1. The purpose of our procedure
Our procedure sets out a consistent methodology for identifying, assessing, managing and monitoring risk across Adelaide University.
Please read this procedure in conjunction with the [Risk Management and Legal Compliance Policy].
2. Who our procedure applies to
This procedure applies to all members of the Adelaide University community and its controlled entities.
[Controlled entities must either adopt this procedure or use it as a basis to adopt a similar procedure, demonstrating to Adelaide University’s reasonable satisfaction that they have an equivalent and satisfactory approach to risk management that is fit for purpose for the controlled entity].
3. Responsibilities under this procedure
3.1 Adelaide University Council (Council) and its sub-committees are required to:
- provide overall governance and oversight of risk management
- set Adelaide University’s risk appetite.
3.2 Executive Leadership is required to:
- implement Council’s [Risk Management and Legal Compliance Policy] and ensure Adelaide University is following good practices
- allocate sufficient resources for risk management
- report regularly to Council and Adelaide University’s Audit and Risk Committee on risk-related matters.
3.3 Chief Risk Officer is required to:
- ensure risk management activities align with sector standards and regulatory expectations
- drive consistent application of the [Risk Management and Legal Compliance Policy] and [Risk Management Procedure].
3.4 Managers are required to:
- identify risks specific to their area and implement strategies outlined by senior management
- monitor operational risk and take immediate action when required.
3.5 Adelaide University community is required to:
- follow risk management policies and procedures
- be vigilant and report potential risks encountered in the course of Adelaide University business
- follow day-to-day operational practices to mitigate risks.
4. Our Risk Management procedure
4.1 How we identify risk
- Adelaide University identifies risk by analysing its operating environment to establish context and identify potential risks that could impact the achievement of its objectives.
- A comprehensive Adelaide University risk register is maintained to record identified risks across categories.
4.2 Our risk assessment process
- Adelaide University assesses risks using its risk matrix to determine inherent, residual and target risk ratings.
- Risks are assessed against Adelaide University’s risk appetite statement to determine the appropriate response.
- Each risk is assigned to an officer with the responsibility and expertise to manage it effectively.
- Risks beyond the decision-making authority of the risk owner are escalated to senior management or the appropriate governance body for resolution.
- Regular risk assessments are conducted within each area and the Adelaide University risk register is updated accordingly.
4.3 Our risk mitigation approach
- Adelaide University implements actions to reduce the likelihood or consequence of identified risks, and eliminates risks where possible.
- The University develops and regularly tests business continuity plans, disaster recovery plans and emergency management procedures for critical systems and processes.
- Staff are trained, roles are clearly defined, and response protocols are regularly tested to ensure swift and effective responses to incidents.
- The University regularly reviews its insurance program to ensure it provides appropriate coverage for assets, people and operations, and aligns with the University’s risk appetite.
4.4 Our risk monitoring and review approach
- The University monitors risks continuously and reviews mitigation strategies to ensure they remain effective in a changing external and operating environment.
- Regular meetings are held to review risks, discuss emerging threats and update the risk register; enterprise risks are reviewed at least quarterly.
- Senior leadership and governance bodies receive regular reports on the status of key risks, mitigation efforts and emerging threats; the University Enterprise Risk Profile is reviewed against the University’s risk appetite.
- Regular internal and external audits are conducted to assess the effectiveness of internal controls and compliance.
4.5 How we communicate and consult throughout the risk management process
- Relevant stakeholders are informed throughout all stages of identifying, assessing and managing risks.
- Communications plans are developed and implemented for specific risks where required.
- Existing guidelines for specific risk categories are referred to, where applicable.
- Regular risk training is delivered for staff, faculty, and students—for example, risk management fundamentals, fire safety drills, cybersecurity training and crisis communication.
4.6 Our documentation and record keeping approach
- All risk management activities must be documented, and clear records must be maintained to ensure accountability.
- The risk register must be kept up to date with all identified risks, their assessments, and corresponding mitigation actions.
- Risk mitigation action plans must be documented and their completion and effectiveness actively tracked.
4.7 Key risk management roles
- Risk Owners are responsible for monitoring specific risks, implementing mitigation strategies, and reporting on risk status.
- Risk Coordinators provide support to risk owners to ensure risk processes are implemented effectively.
- Control Owners are responsible for maintaining and monitoring controls to ensure they function properly.
- Treatment Owners oversee the planning, execution, and monitoring of risk treatment strategies (i.e. actions to reduce, eliminate, or control risks).
4.8 Our continuous improvement strategies
- Risk management procedures are continually improved to address emerging risks and enhance the effectiveness of mitigation strategies.
- Post-incident reviews are conducted to evaluate the effectiveness of existing controls and responses, and to identify opportunities for improvement.
- Lessons learned from scenarios, exercises, and incidents are documented; policies, procedures, and training are updated accordingly.
- Risk management procedures are benchmarked against industry standards and best practices.
- Other relevant circumstances that may inform ongoing improvements to risk management practices are considered as part of continuous improvement.
4.9 How risk is managed in controlled entities
- Controlled entities are required to manage risk locally.
- Each controlled entity must assess its risk profile and report it annually to [Adelaide University’s Audit and Risk Committee].
4.10 Existing or externally required risk assessments
- Risk assessments are not required where activities are already governed by an existing internal or externally imposed risk management process.
- Staff must document each risk assessment and store it in an approved records management system to ensure it is readily available upon request.
5. Definitions used in our procedure
Please refer to our Adelaide University glossary for a full list of our definitions.
Adelaide University community means a broad range of stakeholders who engage with Adelaide University and includes (but is not limited to) all students, staff, and non-staff members of Adelaide University including alumni, honorary title holders, adjuncts, visiting academics, guest lecturers, volunteers, suppliers and partners who are engaging with and contributing to the work of Adelaide University.
Business continuity plan means documented procedures that guide organisations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.
Controlled entities means the entities controlled by Adelaide University within the meaning of Section 50AA of the Corporations Act 2001 (Cth).
Critical means a qualitative description used to emphasise the importance of a resource, process or function that must be available and operational constantly or at least at the earliest possible time after an incident, emergency or disaster has occurred.
Risk appetite means the amount and type of risk that Adelaide University is willing to accept or retain in order to achieve its objectives.
Risk management means a general term with broad meaning. In this Procedure, risk management refers to the coordinated activities required to direct and control the risks that are relevant to Adelaide University.
University risk register means the central repository / database used to store information about Adelaide University’s risks.
6. How our procedure is governed
This procedure is categorised, approved and owned in line with the governance structure of Adelaide University and the offices and officers listed below.
Parent policy | [Risk Management and Legal Compliance Policy] |
Policy category | Council |
Approving authority | Transition Council/Council |
Policy owner | Deputy Vice Chancellor (Corporate) |
Responsible officer | Chief Risk Officer |
Effective from | 1 January 2026 |
Review date | [3/4/5 years after date this version is approved, TBC] |
Enquiries | Interim Central Policy Unit/[Central Policy Unit] |
Replaced documents | None |
7. Legislation and other documents related to this procedure
Category | Documents |
Associated procedures | [Legal Compliance Procedure]; [Incident Management Procedure] |
Related policy documents | [Risk Management and Legal Compliance Policy] |
Referenced legislation | Adelaide University Act 2023 |
External references | ISO 31000:2018 Risk management – Principles and Guidelines; ISO 37301:2021 Compliance management systems – Requirements with guidance for use; ISO 22301:2019 Business Continuity Management Systems; AS/NZS 5050:2010 Business Continuity – Managing disruption-related risk |
8. History of changes
Date approved | To section/clauses | Description of change |
DD Month Year | N/A | New procedure |
At the time of writing, Adelaide University’s organisational structure, position titles, and committee names have not been confirmed. Square brackets [ ] indicate placeholders for these details. Brackets are also used to identify policy elements that are subject to further decision-making or confirmation. These will be updated once final decisions are made.