A1      Objectives of Risk Management

The overall objectives of this policy are to provide a formal process to assist the college in:

• Defining and documenting responsibilities and processes.
• Encouraging understanding between management, faculty, staff and the student body of the implications of risk exposures, opportunities and their risk management, in their day-to-day work and in strategic and operational planning activities.
• Developing and implementing procedures to ensure that risks are identified, assessed against accepted criteria and that appropriate measures are implemented.
• Improving decision-making as risk management uses a commonsense approach that will help to better inform decision-making processes, improve forward planning, lead to more meaningful strategic & operational planning, and encourage critical thinking in formulating new initiatives, activities or relationships.
• Standardising reports, making it easier to keep track of risks, their associated controls & treatments and to monitor progress over time.
• Future planning, so that proposals are more convincing and better substantiated.
• Problems and issues by identifying what could threaten the achievement of your objectives you can more effectively allocate time & resources.
• Improving the management of activities so that risks are minimised (such as field trips, travel, new initiatives, lectures, and community/college events).

A2      Understanding Risk Management

Eastern College Australia has adopted the principles of risk management as set out in the International Risk Management Standard (AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines) and continuously works towards applying these principles to ensure that risk management is effective.

A2.1    What is Risk?

All organisations face various challenging influences that make their operating environments uncertain. Risk is simply the impact this uncertainty has on the achievement of the college’s objectives.
It is important to note that risks are numerous and can arise from both external sources (for example political, natural and economic influences) and internal sources (for example new projects, new staff/faculty, infrastructure and capacity challenges).

A2.2    What is Risk Management?

Risk management refers to the coordinated activities that an organisation takes to direct and control risk. It is usually either value enhancing or value protecting, however sometimes it can be both.
Value enhancing risk management occurs when the actions, processes and controls set in place to manage the college’s risks increase the potential for achieving strategic outcomes that add value to ECA.
Value protecting risk management occurs when the actions, processes and controls set in place manage risks that have a negative consequence. This means that they protect the value of ECA by preventing or minimising the impact of negative events.
Overall, risk management helps organisations become more efficient and effective by improving forward planning and critical thinking, and enabling better-informed decision making.
Effective risk management generally goes unnoticed, however when risk management is absent or fails the consequences can be highly visible, far-reaching, publicly embarrassing, and can compromise the college’s brand and reputation. ECA is committed to incorporating and sustaining a risk management culture using the Standard so that risks are dealt with both efficiently and effectively.
In general, Risk Management:

Enhances:	Reduces:
Good governance	Inconsistency
Brand and Reputation	Embarrassment or Discredit
Communication	Adverse events/ Negative consequences
Reliability	Procrastination
Decision making	Hasty, rash or poor decisions
Ability and Confidence	Uncertainty

 

A2.3    Principles of Risk Management

The eleven principles of risk management as outlined in the Standard must be implemented at all levels within the college in order to be effective.
Specifically, Risk Management:

creates and protects value
Risk management contributes to the achievement of objectives and improvement of performance in all aspects of the college (such as security, legal and regulatory compliance, public acceptance, project management, efficiency in operations, governance and reputation).

is an integral part of all organisational processes
Risk management is not and cannot be viewed as a separate activity as it needs to be implemented in all activities, processes and levels of the college.

is part of decision making
Risk management improves this process by assisting decision makers in prioritising actions, making informed choices, as well as recognising options and alternatives along with their consequences.

explicitly addresses uncertainty
Risk management analyses uncertainty including the nature of the uncertainty, and how it can be addressed.

is systematic, structured and timely
ECA’s approach to risk management must be systematic, timely and structured in order to ensure both effectiveness and efficiency so that results are consistent, comparable and reliable

is based on the best available information
Decision makers must use available information, experience, forecasts and feedback in order for optimum discernment and judgment.

is tailored for ECA
The risk management manual and profile must take into account both internal and external contexts so that the college’s needs are fully addressed and explored.

takes human and cultural factors into account
Risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the college's objectives.

is transparent and inclusive.
ECA engages with stakeholders and decision makers at all levels to ensure that risk management remains accessible, relevant and up-to-date

is dynamic, iterative and responsive to change
Risk management is a continually changing process that the college must frequently self-assess, including monitoring and reviewing its risk profile as well as identifying new and emerging risks.

facilitates continual improvement of the organisation
ECA is committed to developing and sustaining a risk management culture that will grow and meld into the structure and processes of the college across all areas and levels. The tasks carried out by the risk management team (Committee, Vice Principal, and Board) ensure that risk management improves and matures alongside all other aspects of the college.
 
 

SECTION B – Risk Management Framework

Eastern College Australia’s risk management framework integrates the process for managing risks into the college’s overall governance, strategy and planning, management, reporting processes, policies, values and culture.
The success of risk management depends on this framework to provide the foundations and arrangements that will embed it throughout the college at all levels. The framework assists in managing risks effectively through the application of the risk management process at varying levels and within specific contexts. The framework also ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability.

B1      Roles and Responsibilities

Risks are an intrinsic aspect of everyday life, originating from both internal and external sources. This means that everyone who engages at ECA – including but not limited to visitors, volunteers, students, employees, and lease holders – are impacted in some way by risk and therefore need to take an active role in being ‘risk aware’.
Being ‘risk aware’ means:

• understanding and utilising ECA’s Risk Management Process (which involves identifying, assessing and managing risks and opportunities in everyday decision-making and planning).
• complying with ECA’s communication and reporting processes.

The college has certain people who will be more active in risk management than others, such as the Audit & Risk Committee (ARC) and the COO (Chief Operations Officer). However, all people who engage or work for ECA are encouraged to both identify and report risks.

The ARC, under the direction of the COO, will help staff and students to understand and adhere to any and all controls put into place by the college to mitigate certain risks. Additionally, it is not the role of the ARC or COO to manage risks on behalf of other parties. It is the responsibility of management and staff to manage risks and controls for which they are accountable, and everyone is expected to work individually and collectively towards actively promoting a positive risk management culture within and across the college and all its holdings.

B1.1    Eastern College Australia

Visitors, volunteers, students:	Comply with risk management processes and practices in accordance with the ECA Risk Policy (QM-020). Co-operate with ECA’s risk specialists - ARC & COO. Report risks through the ECA Risk Register.
Academic & professional staff:	Understand and comply with the processes in this Risk Management Policy. Co-operate with ECA’s risk specialists - ARC & COO. Report risks through the ECA Risk Register. Ensure that the principles and practices of risk are communicated and embedded into strategic and operational practices and planning processes.
Senior academic & professional staff (inc. deans, managers and heads of department)	Understand and comply with the processes in this Risk Management Policy. Co-operate with ECA’s risk specialists - ARC & COO. Report risks through the ECA Risk Register. Foster and encourage an environment where managing risk is accepted as each person’s day-to-day responsibility. Ensure that the principles and practices of risk are communicated and embedded into strategic and operational practices and planning processes. Notify extreme risks to the COO. Update progress on risks as requested. Report quarterly (every March, June, September & December), to the ARC or COO, on their department’s risks by filling out/updating their Risk Management Profile (Appendix 1).
Executive team:	Understand and comply with the processes in this Risk Management Policy. Co-operate with ECA’s risk specialists - ARC & COO. Report risks through the ECA Risk Register. Foster and encourage an environment where managing risk is accepted as each person’s day-to-day responsibility. Manage risks within the faculty, staff and departments they oversee. Ensure that adequate resources are available for both the implementation of the Risk Policy and so that risks are monitored and reviewed in accordance with this Handbook. Notify extreme risks to the COO. Update progress on risks as required by the ARC and COO. Report annually to the ARC or COO, on their faculty/staff/department’s risks by filling out/updating their Risk Management Profile (Appendix 1).

 

B1.2    ECA Lease Holders

(including but not limited to their employees, volunteers and visitors).
 

Visitors, volunteers, staff & employees of Leasees.

Comply with risk management processes and practices in accordance with this Handbook and Policy. Co-operate with ECA’s risk specialists - ARC & COO. Report risks through the ECA Risk Register.

Chief executives and/ or managers of Leasees

Understand and comply with the processes in this Risk Management Policy. Co-operate with ECA’s risk specialists - ARC & COO. Report risks through the ECA Risk Register. Manage risks within their Lease Holding. Implement the Risk Policy and monitor/review risks as in this Handbook. Notify extreme risks to the COO. Report to the COO on their Lease Holding’s risks by filling out/updating their Risk Management Profile (Appendix 1), and in a time and manner agreed to by both parties.

 

B1.3    ECA Risk Management Specialists

ECA’s Risk Management Specialists are responsible for the college’s risk management culture, processes, reporting and framework. This specialist team is composed of the Audit & Risk Committee (ARC) and COO (Chief Operations Officer), and is overseen by the ECA Board.

The Executive Principal has delegated to the Chef Operations Officer responsibility for the establishment of an effective risk management framework throughout the college.
Each of these bodies are active in risk management and therefore have certain roles and responsibilities that are integral to both safe business practice and the sustainability of the college. The table below highlights their main purposes.
 

Risk Management Committee:	Understand and comply with the processes in this Risk Management Policy. Co-ordinate the college’s Risk Management program in accordance with best practice and this Handbook and Policy. Manage the ECA Risk Register. Facilitate the reporting process. Advise on risk strategy, policy and operations. Identify and monitor the exposure of ECA to all types of risks (financial, operational, fraud, safety, environmental, etc) in a comprehensive Risk Management Plan. Update the Risk Management Plan annually, using the quarterly reports from all areas/departments of ECA and Lease Holders. Provide risk reports to the COO as required.
Vice Principal (Community & Operations):	Understand and comply with the processes in this Risk Management Policy. Oversee the college’s Risk Management program in accordance with best practice and this Handbook and Policy. Oversee the ECA Risk Register. Facilitate the reporting process. Advise on risk strategy, policy and operations. Oversee the ARC and the college’s Risk Management Plan. Provide risk reports to the ECA Board as required. Ensure ECA operates within its legal and regulatory obligations. Ensure ECA can continue to function in the face to major disruptions. Ensure major policies keep abreast of any material changes in the operating environment.
ECA Board:	Review the processes and procedures within this Risk Management Policy to ensure that risk is being managed efficiently and effectively across the college. Oversee and monitor the assessment and management of risk across the college.

 

B1.4    Internal Audit Responsibilities

Both the ARC and COO are responsible for reviewing the effectiveness of the college’s processes for managing particular areas of risk. This is to ensure that the college’s risk management program is being run at its most optimum level, and that all processes are effective, efficient, understood and implemented across the entire college.

This internal audit is to be completed annually, with the initial review to be completed by the ARC, the subsequent review completed by the COO, and the ECA board undertaking the final review.
 

SECTION C – Risk Management Process

Risk Management is a necessary aspect of decision making within the college. It is not optional or an after thought, but a vital consideration each time a decision is made so that positive outcomes are maximized whilst negative outcomes are minimised. This is risk management. In order to manage risk we apply the steps outlined in the Standard, which are discussed in this section and highlighted in the Risk Management Flowchart (Appendix 4).
 
The Risk Management Process

Step 1: Establishing the Context

Establishing the context sets the framework within which the risk assessment should be undertaken, ensures the reasons for carrying out the risk assessment are clearly known, and provides the backdrop of circumstances against which risks can be identified and assessed.

Risk management takes place within the goals and objectives of the college and must take into account both internal and external contexts. Internal risk identification involves analysing and investigating the college’s various capabilities, goals, objectives, strengths and weaknesses. This is also called the operational context and is different from the external, strategic context which involves the relationship between the college and the broad external community/environment.

When establishing the context of a risk it is important to consider both the strategic and operational contexts where possible, so that a complete picture can be obtained.
Internal context can include:

• governance, organizational structure, roles and accountabilities
• policies, objectives, and the strategies that are in place to achieve them
• capabilities, understood in terms of resources and knowledge
• the relationships with and perceptions and values of internal stakeholders
• the organisation's culture
• information systems, information flows and decision-making processes (both formal and informal)
• standards, guidelines and models adopted by the college
• contractual relationships

External context can include:

• the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
• key drivers and trends having impact on the objectives of the college
• relationships with, perceptions and values of external stakeholders

Step 2: Set the scope

• Identify what you are assessing.
• Define the broad objectives. Identify the reason for the risk assessment.
• Identify the relevant stakeholders. Identify the areas/people that are, or might be, impacted and seek their input. Make sure that appropriate delegations are being exercised even at this early stage.
• Gather background information. Ask the correct people and identify what information is needed, even if some information is not immediately available. This information may include business plans, audit reports, surveys, previous event reports, personal experience (of staff, students, others), etc.

Step 3: Risk Assessment

The Risk Assessment phase of the risk management process has three parts: (1. Identifying the risk, 2. Analysing the risk, 3. Evaluating the risk, 4. Prioritising the risk, 5. Treating the risk.
 

Step 3 - Part A – Identifying the Risk

Risk identification is a critical activity at both strategic and operational levels. This process identifies the risks that might have an impact on the objectives of the college or relevant faculty, department, area or entity.
This part aims to identify sources of the risk, areas of impact, events (including changes in circumstances) and their causes and potential consequences. It needs to include all significant sources of risk, including those beyond the college's control. If a risk/threat is not identified, there can be no strategy to defend against it.

Describe those factors that might create, enhance, prevent, degrade, accelerate, or delay the achievement of objectives. It is also important to identify the issues associated with not pursuing an opportunity; that is, the risk of doing nothing and missing an opportunity. The objective of this step is not to create an onerous and lengthy list of all possible risks, but to identify all significant risks that could impact the college.

Enterprise-wide risks to the college are identified and reviewed annually by the Audit & Risk Committee, Chief Operations Officer, and ECA Board. These risks form the basis of the overall risk profile for the organisation. The risk profile format is included in Appendix 3.

When identifying the risk, consideration should be given to these questions:

• What could happen? (Both positive and negative)
• How could it happen? (The likelihood of it occurring/occurring again)
• Where could it happen?
• Why might it happen?
• What might be the impact on the college?
• Who does/can influence this partnership, program, project or event?

Categories of Risk:
The following broad categories of risk are used to enable appropriate aggregation and to assist with the identification of systemic issues and trends across the college.

• Organisational
• Financial
• Governance & Legal
• Educational
• OH&S
• Operational
• Personal

Step 3 - Part B – Analysing the Risk

Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available. Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.

Once the risk has been identified and the context, causes, contributing factors and consequences have been described, look at the strengths and weaknesses of existing systems and processes designed to help control the risk. Knowing what controls are already in place, and whether they are effective, helps to identify what - if any - further action is needed.

The objectives at this step are to separate the minor risks from major ones. The level of risk is determined by measuring the probability of each event arising and the associated consequences (impact).
 
Risk Analysis Criteria

1. Identify the existing controls – determine what controls are already in place to mitigate the impact of the risk. Controls may include legislation, policies or procedures, staff training, personal protective measures and equipment, and structural or physical barriers. They may be strong or weak and can be measurable and repeatable. Once the controls have been identified, and their effectiveness analysed, an assessment is made of the probability of the risk occurring and the impact if the risk were to occur. This produces an accurate, albeit subjective, assessment of the level of risk - or risk rating - and helps in the next step to determine whether risks are acceptable or need further treatment.
2. Assess the probability – the likelihood of the risk occurring is described as either remote, unlikely, possible, likely, or almost certain to occur (refer to Appendix 5).
3. Assess the impact – the consequences or potential impact if the risk event occurred are described as insignificant, minor, moderate, major or catastrophic (refer to Appendix 5). Impact is generally found using the consequence criteria of the college - potential financial loss, reputation impact, legal and regulatory compliance and management time and effort. Whilst most significant risks will relate to the direct financial and operational impact to the college, for some risks the most significant consequence is the impact on the college's reputation. For such risks, the direct financial consequence of a risk may be negligible, but continuing reoccurrences may result in significant damage to the college's reputation and standing.
4. Rate the level of risk - use the ECA Threat and Opportunity Matrix (Appendix 1) to assess the probability and impact levels. The risk matrix then determines whether the risk rating is minimum (blue), low (green), moderate (yellow), high (orange) or extreme (red). This in turn identifies the management action required for the various risk ratings.

 

Step 3 - Part C – Evaluating the Risk

The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis. This tells us which risks need treatment and the priority for treatment implementation.
Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.
Decide whether the risk is acceptable or unacceptable by using the information gathered during the Risk Assessment phase to make decisions about future actions. Decisions about future actions may include:

• not to undertake or proceed with the event, activity, project or initiative
• actively treat the risk
• prioritising the actions needed, if the risk is complex and treatment is required
• accepting the risk

Whether a risk is acceptable or unacceptable relates to a willingness to tolerate
the risk. The attitude, appetite and tolerance for risk is likely to vary over time, across the college as a whole and for individual faculties, departments, divisions, areas and controlled entities.
 
Decision Options:
Risk is acceptable - A risk is regarded as acceptable or tolerable if the decision has been made not to treat it. It is important to remember that designating a risk as acceptable does not imply that the risk is insignificant. In fact, these risks may still need to be monitored.

Risk is unacceptable – Risks in this category progress to the next step, Treating the Risk, where solutions are decided upon.
A risk may be acceptable or tolerable in the following circumstances:

• No treatment is available
• Treatment costs are prohibitive (particularly relevant with lower ranked risks)
• The level of risk is low and does not warrant using resources to treat it
• The opportunities involved significantly outweigh the threats

 

Step 3 - Part D – Prioritising Risk

The purpose of prioritising is to determine the level of action needed for the identified and analysed risks.
 

Risk Rating:		Management Action:
	Extreme Risk	Immediate action required.
	High Risk	Action plan required, senior management attention needed.
	Moderate Risk	Specific monitoring or procedures required, management responsibility must be specified.
	Low Risk	Manage through routine procedures. Unlikely to need specific application of resources.
	Minimum Risk	Manage through routine procedures. Unlikely to need specific application of resources.

 

Step 3 - Part E – Treating Risk

The objective of this step is to identify how the identified risks will be treated. Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Extreme, High and Moderate residual risks) and taking relevant action. The following options are available for treating risks and may be applied individually or in combination, with due consideration of risk appetite:
 

Risk Decision
Mitigate the risk	Reduce the likelihood - Improving management controls and procedures. Reduce the consequence - Putting in place strategies to minimise adverse consequences, e.g. contingency planning, Business Continuity Plan, liability cover in contracts.
Transfer the risk	Shifting responsibility for a risk to another party by contract or insurance. Can be transferred as a whole or shared.
Accept the risk	Controls are deemed appropriate. These must be monitored and contingency plans developed where appropriate.
Avoid the risk	Not to proceed with the activity or choosing an alternative approach to achieve the same outcome. Aim is risk management, not aversion.

 

Risk Treatment Process

Work out what kind of treatment is desirable – mitigate, transfer, accept or avoid. Identify and design a preferred treatment option.

Mitigate
If the goal is to reduce the likelihood or possibility of the risk, then you may need to adjust what is happening or might be planned: successfully altering the approach will depend on identifying the causes of the threat and the causal links between the threat and its impact (identified in the risk assessment phase). If the goal is to reduce the consequence or impact of the risk, then contingency plans might be required to respond to a threatening event if it occurs. This planning may be undertaken in combination with other controls – that is, even if steps have been taken to minimise the likelihood of the risk, it may still be worthwhile to have a plan in place to reduce the consequences if the event actually occurs.

Transfer
If the goal is to share the risk, then involving another party may help. However, any such arrangement should be formally recorded whether through a contract or agreement or by letter. Sharing the risk does not remove obligations and does not avoid ECA suffering consequential damage if something unexpected happens or something goes wrong.

Accept
Sometimes, a decision is made to accept or tolerate the risk, due to the low likelihood or minor consequences of the risk event, or the fact that the cost of effectively controlling the risk is unjustifiably high or that the opportunity outweighs the risk. However, in these instances the decision to accept risk should be carefully documented, so that a record is available for future reference if the risk does eventuate. Thought should also be given to contingency planning in order to deal with and reduce the consequences, should they arise.

Avoid
If the risk is so significant that the goal is to eliminate or avoid it altogether then the options are limited to changing the project materially, choosing alternative approaches or processes to render the risk irrelevant or abandoning the activity or partner or program. It is not often that a risk can be eliminated completely and balance is an important part of the risk assessment.

Evaluate treatment options and assess their feasibility.

• Do the controls appear to have the desired treatment effect?
• Will the controls trigger any other risks?
• Are the controls beneficial or cost efficient?
• Is the cost of implementing the control reasonable for this risk?

The cyclical process of treating a risk, deciding whether residual risk levels are tolerable and assessing the effectiveness of that treatment are all case-by-case assessments that depend on a good understanding of the risk and a focus on the end objective of the activity being assessed.

Document the risk treatment – using the Risk Management Profile (Appendix 2). Treatment plans should identify responsibilities for action, time frames for implementation, budget requirements or resource implications, performance measures and review process where appropriate.

Implement agreed treatments - once any options requiring authorisation for resourcing, funding or other actions have been approved. The person assigned with the primary responsibility for the risk is accountable for the treatment of the risk.
Once the risk has been treated, assess the level of residual risk. Even when a risk has been treated and the controls are in place the risk may not be completely eliminated. The level of residual risk refers to the likelihood and consequence of the risk occurring after the risk has been treated. Once implemented, treatments provide or modify the controls. The residual risk rating is generally lower than the original risk rating otherwise the controls were not effective.

The residual risk should be documented and monitored and reviewed. Where appropriate, further treatment might be prudent. Having a good awareness of residual risk is important in monitoring and reviewing risk on an ongoing basis.
 
 

Appendices

 

Appendix 1 – ECA Threat and Opportunity Matrix

 

Appendix 2 – Risk Management Profile Template

 

Appendix 4 – Risk Management Process

 

Appendix 5 – Risk Evaluation Criteria

Likelihood Rating:

Use this table to determine how likely it is that ECA will be exposed to each specific risk after considering internal controls and considering factors such as:

1. Anticipated frequency of occurrence
2. The external environment (for example, competition, community expectations, the economy)
3. The procedures, tools and skills currently in place
4. History of previous events

 

Likelihood	Level	Description	Probability
Remote	1	May only occur in exceptional circumstances	<20%
Unlikely	2	Could occur during a specified period	21-40%
Possible	3	Might occur in 1-2 year period	41-60%
Likely	4	Will probably occur in most circumstances	61-80%
Almost Certain	5	Expected to occur in most circumstances	>80%

 

Consequence Rating:

Use this table to guide the assessment of impact of each identified risk.
 

Impact	Level	Financial	Reputation	Legal	Management Time
Insignificant	1	<$5000	Isolated adverse Media reference Public complaint	Minor breach Informal complaint	Requires minimal time and effort to resolve
Minor	2	$5000-$50,000	Repeated adverse coverage	Formal complaint	Causes some business disruption
Moderate	3	$50,000-$250,000	Sustained adverse coverage	Regulatory investigation	Causes business disruption
Major	4	$250,000 – $1m	Extended adverse coverage	Penalties for breach of code Temporary closure	Requires concerted management effort for couple of months
Catastrophic	5	> $1m	Permanent closure	Fines, prison sentence	Requires management for multiple months

 
END