Red X iconGreen tick iconYellow tick icon
Category Administration and Management
Type Policy
Approved by University Council, 1 December 2008
Date Policy Took Effect 1 January 2008
Last approved revision 11 July 2017
Sponsor Chief Operating Officer
Responsible officer Head, Office of Risk, Assurance and Compliance


To outline the University's commitment and approach to risk management; provide direction for the integration of risk management practices across the University; and foster an environment where staff assume responsibility for managing risk.

A structured risk management programme will provide a number of beneficial outcomes by: enhancing strategic planning through the identification of threats to the University's mission; encouraging a pro-active approach to issues likely to impact on the strategic and operational objectives of the University; and improving the quality of decision making by providing structured methods for the exploration of threats, opportunities and resource allocations.

The University's approach to risk management, the risk management process, and risk reporting procedures are detailed in the Risk Management Framework, which supplements this policy.

Organisational scope

This policy applies to all staff and all areas of the University's business including its academic, research, administrative, project and commercial activities.

Where more detailed risk management policies or procedures are developed to cover specific areas of the University's operations (i.e. insurance, health and safety, commercial activities) they should comply with the broad directions detailed in this policy.

The Boards of Related Entities are responsible for establishing their own risk management policy framework and processes and will provide reports on risk to the Vice-Chancellor and the Audit and Risk Committee on request and at the beginning of each calendar year.


Related entity
An organisation that is related to the University through partial or full control/ownership.
An uncertain event or condition that, if it occurs, has a positive or negative effect on objectives. It is often expressed in terms of a combination of the impact of an event and the associated likelihood of occurrence.
Risk appetite
The amount and type of risk that an organisation is willing to pursue or retain.
Risk assessment
The overall process of identifying, analysing, and evaluating risks. It may also be referred to as 'risk profiling' and may involve a qualitative and/or quantitative assessment.
Risk management
Co-ordinated activities to direct and control an organisation with regard to risk.
Risk management framework
The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
Risk register
A document containing the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. The register includes identified risks, descriptions, category, cause, likelihood of occurring, impact on objectives, mitigation strategies, owners, and status. The risk register facilitates standardised reporting of risks within the approved University governance framework.
Risk profile
Description of any set of risks. It is a structured approach to the identification and assessment of risk. The output of the risk identification and assessment process is a completed risk profile i.e. a Risk Register or in a graphical/chart format.

Note: The above definitions are reproduced (in some instances, paraphrased) from the Risk Management Standard AS/NZS ISO 31000:2009.


1. Risk appetite

  1. In pursuing its vision, mission and strategic objectives the University will accept a level of risk proportionate to the expected benefits to be gained, and the impact or likelihood of damage.
  2. The University has a high appetite for risk in the context of:
    1. maintaining its reputation as a research-led university with international reach
    2. promoting critical thinking and intellectual independence.
  3. The University has a low appetite for risk where there is a likelihood of:
    1. significant reputational or financial damage
    2. harm to students, staff, collaborators, partners or visitors
    3. illegal or unethical conduct or outcomes.

2. Risk Management Framework

  1. The University adopts methodology consistent with the Risk Management Standard (AS/NZS ISO 31000:2009) for identifying, assessing and managing risks. This methodology is the basis of the University of Otago's risk management framework. It applies to both academic and service divisions and considers a broad range of operational, governance, quality, academic and financial risk.
  2. The framework ensures a consistent approach by different sections of the University. It also provides a structure for:
    1. communicating, mitigating and escalating risks, and
    2. incorporating risk management principles and objectives into strategic, operational and resource planning activities.
  3. As part of the framework the University shall carry out an ongoing programme of risk assessments across the University. The assessments are undertaken at operational and corporate levels on a quarterly basis and involve:
    1. an assessment of the extent, impact and likelihood of risk, and
    2. the development of risk mitigation strategies to address risk.

3. Responsibility for risk management

  1. The University Council has overall responsibility for risk management and in exercising this function delegates:
    1. responsibility for oversight of risk management activities to its Audit and Risk Committee, and
    2. responsibility for the implementation of the risk management framework to the Vice-Chancellor.
  2. The Audit and Risk Committee will:
    1. provide oversight to risk management activities across the University and its related entities and monitor the implementation of remedial actions to minimise or eliminate adverse risk, and
    2. report at least quarterly to the Council on the performance of risk management activities (this may form part of a broader report on the work of the Committee).
  3. The Vice-Chancellor is responsible for:
    1. communicating significant risk issues to the Council and the Audit and Risk Committee as appropriate, and
    2. delegates responsibility for ensuring that risk management practices are established and maintained in accordance with this policy to the Chief Operating Officer.
  4. The Chief Operating Officer has:
    1. delegated authority to ensure that risk management practices are established and maintained and that support and guidance is provided to the University community,
    2. responsibility for the operational management of risk management practices University-wide, and
    3. ensures governance mechanisms effectively monitor risks and the way in which they are managed.
  5. Senior Managers ( DVC s, PVC s, Deans, Head of Departments, Directors) are responsible for:
    1. Recognition and disclosure of risks in their areas of responsibility.
    2. Maintaining and updating a Divisional risk register in accordance with University wide framework and risk management systems.
    3. Reporting regularly to the Vice-Chancellor on risk – immediately in instances where a significant new risk is identified.
    4. Ensuring that all major proposals (involving significant financial or reputational risk for example) submitted to the Council or any of its Committees for endorsement, indicate if a risk assessment has been undertaken (and if so whether contingency plans have been developed for any significant risk issues identified).
    5. Implementation of this policy within their respective areas of responsibility, specifically:
      1. quarterly updates of Risk Registers,
      2. undertaking risk assessments for all major commercial ventures, research and teaching initiatives, investment/ borrowing schemes and capital projects, and
      3. making training opportunities in risk management available to staff as appropriate to their position and role.
    6. Specific responsibilities include:
      1. PVC s/ DVC s: Risks associated with Faculty-specific academic and research matters, strategic relationships and structural matters.
      2. Chief Financial Officer: Financial risks and providing high quality financial information to those such as PVC s, DVC s, COO , HODs and Directors who are responsible for assessing risks in particular contexts.
      3. Director of Human Resources: Risks associated with employment and payroll.
      4. Director of Property Services: Risks associated with the University's insurance portfolio, plant and buildings, maintenance and use of rooms and physical resources.
      5. Director of ITS : Risks associated with information and communications technology, core ICT infrastructure, information systems, and ITS related security.
      6. Director of Health, Safety and Wellbeing: Risks associated with Health and Safety of staff, students, visitors and contractors as well as risks associated with biological, chemical, animal welfare and radiation compliance.
  6. The Director of Risk, Assurance and Compliance is responsible for:
    1. promoting and facilitating the implementation of formal processes to identify, assess, record and communicate operational and strategic risks that may impact on the University,
    2. the ongoing development of the corporate risk profile for the University,
    3. continuously monitoring action undertaken by the University to address significant risk issues, and
    4. providing guidance and assistance to senior management and staff in fulfilling the responsibilities defined in this policy.
  7. All other management and supervisory staff are accountable for the timely and proactive provision of information to all those mentioned in (a) to (f) above which will allow those responsible for recognizing and disclosing risk in particular areas to carry out their tasks in the most informed manner possible.

Related policies, procedures and forms

Contact for further information

If you have any queries regarding the content of this policy or need further clarification, contact:

Mark Cartwright
Head, Office of Risk, Assurance and Compliance

Back to top