Risk management


DATE: 4 May 1998, Resolution 98/3/40 

AMENDMENTS: 1 August 2001
December 2010 Council Resolution 2010/7/9
Minor amendment 2020 Academic Organisational Transformation 2020/4/6


CROSS REFERENCES: University of South Australia Act 1990; Guidelines for Managing Business Risks; ISTS Guidelines for Risk Management; Legislative Compliance System; Strategic Crisis Management Framework


Risk is inherent in all our activities, and we continuously manage risks. Formal and systematic approaches to managing risk have been implemented and continuously improved in the University over a number of years. Risk management is regarded by the University as sound business practice, which enhances decision-making, performance and accountability.

This version of the policy has been updated to reflect a recently released International Standard on Risk Management, and incorporates recent improvements in the University's risk framework.

This policy should be read in conjunction with the Guidelines for Managing Business Risks. Further information is available from the Manager Strategic Projects: Quality, Assurance and Risk.

Policy statement

The University will maintain a framework and supporting procedures that provide it with a systematic view of the risks it faces in the course of its activities. Where appropriate, these procedures will be consistent with the International Risk Management Standard ISO 31000.


Risk: The effect of uncertainty on objectives
Risk management: Coordinated activities to direct and control an organisation with regard to risk


For risk management to be effective, the University at all levels should comply with the following principles:

  1. Risk management creates and protects value in the University, demonstrably assisting in the achievement of objectives and improvements in performance.
  2. Risk management is an integral part of all processes; it is part of the responsibilities of management.
  3. Risk management helps decision makers make informed choices and prioritise actions.
  4. Risk management is systematic, structured and timely.
  5. Risk management activities are transparent and inclusive.
  6. Risk management facilitates continuous improvement of the University.


1. Responsibility

1.1    General 

Everyone in the University is responsible for the effective management of risk. All staff are responsible for identifying and communicating potential risks. Management is responsible for engaging their staff in risk management processes, and for developing and implementing risk management action plans. Risk management processes should be integrated with other planning processes and management activities.

1.2    Vice Chancellor 

The Vice Chancellor is responsible for ensuring that a risk management framework is established, implemented and maintained in accordance with this policy. Assignment of responsibilities in relation to risk management is the prerogative of the Vice Chancellor.

1.3    Council 

Under the provisions of the University of South Australia Act, Council has as one of its primary responsibilities overseeing and monitoring the assessment and management of risk across the University, including commercial undertakings. The Audit and Risk Management Committee (ARMC) assists Council in exercising due care, diligence and skill in discharging oversight and monitoring responsibilities. The ARMC will report to Council on the implementation of this policy and related framework, and the outcome of any external or internal reports received on risks and the effectiveness of risk management.

1.4    Manager, Strategic Projects: Quality: Assurance & Risk

The Manager, Strategic Projects: Quality, Assurance & Risk will be responsible to the ARMC and the Vice Chancellor for the maintenance and continuous improvement of the risk management framework, including maintenance and appropriate distribution of the Guidelines for Managing Business Risks.

1.5   Senior Managers

Senior Managers are responsible for ensuring that this policy and the related framework is effectively implemented and a risk management culture is embedded in the unit/portfolio through demonstrating appropriate risk leadership, and engagement of management and other staff in risk management process and communications.
Senior Managers listed in the Guidelines for Managing Business Risk are responsible for maintaining a risk register for their area of responsibility.

1.6     Directors of Recognised Research Institutes, Directors of Units and Executive Deans

Directors of Recognised Research Institutes, Directors of Units and Executive Deans are responsible for ensuring that this policy is effectively implemented and a risk management culture is embedded in their areas of responsibility through demonstrating appropriate risk leadership and the engagement of management and other staff in risk management process and communications.
Directors of Recognised Research Institutes, Directors of Units and Executive Deans listed in the Guidelines for Managing Business Risk are responsible for maintaining a risk register in their area of responsibility.

2.    Risk Management Framework

The principles described previously include the notion that risk management is integral to all processes. Accordingly, this policy document cannot describe all instances and applications of risk management in the University. What it seeks to do is to describe key aspects of the risk management framework within UniSA.

2.1.1 Risk registers

Risk registers contain an overview of the significant business risks facing each level or organisational unit, and facilitate structured management, communication and overview of the relevant risks. Risk registers are the primary evidence of a robust risk culture, and as such should be the outcome of a sound approach. They are also the primary source of information on risk, and should be integrated (conceptually if not physically) in strategic planning and budgeting processes.

Risk registers are required for Academic Units, Central Units, stand-alone Recognised Research Institutes and other entities as specified in the Guidelines for Managing Business Risk. All high and high+ risks from these risk registers must be communicated to the ARMC. At least once a year, a University-wide risk register will be provided to Council by the Vice Chancellor.

2.1.2 Project risk

There is a requirement that all projects undertaken in the University will incorporate a systematic risk management approach, noting the following principles:

  • New project and contract level risk assessments which fall under the Project Management Quality system require attention to risk management matters which are integrated into the system and its approval processes.
  • Project activity that is monitored at the level of Council, a Council subcommittee or a committee chaired by a Deputy Vice Chancellor, Pro Vice Chancellor or the Chief Operating Officer requires a formal project risk management process to be implemented. The risk management process should be adapted for the specific needs of the project. Advice on the development of a relevant process is available in the Guidelines for Managing Business Risk, or by contacting Assurance Services.
  • Risk management approaches for project activity monitored at the local level will be determined by local management.
  • All project risk management processes must include an understood process for the escalation and communication of high risk issues.

2.1.3 Legislative compliance

Given the wide range of commonwealth and state legislation that impact on University operations, the Legislative Compliance System has been developed to provide a systematic approach to the assessment or our exposures and the continuous improvement of our compliance efforts.

The system requires regular input from identified Responsible Officers, as well as a range of managers across the University to assist in the identification of risk exposures and appropriate treatments. Where appropriate, this will be coordinated through the risk register update process.

The Legislative Compliance System outlines reporting requirements for Responsible Officers through to the ARMC.

Legislation and regulation relating to Occupational Health, Safety and Welfare (OHSW) requires a high level of activity, management, monitoring and reporting at all levels. While OHSW broadly forms part of the legislative compliance framework, it also has its own policy and guidelines framework.

2.1.4 Controlled, associated and related entities

The University is exposed to risks through its association and engagement with a range of other entities in which it has an ownership interest, or to which it may be seen as closely related. Council has previously approved a process for the identification and communication of these risks through the ARMC.

2.1.5 Crisis management

The ability to react effectively at an operational and strategic level to crisis events forms a subset of the University’s risk management framework. The University’s approach is outlined in the Crisis Management Framework. It incorporates emergency response, strategic response, disaster recovery, and business continuity planning.

The framework includes annual reporting to Council to ensure oversight and monitoring of the continuous improvement of the University’s crisis management capability.

2.1.6 Other specific risks

From time to time processes will be introduced to enhance the University’s understanding of particular risk exposures and the effectiveness of their management. An example of this is Fraud Risk. Fraud was previously the subject of a self assessment and awareness raising workshop activity.

2.2 Risk assessment

The University has adopted a standard methodology consistent with the International Risk Management Standard ISO 31000 for identifying, analysing and evaluating risks. The standard methodology will be applied in the preparation of all risk registers. This methodology assesses the consequences and likelihood of each risk event. The standard methodology is documented in the Guidelines for Managing Business Risks, which will be available to all staff. While use of this standard methodology is encouraged for measurement where possible, different components of the risk management framework will adopt different approaches. Risk measurement approaches must be relevant to the scope and purposes of the risk management issue which is being addressed.

3. Review

The Audit and Risk Management Committee will provide Council with an annual report on the performance of the framework as a basis for improvement. This may form part of a broader report on the system of internal control. On a five year cycle, the Vice Chancellor shall arrange for a review of the policy and its supporting framework.