Charles Sturt University

Levels of risk management within the University

The following example illustrates the difference between strategic risks, which include external environmental influences; operational risks at the organisational level; and management-level risks, which impact on the ability to implement strategies. Risk may be short-, medium- or long-term over the life cycle of a project or in relation to corporate planning objectives.

Strategic objective: Ensure the ongoing commitment to the Metropolitan Transport Plan.
Strategic risks: Amendment to strategic transport planning policies alters the emphasis of the plans, changing the nature of impacts on planned transport improvements and in turn changing the type and nature of foreseen imbalances in the transport network.
Management risks: Previously undisclosed asbestos identified on the node worksite causes closure of site, amendment of site safety plan and engagement of suitably qualified contractor. This results in further impacts on project outcomes in terms of cost and schedule.
Operational risks: Contract works to improve the key transport node fall behind schedule causing extended commuter disruption and dissatisfaction.

Whole of Organisation Context

ORM must be carefully planned and managed to ensure that the process produces results that help the organisation to be continually sustainable.

In order for this ORM Framework to be effective, integration with the university's strategy and with the annual planning exercises for all Divisions and Areas is essential. To gain the best results from the Whole of Organisation context, the university will do the following:

a) Initiate communication, consultation and participation

ORM is not just a technical process or methodology, but is, more significantly, a cultural process.  Meaningful participation from the stakeholders and effective collaboration with a wide range of participants is required to manage risks effectively and efficiently.

Communication and consultation are essential in ensuring participation and collaboration.  Therefore, management at all levels should approach the implementation of ORM as an opportunity for cultural change within the organisation.

b) Continue the improvement of the framework and the policy

Risk is a journey upon which all staff should embark.  Once we are sure that our processes are robust and embedded throughout all that we do, we need to look further ahead to enhance our level of ORM maturity.  This includes the realignment of our existing processes with the current standard of risk management.

c) Lead by example, empower staff to assist a change in culture

The ORM process for Risk Assessment has the ability to highlight issues of change.  However, the challenge for managers is to support and encourage ORM by:

  • Acknowledging, rewarding and publicising good ORM practices
  • Creating ownership by trusting and empowering staff to manage risks as prescribed in this framework
  • Ensuring that ORM is a positive experience by making it a safe environment for mistakes to be made, by not focusing on errors
  • Discussing options for avoiding re-occurrence of problems by implementing appropriate controls and treatments
  • Learning from unexpected outcomes

d) Develop and improve tools and reporting

  • Develop documentation that is easily understandable and reduces, where possible, the use of jargon
  • Develop reports that are clear and uncluttered, and that provide clear measures and guidance
  • Develop tools that are efficient and easy to use
  • Develop templates for the Risk Assessment process and redevelop the Risk Register template

e) Train and educate staff

Training provides a common language, which furthers general understanding of ORM in the university. It also provides for better collaboration between divisions and organisational units.

  • Training and education should be provided for all new staff in the form of ORM Induction and on-going in the form of ORM Refresher Training.

Management Context

As a means to link the Whole of Organisation level to the Operational level, Risk Assessments should be completed for each division/office/area Annual Operational Plan prior to, or at the beginning of, the Financial Year. As part of this process, each team will identify the key inputs, processes, stakeholders and outputs to their area.

These Risk Assessments should then be given to the Manager Risk and Assurance, who will create a Management Level oversight report of these risks for presentation to the Finance, Audit and Risk Committee (FARC). This creates the link between Operational, Management and Whole of Organisation levels.

Operational Context

Risk Assessments should be used for all major processes, events and activities at the operational level. These risks and opportunities will be entered into the University's Risk Register and categorised as Operational Risks.

Project or Event-based Context

Most business units, at one time or another, may have the need to complete an ad-hoc project or event. It is important to apply risk and opportunity management processes to these projects or events in the same manner that we do at all of the above levels of the University.


Risk Assessments should also be completed at the inception stage for the project (at the idea stage).  The Risk Assessment, if done correctly, should help inform the Project Team and the University as to whether or not:

  • The Project should continue as the risk level is low
  • The Project has some risks, but can be mitigated through appropriate Treatment actions
  • The Project has too many high level risks and falls outside the University's Risk Appetite.

However, the main difference between the two is that the risk and opportunity management tool may not necessarily be completed by a member of staff.

Example(s) of where a Risk Assessment should be done:

  1. If a contractor is engaged for the provision of a professional service, then the staff member should ensure that, as a minimum standard, a Risk Assessment is supplied prior to the works commencing. The analysis should be closely scrutinised by the Project Team/Manager to ensure that as many as possible of the risks and opportunities have been identified. Any risks that are outlined as High or Very High, and any opportunities that are outlined as High or Outstanding, should be elevated to the appropriate levels of the organisation for a decision to be made as to how they should be managed.
  2. The University would like to construct a new Agricultural Park facility. A builder has won the tender for the construction. The Project Manager/Team will request that an analysis of the risks on the design of the building be supplied by the builder. Assessment of risks during the construction phase of the project should be supplied by the contractor in the form of a formal Risk Assessment, SWMS, other WHS documentation, or a combination of these.

Any Risk Assessment that is completed should be supplied to the Risk Management Advisor and a copy should be filed immediately in HPE Records Manager in the following folder:

17/219  GOVERNANCE AND GENERAL ADMINISTRATION - Risk Management - Plans - 2017 Charles Sturt University Risk Management Plans (Assessments)