University of Technology Sydney UTS: Rules, Policy and Legislation

The information in this site is maintained by Governance Support Unit

Risk Management Policy






1. Purpose

1.1 The Risk Management Policy (the policy) and the Risk Management Procedures (PDF, staff only) (the procedures) outline the university’s strategy, objectives and approach to managing its business risks by:

  • establishing the principles by which UTS will identify, assess and manage risk
  • establishing the framework to embed risk management into UTS business processes and functions
  • enhancing the university’s ability to seize opportunities while understanding, managing and reducing the impact of business risks to a practical level within the university’s risk appetite
  • aligning risk management with the university’s strategic objectives and corporate plan
  • promoting a risk-aware culture
  • protecting and enhancing the university’s assets and reputation
  • contributing to more efficient use and allocation of resources within UTS
  • encouraging proactive rather than reactive management
  • strengthening decision making, prioritisation and planning, and
  • assigning accountability and responsibility for risk within UTS.

2. Scope

2.1 This policy applies to:

  • the university, its staff, emeritus professors, honorary appointees and contractors, and
  • all activities conducted by or on behalf of UTS.

3. Principles

3.1 Risk management is recognised as an essential governance arrangement and supports the achievement of the university’s strategic objectives.

3.2 This policy has been adopted by UTS in recognition that:

  • the effective management of risk is vital to the continued growth and success of UTS
  • the risks inherent in the university’s operating environment need to be considered and managed in an informed way
  • by understanding and managing risk, UTS provides greater certainty and confidence to all stakeholders
  • explicit and effective risk management is a source of insight and competitive advantage, and
  • risk arises in many forms and can have positive or negative impacts on the university’s ability to achieve its strategic objectives.

3.3 UTS is committed to well-managed risk taking in pursuit of its strategic objectives within the boundaries defined in the UTS Risk Appetite Statement.

4. Policy statements

Risk management framework

4.1 The university has adopted the risk management framework (the framework) set out in figure 1 below.

4.2 The framework clarifies the relationship between the principles guiding risk management (defined in section 3 above) and the university’s processes for assessing and managing risk (as outlined in the procedures) by building and encouraging the implementation of risk management activities into the university’s:

  • business as usual activities and processes
  • operational, strategic and planning activities, and
  • project activities (including research).

Figure 1. Risk management framework and process


4.3 This framework is designed to:

  • identify potential risk impacts that could affect UTS
  • enable the consistent management of risk within a defined risk appetite
  • identify the potential opportunity impacts within projects to provide a balanced view for decision making purposes, and
  • provide reasonable assurance on the achievement of strategic objectives.

4.4 All UTS business processes and functions will adopt a risk management approach in line with the framework and the procedures.

4.5 The risk management framework is consistent with the International Standard (ISO 31000:2018, Risk management — Guidelines).

4.6 Performance and a commitment to risk management will form part of the annual performance and review process for key management positions.

UTS strategy — risk inputs

4.7 The Deputy Vice-Chancellor (Resources) is responsible for analysing and reporting on the wide range of internal and external risks that could impact UTS, focusing on global, international, regional, country and sector-specific themes.

4.8 This risk analysis will be used to inform the development of the university’s long-term strategy and its supporting assumptions.

UTS risk appetite

4.9 The university’s risk appetite defines the level of risk that UTS is prepared to accept in pursuit of its objectives to guide leaders in their management of strategic and enterprise risks (before any risk reduction activity is deemed necessary).

4.10 The Deputy Vice-Chancellor (Resources), in consultation with the senior executive, will establish the UTS risk appetite as it relates to the strategic objectives on an annual basis.

4.11 Risk appetite statements will be drafted using the template provided in appendix 3 of the procedures and will be articulated in three parts:

  • risks for which there is no appetite
  • risks UTS is willing to manage
  • risks UTS is willing to take.

4.12 These statements will be subject to bi-annual monitoring and reporting to the senior executive to check whether risks taken are in line with the appetite articulated.

4.13 The university’s risk appetite will be reflected in the consequence and likelihood tables (refer to appendices 4, 4A, 4B and 4C within the procedures), which each faculty, unit and division will utilise within their own risk assessment processes.

4.14 The university’s risk appetite will also inform review and application of the delegations.

Identifying, analysing, evaluating and treating risk

4.15 All faculties and business units will follow the approach for identifying, analysing, evaluating and treating risks as set out in the procedures.

UTS risk universe

4.16 The risk universe will be utilised to inform the risk assurance mapping exercise and considered as part of Internal Audit planning activities annually.

4.17 The Deputy Vice-Chancellor (Resources) and the Director of Risk are responsible for the development and maintenance of the UTS risk universe based on:

  • a consideration of all the risk and opportunity assessments completed within the framework as outlined in this policy and the associated procedures
  • a wide range of external and internal reports to identify emerging or new risks
  • information publicly available on emerging and key risks in the university sector both domestically and internationally, and
  • engaging external consultancy as appropriate to horizon scan for emerging or developing risks.

4.18 The risk universe will be reviewed and revised on an annual basis, with engagement from senior executive, and the revised risk universe data will be updated within RiskConnect.

Risk management framework monitoring, review and improvement

4.19 The Deputy Vice-Chancellor (Resources) and Director of Risk will, in consultation with senior executive, undertake an annual review of the framework in order to identify any required operational changes, regulatory changes, risk management standards amendments and other improvements.

4.20 The Audit and Risk Committee will be informed of any updates or changes to the framework resulting from this exercise in accordance with the Audit and Risk Committee Charter (PDF).

Reporting requirements

4.21 All staff must report risks in accordance with this policy, the framework and the procedures.

4.22 The Deputy Vice-Chancellor (Resources) and Director of Risk must report to the Audit and Risk Committee in accordance with the Audit and Risk Committee Charter.

5. Policy ownership and support

A list of the following:

5.1 Policy owner: The Deputy Vice-Chancellor (Resources) has primary oversight of the operation of this policy and is responsible for approving the Risk Management Procedures (procedures) and other documents to support its implementation. The Deputy Vice-Chancellor (Resources) is also responsible for:

  • overall risk management and compliance across the university
  • committing to, providing and overseeing the allocation of resources to enable effective risk management
  • raising risk management issues with the senior executives where appropriate, and
  • reporting to the Audit and Risk Committee on key risks and risk management generally.

5.2 Policy contact: The Director of Risk is responsible for the implementation of the framework and acts as the primary point of contact for advice on implementing its provisions including:

  • the general administration of this policy
  • establishing, maintaining and facilitating the embedding of the framework across the university
  • providing training across UTS on applying the framework, and facilitating discussions and solutions on areas of risk uncertainty across the university
  • reporting key risks to the senior executive and the Audit and Risk Committee
  • advising senior executive on emerging or significant risk exposures and on the risk management culture across the university.

Other responsibilities

5.3 UTS Council retains responsibility for the management of risk at UTS, on advice from the Audit and Risk Committee, the Vice-Chancellor and other committees of Council within their terms of reference. More specifically Council will:

  • assess and approve this policy
  • monitor key risks and, where applicable, approve major decisions affecting the university’s risk exposure, and
  • approve the risk appetite settings for UTS on advice from the Vice-Chancellor.

5.4 The Audit and Risk Committee assists Council by:

  • reviewing and reporting to Council on the framework, including the ongoing risk management program, policies and procedures, regular auditing and remedial action in areas of weakness, and
  • evaluating the adequacy and effectiveness of the monitoring and reporting and control systems associated with financial, strategic and operational risk management in accordance with its Charter.

5.5 The Vice-Chancellor is responsible for the assignment of responsibilities in relation to risk management (via the Deputy Vice-Chancellor (Resources)) and:

  • providing timely and adequate information to Council on the status of the university’s key risks
  • proposing, in consultation with senior executive, the tolerance of the university in accepting certain risks (ie risk appetite), and
  • the risk management culture across the university.

5.6 The Provost is responsible for:

  • promoting a responsible risk management culture across their portfolio and all academic units of the university, and
  • receiving and acting on reports of risk management issues from faculties and schools.

5.7 Deputy vice-chancellors, deans and directors are responsible for:

  • overseeing the operation of this policy and the supporting procedures within their areas of responsibility
  • promoting a responsible risk management culture within their areas of responsibility, including building awareness of the framework and ensuring compliance with this policy and the supporting procedures
  • the management of risk within their areas of responsibility, including the identification of strategic and operational risks and actions that mitigate these risks, and
  • meeting reporting requirements set out in the supporting risk management procedures or as otherwise required.

5.8 Associate deans, heads of school, supervisors and managers (including project and contract managers) are expected to:

  • understand the risk management framework in place at UTS
  • adopt a risk-based approach in their management
  • lead by example in their risk management behaviour in the workplace, and
  • ensure risk assessments are conducted for all key risks in their area, and mitigated within their control or appropriately escalated.

5.9 The Director, Internal Audit is responsible for:

  • validating the effectiveness of the risk management framework
  • providing assurance over the control environment managing critical and high risks within the university’s risk universe, and
  • maintaining and reporting on the UTS assurance map, highlighting any significant gaps in coverage or over review to relevant stakeholders.

5.10 The Director, Human Resources is responsible for:

  • developing and administering policy and strategy for managing health and safety risks across the university, and for overseeing the development and implementation of the safety management system
  • ensuring the requirements for risk management responsibilities are appropriately reflected in position descriptions, contracts of employment and performance management systems.

5.11 All staff, contractors and affiliates are responsible for:

  • understanding the risk management framework in place at UTS
  • identifying, assessing and managing risks in their activities in line with this policy and supporting procedures, and
  • reporting and escalating to their manager (or direct report) any significant identified risk that is not addressed to date.

6. Definitions

These definitions apply for this policy and all associated procedures. These are presented in addition to the definitions outlined in Schedule 1, Student Rules.

Opportunity (or opportunities) means a favourable uncertain beneficial event, return, outcome or condition.

Risk is the effect (both positive and negative) of uncertainty on objectives as defined by the ISO 31000:2018, Risk management — Guidelines.

Risk analysis is a process undertaken to understand the nature of a risk and to determine the level of risk (including the risk’s probability and possible consequences).

Risk appetite is the level of risk that UTS is prepared to accept in pursuit of its objectives and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings.

Risk assessment means the overall process of risk identification, risk analysis and risk evaluation.

Risk assurance map is a visual representation of assurance activities to demonstrate breadth and depth of assurance coverage across the risk universe and associated processes at UTS.

RiskConnect is the software used to complete risk assessments and manage the actions to mitigate risks or address internal audit recommendations.

Risk identification means the process of finding, recognising and describing risks.

Risk management means the principles, framework and processes in place to manage risk effectively.

Risk management framework means the set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management at UTS.

Risk management process means the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk universe means all the risks that UTS faces or might face.

Approval information

Policy contact: Director, Risk
Approval authority: Council
Review date: 2021
Version: 1.0
File number: UR18/783
Superseded documents: Risk Management Policy 2011 (UR03/154)

Version history

Version 1.0
  • Approved by: Council (COU 18-2/28)
  • Approval date: 18 April 2018
  • Effective date: 22 May 2018
  • Sections modified: New policy.

PDF version

Risk Management Policy (PDF)


Audit and Risk Committee Charter (PDF)

Business continuity plans

Commercial Activities Policy


Emergency management plan

Fraud and Corruption Prevention and Public Interest Disclosures Policy

Health and Safety Policy

Offshore Policy

Records Management Policy

Risk Management Procedures (PDF, staff only)

External references

International Organisation for Standardisation:

Audit Office of NSW:

NSW Treasury policy guidelines:

Universities Australia: