Enterprise Risk Management Information

James Cook University has identified ten enterprise risks. It has done this through the completion of the University Level Risk Assessment in 2015 that was subsequently approved by the Audit, Risk and Compliance Committee of JCU Council.

The University level (enterprise) risks are accessible to staff who have been granted access to the Enterprise Risk Manager section of Riskware.

The enterprise risks identified relate to growth in student numbers, the safety and wellbeing of staff and students, legal compliance, research, and business continuity.

Causal factors and corresponding mitigation strategies have been developed and are linked to numerous University Strategic and Divisional plans. Progress to completion is tracked through the Riskware information system. The University Level Risk Assessment (ULRA) is reviewed annually or when risks are deemed to have changed sufficiently to trigger an earlier review.

Key Risk Indicators (KRIs) continue to be developed and refined to provide a predictive tool through which changes to key risks can be monitored, and fresh responses developed, if or when risk limits identified in the Risk Appetite Statement are exceeded.

Key terms frequently used in Risk Management:

Communication and consultation

Continual and iterative processes that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk.

Consequence

Outcome of an event affecting objectives.

Establishing a context

Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.

Level of risk

Magnitude of a risk or a combination of risks, expressed in terms of the combination of consequences and their likelihood. A Risk Matrix is commonly used to determine the level of risk.

Likelihood

Chance of something happening.

Monitoring

Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.

Residual risk

Risk remaining after risk treatment.

Risk appetite

The amount and type of risk an organisation is prepared to accept in the pursuit of its organisational objectives.

Risk analysis

Process to comprehend the nature of risk and determine level of risk.

Risk assessment

Overall process of risk identification, risk analysis and risk evaluation.

Risk criteria

Terms of reference against which the significance of a risk is evaluated.

Risk evaluation

Process of comparing the results of risk analysis with risk criteria.

Risk identification

Process of finding, recognising and describing risks.

Risk limit

Threshold used to monitor that actual risk exposure does not deviate too far from the desired optimum; breaching a risk limit will typically act as a trigger for corrective action at the process level.

Risk management

Coordinated activities to direct and control an organisation with regard to risk.

Risk management framework

Set of components that provides the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management.

Risk management plan

Scheme within the risk management framework outlining the approach, management components and resources to be applied to the management of risk.

Risk Management Policy

Statement of the overall intentions and direction of an organisation related to risk management. See JCU Risk Management Policy.

Risk management process

Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk owner

Person or entity with the accountability and authority to manage a risk.

Risk source

Element which alone, or in combination, has the potential to give rise to a risk.

Risk tolerance

Specific maximum risk that an organisation is willing to take regarding each relevant risk (sub-) category, often in quantitative terms.

Risk treatment

Process to modify risk through avoiding risk, taking or increasing risk in order to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, sharing the risk, or retaining the risk.

A structured approach to risk management

A risk management framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organisational levels. The necessary and interrelated components of the framework for effectively managing risk are shown below:

A structured approach to risk management diagram

The continual improvement cycle

The risk management process should be:

  1. An integral part of organisational management at all levels
  2. Embedded in organisational culture and practices, and
  3. Tailored to the business processes of the organisation.

The risk management process is shown below:

risk management process diagram

To facilitate the risk management process, JCU has implemented an enterprise risk management information system called Riskware. Further detail, including online training modules, can be accessed at Riskware.

The various risk areas identified by JCU include the following:

  1. Financial
  2. Academic
  3. Reputation
  4. Business Disruption
  5. People
  6. Compliance and Liability
  7. Workplace Health and Safety

The JCU Risk Criteria describe the likelihood and consequence ratings, as well as the control effectiveness ratings, for each of the above risk areas. The same information can also be found in the Appendices section of the Risk Management Framework and Plan (PDF, 556 KB).

Risk level is determined using the JCU Risk Matrix.

Risk management decision making

Enhanced risk management includes comprehensive, fully defined and fully accepted accountability for risks, controls and risk treatment activities (ISO 31000:2009 Annex A.3.2). Designated individuals must fully accept that accountability, have the appropriate skills, and have access to adequate resources. This enables them to check control effectiveness, monitor risks, improve controls, and communicate effectively about risks and their management to a wide range of stakeholders.

At JCU, risk management responsibilities are shared across all levels of the organisation and include:

Council

Council is ultimately responsible for approving, and committing to, the risk management policy and for setting and articulating the University's attitude to risk.

Vice Chancellor

The Vice Chancellor is responsible for leading the development of an enterprise risk management culture across the University.

Audit, Risk and Compliance Committee

The Audit, Risk and Compliance Committee is responsible for approving and reviewing the University’s Risk Management Framework and Plan and overseeing the risk management process of the University as a whole in accordance with the Committee’s Charter.

Other Council Committees

The various University committees are responsible for monitoring the management of risk relating to their areas of responsibility. In particular, the Futures Committee of Council will review the University Executive's assessment of risks to the University as encapsulated in the University Level Risk Assessment.

University Executive

Members of the University Executive are responsible for ensuring that appropriate resources, systems and processes are in place to implement the Risk Management Framework across the organisation and that key University Level risks have been identified and are being managed appropriately.

Chief of Staff (Risk Management Coordinator)

The Risk Management Coordinator is responsible for ensuring that the Risk Management Framework and Policy are being effectively implemented across the organisation.

Risk and Compliance Officer

The Risk and Compliance Officer supports the Chief of Staff in promoting and developing staff capability in risk assessment and management, and assists risk champions and staff with risk responsibilities within the Divisions. The Risk and Compliance Officer also oversees the requirements of the University’s Compliance Framework, understanding legislative obligations relevant to the Higher Education Sector and the activities specific to JCU.

Risk Champions

Risk champions within each Division are responsible for coordination of risk management activities within that Division.

All Managers and Staff

Managers and staff at all levels may be risk owners and are responsible for developing an understanding of, and becoming competent in, the implementation of risk management principles and practices in their work areas.

The documents below provide concise summaries and updates on various risk activities undertaken across the University. This communication forms one part of the overall risk communication platform. Other communication and collaboration mediums, such as Mediasite, will be explored, in particular for presentations and risk training.

Over time, risk awareness throughout the University will grow, along with a deeper understanding of how Enterprise Risk Management can add and protect value. Improved engagement with this subject area is key to building a robust ERM program.

ERM at JCU Fact Sheet September 2017 (PDF, 436 KB)

ERM at JCU Fact Sheet July 2017 (PDF, 519 KB)