Welcome to the University Policy Library.
If you are unable to find what you are looking for please use the 'search' function below.
Delegations of Authority Policy is the key document for who is responsible to exercise a delegation – Note: Policies and procedure documents may not reflect the current delegations. Please refer to the Delegations of Authority Policy to identify who the delegate is.
Resilience Management Framework
Purpose:
The University of Canberra regards effective risk and resilience management as an integral component of the University’s efficient operations. Therefore the University has adopted a consistent and structured approach to identify, assess and manage significant risks and to ensure efficient and effective utilisation of resources, informed decision-making and organisational resilience. The purpose of this Resilience Management Framework (Framework) is to:
The Vice-Chancellor and Council are committed to the implementation and maintenance of a formal resilience management system, including the integration of risk management, throughout all levels of the University. This is fundamental to achieving the University’s strategic and operational objectives, whilst protecting and enhancing the University’s reputation.
In its application of this Framework, the University is committed to:
This Framework applies to the UC Group (i.e. all members of the University of Canberra and controlled entities), unless otherwise agreed. Resilience management is a whole-of-University activity and as such, it is the responsibility of all members of the University community to contribute to the identification, management and reporting of risks. The University is committed to embedding this Framework into its organisational culture, governance and accountability arrangements, planning and reporting and improvement processes.
- provide the foundation to effectively manage risks involved in all University activities to an acceptable level
- ensure risk management processes are embedded consistently across all areas of the organisation
- contribute to strengthening management practices, while protecting our community’s interest, and maintaining trust and confidence
- provide assurance to stakeholders that the University is prepared and able to effectively manage a major or critical incident
- enable the University to embed a systematic and pro-active approach to risk as part of overall University governance.
The Vice-Chancellor and Council are committed to the implementation and maintenance of a formal resilience management system, including the integration of risk management, throughout all levels of the University. This is fundamental to achieving the University’s strategic and operational objectives, whilst protecting and enhancing the University’s reputation.
In its application of this Framework, the University is committed to:
- achieving its business objectives while minimising the impact of significant risks that the University can meaningfully and realistically control;
- the allocation of appropriate resources for the achievement of University business objectives and effective resilience management;
- behaving as a responsible and ethical organisation, protecting staff, students and the broader community from harm and protecting physical property from loss or damage;
- communicating and collaboration with key stakeholders, and providing appropriate training, to enable implementation of policies and procedures;
- deciding the criteria for accepting risks and the acceptable levels of risk;
- establish the right balance between the cost of control and the risks it is willing to accept as part of the environment within which the University operates;
- the promotion of excellence in regard to business management processes, record keeping, performance improvement and monitoring;
- protecting and enhancing the University’s reputation;
- ensuring privacy and confidentiality in accordance with legislative requirements and University policy; and
- conducting management reviews and audits of elements of the framework.
This Framework applies to the UC Group (i.e. all members of the University of Canberra and controlled entities), unless otherwise agreed. Resilience management is a whole-of-University activity and as such, it is the responsibility of all members of the University community to contribute to the identification, management and reporting of risks. The University is committed to embedding this Framework into its organisational culture, governance and accountability arrangements, planning and reporting and improvement processes.
Scope:
The University’s approach to resilience management is based on a holistic organisational-wide model in order to achieve effective governance and assurance. This Framework describes the arrangements of this model, including:
The Framework also identifies five key components that are critical to the successful implementation of resilience management at the University. These are:
- details of the main components resilience management framework;
- an outline of the principles of risk management which should be applied across the UC Group;
- an overview of the roles and responsibilities for managing risk; and
- details of internal and external communication and reporting mechanisms.
The Framework also identifies five key components that are critical to the successful implementation of resilience management at the University. These are:
- risk management
- business continuity management;
- critical incident management;
- emergency management
- IT disaster recovery
- fraud and corruption control
- health and safety.
Principles:
Risk Management
- All organisations face a variety of risks, either from internal or external sources (which may be largely out of the immediate control of the organisation). Risks arise both at the strategic (organisation-wide) level and at the operational (business process) level. The University will maintain processes and procedures to provide a systematic view of the risk faced in the course of its academic, administrative and business activities.
- The University of Canberra Risk Management Plan supports this Policy, detailing the processes and procedures, consistent with Australian and New Zealand Standard AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines.
- The processes described in the Risk Management Plan are to be applied in all the University’s activities to ensure that risks associated with the University’s strategic and operational objectives are identified and effectively integrated with the University’s annual planning processes. Reviews of controls and mitigating strategies that link with University planning objectives will be detailed in the University’s strategic and operational risk registers.
- The administration of the risk management program component of this Framework is the responsibility of the Associate Director, Risk and Audit.
- The University will develop arrangements to prepare staff should a major unplanned and disruptive event occur which impacts the University’s operations. These arrangements will be consistent with the Australian and New Zealand Standard AS/NZS 5050:2010 Business continuity – Managing disruption-related risk and will be documented in the University of Canberra’s Strategic Business Continuity Plan (BCP) and supporting operational BCPs.
- The business continuity plans will enable key management staff to plan and manage both the immediate and longer-term consequence of incidents that impact on the University’s operations.
- The administration of the business continuity management component of this Framework is the responsibility of the Associate Director, Risk and Audit.
- A critical incident is any situation that affects University staff or students' its operations, environment. viability and /or reputation.
- The University will maintain a Critical Incident Management Team (CIMT) to control the University's response and provide executive decisions and strategic directions in relation to planning for and responding to critical incidents. This response will be in accordance with the procedures incorporated in the University's Business Continuity Plan and Critical Incident Management Team Plan.
- The University will develop arrangements and provide training to prepare staff to manage critical incidents should they occur, including critical student related incidents.
- The administration of the critical incident management component of this Framework is the responsibility of the Associate Director, Risk and Audit.
- The University will develop and implement systems and processes for appropriate, effective and speedy responses to, and management of, emergency situations.
- These systems and processes form part of the University’s emergency management system and will be developed in line with Australian Standard AS 3745-2010 – Planning for emergencies in facilities; Building Fire Safety Regulations 2008, and Work Health and Safety ACT 2011.
- The University will aim for best practice in incident management responses and procedures, which will be documented in the University’s Emergency Management Response Plan.
- The administration of the emergency management component of this Framework is the responsibility of the Chief Executive People and Diversity.
- The University will develop a documented process to recovery and protect the University’s IT infrastructure and business systems in the event of an incident.
- The IT Disaster Recovery Plan (DRP) will be a comprehensive statement of consistent actions that are to be undertaken before, during and after an event. These arrangements will be consistent with AS/NZS 5050:2010 Business continuity – Managing disruption-related risk.
- The primary objective of the IT DRP is to minimise the effects on the University including downtime and data loss, in the event that all or part of its operations and/or computer services are rendered unusable. The IT DRP will align with the University’s business continuity arrangements.
- The administration of the IT disaster recovery component of this Framework is the responsibility of the Director, Information Management Technology reporting through the VIce-President Finance and Infrastructure.
- The University will implement fraud and corruption preventative and detective processes to reduce the University’s exposure and vulnerability of fraudulent activity.
- These processes will be documented in the University’s Fraud and Corruption Control Plan and will align with Australian Standard AS 8001-2008 Fraud and Corruption Control. To support this Plan, a fraud risk assessment of the University’s operating environment will be conducted and documented in a fraud risk register. Control measures and treatment strategies will also be documented and reviewed periodically.
- The administration of the fraud and corruption control component of this Framework is the responsibility of the General Counsel and University Secretary.
- The University recognises health and safety as a critical component of the Resilience Management Framework, the requirements for which are managed under the University’s Health and Safety Policy and administered by the Chief Executive People and Diversity.
- The health and safety policy and procedures have been developed in line with the Work Health and Safety Act 2011 and associated regulations.
Responsibilities:
The Framework identifies four levels of key resilience management arrangements at the University:
Reporting Compliance
Under the Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act), the University is required to meet obligations for registered higher education providers in order to retain its accreditation.
Furthermore, the University of Canberra must report on their risk management and internal audit policies and practices in annual reports. The University is required to confirm that it understands, manages and controls key risk exposures and that a responsible body or audit committee verifies the University’s arrangements.
Monitoring and Reporting of Risk Management
The University is expected to report on risk management performance to the Council and Audit and Risk Management Committee. Regular monitoring and review must be a planned part of the risk management process to ensure that:
Systems for reporting and investigating incidents are fundamental to the management of disruptive events and incidents. The University is committed to ensuring appropriate effective reporting and investigation processes exist and are being followed accordingly.
Implementation Officer
The Associate Director, Risk and Audit is responsible for the promulgation and implementation of this procedure. Enquiries about the above process should be directed to the implementation officer by emailing risk.management@canberra.edu.au.
- Council has the overall fiduciary accountability to establish and maintain an appropriate Resilience Management Framework, with support and advice provided by the Audit and Risk Management Committee (ARMC)
- Vice-Chancellor and the Vice-Chancellor’s Group are accountable to the ARMC and Council for implementation of the Framework
- Senior management is responsible for developing and administering programs and systems to address key components of the Framework
- All management and staff, and wider University community, have a responsibility to be “risk aware”. They are required to comply with risk management processes and practices, cooperate with designated University risk management specialists, and identify, assess, manage and report risks and opportunities in day-to-day processes.
Role | Responsibilities |
---|---|
Council |
|
Audit and Risk Management Committee (ARMC) |
|
Vice-Chancellor |
|
Vice-Chancellor’s Group |
Provides advice to the Vice-Chancellor on:
|
Senior Management Group (Executive/Deans/ Directors) |
|
Critical Incident Management Team (CIMT) |
|
Risk and Audit, General Counsel and University Secretary |
|
Vice-President Finance and Infrastructure |
|
Chief Executive People and Diversity |
|
Managers and supervisors |
|
All staff |
|
Reporting Compliance
Under the Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act), the University is required to meet obligations for registered higher education providers in order to retain its accreditation.
Furthermore, the University of Canberra must report on their risk management and internal audit policies and practices in annual reports. The University is required to confirm that it understands, manages and controls key risk exposures and that a responsible body or audit committee verifies the University’s arrangements.
Monitoring and Reporting of Risk Management
The University is expected to report on risk management performance to the Council and Audit and Risk Management Committee. Regular monitoring and review must be a planned part of the risk management process to ensure that:
- supporting plans have been developed, endorsed and implemented as required under this Framework
- staff are aware of their roles and responsibilities in respect to resilience management
- controls are effective and efficient in design and operation
- lessons are learned from events, changes, trends, successes and failures
- changes in the external and internal context, including the risk criteria, are detected and revised
- emerging risks are identified and managed accordingly.
Systems for reporting and investigating incidents are fundamental to the management of disruptive events and incidents. The University is committed to ensuring appropriate effective reporting and investigation processes exist and are being followed accordingly.
Implementation Officer
The Associate Director, Risk and Audit is responsible for the promulgation and implementation of this procedure. Enquiries about the above process should be directed to the implementation officer by emailing risk.management@canberra.edu.au.
Legislation:
The University is required maintain a critical incident policy and procedures to ensure the interests of students (including international students and students under the age of 18) and their families are managed appropriately under the National Code of Practice for Providers of Education and Training to Overseas Students 2018 (National Code 2018).
Supporting Information:
List related documents:
This Framework will be reviewed every three years (or more frequently following a major change to business operations and/or priorities). The Governance unit will work with all areas across the University to ensure that the Framework, embedded policy and associated business processes continue to meet local needs as resilience management matures and improves.
References
- Risk Management Plan
- University Business Continuity Plan and supporting team plans
- Critical Incident Management Team Plan
- IT Disaster Recovery Plan
- Emergency Management Response Plan, policies and procedures
- Fraud and Corruption Control Plan
- Health and safety policies and procedures
- IT Policy Manual.
- Privacy Policy
- Security Policy
This Framework will be reviewed every three years (or more frequently following a major change to business operations and/or priorities). The Governance unit will work with all areas across the University to ensure that the Framework, embedded policy and associated business processes continue to meet local needs as resilience management matures and improves.
References
- Australian and New Zealand Standard AS/NZS ISO 31000:2018 Risk Management - Guidelines
- Australian and New Zealand Standard AS/NZS 5050:2010 Business Continuity – Managing disruption-related risk
- Australian Standard AS 8001-2008 Fraud and Corruption Control
- Australian Standard AS 3745-2010 Planning for emergencies in facilities
- Commerce and Works Directorate, ACT Government (2013) Risk Management Framework and Policy. Australian Capital Territory, Commerce and Works (v 1.0).
- Griffith University (2013) Risk Management Framework. Queensland.
- Griffith University (2014) Risk Management Policy. Queensland.
- University of Sunshine Coast (2013) Enterprise Risk Management and Resilience – Governing Policy. Maroochydore, Queensland.