Risk Management Policy
Application
All members of the University.
Purpose
To ensure that risk management is embedded in all University activities and members of the University understand their associated responsibilities.
Introduction
University activities, including research and learning and teaching, attract various levels of risk. Risk management must be a cornerstone of University culture for strategic objectives to be realised. To achieve this, members of the University need to follow all elements of the risk management framework.
Risk management needs engagement from all University members to foster a risk culture of awareness, transparency and inclusiveness. The quality and integrity of the framework is paramount.
This policy forms part of the University’s corporate governance and internal control arrangements.
Policy
Principles
The guiding principles of risk management at the University are to be:
1. Risk management is critical for achieving strategy as an enabler of opportunity and underpins decision-making. It is integral to processes across all levels of the University and enables continuous improvement.
2. Risk management aims to protect the University’s resources (people, property, financial, environmental and information) and reputation.
3. The cost of risk, financial and non-financial, is to be minimised wherever possible.
4. Risk management is responsive to the University’s dynamic operating environment; there is to be regular monitoring of the risk universe and any impact on strategy is to be identified, assessed and treated.
5. Risk management is to be methodical, structured and follow the principles of ISO 31000:2018 and COSO - ERM - Integrating with Strategy and Performance.
6. To deliver strategic objectives the University must manage risk in an agile manner and within the parameters of its risk appetite.
Risk management framework
7. The reporting and disclosure of risk is to be made in accordance with the risk management framework.
8. This framework has the status of procedures under the UoA Policy Framework Policy and is to be available to all staff members and affiliates on the University intranet site.
Note – the framework contains the following:
- Risk appetite statement;
- Details of how risks are identified, analysed and evaluated;
- Details of how risk response plans are designed and prioritised; and
- Details of how risks are reported, escalated, and communicated.
Roles and responsibilities
9. All members of the University have specific accountabilities for risk management:
Member | Responsibility |
---|---|
Audit and Risk Committee | Ensure all material risks are identified; monitor the management of material business risks, and ensure that appropriate procedures and conduct are in place to mitigate or manage those risks; review the Risk Management Policy and Framework annually; endorse risk appetite. For further details refer to the UoA Audit and Risk Committee Terms of Reference |
University Executive Committee | Endorse and champion the application of the risk management policy and framework; advocate awareness of the interdependency between strategy and risk; take ownership of risks in area of responsibility and ensure such risks have response plans; establish risk appetite |
Head of Risk (CFO) | Lead development and application of risk management systems; implement the risk management policy and framework; promote awareness of the interdependency between strategy and risk; design and implement an insurance strategy and programme |
Risk Office | Develop risk management policy, framework, strategy and principles and deliver the associated awareness programme; coordinate awareness of the interdependency between strategy and risk; coordinate timely delivery of relevant risk management information to stakeholders; advise management on risk management and response plans |
Management | Manage risk effectively within business units; report on risk management activities; take ownership of risks in area of responsibility and ensure such risks have response plans |
Staff members | Proactively identify and report risks; support the establishment of response plans for identified risks |
Members | Proactively identify and report risks; support risk management practices at the University |
Definitions
The following definitions apply to this document:
Member(s) includes all Council members, members of committees and boards, staff members, honorary and adjunct appointees, students, contractors, subcontractors, consultants, associates and business partners of the University.
Risk Office is the organisational unit which coordinates risk management at the University.
Risk is the effect of uncertainty on objectives.
Risk appetite is the level of risk the University is prepared to seek or accept in the pursuit of its strategic objectives.
Risk culture is the collective values, beliefs, knowledge, day-to-day operational activities and understanding of risk held by University members.
Risk management means the practices to:
- establish strategy and ensure alignment with vision and mission;
- enable increased opportunity, growth and activity;
- identify potential events that may impact strategy;
- handle risk within the endorsed risk appetite; and
- provide reasonable assurance on achieving strategy.
Risk management framework is a system of monitoring, learning and improving performance; it articulates a set of principles for building or integrating processes.
Risk response plan is the process of developing and documenting strategic options, and determining actions, to enhance opportunities and reduce vulnerabilities for achieving desired objectives.
Risk universe is the full range of risks that could impact, either positively or negatively, on the ability of the University to achieve its strategic objectives.
Staff member refers to an individual employed by the University.
University means the University of Auckland including all subsidiaries.
University activity is activity that has been approved as being for University purpose and is funded by the University or third party.
Key relevant documents
Include the following:
- Conflict of Interest Policy
- COSO - ERM - Integrating with Strategy and Performance
- Emergency Management Statute
- Fraud and Corruption Policy
- Health and Safety Policy
- ISO 31000:2018
- Resilience Management Plan [to be refreshed with SRT Policy and BCP Policy in 2020/21]
- Risk Management Framework [available on Staff intranet]
- Travel Policy
Document management and control
Owned by: Chief Financial Officer
Content manager: Manager, Risk Office
Approved by: Vice-Chancellor, Deputy Vice-Chancellor (Operations) and Registrar
Date approved: 22 November 2019
Review date: 22 November 2024