Risk Management Framework

Version | Approved by | Approval date | Effective date | Next full review
[to be completed] | XX Month Year | XX Month Year | Month Year

Purpose: The Risk Management Framework details the requirements for identifying, managing and monitoring uncertainty to maximise upside and minimise the downside of risk.

Scope: The Framework applies to all UNSW business, including those of its Controlled Entities.

Are Local Documents on this subject permitted? Yes, however Local Documents must be consistent with this University-wide Document. / No

Framework

1. Executive Summary

Effective risk management is critical to sound governance [1], building a consistent appetite for and robust culture in risk, improving decision making and enhancing outcomes and accountability. When adopted and integrated by an organisation, risk information provides insights into and transparency over material operational, change/growth, disruptive and emerging risks.


Aligning to ISO 31000:2018 Risk Management - Guidelines [2], UNSW's Risk Management Framework ("Framework") will measure its success against the value creation principles (refer to Figure 1) and its ability to support the University in identifying and consistently analysing risks and opportunities inherent in the updated Strategy 2025 and in all University operations. Risk at UNSW will be defined as the effect of uncertainty on objectives. The process of risk assessment outlined in this Framework has been designed to support and build efficiency in decision making, ensuring alignment to objectives and integration of principles into existing processes, analysis of key factors that influence decisions and the take up of opportunities. A key output is the University's enhanced capability to focus resourcing and effort on priority endeavours, matching scarce resources to achieve the Strategy 2025.

This Framework is the foundation for building the value of risk management; empowering people to effectively manage and/or leverage off uncertainty.

2. Objectives

The Framework details the requirements for identifying, managing and monitoring uncertainty. It clarifies how risk and opportunity are considered in strategic planning, review, approval and execution of University (and controlled entities [the University]) initiatives and the monitoring of operational performance. The Framework, adopting the ISO 31000:2018 principles (Figure 1), addresses how we will embed the management of risk into our culture and practices and, by doing so, support the Executive and Council in making informed decisions and provide assurance that a robust risk management approach is adopted across the University.

Framework objectives include:

- Enhanced decision making, evidenced by adoption and integration of the Risk Appetite into strategic decision making and operational monitoring processes.
- Strong engagement in and ownership of risk by our people, evidenced by a maturing risk culture. This culture will support clarity over the roles and responsibilities of people and governance forums, enable consistent review of and discussions regarding potential risks and co-ordination of people and activities.
- Integrated risk assessment process that adds value to the University, evidenced by the tailoring and integration of the assessments into existing processes and for context relevance, people are competent in carrying out the process and management seek to review and understand the output of risk assessments.
- Maturing risk culture that embraces risk management principles into our cultural norms, evidenced by the consideration of risk as part of doing business and reflected in discussions and questions regarding activities and initiatives.

[1] ASX Corporate Governance Principles and Recommendations, ed 4, Feb 2019
[2] ISO 31000:2018 Risk Management Principles and guidelines

Figure 1: ISO 31000:2018 Value Creation and Protection Principles

3. Framework Architecture

Our Framework has been designed to align with the governance framework practices and reporting, to accommodate the organisational structure and to meet the requirements of ISO 31000:2018 Risk Management Guidelines. This Framework will inform other specialist risk functions, such as Compliance, IT, Cyber, Treasury, Insurable Risk and Safety, so they can conform to it whilst also ensuring compliance with the applicable standards and regulations related to their discipline.

Five elements make up the Framework:

1. The Risk Management Statement and Strategic Risk Appetite (Section 6)
2. The Risk Management Process (Section 7)
3. Communicating and Reporting Risk Information (Section 8)
4. Risk Accountability across the University (Section 9)
5. Monitoring and Review of the Framework (Section 10)

To ensure the ongoing relevance of our Framework, four continuous improvement activities are integrated into the design and review components. They are:

1. Continual review of risk tools and practices by seeking feedback from users, champions and sponsors following the conduct of risk sessions.
2. Annual review of the Framework and its objectives against industry standards and innovations
3. Annual review of stakeholders to ascertain how the adoption of risk practices has added value to University strategic, change/growth and operational performance
4. Annual confirmation of the University's commitment to the Risk Management Strategy and aspirational targets

4. Application

The University (including controlled entities) will be supported by the Risk Function to enable them to embrace and adopt the Framework's requirements.

Newly established or acquired operations will be required to comply with the requirements within 12 months of being established or acquired. This Framework applies to the management of all types of risk at all levels across the University. All specialist risk frameworks will be informed by and conform to this Framework, including, but not limited to:

- Project Risk Management, including Strategic Initiative Feasibility and Business Case risk analysis and Infrastructure Risk Management
- Health and Safety Risk Management, including safety research approvals
- Academic Risk Management
- Insurable Risk Management
- Treasury Risk Management
- Fraud and Corruption Prevention
- Incident and Crisis Management / Business Resilience
- Compliance Risk Management
- IT Risk and Cyber Security
- Procurement Risk Management
- Event Risk Management

A key design focus has been the ability for Faculties and Divisional Portfolios to apply a consistent risk assessment approach whilst enabling tailoring of forms to align to their Faculty/Portfolio and unique activity requirements.

Risk Management Calendar

To support the Risk Committee in executing its charter and the University in implementing industry leading practice, a series of activities are required. These are outlined in the Risk Management Calendar, Figure 2. Not listed in the calendar are the risk assessments and capability building activities that will occur as and when projects and/or initiatives are identified and those scheduled to support the enterprise risk profile updates.

Requirement: The University and all its controlled entities will adopt the requirements of the University's Risk Management Framework.

Figure 2: The Risk Management Annual Calendar of major activities

5. Responsibilities

Throughout the University, key roles and governance forums will take on responsibilities for actioning the requirements of this Framework.

This includes:

- Council, Sub-Committees and Governance Structures, that set the University's tone, will be responsible for setting the risk appetite, reviewing the enterprise risk profiles and adequacy of controls, and approving the Risk Management Framework
- Faculties, Divisions and Executives will be responsible for monitoring their strategic and operational risk performance and ensuring the capability to execute risk mitigation initiatives
- The Risk Function will be responsible for ensuring the Risk Management Framework captures and translates leading risk practices to the activities of the University, competency to manage risk is appropriate throughout the University and risk information is accurate, mature and comprehensive to support the University Executives and Council and its Sub-Committees in decision making and the management of risk
- Internal and external audit will provide independent reviews, the output of which will contribute to risk information and evaluation of control effectiveness

The interplay of the above groups is reflected in COSO: the three lines of defence [3], Figure 3.

Figure 3: University's Three Lines of Defence

[3] Leveraging COSO across the three lines of defence, The Institute of Internal Auditors, 2015

Qtr 1

- Confirm risk review schedules and risk maturity action plan with Faculty, Divisions and Controlled the Annual Joint Committee Risk Workshop
- Complete a deep dive into an agreed material strategic risk or potential disruptor for presentation to the RC
- Prepare and submit the required RC reports
- Conduct project and strategic initiative risk reviews as required
- Conduct scheduled risk training
- Present to the Senior Leadership Group on an agreed Risk Leadership Topic

Qtr 2

- Update the University Risk Profile with a focus on control effectiveness, secure endorsement from Senior Leadership Group and Management Board prior to RC a deep dive into the effectiveness of a sub-set risk Framework Fraud and Corruption Prevention
- Prepare and submit the required RC reports
- Conduct project and/or strategic initiative risk reviews as required
- Conduct scheduled risk training

Qtr 3

- Participate in the Insurance Program renewal
- Prepare and submit the required RC reports
- Conduct project and/or strategic initiative risk reviews as required
- Present to the Senior Leadership Group on an agreed Risk Leadership Topic
- Conduct scheduled risk training
- Contribute to the development of the IA plan

Qtr 4

- Annual review of the Risk Management Framework, the Risk Appetite and related sub-speciality risk areas.

