RISK MANAGEMENT PROCESS

1. OVERVIEW
Risk management is no longer special or optional: it is a necessary consideration each time we make a
decision – whether to develop a relationship, start a project or hold an event. It is required for good quality
outcomes. We must constructively align our activities and decision-making with objectives and outcomes that
help us reach our strategic goals or successfully execute our operational plans. This is risk management. To
manage risk we apply the standard in the way described here. It takes into account the unique and special
environments in which we work.

The risk management steps include:

Step 1: Establish the context:

• Define the scope of enquiry/objectives: ie
what activity, decision, project, program,
Establish the context issue requires analysis
• Identify relevant stakeholders/areas
involved or impacted
• Internal and/or external environment/
factors

Risk Assessment

Step 2: Identify the risk:

Identify / assess
• What could happen?
Risk identification • How and where it could happen?
• Why it could happen?
Communication and consultation

• What is the impact or potential impact?

Monitoring and Review

Step 3: Analyse the risk:

• Identify the causes, contributing factors
Risk analysis and actual or potential consequences
• Identify existing or current controls
• Assess the likelihood & impact/
consequence to determine the risk rating

Step 4: Evaluate the risk:

• Is the risk acceptable or unacceptable?
Risk evaluation • Does the risk need treatment or further
action?
• Do the opportunities outweigh the threats?

Step 5: Treat the risk:

• If existing controls are inadequate
Risk treatment identify further treatment options
• Devise a treatment plan
• Seek endorsement & support for
treatment
• Determine the residual risk rating once
the risk is treated

Communicate & consult: at all stages of the process Monitor & review: continually check
• Ensure those responsible for managing risk, and those • Effectiveness of risk controls and/or treatments
with vested interests, understand the basis on which • Changes in context or circumstances, and
decisions are made, why particular treatment options • Document & report this activity accordingly
are selected or why risks are accepted/tolerated

Page 1
2. Step 1: Establish the context
Establish the context by identifying the objectives of the activity, project, event or relationship and
then consider the internal and external parameters within which the risk must be managed.

The risk management process applies equally to risks that arise at an enterprise wide or strategic level, at an
operational or day-to-day business level or for new partnerships, projects and new initiatives.

Any proposed partnership, project or initiative should actively consider risk and document the assessment
formally. It is recognised that specific and ‘fit for purpose’ processes may be established to assess and
manage the specific risks of an individual project or initiative but that further risk management work is
required when the project moves to an operational level.

Identify the purpose and objectives right at the beginning; focus on this at the outset of the risk assessment
to avoid being overwhelmed by details and data.

The Process:
• Set the scope for the risk assessment by identifying what you are assessing – is it a new activity,
partnership, program, project or perhaps an event?

• Define the broad objectives. Identify the reason for the risk assessment – perhaps a change in law, a
request from an external auditor or regulator, an operational change or review.

• Identify the relevant stakeholders. Aim for an appropriately inclusive process from the outset: be sure
to identify the areas that are, or might be, impacted and seek their input. Make sure that appropriate
delegations are being exercised even at this early stage.

• Gather background information. Having proper information is important. Ask the right people and
identify the information that is available. Sometimes it is useful to identify information that is not available
(immediately) but may be necessary. Consider:
• Strategic & business plans
• Personal experience (of staff, students, others)
• Corporate knowledge & ‘institutional memory’
• Previous event investigations or reports
• Previous activities / visits – were there any issues that arose
• Surveys, questionnaires and checklists
• Insurance claim reports
• Local or international experience
• Expert judgment (internal University expertise &/or external expertise)
• Structured interviews
• Focus group discussion
• Historical records

Where possible, consider both the strategic context and operational context, so that a complete picture is
obtained.

Establishing the context sets the framework within which the risk assessment should be undertaken, ensures
the reasons for carrying out the risk assessment are clearly known, and provides the backdrop of
circumstances against which risks can be identified and assessed.

The next three steps – Identify the risk, Analyse the risk and Evaluate the risk - form the Risk Assessment phase of the of the risk
management process.

Page 2
3. Step 2: Identify the risk
Identify the risks that might have an impact on the objectives of the University or relevant Faculty,
School, Branch, area or entity or the activity.

Identify sources of the risk, areas of impact, events (including changes in circumstances) and their causes and
potential consequences. Describe those factors that might create, enhance, prevent, degrade, accelerate or
delay the achievement of your objectives. Aim also to identify the issues associated with not pursuing an
opportunity; that is, the risk of doing nothing and missing an opportunity.

Risk identification
In identifying the risk, consider these kinds of questions:
Involves identifying sources
of risk, areas of impact,
• What could happen: what might go wrong, or what might prevent the events and their causes and
achievement of the relevant goals or targets? What events or consequences.
occurrences could threaten the intended outcomes?

• How could it happen: is the risk likely to occur at all or happen again? If so, what could cause the
risk event to recur or contribute to it happening again?

• Where could it happen: is the risk likely to occur anywhere or in any environment/place? Or is it a
risk that is dependent on the location, physical area or activity?

• Why might it happen: what factors would need to be present for the risk to happen or occur again?
Understanding why a risk might occur or be repeated is important if the risk is to be managed.

• What might be the impact: if the risk were to eventuate, what impact or consequences would or
might this have? Will the impact be felt locally or will it impact on the whole University? Areas of impact
to consider include: education or research program/activity; human impact; service delivery; financial
consequences; compromise to legal or contract compliance; and adverse impact on brand and
reputation for failure to meet or achieve our strategic objectives.

• Who does or can influence this partnership, program, project or event? How much is within
the University’s control or influence? Make sure that those with delegations, control, influence,
resources and budgets are at least informed if not actively involved. This becomes more important
when considering the treatments for the risk (see below).

Wherever possible, provide quantitative and/or qualitative data to assist in describing the risk or to support the
risk rating. Sources of information may include past records, past activities & experiences, staff expertise,
industry practice, literature and expert opinion.

Page 3
4. Step 3: Analyse the risk
Develop a detailed understanding of the risk.

Once the risk has been identified and the context, causes, contributing factors and consequences have been
described, look at the strengths and weaknesses of existing systems and processes designed to help control
the risk. Knowing what controls are already in place, and whether they are effective, helps to identify what - if
any - further action is needed.

Process:
• Identify the existing controls – determine what controls are already in
Controls do not always
place to mitigate the impact of the risk. Controls are those systems,
require something
processes or procedures designed to stop things going wrong. Controls
special
may be strong or weak; they can be measureable and repeatable.
Controls may include legislation, policies or procedures, staff training,
Often, controls are already
segregation of duties, personal protective measures and equipment, present as a natural part
and structural or physical barriers (e.g. setting up IT firewalls or guards of the management of an
around machinery). issue or area, or can be
embedded into normal
• Once the controls have been identified, and their effectiveness management practices.
analysed, an assessment is made of the likelihood of the risk occurring
and the consequence if the risk were to occur. This produces an Example: Having a
accurate, albeit subjective, assessment of the level of risk - or risk rating supervisor in a student lab
- and helps in the next step to determine whether risks are acceptable session, having procedures
in place and ensuring
or need further treatment.
students have adequate
instruction on safety
• Assess the likelihood – the likelihood of the risk occurring is described issues, are all controls to
as rare, unlikely, possible, likely, or almost certain to occur. minimise the risk
associated with laboratory
hazards.
• Assess the consequence – the consequences or potential impact if
the risk event occurred are described as insignificant, minor, moderate,
major or extreme.

• The assessment of likelihood and consequence is mostly subjective, but can be informed by data or
information collected, audits, inspections, personal experience, corporate knowledge or institutional
memory of previous events, insurance claims, surveys and a range of other available internal and
external information.

• Rate the level of risk: use the University Risk Matrix to assess the likelihood and consequence levels;
the risk matrix then determines whether the risk rating is low, medium, high or extreme. The University
Risk Matrix also identifies the management action required for the various risk ratings.

Page 4
5. Step 4: Evaluate the risk
Decide whether the risk is acceptable or unacceptable. Use your understanding of the risk to make
decisions about future actions.

Decisions about future actions may include:

• not to undertake or proceed with the event, activity, project or initiative
• actively treat the risk
• prioritising the actions needed, if the risk is complex and treatment is required
• accepting the risk

Whether a risk is acceptable or unacceptable relates to a willingness to tolerate

Risk attitude
the risk; that is, the willingness to bear the risk after it is treated in order to achieve
the desired objectives. An organisation’s approach
to assess and eventually
The attitude, appetite and tolerance for risk is likely to vary over time, across the pursue, retain, take or turn
University as a whole and for individual Faculties, Schools, Divisions, Branches away from risk
and Controlled Entities.
Risk appetite
A risk may be acceptable or tolerable in the following circumstances:
• No treatment is available The amount and type of risk
• Treatment costs are prohibitive (particularly relevant with lower ranked that an organisation is
willing to pursue or retain
risks)
• The level of risk is low and does not warrant using resources to treat it
• The opportunities involved significantly outweigh the threats Risk tolerance

A risk is regarded as acceptable or tolerable if the decision has been made not to An organisation’s or
treat it (in accordance with the next step, Step 5 ‘Treating the risk’). stakeholder’s readiness to
bear the risk after risk
treatment in order to
It is important to remember that regarding a risk as acceptable or tolerable does
achieve its objectives
not imply that the risk is insignificant.

Risks that are considered acceptable or tolerable risks may still need to be
monitored.

When conducting a risk assessment, there are generally lots of potential consequences identified. This is not
necessarily a problem as a number of these can be addressed by the risk treatments, or they may not need
any specific action.

The previous three steps described – Identify the risk, Analyse the risk and Evaluate the risk - form the Risk
Assessment phase of the risk management process.

Page 5
6. Step 5: Treat the risk
Ensure that effective strategies are in place to minimise the frequency and severity of the identified
risk. Develop actions and implement treatments that aim to control the risk.

Once the risk assessment phase is complete, identify the options for treatment if there are any; otherwise
tolerate the risk. Where options for treatment are available and appropriate, record those treatment options as
part of the risk treatment plan.

Treatment options not applied to the source or root cause of a risk are likely to be
Risk treatment
ineffective and promote a false belief within the organisation that the risk is controlled. The process taken to
modify the risk
Process:
• Decide if specific treatment is necessary or whether the risk can be adequately treated in the course
of standard management procedures and activities; that is, embed the treatment into day-to-day
practices or processes. In assessing what treatments could be implemented, it is useful to consider
ways in which standard practices already serve as a control, or ways in which those standard practices
could be modified to adequately control the risk.
• Work out what kind of treatment is desirable for this risk – determine what the goal is in treating
this particular risk; is it to avoid it completely, reduce the likelihood or consequence, transfer the risk
(to someone else such as an insurer or contractor) or accept the level of risk based on existing
information? The type of risk treatment chosen will often depend on the nature of the risk and the
tolerance for that risk.
• Identify and design a preferred treatment option once the goal of treatment is known.
o If the goal is to reduce the likelihood or possibility of the risk, then you may need to adjust
what is happening or might be planned: successfully altering the approach will depend on
identifying the causes of the threat and the causal links between the threat and its impact –
both of which should have been identified in the risk assessment phase.
o If it is not possible to change the approach of the project or
activity, then it may be possible to take some other Treatment options
intervening action to mitigate the event’s occurrence or • Avoid the risk by not
reduce the likelihood of the threat. starting or continuing an
o Understanding the nature of the risk event and how it occurs activity
will make it easier to identify any possible intervening actions • Take or increase risk in
order to pursue an
that would operate to reduce the risk.
opportunity
o If the goal is to reduce the consequence or impact of the • Remove the risk source
risk, then contingency plans might be required to respond to • Change the likelihood
a threatening event if it occurs. This planning may be • Change the consequence
undertaken in combination with other controls – that is, even • Share the risk e.g.
if steps have been taken to minimise the likelihood of the through Insurance,
risk, it may still be worthwhile to have a plan in place to contracts, financing
reduce the consequences if the event actually occurs. • Retain the risk by
informed decision
o If the goal is to share the risk, then involving another party,
such as an insurer or contractor, may help. Risk can be
shared contractually, by mutual agreement, and in a variety of ways that meet all parties’
needs. Any such arrangement should be formally recorded – whether through a contract or
agreement or by letter.
Sharing the risk does not remove our obligations and does not avoid us suffering
consequential damage if something unexpected happens or something goes wrong.

Page 6
 o If the risk is so significant that the goal is to eliminate or avoid it altogether then the options
are limited to changing the project materially, choosing alternative approaches or processes
to render the risk irrelevant or abandoning the activity or partner or program. It is not often that
a risk can be eliminated completely and balance is an important part of the risk assessment
exercise (please note: this does not refer to safety type risks or hazards).
o Sometimes, a decision is made to accept or tolerate the risk, due to the low likelihood or
minor consequences of the risk event, or the fact that the cost of effectively controlling the risk
is unjustifiably high or that the opportunity outweighs the risk. The University acknowledges
that in pursuing its strategic objectives measured risk taking is both acceptable and
appropriate. However, in these instances the decision to accept risk should be carefully
documented, so that a record is available for future reference (or evidence) if the risk does
eventuate. Thought should also be given to contingency planning in order to deal with and
reduce the consequences, should they arise.
• Evaluate treatment options and assess their feasibility relative to the tolerance for risk. Do the
controls selected appear to have the desired treatment effect (that is, will they stop or reduce what
they are meant to stop or reduce)?
o Will the controls trigger any other risks? For example, a sprinkler system installed to counter
fire risk may cause water damage, presenting a different risk requiring consideration or
management.
o Are the controls beneficial or cost efficient? Does the cost of implementing the control
outweigh the cost that would flow from the event occurring without the control in place?
Overall, is the cost of implementing the control reasonable for this risk?
The cyclical process of treating a risk, deciding whether residual risk levels are tolerable and assessing
the effectiveness of that treatment are all case-by-case assessments that depend on a good
understanding of the risk and a focus on the end objective of the activity being assessed.
• Document the risk treatment plan. Once the treatment options have been identified, a risk treatment
plan should be prepared (NB. These can be easily generated through the University risk register once
a risk is recorded). Treatment plans should identify responsibilities for action, time frames for
implementation, budget requirements or resource implications, performance measures and review
process where appropriate. The review process should monitor the progress of treatments against
critical implementation milestones.
• Implement agreed treatments. Once any options requiring authorisation for resourcing, funding or
other actions have been approved, treatments should be implemented by those identified as having
the responsibility to do so. The person assigned with the primary responsibility for the risk, is ultimately
accountable for the treatment of the risk.
• Once the risk has been treated, assess the level of residual risk. Even when a risk has been
treated and the controls are in place the risk may not be completely eliminated. The level of residual
risk refers to the likelihood and consequence of the risk occurring after the risk has been treated. Once
implemented, treatments provide or modify the controls. The residual risk rating is generally lower than
the original risk rating otherwise the controls were not effective.
The residual risk should be documented and monitored and reviewed. Where appropriate, further
treatment might be prudent. Having a good awareness of residual risk is important in monitoring and
reviewing risk on an ongoing basis.

Page 7
7. Monitor and review
Monitor changes to the source and context of risks, the tolerance for certain risks and the adequacy
of controls. Ensure processes are in place to review and report on risks regularly.

To ensure structured reviews and regular reporting occurs each local area is
encouraged to identify a process that allows key risks within their area to be Monitoring & review is
monitored. a planned part of the
risk management
Given the diverse and dynamic nature of the University environment, it is process
important to be alert to emerging risks as well as monitoring known risks.
The University’s changing
and evolving environment
Process:
means the source and
• Continuous monitoring: once risks have been identified, recorded, context of risks, risk
analysed, and the agreed treatments have been implemented, an tolerance and risk controls
appropriate monitoring and reporting regime needs to be established to may change over time.
provide assurance that the treatment has been effective and now helps
to control the risk. Some risk treatments will of course become
embedded into daily practices and methods of work.
The frequency of review will depend on the risk rating, the strength of controls and the ability to
effectively treat the risk. Each of us has a role to play in continually monitoring known or emerging
risks and regularly checking or ensuring that controls are in place and are being used.
• Faculty/School, Division/Branch or Controlled Entity Management review: managers need to
ensure there is a process for reviewing risk profiles and activities in their area of responsibility.
Wherever possible, risk management should become an agenda item on management meetings or
committees and avoid the need for separate processes.
The aim of regular review is to identify when new risks arise, and to monitor existing risks to ensure
that treatments or controls are still effective and appropriate. How frequently a review process and
reporting cycle occurs will depend on the risk appetite and level of risk tolerance but local management
review is required.
• Internal audit: the University’s internal audit program provides for a review of systems, policies and
process assurance and compliance. The auditors apply a risk-based approach to the audit program
and help bring a measure of independence and external perspective to the University Risk
Management Framework.
• External audit: the University is audited annually by the South Australian Auditor General. That
external audit covers financial, governance, contracting, IT and risk management systems and
processes. Management and staff may be required to respond to the risk management activities
involved with these audits. Other audits occur from time to time and are imposed through contracts,
compacts, and Federal and State legislation.

Page 8
Formal Risk Reporting
Formal risk reporting is an important part of being able to demonstrate the effectiveness of the risk
management program. The University is required to report to various internal and external bodies and
stakeholders; to achieve this the University needs to be informed about risks in a timely manner and to be able
to access - and reproduce - those risk assessments easily.

Therefore, the Risk Policy requires Heads of School and Branch Managers to report, at least annually, to the
Executive Dean or Vice-President on, or against, the School/Branch risk profile.

This reporting process will enable: Risk management

records should be
• Executive Deans to report annually on extreme and high risks to the traceable
University Risk Management Committee;
• Vice-Presidents to report annually to the University Risk Management In the risk management
process, records provide
Committee on the Division’s risk management; and
the foundation for
• Board Directors/Chief Executives/General Managers of Controlled improvement in
Entities to report annually on the entities risk management to the methods and tools, as
nominated Standing Committee of Council. well as in the overall
process.

Formal risk reporting needs to occur via the University Risk Register or other
appropriate formal report. Formal reports should identify new risks, detail the progress with treating existing
risks and report outcomes from the monitoring and review process.

Annual risk reporting should confirm that all risks relevant to the area of responsibility are being adequately
and appropriately managed.

Page 9
Recording the Risk Management Process
To ensure that risk management is effective, and to provide evidence of a demonstrable risk management
system, it is important to have a documented formal record of the risk management process and outcomes.

A risk register is simply a documented record of the identified risks, their significance or rating, and how they
are managed or treated. The University’s risk register is an electronic web based tool that enables the
recording of risks and facilitates the printing of risk reports and summaries.

A risk profile is a
All areas of the University, and each of the Controlled Entities, are encouraged to description of any
formally record and document their risks within the risk register. In this way, a risk profile set of risks. Over
or description of the types and significance of risks will evolve. Risk profiles will vary time the types and
greatly by Faculty, School, Branch, Division or Controlled Entity and will evolve over significance of risks
time. will evolve.

There is value in each local area having, or compiling, a formal and consolidated risk profile, as it helps to
determine how much time and effort should be put into risk management and how frequently monitoring and
reviews should be conducted.

Even for areas in the University that might consider themselves to be ‘low risk’, the risk management process
can contribute significantly to business planning, improving the responsiveness of the area to crises or threats
and responding to opportunities in an informed and measured manner.

With all areas gradually contributing to and using the risk register an invaluable body of institutional knowledge
will grow, further strengthening the University’s demonstrable risk management processes and maximising the
University’s efforts and strategies.

What to record
When documenting a risk assessment record the following information within By formally recording risks
the risk register: we

• A description of the risk (setting the context) • commit to continuous

learning;
• Causes or contributing factors • obtain benefits for re-
using information for
• Consequences (impacts) of the risk – actual or potential
management purposes;
• Current controls in place that help manage the risk • minimise costs & efforts of
creating & maintaining
• An assessment of the likelihood and consequence based on current or records;
existing controls, to rate each risk • maximise access &
retrieval of information;
• Further actions or treatments needed to address the risk
and
• Any progress updates as the treatments are implemented • comply with retention
periods; and recognise the
• Results from monitoring and review, including effectiveness of controls sensitivity of the
information.
Printing risk records: the risk register can automatically generate Risk
Summary Reports. These reports, which reflect the risk profile for the area, can
be used for local area reporting and to supplement formal/annual reports.

The risk register also generates Risk Management Reports and Risk Treatment Plans for individual risks.

Page 10
8. Communicate and consult
Effective communication and consultation is essential to ensure that those responsible for implementing risk
management, and those with a vested interest, understand the basis on which decisions are made and the
reasons why particular treatment options are selected.

Communicate and consult with internal and external stakeholders during any and all stages of the risk
management process, particularly when plans are being first considered and when significant decisions need
to be made.

Risk management is enhanced through effective communication and consultation when all parties understand
each other's perspectives and, where appropriate, are actively involved in decision-making.

Methods of communication and consultation may include:

• meetings;
• distribution of minutes; Communicate and consult
• reports;
Use a variety of methods to
• on-line communication systems and learning packages; ensure that those responsible
for implementing risk
• induction packages; management are kept properly
• newsletters; informed.

• circulation lists;

• flow charts; and

• staff awareness and education sessions / staff training.

A collaborative and consultative team approach - through co-creation - is more likely to:
• Help establish the context appropriately;
• Ensure the interests of all stakeholders are understood and considered;
• Ensure that risks are adequately identified;
• Bring together different areas of expertise when assessing or analysing risks;
• Ensure that different, and sometimes opposing, views are appropriately considered when defining
risk criteria and in evaluating risks;
• Help secure endorsement and support for a treatment plan; and
• Enhance any change management processes associated with the risk.

Page 11
9. UNIVERSITY RISK MATRIX (LIKELIHOOD & CONSEQUENCE)

RISK RATING - MANAGEMENT ACTION REQUIRED

Score Description of likelihood
• Extreme risk = immediate attention & response needed; requires a risk assessment &
A management plan prepared by relevant senior managers for Vice-Chancellor; risk
Highly likely to happen, possibly frequently
Almost Certain oversight by Council or nominated Standing Committee or Management Committee
B
Will probably happen, but not a persistent issue
Likely • High risk = risk to be given appropriate attention & demonstrably managed; reported
C to Vice-Chancellor or other senior Executives / Management Committees as necessary
May happen occasionally
Possible
D • Medium risk = assess the risk; determine whether current controls are adequate or if
Not expected to happen, but is a possibility
Unlikely further action or treatment is needed; monitor & review locally, e.g. through regular
E business practices or local area meetings
Very unlikely this will ever happen
Rare
• Low risk = manage by routine procedures; report to local managers; monitor & review
locally as necessary

RISK MATRIX
CONSEQUENCE 1 2 3 4 5
LIKELIHOOD Insignificant Minor Moderate Major Extreme

A - Almost certain (frequent) M M H E E

B - Likely (probable) L M H H E

C - Possible (occasional) L M M H H

D - Unlikely (uncommon) L L M M H

E - Rare (remote) L L L L M

Page 12
 Area of impact - description of consequence
Generic impact
Score
description
Education & Research Human Service delivery Brand & reputation Finance Compliance
Event or • Huge loss / reduction in student • Serious injury or death • Cessation of major critical • Long term damage to • Huge financial loss • Serious breach of
5 circumstance with enrolments / retention • Loss of significant number of business systems or reputation or G08 status • Significant budget over- contract or legislation
Extreme potentially • Loss of a Faculty key staff impacting on skills, Education / Research • Sustained negative run with no capacity to • Significant prosecution &
disastrous impact • Serious reduction in research knowledge & expertise programs for an media attention; adjust within existing fines likely
on business activity / output • Staff industrial action intolerable period and / or • Brand / image affected budget / resources • Potential for litigation
or significant • Serious problems reaching a • Student unrest / protest / at a critical time in the nationally and / or • May attract adverse including class actions
material adverse number of student, teaching or violence University calendar internationally findings from external • Future funding /
impact on a key research targets regulators or auditors approvals / registration /
area • Irreparable impact on licensing in jeopardy
relationship with partners /
collaborators
Critical event or • Significant loss / reduction in • Serious injury • Cessation of major critical • Sustained damage to • Major financial loss • Major breach of
4 circumstance that student enrolment / retention • Dangerous near miss business systems or brand / image or • Requires significant contract, Act, regulations
Major can be endured • Loss of a key School • Loss of some key staff Education / Research reputation nationally or adjustment to approved or consent conditions
with proper • Major impact on research resulting in skills, knowledge & programs for an locally / funded projects / • Expected to attract
management activity over a sustained period expertise deficits unacceptable period and / • Adverse national or programs regulatory attention
• Major problems meeting • Threat of industrial action or at a critical time in the local media coverage • Investigation,
teaching or research targets • Threat of student protest / University calendar prosecution and / or
• Serious long term damage to activity major fine possible
partnership / collaboration
Significant event • Significant loss / reduction of • Staff injury, lost time or • Major service delivery • Significant but short • Significant financial loss • Significant breach of
3 or circumstance number of students in a course penalty notice due to unsafe targets cannot be met term damage to • Impact may be reduced contract, Act, regulation
Moderate that can be • Loss of a key academic course act, plant or equipment • Loss / interruption / reputation by reallocating or consent conditions
managed under • Significant impact on research • Short term loss of skills, compromise of critical • Student / stakeholder resources • Potential for regulatory
normal activity over a sustained period knowledge, expertise business systems or and / or community action
circumstances • Significant problem meeting • Severe staff morale or increase Education / Research concern
teaching or research targets in workforce absentee rate program for a protracted • Sustained / prominent
• Significant but short term • Student dissatisfaction period of time local media coverage
damage to partnership
Event with • Moderate reduction in student • Health & safety requirements • Local service or Education • Some short term • Some financial loss • Minor non compliances
2 consequences enrolments / retention compromised / Research program negative media • Requires monitoring & or breaches of contract,
Minor that can be • Minor impact on research • Lost time or potential for delivery problems coverage possible corrective Act, regulations, consent
readily absorbed activity public liability claim • Loss / interruption / • Concern raised by action within existing conditions
but requires • Temporary problems meeting • Some loss of staff members compromise of critical students / stakeholders resources • May result in
management some teaching / research targets with tolerable loss / deficit in business systems or infringement notice
effort to minimise skills Education / Research
the impact • Dialogue required with program for tolerable
industrial groups or student period but at an
body inconvenient time
Some loss but not • Minor reduction in student • Incident with or without minor • Negligible impact on • Minor damage to brand, • Unlikely to impact on • Unlikely to result in
1 material; existing enrolments / retention injury delivery of service image or reputation budget or funded adverse regulatory
Insignificant controls and • Negligible impact on research • Negligible skills or knowledge activities response or action
procedures activity or achievement of loss
should cope with teaching / research targets • Dialogue with industrial
event or groups / students may be
circumstance required

Page 13