
Enterprise Risk Management Policy


Section 1 - Introduction

(1) Charles Darwin University (‘the University’, ‘CDU’) is committed to the management of risk and fostering a culture of risk management. The University recognises that risk is at the heart of everything it does and that, to be successful, the University must take risks knowingly and manage risk to an acceptable level.

(2) Enterprise risk management (ERM) is the process of identifying and addressing the potential events that represent risks to the achievement of strategic goals, or to opportunities to gain competitive advantage. ERM is an integral and inseparable part of good governance, management practice, performance culture and processes that are the core of University business.

(3) The University is committed to embedding enterprise risk management within its learning and teaching, research, operations and commercial activities.


Section 2 - Purpose

(4) The Enterprise Risk Policy (policy) communicates the University’s commitment to managing enterprise-wide risks and establishes clear expectations to ensure the CDU community are aware of their responsibilities for managing risk.


Section 3 - Scope

(5) The Enterprise Risk Management Policy (policy) applies to:

  1. all members of the University community, including Council members, Board and Committee members, staff, students, contractors and adjuncts of the University; and
  2. all activities under the control of the University.

Section 4 - Policy 

Risk Management Principles

(6) In line with the International Standard ISO 31000:2018 Risk management - Guidelines, the University’s risk management principles are:

  1. Integrated: Risk management is an integral part of all University activities;
  2. Structured and Comprehensive: A structured and comprehensive approach to risk management contributes to consistent and comparable results;
  3. Customised: The risk management system and processes are customised and proportionate to the University’s external and internal context related to its strategic goals;
  4. Inclusive: The appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management;
  5. Dynamic: Risks can emerge, change or disappear as the University’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner;
  6. Best Available Information: The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders;
  7. Human and Cultural Factors: Human behaviour and culture significantly influence all aspects of risk management at each level and stage; and
  8. Continual Improvement: Risk management is continually improved through learning and experience.

Enterprise Risk Management Framework 

(7) The key components of the University’s Enterprise Risk Management Framework are:

  1. the Enterprise Risk Plan;
  2. this policy;
  3. the risk management methodology and processes, as set out in the Enterprise Risk Management Procedure;
  4. the risk appetite statement and tolerances;
  5. the Strategic Risk Register;
  6. the Corporate Risk Register;
  7. the Emerging Risk Register;
  8. the Risk Assessment Criteria and Risk Matrix;
  9. the Risk Management Training Program (to be developed 2022);
  10. the Risk Management Communications Plan (to be developed 2022);
  11. the Risk Management Governance Structure – Council and relevant Boards and Committees;
  12. the Compliance Management Policy;
  13. the Internal Audit Plan;
  14. Compliance Plan;
  15. Insurance arrangements;
  16. Other University policies and procedures relating to specific areas of risk, including health, safety and environment; emergency planning and business continuity; incident management; fraud and corruption; conflicts of interest; privacy and cyber / information security; and
  17. External Audit.

Section 5 - Risk Management Roles and Responsibilities

(8) The key risk management roles and responsibilities are:

  1. Council: Ultimately responsible for overseeing risk management across the University and articulating its willingness to take risk through the approval of risk appetite statements. Council is supported in the discharge of its risk management responsibilities by the Audit, Risk and Compliance Committee.
  2. Audit, Risk and Compliance Committee (ARCC): Responsible for ensuring that an appropriate Risk Management Framework is in place across the University that is fit for purpose, operating as intended and that key risks to the achievement of the strategic goals are managed within risk appetite. ARCC are supported in the discharge of their risk management responsibilities by the Finance and Infrastructure Development Committee and Academic Board.
  3. Finance and Infrastructure Development Committee: Responsible for the identification of risks to the University’s financial viability and sustainability.
  4. Academic Board: Responsible for maintaining oversight of academic risks, including academic and research integrity.
  5. Leaders: Responsible for ensuring that risks to the achievement of the strategic goals are identified, assessed and managed and for ensuring that all parts of the University implement the requirements of the risk management framework.
  6. Faculties and Business Areas: Responsible for identifying, assessing and managing risk within their own area of responsibility and for implementing the requirements of the risk management framework and for providing assurance to University executive management that it has done so.
  7. Vice-President Governance and University Secretary: Responsible for establishing and implementing high-quality governance practices, which includes risk management, to meet CDU’s compliance obligations.
  8. Director Risk and Assurance: Responsible for:
    1. oversight of risk management, including oversight and challenge of the University’s systems and controls in respect of risk management;
    2. ensuring the adequacy of risk information, risk analysis and risk training provided to staff;
    3. reporting to the appropriate governing bodies on the University’s risk exposures relative to its risk appetite; and
    4. developing, implementing, maintaining and evolving the enterprise risk management framework and for challenging all aspects of decision making across the University from a risk perspective.
  9. All Managers: Have responsibility for identifying, assessing and managing risk within their own area of responsibility, for implementing agreed actions to manage risk and for reporting activities or circumstances that may give rise to new or changed risk.
  10. Risk Owners: Responsible for:
    1. complying with the risk management framework in respect of owned risk - identification, assessment, escalation, reporting and monitoring;
    2. overseeing the delivery of key action plans agreed with action owners;
    3. documenting and keeping up to date the risk and control information in the relevant University risk register;
    4. monitoring the status of owned risks with a particular focus on monitoring circumstances that may alter the severity of assessed risks; and
    5. providing reports on owned risks to the Executive Team and the Audit Risk and Compliance Committee, on request.
  11. All Staff: Responsible for being aware of the requirements of the risk management framework; identifying and escalating risk; and exercising a duty of care.
  12. Internal Audit: Responsible for developing a risk-based internal audit program to audit the risk processes across the University, receive and provide assurance on the management of risk, and report on the efficiency and effectiveness of internal controls in place and operating to manage risk.

(9) Specific risk management responsibilities of the Council and its Boards and Committees are defined in their respective terms of reference.


Section 6 - Non-Compliance

(10) Non-compliance with Governance Documents is considered a breach of the Code of Conduct – Staff or the Code of Conduct – Students, as applicable, and is treated seriously by the University. Reports of concerns about non-compliance will be managed in accordance with the applicable disciplinary procedures outlined in the Charles Darwin University and Union Enterprise Agreement 2022 and the Code of Conduct – Students.

(11) Complaints may be raised in accordance with the Code of Conduct – Staff and Code of Conduct – Students.

(12) All staff members have an individual responsibility to raise any suspicion, allegation or report of fraud or corruption in accordance with the Fraud and Corruption Control Policy and Whistleblower Reporting (Improper Conduct) Procedure.