Risk Management and Legal Compliance Policy

1. The purpose of our policy 

Our policy sets out the principles under which Adelaide University manages risk and ensures legal compliance. It supports informed, accountable decision-making that protects our people, reputation, and operations.

Our policy provides authority to maintain our Risk Management Procedure and Legal Compliance Procedure. 

2. Who our policy applies to 

Our policy applies to all members of the Adelaide University community and its controlled entities.

[Controlled entities must either adopt this policy or use it as the basis for a similar policy that demonstrates, to Adelaide University's reasonable satisfaction, an equivalent and satisfactory approach to risk management and legal compliance that is fit for purpose for the controlled entity.]

3. Our risk management and legal compliance principles

Our risk management policy principles are:

3.1 Our approach to risk management assures stakeholders of our commitment to identifying and managing risks across our operations. We maintain robust systems and processes to support sustainable, responsible and integrated risk and compliance management.

3.2 Council defines our risk appetite in a formal document outlining the level of risk we are willing to accept to achieve our objectives across our activities and operations.

3.3 The Vice Chancellor determines the management of risk, including planning, resourcing, decision-making, reporting and accountability. 

3.4 Management regularly monitors risk to ensure it remains within our risk appetite and risk tolerance, and reports findings to Council.

3.5 We identify, review and report material risks and controls to relevant governing bodies and management at appropriate intervals, having regard for the potential positive or negative impact on our strategic, business and operational plans.

3.6 Our university community actively identifies, assesses and manages risk, embedding effective risk management across our operations.

3.7 We consider risk in our current and proposed activities, projects, investments, relationships, business planning, and decisions. Risks must be documented in accordance with our established procedures, taking into account the organisational context and stakeholder perspectives. Risk assessments must demonstrate sound financial, commercial, and business judgment. 

3.8 Where regulatory requirements meet the intent of this policy, risk assessment processes do not need to be duplicated. However, evidence must be provided.

3.9 Controlled entities are responsible for managing their own risks and operate under their own governing boards. Each controlled entity must assess its risk profile and report it annually to the Audit and Risk Committee.

3.10 Business continuity readiness is maintained by developing and managing a business continuity guideline and plan that enhances organisational resilience and sets clear priorities for restoring critical and non-critical business functions in the event of a disruption.

3.11 Business continuity plans, procedures and processes are regularly tested, maintained and updated to ensure they remain effective and support the evolving needs of the University.

3.12 Appropriate insurance coverage is maintained, ensuring it aligns with the University’s risk appetite and represents sound financial value.

3.13 Insurance is placed with reputable insurers who demonstrate strong ratings and financial stability.

Our legal compliance policy principles are:

3.14 We promote awareness and understanding of legal compliance risks across the University to build a culture that emphasises integrity in individual conduct and decision making.

3.15 Legislation and regulatory requirements are understood so that appropriate controls can be identified and appropriate measures put in place to maintain compliance.

3.16 Our processes and procedures reflect current legislative and regulatory requirements and are updated promptly whenever legislative changes impact the University's activities.

3.17 Understanding legal compliance responsibilities is the responsibility of individuals, who remain accountable for meeting their legal obligations.

3.18 The Adelaide University community must report legal compliance matters to the Audit & Compliance team.

3.19 Compliance monitoring must be incorporated into staff day-to-day responsibilities.

4. Definitions used in our policy

Please refer to our Adelaide University Glossary for a full list of our definitions.

Adelaide University community means a broad range of stakeholders who engage with Adelaide University and includes (but is not limited to) all students, staff, and non-staff members of Adelaide University including alumni, honorary title holders, adjuncts, visiting academics, guest lecturers, volunteers, suppliers and partners who are engaging with and contributing to the work of Adelaide University.

Business continuity plan means documented procedures that guide organisations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. 

Controlled entities mean the entities controlled by the University within the meaning of Section 50AA of the Corporations Act 2001 (Cth).  

Critical means a qualitative description used to emphasise the importance of a resource, process or function that must be available and operational constantly or at least at the earliest possible time after an incident, emergency or disaster has occurred. 

Critical business functions mean key business activities and processes that must be restored in the event of a disruption to ensure the ability to protect the organisation’s assets, meet organisational needs, and satisfy regulations. 

Disruption means an incident that interrupts normal business functions, operations, or processes, whether anticipated or unanticipated (e.g. storm, political unrest, blackout, terror attack, earthquake).

Legal compliance means adherence to the laws, legislation and statutory obligations that apply to the University, whether in the form of principal Acts, regulations, legislative instruments or mandated codes and rules.

Material risks mean those that may adversely affect the University's ability to deliver on its statutory objective or to deliver on its broader strategy and business plans. Material risks are risks that have a rating of high or extreme, or have a consequence rating of major or catastrophic (as assessed in accordance with the University Risk Matrix).

Risk appetite means the amount and type of risk that the University is willing to accept or retain in order to achieve its objectives.

Risk management means a general term with broad meaning. In this Policy, risk management refers to the coordinated activities required to direct and control the risks that are relevant to the University. Managing risk is part of the second line roles in the Institute of Internal Auditors' Three Lines Model.

Risk tolerance means the level of risk taking acceptable to the University to achieve a specific objective or manage a category of risk; that is, the readiness to bear the risk after the risk has been treated or controlled.

University risk register means the central repository (database) used to store information about the University's risks.

5. How our policy is governed

Our policy is categorised, approved and owned in line with the governance structure of Adelaide University and the offices and officers listed below.

Policy category: Council

Approving authority: Transition Council / Council

Policy owner: Deputy Vice Chancellor (Corporate)

Responsible officer: Chief Risk Officer

Effective from: 1 January 2026

Review date: [3/4/5 years after date this version is approved, TBC]

Enquiries: Interim Central Policy Unit / [Central Policy Unit], staff.policy.enquiries@adelaideuni.edu.au

Replaced documents: None

6. Legislation and other documents related to our policy

Associated procedures: Risk Management Procedure; Legal Compliance Procedure

Related policy documents: 

Referenced legislation: Adelaide University Act 2023; Higher Education Standards Framework (Threshold Standards) 2021, sections 6.1 and 6.2

External references: ISO 31000:2018 Risk management – Principles and Guidelines; ISO 37301:2021 Compliance management systems – Requirements with guidance for use; ISO 22301:2019 Business Continuity Management Systems; AS/NZS 5050:2010 Business Continuity – Managing disruption-related risk

7. History of changes 

Date approved: [DD Month Year]

To section/clauses: N/A

Description of change: New policy

At the time of writing, Adelaide University’s organisational structure, position titles, and committee names have not been confirmed. Square brackets [ ] indicate placeholders for these details. Brackets are also used to identify policy elements that are subject to further decision-making or confirmation. These will be updated once final decisions are made.