Enterprise Risk Management

The international standard on risk management, AS ISO 31000:2018 Risk Management Principles and Guidelines defines risk as the "effect of uncertainty on objectives".

Risks that potentially impact organisations can have varying consequences in terms of financial performance, professional reputation as well as environmental, health, safety and societal outcomes. Therefore, managing risk effectively and holistically will allow the University to perform better in an environment full of uncertainty.

    Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as:

"A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The University’s Risk Management process complies with AS ISO 31000:2018 and is in line with JCU Risk and Compliance Management policies and performs the following key risk management activities:

  • Establish the context
  • Risk identification
  • Risk analysis
  • Risk evaluation
  • Risk treatment
  • Monitoring and review
  • Communication and consultation

Refer to the Risk Management Policy and Risk Management Framework and Plan for more information.

Compliance, whilst its own unique, overarching and yet specialised area, is part of Enterprise Risk Management because potential legislative non-compliance presents a risk to the University. See Compliance for further information.

Risk Management is the responsibility of all. The management of risk is an essential aspect of the overall management of the University. By implementing a risk management framework an organisation can realise the following benefits:

  • Achievement of business objectives
  • Awareness of key risks facing the University
  • Appropriate resource allocation
  • Supports planning and decision making
  • Internal and external communication
  • Ensures accountability of risk
  • Fosters proactive management, rather than reactive
  • Promotes early identification and treatment of risks
  • Encourages a positive risk culture

The Riskware Enterprise Risk Management (ERM) Register is a comprehensive record of all risks across the University landscape.

The ERM Register is a module available in Riskware that allows a Risk Owner to create, manage, review and report on risks. The ERM Register has an integrated workflow capability that offers users the ability to approve, review and assign tasks to mitigate risks.

The ERM Register provides a series of steps that, when undertaken in sequence, enable you to identify, assess, control, manage and report on potential impacts and opportunities:

  • The key risks to your business unit or area of operation
  • The consequences of the risk materialising
  • The impact and likelihood of the risk materialising
  • The management and control treatments for risk mitigation
  • Assignment of those responsible for managing and treating risks

Create a Risk

The creation of a risk is completed in the risk assessment form explained in this Quick Reference Guide. The Risk Assessment Form closely follows the International Risk Management Standard ISO 31000:2018 to help you perform your risk management responsibilities in a clear and consistent manner.

Approve a Risk

All new risk assessments will require approval from the supervisor/manager within your business unit or area of operation. Once a risk assessment has been submitted, an email will be forwarded to a Risk Approver who may make some edits before either approving or rejecting the new risk.

Review a Risk

Risks need to be continuously monitored and reviewed. The effectiveness of the controls currently in place to manage risks should be periodically assessed to ensure changing circumstances do not alter risk priorities.

Manage a Task

The Risk Owner can appoint a person responsible for the treatment of the risk is typically known as a Task Owner. A task is assigned to the Task Owner and usually requires some work/investigation/review/consultation to be done to mitigate a risk. Treatment plans can also referred to as controls.

Report a Risk

Riskware provides a comprehensive array of reporting analytics in the form of summarised reports, detailed risk registers and dashboards.

Click on the above link to log in to the Riskware system.

If you have been assigned access, you will see to the Enterprise Risk Management (ERM) Register module in the Home page.

Alternatively, use the following link to access the "What is Riskware" webpage.

Please contact riskmanagement@jcu.edu.au to inquire about training or for further information and support.