Risk Management Policy
Application
All members of the University.
Purpose
To ensure that risk management is embedded in all University activities and members of the University understand their associated responsibilities.
Introduction
University activities, including research and learning and teaching, attract various levels of risk. Risk management must be a cornerstone of University culture for strategic objectives to be realised. To achieve this, members of the University need to follow all elements of the risk management framework.
Risk management needs engagement from all University members to foster a risk culture of awareness, transparency and inclusiveness.
This policy forms part of the University’s governance and internal control arrangements.
Policy
Principles
The guiding principles of risk management at the University are:
1. Risk management is critical to achieving strategy, enables opportunity and underpins decision-making. It is integral to processes across all levels of the University and enables continuous improvement.
2. Risk management aims to protect the University’s people, property, finances, environment, information and reputation.
3. Risk management is agile and responsive to the University’s dynamic operating environment; the risk landscape is to be monitored regularly, and its impact on strategy and objectives identified, assessed and responded to.
4. The costs, either financial or non-financial, of risk and risk management should be considered, minimised and balanced against opportunities with reference to the University’s risk appetite.
5. Risk that cannot be managed within risk appetite must be disclosed so that further risk responses, or adjustments to risk appetite and/or risk tolerance, can be considered.
6. Risk management is to be methodical and structured, and is to follow the principles of ISO 31000:2018 and COSO Enterprise Risk Management (ERM): Integrating with Strategy and Performance, as integrated into the Risk Management Framework.
Risk management framework
7. The assessment, reporting and disclosure of risk is to be made in accordance with the Risk Management Framework (framework).
8. This framework has the status of procedures under the UoA Policy Framework Policy and is to be available to all staff members and affiliates on the University intranet site.
Note – the framework contains the following:
- Risk appetite and tolerance statements;
- Details of how risks are identified, analysed and evaluated;
- Details of how risk response plans are designed and prioritised; and
- Details of how risks are reported, escalated, and communicated.
Roles and Responsibilities
All members of the University have specific accountabilities for risk management:

Audit and Risk Committee
- Ensure all material risks are identified
- Monitor the management of material business risks, and ensure that appropriate procedures and controls are in place to mitigate or manage those risks
- Review the Risk Management Policy every three years
- Review the Risk Management Framework and endorse risk appetite and tolerance annually
- For further details refer to the UoA Audit and Risk Committee Terms of Reference

University Executive Committee
- Endorse and champion the application of the Risk Management Policy and Framework
- Advocate awareness of the interdependency between strategy and risk
- Take ownership of risks in area of responsibility and ensure such risks have response plans
- Establish risk appetite and tolerance

Head of Risk (CFO)
- Lead development and application of risk management systems
- Implement the Risk Management Policy and Framework
- Promote awareness of the interdependency between strategy and risk
- Design and implement an insurance strategy and programme

Risk Office
- Develop risk management policy, framework, strategy and principles, and deliver the associated awareness programme
- Coordinate awareness of the interdependency between strategy and risk
- Advise management on risk management and response plans
- Coordinate timely delivery of relevant risk management information to stakeholders
- Develop an assurance programme to systematically evaluate and enhance risk management processes

Management
- Manage risk effectively within business units
- Report on risk management activities
- Take ownership of risks in area of responsibility and ensure such risks have response plans

Staff members
- Proactively identify and report risks
- Support the establishment of response plans for identified risks

Members
- Proactively identify and report risks
- Support risk management practices at the University
Definitions
The following definitions apply to this policy:
Member(s) includes all Council members, members of committees and boards, staff members, honorary and adjunct appointees, students, contractors, subcontractors, consultants, associates and business partners of the University.
Risk Office is the organisational unit which leads risk management coordination at the University.
Risk is the effect of uncertainty on objectives.
Risk appetite is the level of risk the University is prepared to accept in the pursuit of its strategic objectives.
Risk culture is the collective values, beliefs, knowledge, day-to-day operational activities and understanding regarding risk held by University members.
Risk management means the practices to:
- establish strategy and ensure alignment with vision and mission;
- enable increased opportunity, growth and activity;
- identify potential events that may impact strategy;
- administer risk within the endorsed risk appetite; and
- provide reasonable assurance on achieving strategy.
Risk management framework is a system of monitoring, learning and improving performance; it articulates a set of principles for building or integrating processes.
Risk response plan is the process of developing and documenting strategic options, and determining actions, to enhance opportunities and reduce vulnerabilities for achieving desired objectives.
Risk tolerance is the acceptable variability, or deviation from the expected level of risk, that the University is prepared to accept to achieve its objectives.
Risk landscape is the full range of risks that could impact, either positively or negatively, on the ability of the University to achieve its strategic objectives.
Staff member refers to an individual employed by the University.
University means Waipapa Taumata Rau, University of Auckland and includes all subsidiaries.
University activity is activity that has been approved as being for a University purpose and is funded either by the University or by a third party.
Key relevant documents
Include the following:
- Health and Safety Policy
- IT and Security Policy
- Risk Management Framework [available on Staff intranet]
Document management and control
Owned by: Chief Financial Officer
Content manager: Manager, Risk Office
Approved by: Vice-Chancellor
Date approved: 22 November 2019
Reviewed date: 15 November 2024
Next Review date: 15 November 2027