Policy Directory


Date first approved:

15 April 2005

Date of effect:


Date last amended:

1 December 2015

Date of next review:

1 December 2018

First approved by:

University Council

Custodian title & email address:

Manager, Business Assurance


Chief Finance Officer

Division & Unit:

Business Improvement & Assurance Division

Supporting documents, procedures & forms of this policy:

Risk Management Guidelines

Risk Register Templates

Risk Appetite Statement

Relevant Legislation


External Documents:

University of Wollongong Act, 1989 (NSW)
Commercial Activity Guidelines

Commercial Activity Risk Assessment Guidelines
Environmental Policy

Workplace Health and Safety Policy

Business Continuity Management Policy

AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines

SA/SNZ HB 436:2013 Risk management guidelines – Companion to AS/NZS ISO 31000:2009


Public – accessible to anyone

Submit your feedback on this policy document using the Policy Feedback Facility.


1 Purpose of Policy

    • 1. Risk management is an essential component of the University’s governance arrangements. Effective risk management supports the achievement of the University’s objectives and provides assurance to the University Council, Risk, Audit & Compliance Committee and Vice-Chancellor that risks are being managed appropriately and in line with University objectives. Effective Risk Management enables:
      • a. Improved planning, performance and effectiveness;
      • b. Clear reporting and transparency of information;
      • c. Improved stakeholder relationships;
      • d. Improved information for decision making;
      • e. Accountability and assurance.
    • 2. As affirmed in Goal 5.3 of the Strategic Plan 2013-2018, the University is committed to managing “reputational, financial and operational risk prudently by facilitating clear lines of decision-making, authority and accountability in our structures and processes”.
    • 3. The purpose of this policy is to:
        • a. Define responsibilities and structures to ensure that risk management practices are incorporated into strategic, business and project planning and review processes;
        • b. Promote an environment where informed decisions to identify and manage the University’s risks are made in an open and transparent manner;
        • c. Create a risk intelligent culture at the workplace where all staff assume responsibility for managing risk in their day to day activities; and
        • d. Ensure a consistent approach to risk management is applied in all areas across the University.

2 Definitions



Commercial Activity

As defined in the Commercial Activities Guidelines


A measure that modifies a risk1

Emerging Risk Issue

A significant new risk issue or existing risk with a heightened potential exposure for the University

Level of Risk

The magnitude of a risk expressed as a combination of consequence and likelihood

Local Risk Register

A register of locally identified risks maintained by a faculty, institute or administrative division/unit or for a Major Project or Commercial Activity

Major Project

A large-scale project, as identified in the University’s Capital Management Plan

Organisational Risk Register

The central register of the University’s key risks developed through consolidation of locally identified risks that have an impact at an organisational level and risks identified through strategic risk assessment processes

Project Manager

For the purposes of this policy, Project Manager refers to staff members responsible for managing a Major Project, as per the University’s Capital Management Plan


The effect of uncertainty on objectives1

Risk Appetite

The level of risk the University is willing to accept in pursuit of its objectives

Risk Assessment

The overall process of risk identification, risk analysis and risk evaluation1

Risk Management

Coordinated activities to direct and control the University with regard to risk1

Risk Management Framework

The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management1 throughout the University

Risk Management Process

The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk1

Risk Owner

The position with the accountability and authority to manage a risk and any associated risk treatments. At UOW, Risk Owners will usually be a Director, Faculty Executive Manager, Project Manager (as defined by this policy), Executive Dean or a member of the Senior Executive (including the Vice-Chancellor)

Risk Treatment

A process to modify risk1

  • 1 Source: AS/NZS ISO 31000:2009

3 Application & Scope

    • 1. This policy applies to all Faculties, Institutes and administrative Divisions/Units and significant University activities. This policy should be read in conjunction with the Risk Management Guidelines.
    • 2. Specific risk management policies, procedures and/or guidelines covering specialised areas such as work health and safety, environmental, business continuity management and Commercial Activities may apply and will be consistent with the broad directions in this policy.

4 Risk Management Approach

    • 1. The University will apply a structured and consistent approach to risk management at all levels across the University, consistent with the Risk Management Standard AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.
    • 2. The management of risk is the responsibility of all staff and will be incorporated into academic, strategic and operational planning and review processes at all levels across the University.
    • 3. In addition to managing the risks for normal University operational activities, risks for all Commercial Activities and Major Projects (as defined by this policy) will be assessed, prior to commencement, and managed in accordance with this policy.
    • 4. Risk management activities should be based on the best available information, which may include historical data, experience, stakeholder feedback, observation, forecasts and expert judgement.
    • 5. Although processes for identifying risks may vary across the University, all risks will be assessed using a standard methodology. (For guidance refer to the Risk Management Guidelines).
    • 6. Each risk will be assigned a risk owner who is responsible for managing and monitoring the risk. Risk owners must ensure that adequate controls are:
      • a. Applied so that risks are within pre-determined acceptable levels; and
      • b. Proportional to the risk consequence and likelihood.
    • 1. Monitoring and review processes will be undertaken regularly to ensure risks and controls remain relevant; information used by management is accurate and complete; and emerging risks are integrated into the risk management process.
    • 2. The University’s Risk Management Framework will be subject to independent audit and review to ensure ongoing currency, relevance and effectiveness and to facilitate continual improvement.

5 Local Risk Registers

    • 1. Each Faculty, Institute and administrative Division/Unit is required to develop and maintain a local risk register. Local risk registers will not take the place of existing risk registers for specific activities.
    • 2. Local risk registers and any associated mitigation plans will be regularly reviewed and updated.
    • 3. Emerging risk issues will be incorporated into the local risk register as they are identified. Any new high risk issue must be reported to the relevant Senior Executive or Executive Dean as soon as practicable after the risk is identified.
    • 4. Unless determined by the Senior Executive or Executive Dean that a risk may be accepted without implementing additional risk treatment, an appropriate mitigation plan must be implemented for any risk outside the University’s risk appetite. Refer to the Risk Management Guidelines - Appendix A.
    • 5. Local risk registers must be endorsed by the relevant Senior Executive or Executive Dean prior to being forwarded to the Business Assurance Manager for incorporation into the Organisational Risk Register.

6 Organisational Risk Register

    • 1. Business Assurance will develop and maintain the Organisational Risk Register which will:
      • a. Include details of current and emerging risk issues and how they are being managed;
      • b. Include details of mitigation plans for risks outside the University’s risk appetite; and
      • c. Form the basis of regular reporting to the Vice-Chancellor’s Advisory Group, the Risk, Audit & Compliance Committee and University Council. This reporting will include, but not be limited to:
        • i. any risk outside the University’s risk appetite including those risks the Senior Executive or Executive Dean determine can be accepted without implementation of additional risk treatment; and
        • ii. any risk where the targeted completion of an appropriate mitigation plan exceeds the agreed maximum timeframe for implementation, including those risks where increased timeframes have been agreed with the Senior Executive or Executive Dean.

7 Risk Registers for Commercial Activities and Major Projects

    • 1. Risk Registers will be maintained for new Commercial Activities and Major Projects (as defined by this policy) where high inherent risks or medium to high residual risks have been identified in accordance with the University Risk Management Guidelines.
    • 2. Risk Registers for Commercial Activities and Major Projects will be used to inform Local Risk Registers. If any identified risk falls outside the University’s Risk Appetite or presents a medium to high residual risk to a Major Project or Commercial Activity, then that risk should be incorporated into the Local Risk Register if approval is given for the project or activity to proceed.

8 Roles & Responsibilities

University Council

    • 1. The University Council and its Committees have responsibility under the University of Wollongong Act 1989 for overseeing Risk Management and Risk Assessment activities across the University.
    • 2. The University Council, via the Risk, Audit & Compliance Committee, is responsible for endorsing the University’s Risk Appetite.

Vice Chancellor & Principal

    • 3. The Vice-Chancellor & Principal is responsible for:
      • a. Ensuring that a risk management system is established, implemented and maintained in accordance with this policy in any designated functional area or activity;
      • b. Ensuring systems are in place so that risk owners are held responsible for implementing, monitoring and reporting risks that are within their area of responsibility;
      • c. Providing leadership on the University’s Risk Appetite and acceptable risk exposure.
    • 4. Assignment of responsibilities in relation to Risk Management is the prerogative of the Vice Chancellor & Principal.

Risk, Audit & Compliance Committee (RACC)

    • 5. The Risk, Audit & Compliance Committee is responsible for:
      • a. The oversight of the processes for the identification and assessment of the general risk spectrum, reviewing the outcomes of Risk Management Processes and monitoring Emerging Risks based on changes in the external environment;
      • b. Overseeing Risk reporting in all areas of University operations; and
      • c. Informing University Council of the adequacy and effectiveness of the University’s Risk Management Processes and internal control system as advised to RACC.

Senior Executives & Executive Deans

    • 6. Senior Executives and Executive Deans are accountable for Risk Management within their respective areas of responsibility, including the devolution of the Risk Management Process to operational managers. They are responsible for:
      • a. Championing a Risk Management culture and supporting the enhancement of Risk Management practices across the University;
      • b. Developing and reviewing, in conjunction with the Vice-Chancellor, the University’s Risk Appetite;
      • c. The formal identification of strategic risks that may impact upon the University’s objectives;
      • d. Allocation of priorities and allocation of resources;
      • e. The provision of Risk Management guidance;
      • f. Oversight of Local Risk Registers;
      • g. Monitoring the adequacy of controls and mitigation plans; and
      • h. Overseeing the management of Risk issues that have been escalated from within their respective areas of responsibility, including any treatments to mitigate adverse impacts or maximise opportunities.

Directors, Faculty Executive Managers, Directors of Research Institutes and Project Managers

  • 7. Directors, Faculty Executive Managers, Directors of Research Institutes and Project Managers are, within their respective areas of responsibility, responsible for:
      • a. Implementation of this policy;
      • b. Managing risks (including identifying, assessing, monitoring and reviewing, communicating and reporting) that may impact on objectives;
      • c. Ensuring a local risk register is developed and regularly reviewed and maintained;
      • d. Maintaining effective internal controls;
      • e. The development and implementation of appropriate and effective mitigation plans;
      • f. Regular reporting of risks and progress of mitigation plans; and
      • g. Reporting to their Senior Executive or Executive Dean any new high Risk issue as soon as practicable after the Risk is identified.
      • h. Ensuring that medium and high residual risks for Commercial Activities and Major Projects are registered and managed, and used to inform their Local Risk Register.

Director Business Improvement & Assurance Division, in conjunction with the Manager, Business Assurance

    • 8. The Director BIAD and Manager Business Assurance are responsible for:
      • a. Facilitating development and implementation, through the Risk, Audit & Compliance Committee, of the University’s Risk Management Framework and associated policies and guidelines;
      • b. Ensuring the review and continuous improvement of the University’s Risk Management Framework;
      • c. Maintaining the University’s Organisational Risk Register;
      • d. Coordinating reporting of Risk data to the Vice-Chancellor’s Advisory Group, and University Council via the Risk, Audit & Compliance Committee; and
      • e. Evaluating, through the University’s internal audit function, the design adequacy and operating effectiveness of controls in place to mitigate the risks associated with key University activities.

All Staff

    • 9. Every staff member of the University is responsible for the effective management of Risk including the identification and reporting of new and emerging risks.
    • 10. There is legislation in place for the management of specific risks such as, for example, Workplace Health and Safety, Equal Opportunity and Research Ethics. The Risk Management Policy does not relieve the University of its responsibility to comply with applicable legislation.
    • 11. Training and facilitation in relation to Risk Management practice will, in the first instance, be the responsibility of Business Assurance in conjunction with the Professional and Organisational Development Unit.

9 Version Control and Change History

Version Control

Date Effective

Approved By



15 April 2005

University Council

First version


6 May 2009

Vice-Principal (Administration)

Migrated to UOW Policy Template as per Policy Directory Refresh


9 March 2010

Vice-Principal (Administration)

Future review date identified in accordance with Standard on UOW Policy


26 August 2010

Vice-Principal (Administration)

Updated to reflect divisional name change from Personnel Services to Human Resources Division


3 September



Updated to reflect conformance with the spirit of the International Risk Management Standard ISO 31000


4 March 2013



Updated to reflect title change from Associate Director Financial Services to Director Financial Operations


22 August 2014

University Council

Complete review due to review of risk management framework


1 December 2015


Clarification of requirements related to Major Projects and Commercial Activities and update of titles and responsibilities

Here to Help

Need a hand? Contact the Governance Unit for advice and assistance on policy issues.