Risk Management Policy

Document Number: 000601
Date Approved: 30 November 2007
Date Last Amended: 25 February 2010

1.      Introduction

The Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2009) defines risk management as the "coordinated activities to direct and control an organisation with regard to risk" (1).

Risk arises in all aspects of the University’s operations and at all stages within the life cycle of those operations. It offers both opportunity and threat, and must therefore be managed appropriately.

This policy confirms the University's commitment to adopting a strategic, consistent and structured enterprise-wide approach to risk management in order to achieve an appropriate balance between realising opportunities for gains and minimising losses. The policy reflects the Australian Standard on Risk Management (AS/NZS ISO 31000:2009), which provides the overall framework for risk management at the University of Newcastle, and is consistent with the University of Newcastle Risk Framework.

Risk management involves establishing an appropriate risk management infrastructure and culture, and applying logical and systematic risk management processes to all stages in the life cycle of any activity, function or operation. By minimising losses and maximising gains, risk management enables the University to best meet its organisational objectives. 

2.      Policy Intent

Risk Management is an integral part of sound management practice and an essential element of good corporate governance, as it improves decision-making and enhances outcomes and accountability. 

The aim of this policy is to ensure that the University makes informed decisions with respect to the activities that it undertakes by appropriately considering both risks and opportunities.

2.1.     Policy Objectives

The application of this policy and related framework will provide the basis for:

i.   more confident and rigorous decision-making and planning;

ii.  better identification of opportunities and threats;

iii.  proactive rather than reactive management;

iv.  more effective allocation and use of resources;

v.   improved incident management and reduction in loss and the cost of risk, including commercial insurance premiums;

vi.   improved stakeholder confidence and trust;

vii.  a clear understanding by all staff of their roles, responsibilities and authorities for managing risk;

viii.  improved compliance with relevant legislation;

ix.   better corporate governance; and

x.    the development of a more risk aware organisational culture through enhanced communication and reporting of risk.


3.      Definitions

The University will adopt a consistent terminology in relation to risk to ensure effective communication and stakeholder awareness of risk and risk management within the University.

In the context of this policy:

consequence means the outcome of an event;

control means the measure that is modifying risk;

Enterprise Risk Management System (ERMS) means the system within which risk information will be contained and maintained;

likelihood means the chance of something happening;

monitoring means continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected;

level of risk means the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood;

residual risk means the risk remaining after risk treatment;

review means the activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve the established objectives;

risk means the effect of uncertainty on objectives;

risk analysis means the process to comprehend the nature of risk and to determine the level of risk;

risk appetite means the amount of risk that the University is prepared to accept or be exposed to at any point in time;

risk assessment means the overall process of risk identification, risk analysis and evaluation;

risk evaluation means the process of comparing risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable;

risk identification means finding, recognising and describing risks;

risk management framework is the set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation;

risk management means coordinated activities to direct and control an organisation with regard to risk; 

risk management plan means a scheme within the risk framework specifying the approach, the management components and resources to be applied to the management of risk;

risk management process means the systematic application of management policies, framework and practices to the activities of communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk;

risk owner means the person or entity with the accountability and authority to manage a risk;

risk profile means the description of any set of risks;

risk rating means the rating resulting from the application of the University’s risk assessment matrix on the likelihood and consequence of a risk occurring; and

risk treatment means the selection and implementation of appropriate options for dealing with risk.


4.      Policy Principles

4.1.     Risk Overview

i.      Risk management will be incorporated into the strategic and operational planning processes at all levels within the University.

ii.     Risk and the management of risk will be identified and monitored according to the University organisational chart, and risk categories, as defined in the Risk Management Framework.

iii.    Risk assessments will be conducted on all new commercial activities, ventures and projects prior to commencement to ensure alignment with risk appetite and organisational objectives.

iv.     Risks will be identified, reviewed and monitored on an ongoing basis at nominated levels within the University.

v.      Risks will be assessed against the University's agreed risk assessment matrix according to agreed definitions of likelihood and consequence.

vi.     All identified risks will be recorded in the University's risk management system.

vii.    All risks will be assigned an owner who is responsible for managing, monitoring and ensuring that adequate controls and treatments are being applied so that risks are brought within tolerable levels.

4.2.     Risk Management Approach

i.     Risks will be managed according to the University's Risk Management Framework, which is based on the AS/NZS ISO 31000:2009 Risk Management Process, displayed in Figure 1.1.

Figure 1.1 AS/NZS ISO 31000:2009 Risk Management Process (2) (See Appendix 1)

4.3.     Roles and Responsibilities

i.    The University Council will "oversee risk management and risk assessment across the University" (3).

ii.    The Audit and Risk Management Committee will advise the Council in relation to its functions under section 16(1B) of the Act.

iii.   The University’s Executive Committee will advise the Vice-Chancellor on matters of strategic and operational significance related to the identification and management of risk.

iv.   Senior executives (4) will be responsible for championing the roll out of the Risk Management Framework into the University’s business operations; for ensuring that staff understand their responsibilities with respect to operational risk management; and for developing a risk aware culture within their area of responsibility.

v.   Managers and supervisors will ensure that staff within their areas understand their responsibilities with respect to operational risk, and will assist in fostering a risk aware culture within their area.

vi.   The Risk and Assurance Services will coordinate and facilitate the University’s Risk Management Framework.

vii.  Roles and responsibilities for risk management at all levels of the University are described in the University of Newcastle’s Risk Management Framework.

4.4.     Reporting

i.    The Risk and Assurance Services will report to the Executive Committee and Council via the Audit and Risk Management Committee on strategic, operational and project risks, in accordance with the University’s Risk Management Framework. 


(1) Australian Standard on Risk Management (AS/NZS ISO 31000:2009)

(2) Risk Management Process. AS/NZS ISO 31000:2009, p14

(3) University of Newcastle Act 1989 No 68, 16 (1B) (e)

(4) Deputy Vice-Chancellors, Pro Vice-Chancellors, Chief Financial Officer, Directors, Associate Directors, Heads of School

5.      Essential Supporting Documents

University of Newcastle Risk Management Framework

Conflicts of Interest Policy 000934

6.      Related Documents

AS/NZS ISO 31000:2009
Appendix 1

AS/NZS ISO 31000:2009 Risk Management Process*

* Risk Management Process - Overview, "Risk Management Guidelines Companion to AS/NZS ISO 31000:2009"

1.   Establishing the Context means the University considers both external and internal factors when identifying and managing risks associated with the achievement of strategic and operational objectives.

2.   Risk assessment means the overall process of risk identification, risk analysis and risk evaluation.

3.   Risk identification means identifying risk sources, areas of impacts, events, causes and possible consequences to form a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. 

4.   Risk analysis means considering the range of causes, sources of risk, consequences and likelihood to produce a risk rating. The rating can then be used to determine further management by the University.

5.   Risk evaluation means ranking and prioritising the levels of risk identified during risk analysis according to a consistent overall ranking and rating system.

6.   Communicate and consult: Effective communication, consultation and education in risk management are necessary to achieve a successful integration of the risk processes into the business.

7.   Risk treatment means selecting one or more options for modifying risks including funding and other resource considerations.

8.   Monitoring and review: Continual monitoring and reviewing of risk profiles is essential to maintain the effectiveness and appropriateness of the University's risk management profiles, and more specifically of risk treatment plans and risk assessments, and to identify emerging risks.

Approval Authority: Vice-Chancellor
Date Approved: 30 November 2007
Date Last Amended: 25 February 2010
Date for Review: 25 February 2013
Policy Sponsor: Deputy Vice-Chancellor (Services)
Policy Owner: Associate Director Risk and Assurance
Policy Contact: Manager Risk Services

Amendment History

Amended links to new Conflicts of Interest Policy - 18 March 2011

Amendments to incorporate updating of the relevant Australian Standard, approved by Vice-Chancellor 25 February 2010.

Amended Policy Contact 24 March 2010

Approved Council 30 November 2007