Enterprise Risk Management Information
James Cook University has identified ten enterprise risks. It has done this through the completion of the University Level Risk Assessment in 2015 that was subsequently approved by the Audit, Risk and Compliance Committee of JCU Council.
The University level or enterprise risks are accessible to certain staff with access to the Enterprise Risk Manager section of Riskware.
The enterprise risks identified, relate to growth in the number of students, safety and wellbeing of staff and students, legal compliance, research and business continuity.
Causal factors and corresponding mitigation strategies have been developed and are linked to numerous University initiatives and Divisional plans. Progress to completion is tracked through the Riskware information system. The University Level Risk Assessment (ULRA) is reviewed annually or when risks are deemed to have changed sufficiently to trigger an earlier review.
Key Risk Indicators (KRIs) continue to be developed and refined to provide a predictive tool through which changes to key risks can be monitored, and fresh responses developed, if or when agreed risk limits are exceeded.
Information on various University initiatives can be accessed here:
Key terms frequently used in Risk Management:
Communication and consultation
Continual and iterative processes that an organisation conducts to provide share or obtain information and to engage in dialogue with stakeholders regarding the management of risk.
Outcome of an event affecting objectives.
Establishing a context
Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.
Level of risk
Magnitude of a risk or a combination of risks, expressed in terms of the combination of consequence and their likelihood. A Risk Matrix is commonly used to determine the level of risk.
Chance of something happening.
Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.
Risk remaining after risk treatment.
The amount and type of risk an organisation is prepared to accept in the pursuit of its organisational objectives.
Process to comprehend the nature of risk and determine level of risk.
Overall process of risk identification, risk analysis and risk evaluation.
Terms of reference against which the significance of a risk is evaluated.
Process of comparing the results of risk analysis with risk criteria.
Process of finding, recognising and describing risks.
Threshold to monitor that actual risk exposure does not deviate too much from the desired optimum; breaching risk limits will typically act as a trigger for corrective action at the process level.
Coordinated activities to direct and control an organisation with regard to risk.
Risk management framework
Set of components that provides the foundations an organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management.
Risk management plan
Scheme within the risk management framework outlining the approach, management components and resources to be applied to the management of risk.
Risk Management Policy
Statement of the overall intentions and direction of an organisation related to risk management. See JCU Risk Management Policy.
Risk management process
Systematic application of management policies, procedures and practices to the activities of communicating, consulting establishing the context and identifying, analysing, evaluating treating , monitoring and reviewing risk.
Person or Entity with the accountability and authority to manage a risk.
Element which alone, or in combination, has the potential to give rise to a risk.
Specific maximum risk that an organisation is willing to take regarding each relevant risk (sub-) category, often in quantitative terms.
Process to modify risk through, avoiding, taking or increasing risk in order to pursue an opportunity, removing risk source, changing likelihood, changing consequence, sharing or retaining a risk.
A structured approach to risk management
A risk management framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organisational levels. The necessary and interrelated components of the framework for effectively managing risk are shown below:
The continual improvement cycle
The risk management process should be:
- An integral part of organisational management at all levels
- Embedded in organisational culture and practices, and
- Tailored to the business processes of the organisation.
The risk management process is shown below:
To facilitate the risk management process, JCU has implemented an enterprise risk management information system called Riskware. Further detail including online training modules can be accessed at Riskware.
The various risk areas identified by JCU include the following:
- Business Disruption
- Compliance and Liability
- Workplace Health and Safety
The JCU Risk Criteria describes likelihood and consequence as well as control effectiveness ratings for each of the above risk areas. The same information can also be found in the Appendices section of the Risk Management Framework and Plan (PDF, 379 KB).
Risk level is determined using the JCU Risk Matrix.
Risk management decision making
Enhanced risk management includes comprehensive, fully defined and fully accepted accountability for risks and controls and risk treatment activities (ISO 31000:2009 Annex A.3.2). Designated individuals must fully accept accountability, have the appropriate skills and access to adequate resources. This will enable checking of control effectiveness, monitoring risks, improve controls and enable effective communication about risks and their management to a wide range of stakeholders.
At JCU, risk management responsibilities are shared across all levels of the organisation and include:
Council is ultimately responsible for approving, and committing to, the risk management policy and setting and articulating the University’s attitude to risk.
The Vice Chancellor is responsible for leading the development of an enterprise risk management culture across the University.
Audit, Risk and Compliance Committee
The Audit, Risk and Compliance Committee is responsible for approving and reviewing the University’s Risk Management Framework and Plan and overseeing the risk management process of the University as a whole in accordance with the Committee’s Charter.
Other Council Committees
The various University committees are responsible for monitoring the management of risk relating to their areas of responsibility. In particular the Futures Committee of Council will review the University Executive’s assessment of risks to the University as encapsulated in the University Level Risk Assessment.
Members of the University Executive are responsible for ensuring that appropriate resources, systems and processes are in place to implement the Risk Management Framework across the organisation and that key University Level risks have been identified and are being managed appropriately.
Chief of Staff (Risk Management Coordinator)
The Risk Management Coordinator is responsible for ensuring that the Risk Management Framework and Policy are being effectively implemented across the organisation.
Risk and Compliance Officer
The Risk and Compliance Officer supports the Chief of Staff in promoting and developing staff capability in risk assessment and management, and assists risk champions and staff with risk responsibilities within the Divisions. The Risk and Compliance Officer also oversees the requirements of the University’s Compliance Framework, understanding legislative obligations relevant to the Higher Education Sector and the activities specific to JCU.
Risk champions within each Division are responsible for coordination of risk management activities within that Division.
All Managers and Staff
Managers and staff at all levels may be risk owners and are responsible for developing an understanding of and becoming competent in the implementation of risk management principles and practices in their work areas.
The documents below provide concise summaries and updates on various risk activities undertaken across the University. This communication, forms one part of the the overall risk communication platform. Other communication and collaboration mediums such as Mediasite will be explored, in particular for presentations and risk training.
Over time, risk awareness throughout the University will grow, along with a deeper understanding of how Enterprise Risk Management can add and protect value. Improved engagement with this subject area is key to building a robust ERM program.