| Category | Administration and Management |
|---|---|
| Type | Policy |
| Approved by | University Council, 1 December 2008 |
| Date Policy Took Effect | 1 January 2008 |
| Last approved revision | 9 December 2025 |
| Sponsor | Chief Operating Officer |
| Responsible officer | Head, Office of Risk, Assurance and Compliance |
Purpose
This Policy sets out the University’s commitment and approach to risk management. It requires that risk management be embedded in all University activities and decision-making.
The University Council and Senior Leadership Team (SLT) recognise risk management as integral to good governance and effective management practice. By identifying, assessing and managing both opportunities and adverse effects, risk management supports the achievement of the University’s strategic objectives and the continued quality of service to our students and communities.
In particular, this Policy aims to ensure:
- University-wide commitment and accountability for risk management, with clear roles and responsibilities articulated.
- Consistent and coordinated identification, prioritisation, treatment and monitoring of risks across the University.
- A positive risk culture in which staff at all levels understand and actively manage risk as part of their roles.
- A constructive approach to risk that encourages thoughtful innovation, informed risk-taking, and the pursuit of opportunities that advance the University’s Strategy and Vision.
- Integration of risk management into planning, budgeting, project delivery, teaching, research, and day-to-day operations.
- A continuous learning approach to risk management, where incidents are used as learning opportunities to address unmanaged risks.
Organisational scope
This Policy applies to all areas of the University's operations, including its academic, research, administrative, projects, partnerships and commercial activities, and all staff, including contractors, honorary appointments and visitors.
Where more detailed risk management policies or procedures are developed to cover specific areas of the University's operations (e.g. insurance, health and safety, commercial activities), they should comply with the broad directions detailed in this Policy.
Definitions
- Key Risks: The limited set of Organisation-level risks that most materially affect the University’s purpose and objectives. They are the primary focus of oversight by the Senior Leadership Team, Audit and Risk Committee, Council, and relevant sub-committees.
- Risk: The effect of uncertainty on objectives. It is often expressed in terms of a combination of the impact of an event and the associated likelihood of occurrence.
- Risk appetite: The level of risk the University is prepared to accept in the pursuit of its strategic objectives.
- Risk assessment: The overall process of identifying, analysing, and evaluating risks.
- Risk culture: The collective values, beliefs, knowledge, behaviour and understanding regarding risk held by University leaders, managers and staff.
- Risk landscape: The full range of risks that could impact, either positively or negatively, on the ability of the University to achieve its strategic objectives.
- Risk management: Coordinated activities to direct and control an organisation with regard to risk.
- Risk Management Framework: The coordinated set of principles, structures, roles and processes that provide the foundation and arrangements for designing, implementing, monitoring, reviewing and continually improving risk management across the University. It includes the University’s Risk Appetite Statement and Risk Tolerance thresholds.
- Risk Register: A document containing the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. The Register includes fields such as risk titles, descriptions, categories, likelihood, impact, controls and mitigation strategies, agreed risk responses (e.g., accept, avoid, transfer, or treat), owners, and status. The Risk Register facilitates standardised reporting of risks in accordance with the Risk Management Framework.
- Risk tolerance: The acceptable variability, or deviation from the expected level of risk, that the University is prepared to accept to achieve its objectives.
- University: Refers to the University and, for risk oversight purposes, its subsidiaries and the Foundation Trust, to the extent that risks in those entities may materially affect the University’s interests, obligations or objectives.
- University Community: Includes all University of Otago staff members (whether permanent, temporary, full or part time, emeriti or honorary), all members of the Council of the University, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University.
Note: The above definitions are reproduced (in some instances, paraphrased) from the Risk Management Standard AS/NZS ISO 31000:2025.
Content
Principles
The guiding principles of risk management at the University are:
- Integrated and value-adding: Structured and comprehensive risk management creates and protects value and is integral to organisational activity – spanning strategy, planning, decision-making, and operations.
- Dynamic and forward-looking: Risks are reviewed regularly and updated as context changes; the approach anticipates, detects, and responds to emerging and changing risks in an appropriate and timely manner.
- Evidence-informed, inclusive, and transparent: Decisions draw on historic/current data and future expectations, acknowledging uncertainty and limitations. Information is timely, clear, and shared with relevant stakeholders, with open communication that builds shared ownership.
- Ownership, accountability, and exception-led escalation: Named owners are accountable for risks and controls. Breaches of risk tolerance, material changes, and emerging risks are escalated promptly. Periodic targeted reviews on key risks are led by the relevant SLT Risk Owner (or delegate).
- Proportional and appetite-aligned: Responses balance cost and benefit (financial and non-financial), consider opportunities as well as threats, and align to approved risk appetite and tolerances.
- Opportunity-enabled: Risk management supports the identification and responsible pursuit of opportunities that add value, enhance performance, or create positive impact for students, staff, partners, or communities.
- Whakamana i Te Tiriti o Waitangi: The University’s risk processes honour and give effect to Te Tiriti o Waitangi.
- Consistent, systematic, and single source of truth: A common methodology and taxonomy are applied through the Risk Management Framework, supported by a single source of truth and concise, insight-rich reporting that avoids duplication.
- Assurance and continuous improvement: Control effectiveness is monitored; lessons are captured (e.g., through post-implementation reviews), and the risk management practices are periodically improved.
- Capability and resourcing: Appropriate people, skills, tools, and time are maintained so staff, managers and leaders can engage meaningfully in risk management.
Risk Management Framework
- The University adopts a methodology consistent with the Risk Management Standard (AS/NZS ISO 31000:2025) for identifying, assessing, managing and reporting risks. This methodology is the basis of the University of Otago's Risk Management Framework (the “Framework”). It applies to the whole University Community and considers a broad range of strategic, operational, legal and compliance, and environmental risks.
Roles and responsibilities
All members of the University Community have specific accountabilities for risk management:
- The University Council has overall responsibility for risk management and will:
  - Set direction and tone by approving the Risk Management Policy and Framework.
  - Approve the University’s risk appetite statements and tolerance bands.
  - Approve the Key Risks for oversight by the Senior Leadership Team, Audit and Risk Committee, Council, and relevant sub-committees.
  - Receive regular, exception-led enterprise risk reporting on Key Risks, including status against tolerances, material changes, assurance results, and decisions required.
  - Delegate oversight of risk management activities to the Audit and Risk Committee while retaining ultimate accountability.
- The Audit and Risk Committee will:
  - Monitor and oversee the management of Key Risks, seeking assurance that controls and procedures are well-designed and operating, and that remedial actions are implemented where gaps are identified.
  - Report at least quarterly to the Council on risk management and assurance matters.
  - Detailed responsibilities are set out in the Audit and Risk Committee Terms of Reference.
- The Vice-Chancellor is responsible for:
  - Reviewing regular risk reports from senior leaders and seeking assurance on key exposures and controls.
  - Championing culture, ethics, and conduct consistent with University values (as articulated in Kā Mātāpono), and promoting a risk-aware culture.
  - Communicating significant risk issues to the Council and the Audit and Risk Committee as appropriate.
  - Delegating responsibility for ensuring that risk management practices are established and maintained in accordance with this policy to the Chief Operating Officer and Head of Risk, Assurance and Compliance.
- The Chief Operating Officer is responsible for:
  - Implementing and maintaining risk management practices University-wide and providing support and guidance to the University community.
  - Overseeing operational integration of risk management with planning, budgeting, project/change governance, and business continuity.
  - In conjunction with the Head of Risk, Assurance and Compliance, working with teams across the University to ensure clear linkage and traceability between the University’s Key Risks and Divisional Risks.
- Senior Leaders (e.g., DVCs, PVCs, Deans, Heads of Departments, Heads of Faculties, Heads of Schools, Directors) are responsible for:
  - Ensuring compliance with the Risk Management Policy and Framework.
  - Identifying, assessing, disclosing and managing risks and opportunities in their areas of responsibility, consistent with risk appetite and tolerances.
  - In conjunction with the Divisional Service Manager (or delegate), maintaining and updating Divisional risk registers in accordance with the University-wide framework and with clear links to University Key Risks.
  - Taking ownership of risks in their area of responsibility, and designing, implementing and monitoring controls to manage risks.
  - Reporting regularly on risk status, including immediately escalating significant new risks, tolerance breaches, or material incidents.
- The Head of Risk, Assurance and Compliance is responsible for:
  - Maintaining and continuously improving the Risk Management Policy and Framework (including risk appetite and tolerances) and delivering the risk management work programme.
  - Promoting and facilitating the implementation of formal processes to identify, assess, record and communicate risks that may impact on the University.
  - In conjunction with the Chief Operating Officer, working with teams to ensure clear linkage and traceability between the Key Risks and Divisional Risks across the University.
  - Monitoring the enterprise risk landscape, coordinating scanning for emerging risks, and escalating significant or emerging risks as appropriate.
  - Tracking and verifying remediation of significant/emerging risks and issues.
  - Developing clear and concise risk reporting to SLT, Audit and Risk Committee, Council and its sub-committees, to enable robust decision-making processes.
  - Developing a risk-based Internal Audit programme to systematically evaluate and enhance risk management processes.
  - Providing guidance and assistance to senior leaders and staff in fulfilling the responsibilities defined in this policy, including advising senior leaders on risk management and response plans.
- All staff are responsible for:
  - Proactively identifying and reporting risks and issues.
  - Identifying opportunities for improvement, innovation, or enhanced performance as part of normal risk identification.
  - Supporting response plans and control implementation within their roles.
  - Complying with relevant policies, procedures and escalation requirements.
- All other leaders and supervisory staff (i.e., those not specifically identified in (a)–(f) above) are responsible for providing timely, accurate information to risk owners and governance, to enable informed risk recognition, disclosure, and decision-making.
Breaches of the Policy
- Failure to comply with this Policy may result in disciplinary action. All suspected breaches – and any breaches of approved risk tolerances – must be promptly reported and escalated in accordance with the Risk Management Framework.
Policy Review
- This Policy should be reviewed every 2 years, or more frequently where significant changes in applicable guidance or standards necessitate an earlier review.
Related policies, procedures and forms
- Business Continuity Management Policy
- Conflicts of Interest Policy
- Emergency Management Plan
- Emergency Management Policy
- Fraud and Corruption Policy
- Cyber Security Policy
- Health, Safety and Wellbeing Policy
- Privacy Policy
- Risk Management Framework (PDF)
- The Tertiary and International Learners Code of Practice
- Master Disaster Recovery Plan
Contact for further information
If you have any queries regarding the content of this policy or need further clarification, contact:
Head, Office of Risk, Assurance and Compliance
Email: hod.orac@otago.ac.nz