Enterprise Risk Management Policy

Section 1 - Introduction

(1) Charles Darwin University (‘the University’, ‘CDU’) is committed to the management of risk and fostering a culture of risk management. The University recognises that an integrated and balanced approach to risk supports the achievement of strategic and operational objectives.

(2) Enterprise Risk Management (ERM) is the process of identifying and addressing the potential events that represent risks to the achievement of strategic goals, or to opportunities to gain competitive advantage. ERM is an integral and inseparable part of good governance, management practice, performance culture and processes that are the core of University business.

(3) The University is committed to embedding enterprise risk management within its learning and teaching, research, operations and commercial activities.

Section 2 - Purpose

(4) The Enterprise Risk Policy (policy) communicates the University’s commitment to managing enterprise-wide risks and establishes clear expectations to ensure the CDU community are aware of their responsibilities for managing risk.

Section 3 - Scope

(5) The policy applies to:

  1. all members of the University community, including Council members, Board and Committee members, employees, students, contractors and adjuncts of the University; and
  2. all activities authorised and conducted by or on behalf of the University.


Section 4 - Policy

(6) Risk is defined as the uncertainty associated with the delivery of the strategic goals of the University, which could result in either a positive or negative outcome. The University will face risks to its business from both internal and external sources. Successful risk management will enable the University to effectively understand and manage the uncertainty to which the University is exposed.

Risk Management Principles

(7) In line with the International Standard ISO 31000:2018 Risk management - Guidelines, the University’s risk management principles are:

  1. Integrated: risk management is an integral part of all University activities.
  2. Structured and Comprehensive: a structured and comprehensive approach to risk management contributes to consistent and comparable results.
  3. Customised: the risk management system and processes are customised and proportionate to the University’s external and internal context related to its strategic goals.
  4. Inclusive: the appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
  5. Dynamic: risks can emerge, change or disappear as the University’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
  6. Best Available Information: the inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
  7. Human and Cultural Factors: human behaviour and culture significantly influence all aspects of risk management at each level and stage.
  8. Continual Improvement: risk management is continually improved through learning and experience.

Enterprise Risk Management Framework

(8) The key components of the University’s enterprise risk management framework are:

  1. the Enterprise Risk Plan;
  2. this policy;
  3. the risk management methodology and processes, as set out in the Enterprise Risk Management Procedure;
  4. the risk appetite statement and tolerances;
  5. the Strategic Risk Register;
  6. the Corporate Risk Register;
  7. the Emerging Risk Register;
  8. the Risk Assessment Criteria and Risk Matrix;
  9. the Risk Management Training Program;
  10. the Risk Management Communications Plan;
  11. the Risk Management Governance Structure – Council and relevant Boards and Committees;
  12. the Compliance Management Policy;
  13. the Internal Audit Plan;
  14. the Compliance Plan;
  15. insurance arrangements;
  16. other University policies and procedures relating to specific areas of risk, including health, safety and environment; emergency planning and business continuity; incident management; fraud and corruption; conflicts of interest; privacy and cyber / information security; and
  17. external audit.


Section 5 - Risk Management Roles and Responsibilities

(9) University Council: ultimately responsible for overseeing risk management across the University and articulating its willingness to take risk through the approval of risk appetite statements. Council is supported in the discharge of its risk management responsibilities by the Audit, Risk and Compliance Committee.

(10) Audit, Risk and Compliance Committee (ARCC): responsible for ensuring that an appropriate risk management framework is in place across the University that is fit for purpose, operating as intended and that key risks to the achievement of the strategic goals are managed within risk appetite. ARCC are supported in the discharge of their risk management responsibilities by the Finance and Infrastructure Development Committee and Academic Board.

(11) Finance and Infrastructure Development Committee: responsible for the identification of risks to the University’s financial viability and sustainability.

(12) Academic Board: responsible for maintaining oversight of academic risks, including academic and research integrity.

(13) Leaders: responsible for ensuring that risks to the achievement of the strategic goals are identified, assessed and managed and for ensuring that all parts of the University implement the requirements of the risk management framework.

(14) Faculties and Business Areas: responsible for identifying, assessing and managing risk within their own area of responsibility and for implementing the requirements of the risk management framework and for providing assurance to Senior Executives that it has done so.

(15) Vice-President Governance and University Secretary: responsible for establishing and implementing high-quality governance practices, which includes risk management, to meet CDU’s compliance obligations.

(16) Director Risk and Assurance, who is responsible for:

  1. oversight of risk management, including oversight and challenge of the University’s systems and controls in respect of risk management;
  2. ensuring the adequacy of risk information, risk analysis and risk training provided to staff;
  3. reporting to the appropriate governing bodies on the University’s risk exposures relative to its risk appetite; and
  4. developing, implementing, maintaining and evolving the enterprise risk management framework and for challenging all aspects of decision making across the University from a risk perspective.

All Managers have a responsibility to identify, assess and manage risk within their own area of responsibility, for implementing agreed actions to manage risk and for reporting activities or circumstances that may give rise to new or changed risk.

(17) Risk Owners, who are responsible for:

  1. complying with the risk management framework in respect of owned risk - identification, assessment, escalation, reporting and monitoring;
  2. overseeing the delivery of key action plans agreed with action owners;
  3. documenting and keeping up to date the risk and control information in the relevant University risk register;
  4. monitoring the status of owned risks with a particular focus on monitoring circumstances that may alter the severity of assessed risks; and
  5. providing reports on owned risks to the Senior Executive Team and the Audit Risk and Compliance Committee, on request.

(18) All employees are responsible for being aware of the requirements of the risk management framework, identifying and escalating risk, and exercising a duty of care.

(19) Internal Audit are responsible for developing a risk-based internal audit program to audit the risk processes across the University, receive and provide assurance on the management of risk, and report on the efficiency and effectiveness of internal controls in place and operating to manage risk.

(20) Specific risk management responsibilities of the Council and its Boards and Committees are defined in their respective terms of reference.

Section 6 - Non-Compliance

(21) Non-compliance with Governance Documents is considered a breach of the Code of Conduct – Staff or the Code of Conduct – Students, as applicable, and is treated seriously by the University. Reports of concerns about non-compliance will be managed in accordance with the applicable disciplinary procedures outlined in the Charles Darwin University and Union Enterprise Agreement 2022 and the Code of Conduct – Students.

(22) Complaints may be raised in accordance with the Complaints and Grievance Policy and Procedure - Employees and Complaints Policy - Students.

(23) All staff members have an individual responsibility to raise any suspicion, allegation or report of fraud or corruption in accordance with the Fraud and Corruption Control Policy and Whistleblower Reporting (Improper Conduct) Procedure.