
    Risk Management Policy

    Policy name: Risk Management Policy
    Policy number: COR008
    Date approved: 24 April 2024
    Approving body: Cairnmillar Council
    Responsible officer: Chief Executive Officer & Provost
    Implementation officer: General Manager
    Next review date: April 2029
    Related policies:
    • Occupational Health and Safety Policy
    • Critical Incident, Accident and Injury Policy
    Related forms and documents:
    • Risk Management Strategy & Framework

    1. PURPOSE OF THIS POLICY

    1.1. This policy outlines the expectations that the Council and Executive have with respect to risk management and ensures management can demonstrate that risks in all parts of the Institute are being identified and managed in a way that is appropriate for the business environment and objectives. The policy is to be read in conjunction with the Institute’s Risk Management Framework and other resources, directions and guides approved and published from time to time.

    1.2. The main policy objectives for managing risks are to:

    1. Assist the Cairnmillar Institute (‘the Institute’) in achieving its strategic objectives;
    2. Safeguard the Institute's assets – people, financial, property, information and reputation; and
    3. Create an environment where all staff members assume responsibility for risk management.

    2. SCOPE

    2.1. This policy applies to all of the Institute’s activities. It forms part of the Institute’s corporate governance framework and applies to all members of Council, staff, students, visitors, contractors and volunteers. The policy extends to all current and future activities, and new opportunities.

    2.2. Where necessary, more detailed risk management policies and procedures will be developed to cover specific areas of the Institute's operations, such as financial management and clinical risk management. Where this occurs, such policies and regulations will comply with the broad directions described in the Cairnmillar Risk Management Policy.

    3. DEFINITIONS AND ACRONYMS

    • Level of risk: magnitude of risk, expressed in terms of the combination of consequences and their likelihood.
    • Risk: effect of uncertainty on objectives.
    • Risk analysis: process to comprehend the nature of risk and to determine the level of risk.
    • Risk assessment: overall process of risk identification, risk analysis and risk evaluation.
    • Risk appetite: the amount and type of risk an organisation is prepared to accept in the pursuit of its organisational objectives.

    4. POLICY

    4.1. The Institute is committed to maintaining an effective, efficient and tailored risk management strategy & framework that consists of:

    1. This policy
    2. A risk management plan
    3. Supporting policies that complement risk management such as business continuity management, Workplace Health and Safety management systems and codes of conduct.

    4.2. Risk Governance

    4.2.1. The risk governance structure of the Institute includes:

    • Council: Responsible for approving and committing to the risk management policy, setting the Institute’s appetite for risk, and reviewing the risk register on an annual basis.
    • Audit, Finance & Risk Subcommittee: Responsible for reviewing and making recommendations to Council regarding the implementation of the Risk Management Policy and related procedures, and reviewing the risk register on a quarterly basis.
    • Cairnmillar Institute Executive Group: Responsible for overseeing regular review of risk management activities.
    • Chief Executive Officer & Provost: Responsible for driving the culture of risk management and signing off on the annual risk attestation.
    • General Manager: Responsible for continuously improving the risk management policy, strategy and the related supporting framework, including procedures.
    • Managers: Responsible for ensuring staff in their remit comply with the risk management policy and fostering a culture where risks can be identified and escalated.
    • Staff and Contractors: Responsible for complying with risk management policies and procedures.
    • Compliance & Risk Committee: Responsible for adding and removing risks from the risk register in consultation with the Chief Executive Officer. This is an internal committee of the Institute.

    4.3. Risk Management Process

    4.3.1. When undertaking a risk management process the following steps must be taken: establish the context, identify the risk, analyse the risk, evaluate the risk, treat the risk, monitor and review processes, and develop a process of continuous improvement in procedures to mitigate or eliminate the risk.

    4.4. Integration with other systems and processes

    4.4.1. This risk management policy is designed to be integrated at all organisational levels into the business, financial and operational planning. This policy and related procedures are integrated at the organisational level, for example through audits (including OH&S audits), project management and business case development (which has sections on understanding any possible risk) and at an individual level as seen by the inclusion of occupational health and safety into the performance appraisals of staff which are part of the annual employee lifecycle.

    4.5. Risk Register

    4.5.1. The purpose of the risk register is both operational and strategic and forms part of the risk reporting and monitoring. Adding and removing risks from the register will be conducted by the members of the Compliance & Risk Committee in consultation with the Chief Executive Officer. The Chief Executive Officer is responsible for reviewing the register on a quarterly cycle and reporting to the Audit, Finance & Risk Subcommittee of any significant changes when required.

    4.6. Risk reporting

    4.6.1. The purpose of risk reporting is to create awareness of key risks, improve accountability for the management of risk and the timely completion of risk treatment plans. Whether the risk is strategic, financial, environmental, safety, people and/or reputation, it needs to be determined and communicated to all relevant stakeholders. The General Manager and Chief Executive Officer will report to the Audit, Finance & Risk Subcommittee and to the Cairnmillar Council at least once per year, on key risks that have been identified and on the mitigation plans that are in place.

    4.7. Risk Management Performance

    4.7.1. Measuring performance is a key monitoring activity to assess how effective risk management is at supporting corporate objectives. Risk management performance indicators may include the number of internal audits completed annually, the number of internal audit findings accepted by management, the timeliness of remediating internal audit findings, and the reduction in the number of extreme risks in the risk register.

    5. RESOURCES AND REFERENCES