This manual outlines the policies that form the basis of Eastern College Australia’s Risk Management Plan and covers all activities within the college and its operations and entities, as well as defining ECA’s risk management objectives, framework, roles, responsibilities, communication, and process.
Eastern College Australia (ECA) undertakes teaching, research and community activities across a wide range of departments, disciplines and environments. This diversity of activity creates an equally diverse and complex range of risks and opportunities for the college. The overall aim of risk management is to understand and manage these risks whilst at the same time making the most of new opportunities in order to preserve and protect ECA’s values, reputation, resources, and standing in the local, national and international context.
ECA utilises risk management both within its day-to-day operations as well as more broadly at a Higher Education Provider’s facility level, which means that risk management is an integral component to running all aspects of the college in the most efficient and effective manner.
Accept | Informed decision to take a particular risk. |
Actions | The measures put into place to reduce and/or control the risk. |
Avoid | Not to proceed with the activity or choosing an alternative approach to achieve the same outcome. |
Control | Measure that is modifying the risk. |
Establishing the context | Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy. |
Event | Occurrence or change of a particular set of circumstances. |
Hazard | Source of potential harm. |
Impact | The consequences of an event affecting objectives using a scale of 1 (insignificant) to 5 (catastrophic) – Appendix 5. |
Inherent Risk | The initial risk, before risk treatment. |
Level of risk | Magnitude of a risk or combination of risks expressed in terms of their consequences and their likelihood. Also known as the risk rating. |
Mitigate | Use controls to reduce the probability or impact. |
Monitor | Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected. |
Probability | The likelihood of a risk occurring using a scale of 1 (remote) to 5 (almost certain) – Appendix 5. |
Residual risk | Risk remaining after risk treatment. |
Responsibility | Person or entity with the accountability and authority to manage a particular risk. |
Review | Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. |
Risk | Effect of uncertainty on objectives. |
Risk analysis | Process to comprehend the nature of risk and to determine the level of risk. |
Risk appetite | Amount and type of risk that an organisation is willing to pursue or retain. |
Risk assessment | Overall process of risk identification, risk analysis and risk evaluation. |
Risk attitude | Organisation’s approach to assess and eventually pursue, retain, take or turn away from risk. |
Risk category | Risks are complex and diverse, necessitating groupings so that risks can be properly classified, evaluated and managed. |
Risk decision | How to immediately deal with the risk – either accept, mitigate, transfer or avoid. |
Risk description | Structured statement of risk usually containing four elements: sources, events, causes and consequences. |
Risk evaluation | Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. |
Risk identification | Process of finding, recognising and describing risks. |
Risk management | Coordinated activities to direct and control an organisation with regard to risk. |
Risk management framework | Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization. |
Risk management policy | Statement of the overall intentions and direction of an organisation related to risk management. |
Risk management process | Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risks – Appendix 4. |
Risk matrix | Tool for ranking and displaying risks by defining ranges for impact and probability – Appendix 1. |
Risk owner | Person or entity with the accountability and authority to manage a risk. |
Risk profile | Description of any set of risks – Appendix 2. |
Risk rating | Defining the risk using the ECA Threat and Opportunity Matrix (Appendix 1) so that risks can be prioritised |
Risk register | Record of information about identified risks. |
Risk reporting | Form of communication intended to inform particular internal or external stakeholders by providing information regarding the current state of risk and its management. |
Risk source | Element which alone or in combination has the intrinsic potential to give rise to risk. |
Risk tolerance | Organisation’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives. |
Risk treatment | Process to modify risk. |
RMC | Risk Management Committee |
Transfer | Shifting responsibility of the risk, either as a whole or shared. |
A1 Objectives of Risk Management
The overall objectives of this policy are to provide a formal process to assist the college in:
- Defining and documenting responsibilities and processes.
- Encouraging understanding between management, faculty, staff and the student body of the implications of risk exposures, opportunities and their risk management, in their day-to-day work and in strategic and operational planning activities.
- Developing and implementing procedures to ensure that risks are identified, assessed against accepted criteria and that appropriate measures are implemented.
- Improving decision-making as risk management uses a commonsense approach that will help to better inform decision-making processes, improve forward planning, lead to more meaningful strategic & operational planning, and encourage critical thinking in formulating new initiatives, activities or relationships.
- Standardising reports, making it easier to keep track of risks, their associated controls & treatments and to monitor progress over time.
- Future planning, so that proposals are more convincing and better substantiated.
- Problems and issues by identifying what could threaten the achievement of your objectives you can more effectively allocate time & resources.
- Improving the management of activities so that risks are minimised (such as field trips, travel, new initiatives, lectures, and community/college events).
A2 Understanding Risk Management
Eastern College Australia has adopted the principles of risk management as set out in the International Risk Management Standard (AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines) and continuously works towards applying these principles to ensure that risk management is effective.
A2.1 What is Risk?
All organisations face various challenging influences that make their operating environments uncertain. Risk is simply the impact this uncertainty has on the achievement of the college’s objectives.
It is important to note that risks are numerous and can arise from both external sources (for example political, natural and economic influences) and internal sources (for example new projects, new staff/faculty, infrastructure and capacity challenges).
A2.2 What is Risk Management?
Risk management refers to the coordinated activities that an organisation takes to direct and control risk. It is usually either value enhancing or value protecting, however sometimes it can be both.
Value enhancing risk management occurs when the actions, processes and controls set in place to manage the college’s risks increase the potential for achieving strategic outcomes that add value to ECA.
Value protecting risk management occurs when the actions, processes and controls set in place manage risks that have a negative consequence. This means that they protect the value of ECA by preventing or minimising the impact of negative events.
Overall, risk management helps organisations become more efficient and effective by improving forward planning and critical thinking, and enabling better-informed decision making.
Effective risk management generally goes unnoticed, however when risk management is absent or fails the consequences can be highly visible, far-reaching, publicly embarrassing, and can compromise the college’s brand and reputation. ECA is committed to incorporating and sustaining a risk management culture using the Standard so that risks are dealt with both efficiently and effectively.
In general, Risk Management:
Enhances: | Reduces: |
Good governance | Inconsistency |
Brand and Reputation | Embarrassment or Discredit |
Communication | Adverse events/ Negative consequences |
Reliability | Procrastination |
Decision making | Hasty, rash or poor decisions |
Ability and Confidence | Uncertainty |
A2.3 Principles of Risk Management
The eleven principles of risk management as outlined in the Standard must be implemented at all levels within the college in order to be effective.
Specifically, Risk Management:
creates and protects value
Risk management contributes to the achievement of objectives and improvement of performance in all aspects of the college (such as security, legal and regulatory compliance, public acceptance, project management, efficiency in operations, governance and reputation).
is an integral part of all organisational processes
Risk management is not and cannot be viewed as a separate activity as it needs to be implemented in all activities, processes and levels of the college.
is part of decision making
Risk management improves this process by assisting decision makers in prioritising actions, making informed choices, as well as recognising options and alternatives along with their consequences.
explicitly addresses uncertainty
Risk management analyses uncertainty including the nature of the uncertainty, and how it can be addressed.
is systematic, structured and timely
ECA’s approach to risk management must be systematic, timely and structured in order to ensure both effectiveness and efficiency so that results are consistent, comparable and reliable
is based on the best available information
Decision makers must use available information, experience, forecasts and feedback in order for optimum discernment and judgment.
is tailored for ECA
The risk management manual and profile must take into account both internal and external contexts so that the college’s needs are fully addressed and explored.
takes human and cultural factors into account
Risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the college's objectives.
is transparent and inclusive.
ECA engages with stakeholders and decision makers at all levels to ensure that risk management remains accessible, relevant and up-to-date
is dynamic, iterative and responsive to change
Risk management is a continually changing process that the college must frequently self-assess, including monitoring and reviewing its risk profile as well as identifying new and emerging risks.
facilitates continual improvement of the organisation
ECA is committed to developing and sustaining a risk management culture that will grow and meld into the structure and processes of the college across all areas and levels. The tasks carried out by the risk management team (Committee, Vice Principal, and Board) ensure that risk management improves and matures alongside all other aspects of the college.
SECTION B – Risk Management Framework
Eastern College Australia’s risk management framework integrates the process for managing risks into the college’s overall governance, strategy and planning, management, reporting processes, policies, values and culture.
The success of risk management depends on this framework to provide the foundations and arrangements that will embed it throughout the college at all levels. The framework assists in managing risks effectively through the application of the risk management process at varying levels and within specific contexts. The framework also ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability.
B1 Roles and Responsibilities
Risks are an intrinsic aspect of everyday life, originating from both internal and external sources. This means that everyone who engages at ECA – including but not limited to visitors, volunteers, students, employees, and lease holders – are impacted in some way by risk and therefore need to take an active role in being ‘risk aware’.
Being ‘risk aware’ means:
- understanding and utilising ECA’s Risk Management Process (which involves identifying, assessing and managing risks and opportunities in everyday decision-making and planning).
- complying with ECA’s communication and reporting processes.
The college has certain people who will be more active in risk management than others, such as the Audit & Risk Committee (ARC) and the COO (Chief Operations Officer). However, all people who engage or work for ECA are encouraged to both identify and report risks.
The ARC, under the direction of the COO, will help staff and students to understand and adhere to any and all controls put into place by the college to mitigate certain risks. Additionally, it is not the role of the ARC or COO to manage risks on behalf of other parties. It is the responsibility of management and staff to manage risks and controls for which they are accountable, and everyone is expected to work individually and collectively towards actively promoting a positive risk management culture within and across the college and all its holdings.
B1.1 Eastern College Australia
Visitors, volunteers, students: |
|
Academic & professional staff: |
|
Senior academic & professional staff (inc. deans, managers and heads of department) |
|
Executive team: |
|
B1.2 ECA Lease Holders
(including but not limited to their employees, volunteers and visitors).
Visitors, volunteers, staff & employees of Leasees. |
|
Chief executives and/ or managers of Leasees |
|
B1.3 ECA Risk Management Specialists
ECA’s Risk Management Specialists are responsible for the college’s risk management culture, processes, reporting and framework. This specialist team is composed of the Audit & Risk Committee (ARC) and COO (Chief Operations Officer), and is overseen by the ECA Board.
The Executive Principal has delegated to the Chef Operations Officer responsibility for the establishment of an effective risk management framework throughout the college.
Each of these bodies are active in risk management and therefore have certain roles and responsibilities that are integral to both safe business practice and the sustainability of the college. The table below highlights their main purposes.
Risk Management Committee: |
|
Vice Principal (Community & Operations): |
|
ECA Board: |
|
B1.4 Internal Audit Responsibilities
Both the ARC and COO are responsible for reviewing the effectiveness of the college’s processes for managing particular areas of risk. This is to ensure that the college’s risk management program is being run at its most optimum level, and that all processes are effective, efficient, understood and implemented across the entire college.
This internal audit is to be completed annually, with the initial review to be completed by the ARC, the subsequent review completed by the COO, and the ECA board undertaking the final review.
SECTION C – Risk Management Process
Risk Management is a necessary aspect of decision making within the college. It is not optional or an after thought, but a vital consideration each time a decision is made so that positive outcomes are maximized whilst negative outcomes are minimised. This is risk management. In order to manage risk we apply the steps outlined in the Standard, which are discussed in this section and highlighted in the Risk Management Flowchart (Appendix 4).
The Risk Management Process
Step 1: Establishing the Context
Establishing the context sets the framework within which the risk assessment should be undertaken, ensures the reasons for carrying out the risk assessment are clearly known, and provides the backdrop of circumstances against which risks can be identified and assessed.
Risk management takes place within the goals and objectives of the college and must take into account both internal and external contexts. Internal risk identification involves analysing and investigating the college’s various capabilities, goals, objectives, strengths and weaknesses. This is also called the operational context and is different from the external, strategic context which involves the relationship between the college and the broad external community/environment.
When establishing the context of a risk it is important to consider both the strategic and operational contexts where possible, so that a complete picture can be obtained.
Internal context can include:
- governance, organizational structure, roles and accountabilities
- policies, objectives, and the strategies that are in place to achieve them
- capabilities, understood in terms of resources and knowledge
- the relationships with and perceptions and values of internal stakeholders
- the organisation's culture
- information systems, information flows and decision-making processes (both formal and informal)
- standards, guidelines and models adopted by the college
- contractual relationships
External context can include:
- the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
- key drivers and trends having impact on the objectives of the college
- relationships with, perceptions and values of external stakeholders
Step 2: Set the scope
- Identify what you are assessing.
- Define the broad objectives. Identify the reason for the risk assessment.
- Identify the relevant stakeholders. Identify the areas/people that are, or might be, impacted and seek their input. Make sure that appropriate delegations are being exercised even at this early stage.
- Gather background information. Ask the correct people and identify what information is needed, even if some information is not immediately available. This information may include business plans, audit reports, surveys, previous event reports, personal experience (of staff, students, others), etc.
Step 3: Risk Assessment
The Risk Assessment phase of the risk management process has three parts: (1. Identifying the risk, 2. Analysing the risk, 3. Evaluating the risk, 4. Prioritising the risk, 5. Treating the risk.
Step 3 - Part A – Identifying the Risk
Risk identification is a critical activity at both strategic and operational levels. This process identifies the risks that might have an impact on the objectives of the college or relevant faculty, department, area or entity.
This part aims to identify sources of the risk, areas of impact, events (including changes in circumstances) and their causes and potential consequences. It needs to include all significant sources of risk, including those beyond the college's control. If a risk/threat is not identified, there can be no strategy to defend against it.
Describe those factors that might create, enhance, prevent, degrade, accelerate, or delay the achievement of objectives. It is also important to identify the issues associated with not pursuing an opportunity; that is, the risk of doing nothing and missing an opportunity. The objective of this step is not to create an onerous and lengthy list of all possible risks, but to identify all significant risks that could impact the college.
Enterprise-wide risks to the college are identified and reviewed annually by the Audit & Risk Committee, Chief Operations Officer, and ECA Board. These risks form the basis of the overall risk profile for the organisation. The risk profile format is included in Appendix 3.
When identifying the risk, consideration should be given to these questions:
- What could happen? (Both positive and negative)
- How could it happen? (The likelihood of it occurring/occurring again)
- Where could it happen?
- Why might it happen?
- What might be the impact on the college?
- Who does/can influence this partnership, program, project or event?
Categories of Risk:
The following broad categories of risk are used to enable appropriate aggregation and to assist with the identification of systemic issues and trends across the college.
- Organisational
- Financial
- Governance & Legal
- Educational
- OH&S
- Operational
- Personal
Step 3 - Part B – Analysing the Risk
Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available. Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.
Once the risk has been identified and the context, causes, contributing factors and consequences have been described, look at the strengths and weaknesses of existing systems and processes designed to help control the risk. Knowing what controls are already in place, and whether they are effective, helps to identify what - if any - further action is needed.
The objectives at this step are to separate the minor risks from major ones. The level of risk is determined by measuring the probability of each event arising and the associated consequences (impact).
Risk Analysis Criteria
- Identify the existing controls – determine what controls are already in place to mitigate the impact of the risk. Controls may include legislation, policies or procedures, staff training, personal protective measures and equipment, and structural or physical barriers. They may be strong or weak and can be measurable and repeatable. Once the controls have been identified, and their effectiveness analysed, an assessment is made of the probability of the risk occurring and the impact if the risk were to occur. This produces an accurate, albeit subjective, assessment of the level of risk - or risk rating - and helps in the next step to determine whether risks are acceptable or need further treatment.
- Assess the probability – the likelihood of the risk occurring is described as either remote, unlikely, possible, likely, or almost certain to occur (refer to Appendix 5).
- Assess the impact – the consequences or potential impact if the risk event occurred are described as insignificant, minor, moderate, major or catastrophic (refer to Appendix 5). Impact is generally found using the consequence criteria of the college - potential financial loss, reputation impact, legal and regulatory compliance and management time and effort. Whilst most significant risks will relate to the direct financial and operational impact to the college, for some risks the most significant consequence is the impact on the college's reputation. For such risks, the direct financial consequence of a risk may be negligible, but continuing reoccurrences may result in significant damage to the college's reputation and standing.
- Rate the level of risk - use the ECA Threat and Opportunity Matrix (Appendix 1) to assess the probability and impact levels. The risk matrix then determines whether the risk rating is minimum (blue), low (green), moderate (yellow), high (orange) or extreme (red). This in turn identifies the management action required for the various risk ratings.
Step 3 - Part C – Evaluating the Risk
The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis. This tells us which risks need treatment and the priority for treatment implementation.
Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.
Decide whether the risk is acceptable or unacceptable by using the information gathered during the Risk Assessment phase to make decisions about future actions. Decisions about future actions may include:
- not to undertake or proceed with the event, activity, project or initiative
- actively treat the risk
- prioritising the actions needed, if the risk is complex and treatment is required
- accepting the risk
Whether a risk is acceptable or unacceptable relates to a willingness to tolerate
the risk. The attitude, appetite and tolerance for risk is likely to vary over time, across the college as a whole and for individual faculties, departments, divisions, areas and controlled entities.
Decision Options:
Risk is acceptable - A risk is regarded as acceptable or tolerable if the decision has been made not to treat it. It is important to remember that designating a risk as acceptable does not imply that the risk is insignificant. In fact, these risks may still need to be monitored.
Risk is unacceptable – Risks in this category progress to the next step, Treating the Risk, where solutions are decided upon.
A risk may be acceptable or tolerable in the following circumstances:
- No treatment is available
- Treatment costs are prohibitive (particularly relevant with lower ranked risks)
- The level of risk is low and does not warrant using resources to treat it
- The opportunities involved significantly outweigh the threats
Step 3 - Part D – Prioritising Risk
The purpose of prioritising is to determine the level of action needed for the identified and analysed risks.
Risk Rating: | Management Action: | |
Extreme Risk | Immediate action required. | |
High Risk | Action plan required, senior management attention needed. | |
Moderate Risk | Specific monitoring or procedures required, management responsibility must be specified. | |
Low Risk | Manage through routine procedures. Unlikely to need specific application of resources. | |
Minimum Risk | Manage through routine procedures. Unlikely to need specific application of resources. |
Step 3 - Part E – Treating Risk
The objective of this step is to identify how the identified risks will be treated. Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Extreme, High and Moderate residual risks) and taking relevant action. The following options are available for treating risks and may be applied individually or in combination, with due consideration of risk appetite:
Risk Decision | |
Mitigate the risk | Reduce the likelihood - Improving management controls and procedures. Reduce the consequence - Putting in place strategies to minimise adverse consequences, e.g. contingency planning, Business Continuity Plan, liability cover in contracts. |
Transfer the risk | Shifting responsibility for a risk to another party by contract or insurance. Can be transferred as a whole or shared. |
Accept the risk | Controls are deemed appropriate. These must be monitored and contingency plans developed where appropriate. |
Avoid the risk | Not to proceed with the activity or choosing an alternative approach to achieve the same outcome. Aim is risk management, not aversion. |
Risk Treatment Process
Work out what kind of treatment is desirable – mitigate, transfer, accept or avoid. Identify and design a preferred treatment option.
Mitigate
If the goal is to reduce the likelihood or possibility of the risk, then you may need to adjust what is happening or might be planned: successfully altering the approach will depend on identifying the causes of the threat and the causal links between the threat and its impact (identified in the risk assessment phase). If the goal is to reduce the consequence or impact of the risk, then contingency plans might be required to respond to a threatening event if it occurs. This planning may be undertaken in combination with other controls – that is, even if steps have been taken to minimise the likelihood of the risk, it may still be worthwhile to have a plan in place to reduce the consequences if the event actually occurs.
Transfer
If the goal is to share the risk, then involving another party may help. However, any such arrangement should be formally recorded whether through a contract or agreement or by letter. Sharing the risk does not remove obligations and does not avoid ECA suffering consequential damage if something unexpected happens or something goes wrong.
Accept
Sometimes, a decision is made to accept or tolerate the risk, due to the low likelihood or minor consequences of the risk event, or the fact that the cost of effectively controlling the risk is unjustifiably high or that the opportunity outweighs the risk. However, in these instances the decision to accept risk should be carefully documented, so that a record is available for future reference if the risk does eventuate. Thought should also be given to contingency planning in order to deal with and reduce the consequences, should they arise.
Avoid
If the risk is so significant that the goal is to eliminate or avoid it altogether then the options are limited to changing the project materially, choosing alternative approaches or processes to render the risk irrelevant or abandoning the activity or partner or program. It is not often that a risk can be eliminated completely and balance is an important part of the risk assessment.
Evaluate treatment options and assess their feasibility.
- Do the controls appear to have the desired treatment effect?
- Will the controls trigger any other risks?
- Are the controls beneficial or cost efficient?
- Is the cost of implementing the control reasonable for this risk?
The cyclical process of treating a risk, deciding whether residual risk levels are tolerable and assessing the effectiveness of that treatment are all case-by-case assessments that depend on a good understanding of the risk and a focus on the end objective of the activity being assessed.
Document the risk treatment – using the Risk Management Profile (Appendix 2). Treatment plans should identify responsibilities for action, time frames for implementation, budget requirements or resource implications, performance measures and review process where appropriate.
Implement agreed treatments - once any options requiring authorisation for resourcing, funding or other actions have been approved. The person assigned with the primary responsibility for the risk is accountable for the treatment of the risk.
Once the risk has been treated, assess the level of residual risk. Even when a risk has been treated and the controls are in place the risk may not be completely eliminated. The level of residual risk refers to the likelihood and consequence of the risk occurring after the risk has been treated. Once implemented, treatments provide or modify the controls. The residual risk rating is generally lower than the original risk rating otherwise the controls were not effective.
The residual risk should be documented and monitored and reviewed. Where appropriate, further treatment might be prudent. Having a good awareness of residual risk is important in monitoring and reviewing risk on an ongoing basis.
Appendices
Appendix 1 – ECA Threat and Opportunity Matrix
Appendix 2 – Risk Management Profile Template
Appendix 4 – Risk Management Process
Appendix 5 – Risk Evaluation Criteria
Likelihood Rating:
Use this table to determine how likely it is that ECA will be exposed to each specific risk after considering internal controls and considering factors such as:
- Anticipated frequency of occurrence
- The external environment (for example, competition, community expectations, the economy)
- The procedures, tools and skills currently in place
- History of previous events
Likelihood | Level | Description | Probability |
Remote | 1 | May only occur in exceptional circumstances | <20% |
Unlikely | 2 | Could occur during a specified period | 21-40% |
Possible | 3 | Might occur in 1-2 year period | 41-60% |
Likely | 4 | Will probably occur in most circumstances | 61-80% |
Almost Certain | 5 | Expected to occur in most circumstances | >80% |
Consequence Rating:
Use this table to guide the assessment of impact of each identified risk.
Impact | Level | Financial | Reputation | Legal | Management Time |
Insignificant | 1 | <$5000 | Isolated adverse Media reference Public complaint |
Minor breach Informal complaint | Requires minimal time and effort to resolve |
Minor | 2 | $5000-$50,000 | Repeated adverse coverage | Formal complaint | Causes some business disruption |
Moderate | 3 | $50,000-$250,000 | Sustained adverse coverage | Regulatory investigation | Causes business disruption |
Major | 4 | $250,000 – $1m | Extended adverse coverage | Penalties for breach of code Temporary closure | Requires concerted management effort for couple of months |
Catastrophic | 5 | > $1m | Permanent closure | Fines, prison sentence | Requires management for multiple months |
END