's cause and consequences at the same time as you identify the risk. Given what you understand of an objective, our strategy for achieving the objective and stakeholder engagement, identify the following:
- What is an event or change that has the potential to have large implications for our ability to achieve this objective?
- What is responsible for producing this event or change? This is the cause of the corporate risk;
- What are the consequences of this event or change occurring that we want to avoid? These are the consequences of the corporate risk; and
- What effect does not knowing whether we can appropriately manage the implications of this event or change have on our ability to achieve this objective? This is the corporate risk.

Generally there is a corporate risk associated with every event or change you identify that has the potential to have large implications for our ability to achieve an objective.

4.2 Step Two: Identify Existing Controls

Measures for controlling corporate risk take two distinct forms: existing controls or risk treatments.
- Existing controls reduce or contain our current exposure to a corporate risk;
- Risk treatments are potential measures for the future management of risk exposure (see section 4.4).

Only existing controls reduce or contain how exposed the University is to a corporate risk. In order to understand the extent of our vulnerability, existing controls need to be identified and assessed. This is vital information for determining how exposed our objective is, and is essential in identifying which risk treatments will be most beneficial.

Existing controls are defined as measures that are in place and actively modifying (reducing or containing) the University's exposure to the corporate risk you are associating the control with.
- If a control is in the planning, implementation or testing phase (not fully active), it is not an existing control; and/or
- If a control is active in modifying a related risk, but is not directly involved in actively modifying exposure to the corporate risk you are associating it with, it is not an existing control on that risk.

Existing controls can include procedures, practices, processes, technology, techniques, methods or devices that modify the University's exposure to a corporate risk.

Information Required for Describing an Existing Control

Different existing controls may be known by the same name.
In order to distinguish the correct control from others, sufficient information needs to be collected to form a unique identifier for each control. The information used for describing an existing control is as follows:
- Name of the existing control - the title the control is known by;
- Type of existing control - the type of function the control performs (see Types of Existing Controls);
- Document reference - a published control's document name and record reference number;
- Authority over the control - the business area that administers and enforces the control; and
- Responsibility for the control - the position responsible for applying the control to the corporate risk.

Not all existing controls have published documentation. Published documentation refers to documented guidance that is known by, and readily accessible to, those who are to apply the control.

Types of Existing Controls

Rule procedure: Documented procedure under an approved Council Rule.

Policy procedure: Documented procedure under an approved Vice-Chancellor Policy, or documented procedure under an approved Academic Board Policy.

Business unit control: Business unit controls are measures that are pre-defined and have procedural reference documentation. NOTE: Business unit controls are measures for the conduct of operations within the set annual business unit budget and staffing allocation.

Ad hoc control: Ad hoc business unit controls are measures that are not pre-defined and have no procedural reference documentation. NOTE: Ad hoc business unit controls are measures for the conduct of operations within the set annual business unit budget and staffing allocation.

Monitoring process: Documented process for monitoring a business activity during the conduct of that activity. NOTE: Monitoring processes that are defined in the procedures under a Rule or Policy should be identified for control type purposes as a "Monitoring process".

Review process: Documented process for the review of a business activity after the completion of that activity. NOTE: Review processes that are defined in the procedures under a Rule or Policy should be identified for control type purposes as a "Review process".

Benchmarking: Survey of UNE business activity performance measured against similar assumed or known industry performance.

4.3 Step Three: Assess Control Performance and Level of Corporate Risk Exposure

The University's exposure to a corporate risk is influenced by the risk's existing controls. A control's purpose is to reduce or contain the most significant aspects of our risk exposure. The most efficient controls manage our exposure to the consequences we want to avoid that arise from a risk occurring.

Rating an Existing Control's Performance

Before assigning a rating to the performance of an existing control, use your knowledge of the control and good judgment to determine:
- Is the existing control appropriate for its purpose in managing this risk? To determine if a control is appropriate you will need to establish whether the control has the capacity to reduce or contain the consequences that we want to avoid to an amount we think is suitable, given the effort and cost of applying the control.
- How well is the control currently performing its purpose, relative to its potential to perform its purpose at UNE? The input a control receives and the way a control is executed will influence its maximum potential capacity to function. When assessing how well a control is performing, assess its current performance compared to its maximum capacity to perform within the University's operating environment.
Once you have decided how appropriate an existing control is, and you have assessed the control's performance, assign the control a performance rating:

Control Performance Ratings
  Effective: The existing control is appropriate for the corporate risk, and is achieving the majority of its intended capacity to modify exposure to the corporate risk.
  Sound: The existing control is appropriate for the corporate risk, and is achieving some of its intended capacity to modify exposure to the corporate risk. NOTE: The existing control has the capacity to perform better. Corporate risk treatments should be targeted at increasing the control's capacity.
  Minimal: The existing control is not currently appropriate for the corporate risk, or is only achieving a small amount of its intended capacity to modify exposure to the corporate risk. NOTE: The existing control requires alteration to perform better. Corporate risk treatments should be targeted at reengineering the control into a more appropriate controlling measure.
  Unsatisfactory: The existing control is inappropriate for the corporate risk. NOTE: The existing control should be removed from this risk's control environment. Corporate risk treatments should be targeted at replacing the control with more appropriate controlling measures.
  Non-existent: No existing controls are in place to modify our exposure to the corporate risk. NOTE: Used as an assessment of the overall existing control environment only. NOTE: Corporate risk treatments should be targeted at implementing and activating appropriate controlling measures.

Rating the Performance of the Overall Control Environment

The control environment is the cumulative influence of all existing controls on our exposure to a corporate risk. This singular assessment is used to communicate the status of a corporate risk's overall control environment for evaluation and reporting purposes. Using good judgment and your knowledge of the existing controls, assign a single overall control performance rating to the risk's control environment (see section 4.3.1). This control environment performance rating should be based on the performance of the most important or relied on controls, as well as being an average rating of all controls. If there are no identifiable existing controls for a corporate risk, the control environment is non-existent and receives a rating of "non-existent".

Rating the Likelihood of a Corporate Risk Occurring

The likelihood of a corporate risk reflects the potential frequency of the corporate risk occurring. To determine the likelihood you need an understanding of what is influencing the University's exposure to the risk. These influences will come from:
- The predominance of the cause of the corporate risk (see section 4.1.1). Is the University experiencing an increase or decrease in the prevalence of this cause, or is it always present? Does experiencing the cause always lead to the corporate risk occurring, or only sometimes? and
- The University's existing control environment's ability to prevent the corporate risk occurring (see sections 4.2 and 4.3.1). Do any of the existing controls influence or stop the cause, or the risk, from occurring? How well are these preventative controls performing their purpose?

Assign a likelihood rating to the risk based on the predominance of the risk's cause, and the ability of the risk's control environment to prevent the risk occurring:

Corporate Risk Likelihood Ratings
  Almost Certain: This corporate risk is being actualised, or it is expected to occur in the current control environment multiple times within a 12 month period, or more than 80% of the time.
  Likely: In the current control environment the corporate risk is expected to occur once within a 12 month period, or 61% – 80% of the time.
  Possible: In the current control environment the corporate risk will probably occur within a 5 year period, or 31% – 60% of the time.
  Unlikely: In the current control environment the corporate risk may occur within a 10 year period, or 5% – 30% of the time.
  Almost Never: In the current control environment the corporate risk will only occur in exceptional or unforeseen circumstances.

Rating the Impact of a Corporate Risk Occurring

A corporate risk's impact is the effect on the objective from the consequences, if the corporate risk occurs. To determine the impact rating you need an understanding of the objective's vulnerability to the effect of the risk's consequences:
- What will experiencing the consequences mean for the University's ability to achieve the objective? (See section 4.1.1)
- Do any of the existing controls soften the blow to the objective, from the consequences of the risk occurring? (See sections 4.2 and 4.3.1)

Assign an impact rating to the corporate risk based on the vulnerability of the objective to the effect of the consequences, and the ability of the existing controls to soften the consequences' effect:

Corporate Risk Impact Ratings
  Severe: The impact from the consequences of the corporate risk, if they were to occur, would result in the objective being unachievable.
  Major: The impact from the consequences of the corporate risk, if they were to occur, would render a significant proportion, or component, of the objective unachievable.
  Moderate: The impact from the consequences of the corporate risk, if they were to occur, would significantly obstruct our ability to achieve the objective.
  Minor: The impact from the consequences of the corporate risk, if they were to occur, would significantly delay or impair our ability to achieve the objective.
  Insignificant: The impact from the consequences of the corporate risk, if they were to occur, can be managed by the University so as to not impede the achievement of the objective.

Identify the Level of Corporate Risk Exposure Faced by the Objective

The exposure level provides an indicator of a corporate risk's influence on the University's ability to achieve its objective. As a risk increases in potential frequency or effect, the magnitude of the University's exposure to the corporate risk increases.

[Figure: Corporate Risk Exposure Heat Map, with Impact Rating on one axis and Likelihood Rating on the other; its content is the matrix below.]

Identify the level of risk exposure an objective faces to a corporate risk by plotting the risk's likelihood and impact ratings on the set matrix (see sections 4.3.3 and 4.3.4). The intersection of the likelihood column and impact row indicates the risk exposure level:

Matrix of Corporate Risk Exposure Levels (impact rating down, likelihood rating across)
  Impact        | Almost Never | Unlikely | Possible | Likely   | Almost Certain
  Severe        | High         | High     | High     | Critical | Critical
  Major         | Medium       | Medium   | High     | High     | Critical
  Moderate      | Low          | Medium   | Medium   | High     | High
  Minor         | Low          | Low      | Low      | Medium   | Medium
  Insignificant | Very Low     | Very Low | Low      | Low      | Low

Evaluating Whether the Exposure to a Corporate Risk is Acceptable

Whether a corporate risk is acceptable or unacceptable depends on the University's perception of its current ability to manage the risk. As a rule, accepting the risk means finding the current circumstances acceptable; not accepting the risk indicates the University needs to improve the current situation.
Factors that affect whether a corporate risk is deemed acceptable or unacceptable include:
- The corporate risk appetite approach assigned to achieving the objective being risk assessed;
- The level of risk exposure the University objective has to the corporate risk (this is dependent on the performance of the risk's control environment); and
- The strategy for achieving the objective, including the influence of operational constraints.

Using good judgment and your knowledge of the objective being risk assessed, provide a corporate risk evaluation rating for the risk:

Corporate Risk Evaluation Ratings
  Acceptable: The current level of exposure the objective faces from the corporate risk is acceptable, or manageable within current standard business operations:
    - The current level of exposure to the corporate risk is acceptable in regards to the corporate risk appetite approach to the objective; or
    - The University has made an educated decision to accept the burden of the current exposure to our objective from the corporate risk.
    Risk treatments do not need to be applied to the risk. The control environment should be enforced and monitored, and changes in our exposure to the risk communicated.
  Unacceptable: The University's ability to achieve its objective is unacceptably exposed to the influence of the corporate risk. Our current management of the risk needs to be improved:
    - The current level of exposure the objective faces to the corporate risk is unacceptable given the corporate risk appetite approach to the objective; or
    - The University needs to act to reduce our objective's future exposure to the corporate risk to enable the objective to be achieved.
    Risk treatments should be applied in line with resource allocation to reduce the objective's future exposure to this risk. Where treatments cannot be applied, a full explanation of why this is the case needs to be provided. The control environment should be enforced and monitored, and changes in our exposure to the risk communicated.

4.4 Step Four: Identifying Corporate Risk Treatments

Not all corporate risks need risk treatment. Treatments are proposed measures, undergoing development, implementation, or activation, which once in place will reduce or contain our future exposure to a risk. Risk treatments treat deficiencies in the University's current ability to manage risk; if no changes are needed in our management of risk, no treatments are needed. Where treatments are needed, they are to be identified, monitored and reported alongside (but separate from) a risk's existing controls.

Treatments should be targeted to make the largest possible difference to our risk exposure, given the effort and cost of applying the treatment. A treatment's target should reflect the cause of the corporate risk, the performance of the risk's existing control environment and the University's ability to influence both.

Information used to document risk treatments is as follows:
- Name of the risk treatment: the title the treatment is known by;
- Purpose: the purpose of a treatment, and how the treatment is to accomplish this purpose. This framework provides rating based indicators for a treatment's purpose (see Indicator of Treatments Purpose below). Detail on how the treatment will go about changing the control environment, or the cause of a risk, should also be documented;
- Approvals: statement of whether all approvals needed to develop, implement and activate the treatment have been officially provided / received (indicator of Yes, No or Partially);
- Funding: statement of whether all funding needed to develop, implement and activate the treatment has been officially allocated to the treatment (indicator of Yes, No or Partially);
- Due date: the timeframe in which the treatment is expected to be implemented and activated;
- Status: the status of progress towards treatment implementation and activation (see Indicator of Treatment Status below);
- Authority over the treatment: business area that is implementing and will activate the treatment; and
- Responsibility for the treatment: position responsible for aligning the treatment's purpose with reducing our future exposure to the corporate risk.

Indicator of Treatments Purpose
  Enhance existing controls: An enhancement to the control environment performance, to further reduce the likelihood or impact of consequences we want to avoid occurring. The prevailing circumstances are such that:
    - The current level of exposure to this risk is deemed unacceptable; and
    - It is a more efficient use of resources to enhance the corporate risk's control environment, over changing strategy to avoid the cause of the risk; and
    - Operational constraints allow for the enhancement of the control environment for this corporate risk.
  Avoid a cause: Changing strategy to avoid the cause of the corporate risk and remove our objective's exposure to the impact of the consequences occurring. The prevailing circumstances are such that:
    - The current level of exposure to this risk is deemed unacceptable; and
    - It is a more efficient use of resources to change strategy and avoid the cause of the corporate risk, over enhancing the risk's control environment; and
    - Operational constraints will allow for implementation of an alternative strategy to achieving the objective, which avoids the cause of this risk.
  Share the impact from a consequence: Sharing the burden of the consequences' impact with another party or parties (i.e. contract, insurance etc.). The prevailing circumstances are such that:
    - The current level of exposure to this risk is deemed unacceptable; and
    - It is a more efficient use of resources to share the burden of the consequences' impact, over changing strategy or applying other enhancements to the risk's control environment; and
    - Operational constraints will allow for corporate risk sharing to be applied.

Indicator of Treatment Status
  Promoted: The treatment is implemented, activated and is modifying our exposure to the corporate risk.
  As Planned: Progress towards implementation and activation of the corporate risk treatment is on track as planned.
  Delayed: There is a delay in implementing or activating the corporate risk treatment. The delay is being addressed; the treatment is expected to be implemented and activated in full at a later time than originally planned.
  Off Track: Large setbacks have occurred in the implementation or activation of the corporate risk treatment; or a significant component of the treatment is not likely to be implemented or activated.
  Not Started: As planned, implementation of the corporate risk treatment has yet to commence.
  No Status: No status update has been provided on this corporate risk treatment.

Promoting a Risk Treatment on Implementation and Activation

Once an enhancing or sharing treatment has been implemented and is active, it is absorbed into the corporate risk's existing control environment. Where a treatment's purpose was to improve an existing control, it may increase the existing control's performance rating. If its purpose was to form a new control, the new control is to be added to the risk's existing controls. Where a treatment's purpose is to avoid the cause of a risk, the treatment could change the corporate risks faced by the University.
This may mean the University's objectives are no longer exposed to an original risk, or the consequences of a risk occurring may be significantly different. Regardless of the purpose of a risk treatment, a treatment's implementation, activation and promotion should prompt a corporate risk review.

4.5 Step Five: Communicating & Reviewing Corporate Risk Information and Exposure

For corporate risk management to fulfil its purpose in benefiting decision making, up-to-date risk information needs to be available to the decision makers. To achieve this, risk information needs to be communicated and updated in a timely and effective manner. A guide to the flow of corporate risk communication is available in Appendix 3 of this framework.

Communicating Corporate Risk Information

Corporate risk information is best communicated using a table based risk report accompanied by a brief executive summary. All corporate risk reports at the University must use the Mandated Corporate Risk Management Language prescribed in this framework (see section 3.2 or Appendix 1). Communication should reflect the objective being assessed and the nature of the risk faced by the University. Significant risks faced by University objectives, whether strategic, operational or project, are to be reported through the Audit & Risk Committee to the University Council (see sections 2.2 & 2.3).

Reporting of corporate risks to the University's key governance committees (University Council and Council Committees, or the Academic Board and Academic Board Committees) must:
- Be in the form of the mandated Corporate Risk Governance Report (see Appendix 2), or be generated from the Corporate Risk Management Database;
- Be backed up by a corporate risk assessment (see optional template available in Appendix 2), which may be requested by the Committee or Committee Secretariat;
- Use the Mandated Corporate Risk Management Language prescribed in this framework (see section 3.2 or Appendix 1); and
- Where information required for the mandated Corporate Risk Governance Report is unknown or unassessed, leave the associated report fields blank.

Corporate Risk Management Database

The corporate risk management database houses key corporate risk management data for aggregated management and reporting purposes. The database does not replicate the corporate risk management process; it is used to document the outcomes of the process rather than replace it. For advice on using the Corporate Risk Management Database contact the Audit & Risk Directorate (ARD) at [email protected].

Updating Corporate Risk Information

A review of corporate risk information should:
- Follow on from changes that have influenced or impacted the objective, corporate risk, existing controls or treatments;
- Precede and inform the review of strategic, operational or project objectives; and / or
- Precede and inform significant strategic, operational or project decision making.

Corporate risk reviews need to capture important changes in risk exposure and reflect the results of existing control and risk treatment monitoring. Corporate risk monitoring and review should focus on:
- Identifying changing exposure to objectives, and management priority of existing risks;
- Identifying newly emerging risks;
- Ensuring existing controls are operating and performing as expected; and
- Detecting changes that influence the feasibility of proposed risk treatments.

Once a review of corporate risk information has been conducted, the outcome of the review is to be communicated. Risk review reports should indicate the trend the University is experiencing in its risk exposure. Trends are a reflection of changes that have influenced a corporate risk since it was last reported. This will include the University's changing ability to manage each risk as well as significant changes in external forces.

Trend in Our Exposure to a Corporate Risk
  Increasing Exposure (symbol*: Wingdings 241, in red): Our exposure to the corporate risk has increased since it was last reported.
  Decreasing Exposure (symbol*: Wingdings 242, in green): Our exposure to the corporate risk has decreased since it was last reported.
  Is Occurring (symbol*: Wingdings 171, in red): This corporate risk has been actualised and is a live issue for the University.
  No Change (symbol*: Wingdings 243, in black): Our exposure to the corporate risk has not changed since it was last reported.
  Initial Assessment (symbol*: Wingdings 159, in black): This is the first report on a new addition to the corporate risk register.

* The language used in the Trend in Our Exposure to a Corporate Risk table is mandatory, but use of the symbols is not. If you use the symbols for reporting purposes, the report must include a legend that aligns the symbol to the mandated trend term. An example of this is provided below:

[Example legend: a two-column table headed "Symbol" and "Trend in Our Exposure to a Corporate Risk", with one row for each trend term (Increasing Exposure, Decreasing Exposure, Is Occurring, No Change, Initial Assessment). The Wingdings symbols are not reproducible in this text version.]

5. Framework Development and Guidance

The Audit & Risk Directorate (ARD) continually advances the University's corporate risk management towards a mature and business appropriate process. ARD works with business units and University representatives to tailor application of the corporate risk management framework to suit the needs of each business unit. Along with generalised corporate risk management training material, ARD also provides targeted advice and guidance to business units and University representatives as requested or required. ARD's role is to support corporate risk management practices and communication throughout the University. For advice on corporate risk management contact ARD at [email protected].

6. Administration Data

Document Type: Framework
Rule Administrator: Director Audit and Risk
TRIM reference: Original D13/69292, TWEEK D15/7574
Date approved: 24/09/2015
Due for review: 3 years from approval
Responsible party for review: Director Audit and Risk
Pre-approval requirements: Audit & Risk Committee endorsement of the Corporate Risk Appetite Statement and Framework on the 23rd October 2014. Council approval of the Corporate Risk Appetite Statement on the 20th November 2014.
Approved by: Signature appears on the PDF version of this document (D15/106210). Dave Tanner - Director Audit & Risk
Related Policies or other documents:
- University of New England Act 1993
- Tertiary Education Quality Standards Agency Act 2011
- ISO 31000:2009 Risk Management – Principles and Guidelines
- Policy on the Role and Function of Council
- Functions of the Vice-Chancellor Rule
- Controlled Entity Rules
- Controlled Entity Guidelines
- Compliance Policy
- Corporate Risk Management Rule
- Organisational Resilience Rule
- Audit and Risk Committee Charter and Terms of Reference

Appendix 1: Mandated Corporate Risk Management Language

Identifying Corporate Risks
  Corporate Risk Types: Strategic; Operational; Project
  Corporate Risk Appetite Approaches: Risk averse; Balanced; Positive Risk taking

Identifying and Assessing the Control Environment for a Corporate Risk
  Types of Controlling Measures: Existing control; Risk treatment
  Types of Existing Controls: Rule procedure; Policy procedure; Business unit process; Ad hoc process; Monitoring process; Review process; Benchmarking
  Control Performance Ratings: Effective; Sound; Minimal; Unsatisfactory; Non-existent

Assessing the Level of Corporate Risk Exposure
  Corporate Risk Likelihood Ratings: Almost Certain; Likely; Possible; Unlikely; Almost Never
  Corporate Risk Impact Ratings: Severe; Major; Moderate; Minor; Insignificant
  Corporate Risk Exposure Levels: Critical; High; Medium; Low; Very Low
  Corporate Risk Evaluation Ratings: Acceptable; Unacceptable

Implementation and Activation of Corporate Risk Treatments
  Indicator of Treatments Purpose: Enhance; Avoid; Share
  Indicator of Treatment Status: Promoted; As Planned; Delayed; Off Track; Not Started; No Status

Reporting on the Review of Corporate Risk Exposure
  Trend in Our Exposure to the Corporate Risk: Increased exposure; Decreasing exposure; Is occurring; No change; Initial Assessment

Appendix 2: Corporate Risk Documentation Templates

Corporate Risk Assessment
Last amended: <Date>
Risk No.: <#> <Description of the corporate risk>
University objective at risk: <Identify if the objective is strategic, operational or project> <Provide a description of the objective>
Causes responsible for exposing the University to this risk: <Cause 1>
Consequences we want to avoid if the risk was to occur: <Consequence 1>
Risk Owner: <Enter the risk owner's position>
Risk appetite approach to achieving this objective: <Enter the risk appetite approach>
Existing controls:
  Name of existing control: <Name of an existing control for this risk>
  Control performance: <Enter rating>
  Control type: <Enter type>
  Authority over the control at UNE: <Enter business unit>
  Responsibility for applying the control: <Enter staff position>
Overall control environment performance rating: <Enter rating>
Likelihood: <Enter rating>
Impact: <Enter rating>
Risk exposure level: <Enter level>
Trend in our exposure to this corporate risk: <Enter trend>
Exposure to this level of corporate risk: ☐ Is acceptable ☐ Is unacceptable
Are There Proposed Treatments? ☐ Yes ☐ No
Explanation for untreated exposure to an unacceptable risk: <Enter explanation>

Corporate Risk Assessment – Proposed Treatments to Reduce Future Risk Exposure
Last amended: <Date>
Risk No.: <#> <Description of the corporate risk>
Risk Owner: <Enter the risk owner's position>
Risk Exposure Level: <Enter level>
Overall control environment performance rating: <Enter rating>
Trend in our exposure to this corporate risk: <Enter trend>
Corporate Risk Treatment No.: <#.1> <Name of the treatment for this risk>
  Purpose of the corporate risk treatment: ☐ Enhance ☐ Avoid ☐ Share
  <Identify the existing control the treatment is improving; or the new control the treatment will become; or the cause the treatment will avoid>
  <Provide detail on how the treatment will fulfil its purpose>
  Are all approvals in place? <Yes, No, Partially>
  Is all the funding in place? <Yes, No, Partially>
  Due date: <Enter date>
  Status: <Enter status>
  Authority over the treatment at UNE: <Enter business unit>
  Responsibility for applying the treatment to this risk: <Enter staff position>
Corporate Risk Treatment No.: <#.2>
  Purpose of the corporate risk treatment: ☐ Enhance ☐ Avoid ☐ Share
  Are all approvals in place? / Is all the funding in place? / Due date / Status
  Authority over the treatment at UNE / Responsibility for applying the treatment to this risk
Corporate Risk Treatment No.: <#.3>
  Purpose of the corporate risk treatment: ☐ Enhance ☐ Avoid ☐ Share
  Are all approvals in place? / Is all the funding in place? / Due date / Status
  Authority over the treatment at UNE / Responsibility for applying the treatment to this risk

Corporate Risk Governance Report
Last amended: <Date>
Objective
  Objective at Risk: <Description of the objective>
  Objective's Risk Appetite: <Enter the risk appetite approach>
Risk Exposure
  Corporate Risk Description: <Description of the corporate risk>
  Control Environment Performance: <Enter rating>
  Risk Exposure Level: <Enter rating>
  Evaluation of Exposure Level: <Acceptable, Unacceptable>
Future Treatments
  Are There Proposed Treatments? <Yes, No>
  Are All Treatments Fully Approved? <Yes, No, Partially>
  Are All Treatments Funded? <Yes, No, Partially>
Comment by Risk Owner: <Enter risk owner's comment> <Enter the risk owner's position>

Corporate Risk Register Log of Key Dates
Last amended: <Date>
Risk Identification
  Risk no: <#>
  Risk Description: <Enter the corporate risk description>
  Risk owner: <Enter position>
Key Dates
  Date of Last Risk Review: <Enter date>
  Date Risk Was Added: <Enter date>
  Date Risk Was Retired: <Enter date>
  Staff Position with Authority Over Addition & Retirement: <Enter position>

Appendix 3: Authority, Responsibility and Communication Guides

Guide to Identifying Authority & Responsibility

[Diagram: the five roles below are linked in sequence by the labels "Objective", "Risk to the Objective", "Control Against Risk Exposure" and "Treatments for the Control Environment".]

Authority over an Objective & Responsible for a Risk
Who? Executive or Manager in charge of the Business Unit, UNE function, or realisation of the project objective, that is being risk assessed. This position has authority over setting the objective, owns the risks to that objective, and has responsibility for those risks.

Authority over a Control
Who? The Business Unit that administers and enforces the existing control. This Business Unit has authority over setting UNE's methodology for this control.

Responsible for a Control
Who? Position responsible for applying this control to reduce or contain exposure to this risk.

Authority over a Treatment
Who? The Business Unit that will implement and activate the treatment. This Business Unit has authority to set UNE's operational environment for this treatment.

Responsible for a Treatment
Who? Position responsible for aligning the treatment's specifications with its purpose to reduce our future exposure to this risk.

An Example of Assigned Authority & Responsibility

Authority over an Objective & Responsible for a Risk: Head of School
  School business plan objective: Undertake teaching consistent with the School's load and revenue forecast.
  A risk to the objective: Failure to manage academic teaching staff contracts to best fit required teaching load coverage.
Authority over a Control: Human Resource Services
  Controls: 1. Web Kiosk and Alesco timesheet submission process. 2. Generate payroll reports.
Responsible for a Control: School Resource/HR manager
  Controls: 1. Process to ensure the timely submission of timesheets by School staff. 2. Fortnightly review of School payroll reports.
Deficiency identified in the control environment: Delayed submission of timesheets by staff is skewing fortnightly payroll report data.
Authority over a Treatment: Human Resource Services
  Treatment: Update to the policy procedure regarding acceptable submission deadlines and impact. NOTE: This is a fictional example treatment.
Responsible for a Treatment: DVC/PVCA Representative
  Treatment: Ensure the needs of Schools are addressed by the changes to the updated policy procedure.

Guide to the Flow of Corporate Risk Communication

This guide provides direction on how corporate risk management information is to be communicated. Not all UNE communication networks will be accurately represented by this guide. Where variations are evident, good judgement is to be used in assessing communication needs by those involved in corporate risk management.
Authority Authority over over aa Control Control Authority Authority over over aa Treatment Treatment Responsible Responsible for for aa Control Control Risk information Corporate Risk Assessment 1 Management feedback Control Information Corporate Risk Governance Treatment Information Report Responsible Responsible for for aa Treatment Treatment Management Management Committee Committee Management Management 2 Governance Governance Committee Committee Authority Authority over over an an Objective Objective && Responsible Responsible for for aa Risk Risk Risk information Risk information Stakeholders Stakeholders NOTES: 1. A Corporate Risk Assessment template is provided in Appendix 2 (pages 24 & 25) of this Corporate Risk Management Framework (use of this template is optional). 2. Use of this frameworks Corporate Risk Governance Report template is mandatory for risk reporting to Council & Council Committees including Academic Board. This template is available in Appendix 2 (page 26) of the Corporate Risk Management Framework. All UNE corporate risk communication and reporting must use the Mandated Corporate Risk Management Language outlined in this Corporate Risk Management Framework. A summary of the mandated language can be found in section 3.2 (pages 9 & 10) or in Appendix 1 (page 23). Page 29 of 45 Corporate Risk Management Rule Framework aaaaaa Appendix 4: Project - Corporate Risk Management Cheat Sheet Project Objectives - Reasons for Conducting the Project What is the projects purpose? Why is it being undertaken? and What are the core outputs, benefits or changes the project has been instigated to achieve? This information forms the projects objectives which you will then risk assess. 
Risk Appetite towards Each Project Objective
For each project objective, discern whether the objective is:
• Required to achieve a UNE strategic objective or enable continued UNE business as normal ~ Risk averse
• Required to achieve more sustainable UNE operations ~ Balanced
• Required to create a competitive advantage for UNE ~ Positive risk taking
In discussion with the Project Owner and using good judgement, set the appetite for each project objective.

Project Constraints and Management Strategies
What are the constraints the project faces? What events or changes can you expect with some certainty will occur during the life of the project? What strategies are going to be used to manage achieving the objectives within or around the identified constraints, events or changes? Knowing the project's constraints and management strategies is essential for identifying risks to the objectives.

Risks to the Project Objectives
Risks are the implications of our choices regarding the project's strategy and management. The risks you are identifying are the risks of not making the best management choice for achieving the project's objectives.
• What is the constraint, or what is responsible for producing the event/change (cause)?
• What are the specific consequences of the constraint/change that we want to avoid (consequence)?
• What do you have to watch out for? What effect does not making the best choice for managing or avoiding the consequences of this cause have on our ability to achieve the project objective (corporate risk)?

Existing Controls for Managing Risk Exposure
What controls are already in place to manage this risk generally at UNE? Are any of these controls being applied to this project? If so, these are the existing controls for this project risk. How are the controls performing collectively, as a control environment, to manage this risk?
Identify the Risk Exposure
Risk Likelihood Rating + Risk Impact Rating = Risk Exposure Level
Is this exposure level acceptable, given the risk appetite and importance of the objective?
• Yes: accept the level of corporate risk to the objective. Monitor existing controls and review risk as needed.
• No: apply risk treatments if they are available. Monitor existing controls and review risk as needed.

Treatments for the Control Environment
Identify treatments to the risk's control environment based on deficiencies in that control environment. Indicate the purpose of each treatment & how each treatment will accomplish its purpose. Monitor the treatment's progress towards implementation and activation.

Communicate the Risk
• Project Owner & Steering Committee
• Project Control Board
• Council Committees (High & Critical Risks)

Review the Risk Register
Reviews are prompted by:
o Changes to the risk, the risk's control environment, or finalisation of a risk treatment;
o Changes to the project objectives;
o Reaching major decision/authorisation points or stage gates within a project's life.

Appendix 5: Corporate Risk Identification and Assessment Process Map

Step One: Identify Corporate Risks
In identifying corporate risks you identify the effects of our uncertainty around how to manage events or changes with potentially large implications, on our ability to achieve objectives.

Process map:
Start
• List your business or project objectives. (Corporate risks are risks to the University's objectives.) See Advice 1.
• Identify the amount of risk the University will willingly accept in pursuit of each objective. (This is the risk appetite approach.) See Advice 2.
• What are the events or changes that will potentially have large implications for our ability to achieve each of these objectives?
• For each event or change identify (see Advice 3):
  1. What is responsible for producing the event or change? This is the cause of the corporate risk.
  2. What are the consequences of the event or change occurring that we want to avoid? These are the consequences of the corporate risk.
  3. What effect does not knowing if we can appropriately manage the implications of this event or change have on our ability to achieve the objective? This is the corporate risk. See Advice 4.
Stop

Step One Continued: Advice on Identifying Corporate Risks

ADVICE 1: Key information you need to know ahead of beginning this process, and detail on how to identify corporate risks, is outlined in the Corporate Risk Management Framework.
Relevant Framework Sections: 3.3 Key Information You Need to Know First including sub-sections; and 4.1 Step One: Identify Corporate Risks including sub-sections.

ADVICE 2: The Framework consists of a corporate risk appetite statement that defines the University's attitude to corporate risk. Along with this statement, the Framework provides detail on how to identify a corporate risk appetite approach to achieving an objective.
Relevant Framework Sections: 1.2 Corporate Risk Appetite Statement; and 3.3.2 What is the Corporate Risk Appetite Approach for the Objective?

ADVICE 3: The Framework encourages users to simultaneously establish a risk's cause and consequences as they identify the risk. This is because it is easy to confuse a corporate risk's cause or consequence for the risk itself.

ADVICE 4: Corporate risk is the effect of uncertainty on the University's objectives, where this effect is a positive or negative deviation from what is expected. Uncertainty is the result of deficiencies in our information, knowledge or understanding around our strategy for achieving an objective. Corporate risk management is managing the effects of this uncertainty by reducing or containing it as much as possible. This is accomplished through risk assessing our strategy for achieving an objective.
Step Two: Identify Existing Controls
In identifying existing controls you are recording the measures or processes that are in place and that are actively modifying our exposure to the corporate risk.

Process map:
Start
• List the names of the existing controls for the corporate risk that you are reviewing. See Advice 5.
• For each existing control, identify the broad type of organisational function performed by the control.
• Indicate for each existing control whether directions for applying the control are published or unpublished. If an existing control has published directions, provide the control document reference information (i.e. provide the document name and records reference number or file location).
• For each existing control, indicate who has authority over the control. (Authority lies with the area that administers and enforces the control.)
• For each existing control, indicate who is responsible for ensuring that the control is being applied to this risk.
Stop

Step Two Continued: Advice on Identifying Existing Controls

ADVICE 5: All the existing controls for a corporate risk need to be identified to give a correct assessment of the control environment for a risk. An existing control is a measure that is in place and actively modifying (reducing or containing) the University's exposure to the corporate risk it is associated with.
* If a control is in the planning, implementation or testing phase (not fully active), it is not an existing control; and/or
* If a control is active in modifying a related risk, but is not directly involved in actively modifying exposure to the corporate risk you are reviewing, it is not an existing control on that risk.
Relevant Framework Sections: 4.2 Step Two: Identify Existing Controls including sub-sections and table of:
* Types of Existing Controls

Step Three: Assess Control Performance and Level of Corporate Risk Exposure
In assessing control performance and risk ratings you provide an indicator of how significantly the achievement of our objective is exposed to a corporate risk.

Process map:
Start
• Existing Control Performance Ratings: Rate how well each existing control is performing in modifying our exposure to the corporate risk. See Advice 6.
• Control Environment Performance Rating: Rate the performance of the overall control environment in modifying our exposure to the corporate risk.
• Risk Likelihood Rating: What is the likelihood of the corporate risk occurring in the existing control environment?
• Risk Impact Rating: What would be the impact of the consequences on the objectives if the corporate risk did occur in the existing control environment?
• Risk Exposure Level (Risk Likelihood Rating + Risk Impact Rating = Risk Exposure Level): Using the risk matrix, assign a risk exposure level to this corporate risk.
• Given your business or project objectives, appetite and constraints, is this level of corporate risk acceptable? See Advice 7.
  Yes: Accept the level of corporate risk. Go to Step Five.
  No: Proceed to risk treatment.
Stop

Step Three Continued: Advice on Assessing Control Performance and Level of Corporate Risk Exposure

ADVICE 6: The Corporate Risk Management Framework contains rating tables to guide the assessment of our exposure to a corporate risk. It is important to refer to these tables and use the language from the tables in your assessment.
Relevant Framework Sections: 4.3 Step Three: Assess Control Performance and Level of Corporate Risk including sub-sections and tables of:
* Control Performance Ratings;
* Corporate Risk Likelihood Ratings;
* Corporate Risk Impact Ratings;
* Matrix of Corporate Risk Exposure Levels; and
* Corporate Risk Evaluation Ratings

ADVICE 7: Whether a corporate risk is acceptable or unacceptable depends on the University's perception of its current ability to manage the risk. As a rule, accepting the risk means finding the current circumstances acceptable; not accepting the risk indicates the University's need to improve the current situation.
Relevant Framework Sections: 4.3.6 Evaluating Whether the Exposure to a Corporate Risk is Acceptable including the table of:
* Corporate Risk Evaluation Ratings; and
1.2 Corporate Risk Appetite Statement including sub-sections; and
3.3 Key Information You Need to Know First including sub-sections

Step Four: Identifying Corporate Risk Treatments
Corporate risk treatments are proposed measures that will reduce our future exposure to a corporate risk by treating deficiencies in the University's current ability to manage the risk.

Process map:
Start
• Is our management of this corporate risk, and our exposure to it, acceptable? See Advice 8.
  Yes: This risk does not need risk treatments. Go to Step Five.
  No: Continue with the steps below.
• List the corporate risk treatments that are being developed, implemented or activated to help manage our future exposure to this risk. See Advice 9.
• For each treatment, indicate the status of our progress towards implementing and activating the treatment, and gaining required approvals.
• Indicate the purpose of each treatment and provide a brief statement of how each treatment is to accomplish its purpose.
• For each treatment, indicate who has authority over implementing and activating the treatment.
• For each treatment, indicate the treatment's due date.
• For each treatment, indicate who is responsible for aligning the treatment's purpose with reducing our future exposure to this corporate risk.
Stop

Step Four Continued: Advice on Identifying Corporate Risk Treatments

ADVICE 8: Not all corporate risks need risk treatment. Risk treatments treat deficiencies in the University's current ability to manage risk; if no changes are needed in our management of risk, no treatments are needed. As a rule, finding a risk acceptable means finding our current management of, and exposure to, the risk acceptable. Finding a risk unacceptable indicates the University needs to improve its current situation through applying treatments.
Relevant Framework Sections: 4.4 Step Four: Identifying Corporate Risk Treatments; and 3.3 Key Information You Need to Know First including sub-sections; and 4.3.6 Evaluating Whether the Exposure to a Corporate Risk is Acceptable including the table of:
* Corporate Risk Evaluation Ratings.

ADVICE 9: Risk treatments are proposed measures that will change:
* How the University is managing a risk through its existing controls; or
* The University's strategy for achieving an objective so as to avoid the cause of the risk.
Risk treatments often affect other treatments, risks and existing controls. Due to this, it is important to communicate the purpose of a treatment, how it will accomplish this purpose and its current status.
Relevant Framework Sections: 4.4 Step Four: Identifying Corporate Risk Treatments including sub-sections and tables of:
* Indicator of Treatments Purpose;
* Indicator of Treatments Status

Step Five: Review Corporate Risk Information and Exposure
Corporate risk reviews update risk information so it can be communicated in an effective manner and considered in organisational decision making. A risk review is prompted by changes to a corporate risk.
Process map:
Start
• Have treatments for this corporate risk been implemented and activated since it was last reviewed? See Advice 10.
  Yes: Evaluate the influence of the treatment on the corporate risk. Treatments that enhance controls, or share the impact of consequences, will be absorbed into the risk's existing control environment. Treatments that avoid the cause of a risk can change the corporate risks faced by the University.
  No: Continue with the reviews below.
• Review and update the information for the risk from Step One: Identify Corporate Risks.
• Review and update the information for the risk from Step Two: Identify Existing Controls.
• Review and update the information for the risk from Step Three: Assess Control Performance and Level of Risk Exposure.
• Review and update the information for the risk from Step Four: Identify Corporate Risk Treatments.
• Indicate the trend the University is experiencing in its exposure to this risk since it was last reported.
• Communicate corporate risk information to inform work prioritisation and decision making.
Stop

Step Five Continued: Advice on Reviewing Corporate Risk Information and Exposure

ADVICE 10: Changes to a corporate risk can have a cascading effect and change a large proportion of the information previously identified for the risk. These changes can also affect other risks that share the same objective, cause, consequences or controls. As the University's ability to manage each risk changes and/or external forces change, corporate risks need to be reviewed to remain accurate.
Relevant Framework Sections: 4.5 Step Five: Review Corporate Risk Information and Exposure including sub-sections and table of:
* Trend in Our Exposure to a Corporate Risk; and
3.3.4 How Will Communication and Consultation Occur? and
3.3.5 How Will Corporate Risk Information Be Updated?
Appendix 6: Glossary of Corporate Risk Management Terms

Appetite: The broad level of corporate risk the University will willingly expose itself to, in pursuit of an organisational objective.

Appetite Approaches: Direction and tolerances in the acceptable management of corporate risk based on the University's appetite for exposing an objective to the influence of risk.
NOTE: The University has three defined corporate risk appetite approaches:
• Risk averse approach to achieving a vital objective;
• Balanced approach to achieving a sustainable growth objective;
• Positive risk taking approach to achieving a competitive objective.

Appetite Statement: The University Council approved statement expressing the University's attitude towards exposing University objectives to the influence of corporate risk.

Authority: The power or jurisdiction to determine intention and direction.
NOTE:
• Authority over an objective lies with the Executive or Management position in charge of setting the objective. This position owns, and is responsible for, all corporate risks to the objectives they have authority over.
• Authority over a control lies with the business area that administers and enforces the control.
• Authority over a treatment lies with the business area that is implementing and will activate the treatment.

Business units: All units, including Schools, Directorates, Departments, Centres and Institutes with financial operations under a University of New England cost centre.

Cause: The force responsible for producing an event or change that has potential implications for our ability to achieve an objective.

Consequence: Outcomes or implications for the University's ability to achieve an objective that we want to avoid if an event or change occurs.

Control Environment: The cumulative or aggregated influence of all existing controls on a corporate risk.
Control Performance: The manner in which, or efficiency with which, existing controls fulfil their intended purpose.
NOTE: An assessment of control performance is based on whether a control is appropriate for its purpose in managing a risk, and how well the control is performing its purpose relative to its potential to perform its purpose at UNE.

Control Types: The broad organisational function performed by a control.

Corporate Risk: The effect on the University's objectives from uncertainty in organisational decision making and action.
NOTE: Uncertainty is the result of deficiencies in our information, knowledge or understanding around our management of, and strategy for, achieving our objectives. Corporate risks are risks to the achievement of our objectives; these risks stem from our management choices.

Corporate Risk Management: Coordinated activities to direct and control an organisation with regard to corporate risk.

Corporate Risk Management Rule: A Council approved statement that outlines the University of New England's intentions and direction for corporate risk management.

Evaluation: Process of comparing the results of the analysis of a corporate risk with the appetite approach to the objective and organisational priorities and constraints, to determine whether the risk and/or its magnitude are acceptable or tolerable.

Existing Controls: Measures that are in place and actively modifying (reducing or containing) the University's exposure to the corporate risk they are associated with.
• If a control is in the planning, implementation or testing phase (not fully active), it is not an existing control; and/or
• If a control is active in modifying a related risk, but is not directly involved in actively modifying exposure to the corporate risk you are associating it with, it is not an existing control on that risk.
Existing control measures can include procedures, practices, processes, technology, techniques, methods, or devices that modify the University's exposure to a corporate risk.

Exposure: The magnitude to which a University objective is subjected to the influence of a corporate risk occurring.

Good Judgment: Using discretion and sound professional reasoning to make a decision or form an objective opinion.
NOTE: Good judgment is to be used to ensure the following are in proportion to the University's efforts to achieve the associated objective:
• The complexity and extent of the corporate risk management needed; and
• The appropriate performance required from controlling measures.

Hazard Risk: The effect of uncertainty on the health, safety and wellbeing of humans, other organisms, or the environment.

Impact: The effect on an objective from the consequences of a corporate risk occurring.
NOTE: This is based on an objective's vulnerability to the effect of the consequences, and the ability of a corporate risk's existing controls to soften the effect of the consequences.

Likelihood: The potential frequency for the corporate risk to occur.
NOTE: This is based on the predominance of the risk's cause and the ability of the corporate risk's control environment to prevent the risk occurring.

Objective: University goals, targets or purposes which the University's efforts and actions are intended to attain or accomplish.
NOTE:
• Strategic objectives: The University's targets for achieving strategic priorities and direction, as stated in the strategic plan;
• Operational objectives: Operational targets for business units to achieve within a planning cycle, as stated in business unit operational plans;
• Project objectives: Aim or purpose of a project, as stated in the project business case and/or plan.
Operational Constraints: An internal or external force that serves to constrain the function of the University.
NOTE: Examples include resource limitations, compliance restrictions and operational incompatibilities.

Operational Risk: Corporate risks to the achievement of the University's operational objectives. These risks are directly related to the operational priorities and targets for the University's business units.

Project: A temporary endeavour undertaken to create a unique product, service or result.
NOTE: Contact the Strategic Projects Group for information on project management practices and project classification. Email [email protected]

Project Risk: Corporate risks to the achievement of the University's project objectives. These risks are directly related to the purpose and benefits of a project as set out in the project business case and/or plan.

Responsibility: Answerable or accountable for something within one's control or management.
NOTE:
• Responsibility for a corporate risk is linked with the authority for setting the objective that is exposed to the risk. Authority over an objective lies with the Executive or Management position in charge of setting the objective. This position owns, and is responsible for, all corporate risks to the objectives they have authority over.
• Responsibility for a control lies with the position responsible for applying the control to a corporate risk.
• Responsibility for a treatment lies with the position responsible for aligning the treatment's purpose with reducing our future exposure to the corporate risk.

Risk Owner: The UNE Executive or Manager in charge of the:
• UNE function;
• Business unit; or
• Realisation of the project objective;
that is being risk assessed.
NOTE: This position has authority over setting the objective, owns the risks to that objective and has responsibility for those risks.
Risk Register: A list or record of corporate risks and risk information for management and communication purposes.

Risk Types: Types of corporate risk based on the organisational objective being risk assessed.
NOTE: The University has three types of corporate risk: strategic, operational and project.

Significant Risk: A corporate risk with significant potential to impede an important University objective.
NOTE: The significance of a risk is a subjective assessment based on the nature of the objective being assessed and the objective's exposure to the risk.

Strategic Project: A project with a budget of over $250,000 or that affects a large proportion of the University.
NOTE: Contact the Strategic Projects Group for information on project management practices and project classification. Email [email protected]

Strategic Risk: Corporate risks to the achievement of the University's strategic objectives. These risks are directly related to strategic priorities, directions and targets set out in the University of New England's strategic plan.

Strategy: The plan, method or series of manoeuvres the University is pursuing to obtain or achieve an objective.
NOTE: Strategies reflect operational constraints and the outcomes that make up an objective, as well as the plans to accomplish these outcomes.

Treatment: Proposed measure undergoing development, implementation, and/or activation which, once in place, will act to further reduce or contain our future exposure to a corporate risk.

Treatment Purpose: The intended benefit in doing or applying a treatment and how the treatment is to accomplish this benefit.

Treatment Status: An indicator of a treatment's progress towards its planned implementation and activation.

Trend in Exposure: The nature of the changing influences on the University's exposure to a corporate risk since the risk was last reported.
UNE Representative: A University employee (casual, fixed term and permanent), contractor, agent, appointee, UNE Council member and any other person engaged by the University to undertake some activity for or on behalf of the University. It includes corporations and other bodies falling into one or more of these categories.