restrictions - chc management.pdf · it is guided by advice provided by the ceo, the ... succession...

Policy: Risk Management of 17 Author: CHC CRICOS Provider Name: Christian Heritage College Reference: H2/0412.1-0313 Authorised by: Council CRICOS Provider Number: 01016F www.chc.edu.au M:\Policy and Procedures\Approved Policy This is not a version-controlled document when printed

POLICY: Risk Management

Policy Group(s) Group H: Quality and Risk Management (Ref: H2/0412.1-0313)

Related Policy: Course Assurance Arrangements

Critical Incident Policy for Overseas Students

Deed of Guarantee

Delegations

Financial procedures and Internal Controls

Guide to Workforce Planning

Risk Management Framework

Risk Management Plan

Risk Register

Commencement Date: April 2012 Review Date: March 2013, July 2017

POLICY STATEMENT

Intent:

CHC recognises that the application of risk management is an important element of good

governance and assists CHC in achieving its mission and vision, ensuring that risks are mitigated.

Council is committed to the implementation and maintenance of a formal risk management

framework, which supports the analysis of risk in strategic and operational planning, day-to-day

management and decision making at all levels of CHC.

Scope:

All students and staff

Restrictions: Overseas students

Exclusions: Nil

Objectives:

1. To ensure a consistent approach to risk management is adopted across all levels of operation at

CHC.

2. To ensure Council and senior management can make informed business decisions based on

appropriate risk assessment.

3. To ensure CHC is compliant with legislation.

4. To ensure CHC’s resources (e.g. people, finance, property and reputation) are safeguarded.

5. To provide a risk management framework to identify, prioritise and manage risk in a

coordinated manner across CHC.


Policy Provisions:

1. General

1.1. This policy was developed with reference to the Risk Management Standard (ISO 31000:

2009).

1.2. Risk is defined as any event which is likely to adversely affect the ability of CHC to

achieve its defined objectives.

1.3. CHC manages risks as a routine part of its academic, administrative and business

planning processes. Identified risks will be planned for and managed, taking account of

broader CHC objectives and priorities.

1.4. Risks are managed operationally in accordance with this policy and with risk

management framework established by CHC.

2. Key responsibilities

2.1 Council is accountable and responsible for risk in that it oversees risk management

within CHC. It is guided by advice provided by the CEO, the Risk Management

Committee and senior management, particularly, Director, Corporate Services.

2.2 All staff are urged to take responsibility for the management of risk, including the

identification, assessment and reporting of potential risks to CHC’s key assets.

2.3 The CEO is responsible to Council through the Council’s Risk Management Committee

for implementing risk management.

2.4 The Director, Corporate Services has delegated authority to ensure a risk management

framework is established and maintained and to support the CEO in implementing the

risk management framework.

2.5 Deans and Heads of Department are responsible for the management of risk relevant to

their areas of responsibility. They in turn should create an environment where managing

risk is accepted as the personal responsibility of each staff member of CHC.

2.6 The CEO is responsible for overseeing CHC’s public relations activities, including crisis

management. The primary responsibility is to protect CHC’s reputation, brand and

coordinate responses to media and key external stakeholders.

3. Monitoring and reporting

3.1. The CEO and Risk Management Committee will report at least annually and as often as

necessary to Council on risk management and significant risks to CHC.

3.2. The Risk Management Committee monitors implementation of CHC’s risk management

strategies and makes recommendations to Council on risk management policy and

strategy.

4. Statutory requirements

4.1. CHC will be compliant with all risk related legislation and will ensure the health and

safety of the workplace and the general environment of CHC.

Supporting Procedures and Guidelines:

Risk Management Framework

Effective risk management requires a strategic focus, forward thinking and active approaches to

management, balance between the cost of managing risk and the anticipated benefits, and

contingency planning in the event mission critical threats are realised.


Risk management is the responsibility of all staff at CHC and is both a top-down and bottom-up

approach. It is not about avoiding risk but predicting the possibility of and minimising the impact of

the risk. Each risk situation will be different and will require its own management strategy.

This Framework serves several purposes as it reinforces CHC’s commitment to risk management and

safety to all stakeholders including:

Council;

students;

employees;

contractors;

suppliers; and

the wider community.

It comprises various components:

the process of risk identification, analysis, evaluation, treatment, communication and

review;

business continuity planning, including;

o contingency funding;

o disaster recovery and critical incident management;

o Information Technology (IT) continuity planning;

o workplace health and safety;

o academic continuity planning;

financial risk; and

succession planning.

1. Process

Risk management will therefore be implemented through the following key processes:

1.1 Establish the context

Establish the external, internal and risk management context in which the rest of the

process will take place.

1.2 Identify risks

Identify where, when, why, and how events could prevent, delay or degrade the

achievement of CHC objectives.

1.3 Analyse risk

Identify and evaluate existing controls. Determine consequences, likelihood and level

of risk. This analysis should consider the range of potential consequences and how

these could occur.

1.4 Evaluate risks

Compare estimated levels of risk against the pre-established criteria and consider the

balance between potential benefits and potential adverse outcomes. This enables

decisions to be made about the treatment required and about priorities.

1.5 Treat risk

Develop and implement specific cost-effective strategies and action plans for reducing

potential hazards and associated costs thereby increasing potential benefits.

1.6 Communicate and consult (Appendix 2).

Records of communication and consultation will depend on factors such as the scale


and the sensitivity of the activity.

1.7 Monitor and Review

It is necessary to monitor the effectiveness of all steps of the risk management process.

This is important for continuous improvement (Appendix 3).

Each assessed risk will use the Risk Assessment form (Appendix 1). The form incorporates 1.1

– 1.5 above.

The records of such processes are an important aspect of good corporate governance.

The following diagram provides an overview of the risk processes to be undertaken to

effectively manage risks.

Fig 1 RISK MANAGEMENT PROCESS – OVERVIEW (AS/NZS 4360 2004)

2. Business continuity planning

Business continuity planning is necessary in order to consider the legal responsibility of CHC,

the possibility of financial loss and the impact of an event which may interrupt the operations

of CHC and the provision of its services.

Management has a legal responsibility to protects its corporate resources and information.

Any interruption to the normal operations of CHC can be damaging to CHC’s reputation and

future relationships with students and other stakeholders, including regulators.

The Business Continuity Plan (BCT) is designed to complement CHC’s procedures guiding

safe practices for staff, regular maintenance of buildings and facilities and evacuation

procedures in case of emergency. It incorporates contingency funding, disaster recovery and

critical incident management, Information Technology (IT) continuity planning, workplace

health and safety, and academic continuity planning. The BCT will identify and assess risks

which could give rise to disruptions to critical services.

2.1 Contingency funding

The Strategic Plan 2011 – 2017 mandates the retention of substantial cash reserves, of 5%

surplus on annual operating revenue, to undergird long term financial sustainability and

ensure the ready availability of funds to meet a range of contingencies. CHC recognises the

calls upon these contingency funds to maintain business continuity at an institutional level.

ESTABLISH CONTEXT

MO

NIT

OR

AN

D R

EVIE

W

CO

MM

UN

ICA

TE A

ND

CO

NSU

LT

IDENTIFY RISKS

EVALUATE RISKS

ANALYSE RISKS

TREAT RISKS


These contingency arrangements are separate from Course Assurance and Tuition Assurance

arrangements required under the HESA (2003).

2.2 Disaster recovery and critical incident management

CHC’s plans for disaster recovery as an aspect of the Business Continuity Plan.

A critical incident refers to a particular incident, episode or crisis that may result in an

‘extreme’ level of risk, directly or indirectly impacting the core operations of CHC. A critical

incident triggers the activation of the Disaster Recovery and Critical Incident Management plan

(Appendix 4).

An ‘extreme’ level of risk would be determined using the analysis process, as outlined in the

Risk Assessment form (Appendix 2).

In accordance with the National Code 2007, critical incidents as they apply to overseas students

at CHC are catered for under separate cover of the Critical Incident Policy for Overseas Students.

Within the context of that policy a critical incident is either an event that impacts CHC’s

ability to operate or an event that impacts the individual student.

In the event of a disaster or critical incident which rendered CHC’s campus unusable,

Citipointe Church (COC) has undertaken to provide facilities for CHC’s use.

2.3 IT continuity planning

CHC plans for IT continuity as an aspect of the Business Continuity Plan. This plan includes

the backup procedures for all CHC information systems including data, student management

system, accounting management system and email system, access to backup servers and the

ability to mitigate server failure through multiple servers.

2.3 Workplace health and safety

CHC seeks to provide the safest practicable workplace in order to achieve its mission and

goals, Under the Workplace Health & Safety Act (Qld) 1995, CHC has an obligation to ensure

that employees are safe when at work. In order to do so, CHC provides and maintains plant

and equipment and systems of work that are safe. All CHC employees have an obligation to

ensure the implementation of safe work practices appropriate to their operational

responsibility. CHC provides information, instruction, training, and supervision to enable

employees to perform their work safely.

2.4 Academic continuity

A quality student experience is central to all management concerns at CHC. Part of this

experience is the continuity of arrangements which ensure that students’ learning is not

adversely affected in those instances when academic staff are unable to fulfil their teaching

commitments.

The emphasis of CHC’s academic continuity is based on the following elements and is

supported through the Risk Management: Teaching Continuity policy.

Ensure the continuity of teaching, within semesters and across semesters.

Stimulate confidence within the student body that their learning needs are met in

appropriate ways.

To provide guidelines for the replacement of academic staff.

Should CHC cease to operate or cease to offer a course of study in which domestic students

are enrolled CHC has contingency plans in place. Course Assurance Arrangements in

accordance with the Higher Education Support Act 2003 (Cth) make provision for students to

complete their awards with full credit at a second higher education institution. CHC’s


domestic students are protected against the risk of CHC ceasing to operate through the

Tuition Assurance Scheme which is underwritten by the parent company Christian Outreach

Centre Australia and administered through Council of Private Higher Education (COPHE).

Both the Course Assurance Arrangements and the Tuition Assurance Scheme are approved

by the Commonwealth Government.

CHC’s overseas students are protected by the Tuition Protection Service (TPS) which is

established under the Education Services for Overseas Students Act 2001 (Cth). The TPS ensures

that overseas students are able to complete their studies in another course or with another

higher education provider or to receive a refund of their unspent tuition fees.

3. Financial risk management

The Council monitors all financial matters and the main source of advice concerning financial

risk is the Finance Committee. CHC mitigates financial risk through:

careful monitoring of financial activities through regular reporting processes to Council;

financial delegations through the Delegations policy; and

through the Financial Procedures and Internal Controls policy.

4. Succession planning

CHC is cognisant of the risk of loss of key staff and this is mitigated through succession

planning. Council is engaged in succession planning for the Chief Executive Officer and the

Succession Planning and Restructure Committee has developed a plan to mitigate against the

risk of either the planned vacancy of this senior position through retirement and/or

unplanned vacancy through ill health, critical injury or death of the CEO.

Other succession planning for staff is provided under the cover of CHC’s Workforce Planning

Guidelines. Furthermore, in the instance of a Dean or Head of Department taking leave for a

period longer than three working weeks, the practice of secondment of another staff member

to the position ensures that contingency plans can be activated in the instance of ill health,

critical injury or death of a member of the senior management.


POLICY FURTHER INFORMATION

Relevant Commonwealth/

State Legislation

Workplace Health and Safety Act

ISO31000:2009

ACCOUNTABILITIES

Implementation: Chair, Christian Heritage Council, Principal and Chief Executive

Officer

Compliance: Chair, Christian Heritage College Council

Monitoring & Evaluation: Principal and Chief Executive Officer

Development/Review: Principal and Chief Executive Officer

Approval Authority: Christian Heritage College Council

Interpretation & Advice: Principal and Chief Executive Officer

WHO SHOULD KNOW THIS POLICY?

CHC Council

Members of the Executive

Full time and fractional staff

Members of the CHC community

EFFECTIVENESS OF THIS POLICY

Performance Indicators: Nil

Other: Nil

Definitions and Acronyms: CHC – Christian Heritage College

Risk – any event which is likely to adversely affect the ability of CHC

to achieve its defined objectives.

Business continuity planning – a medium- to long-term activity

undertaken to foresee, mitigate and provide planning for events

which might threaten the on-going operations of CHC.


APPROVAL – section maintained by the Registrar

Reference No. Approved Date Committee/Board Resolution No. /

Minute Ref.

H2/0412.1 Approved 16/04/2012 CHC Council

REVISION HISTORY – section maintained by the Registrar

Revision

Reference No. Approved/Rescinded Date Committee/Board

Resolution No. /

Minute Ref.

0313 Approved 04/03/2013 Council 3.1


Appendix 1: Risk Assessment Form

1. Establishing the Context

The context includes CHC’s external and internal environment and the purpose of the risk

management activity.

In assessing risk, the WH&S committee considers the following:

Step 1 – Context Establishment Form

Description of activity

Intended outcomes of activity

Critical factors in environment Political

Social

Economical

Legal

Technological

Environmental

Other

Stakeholders Internal

External

Risk evaluation criteria

2. Identifying the Risks

Identification of risk should include whether or not the risks are under the control of CHC.

Identification involves three important questions: What can happen? When and where?

How and why? Each risk should be considered from the perspective of both internal and

external stakeholder.

Approaches used to identify risks include:

Looking at the records of previous activities

Examining the results of personal, local or overseas experience

Conducting safety audits and physical inspections

Analysing specific scenarios

Directly observing the activity

Checklists

Discussions with stakeholders


Step 2 – Risk Identification Form

Source of Risk Risk Event – internal, external, or random

Human Behaviour

Building Structure

Landscape

Electrical

Toxins

Furniture

Property

Equipment

Natural events

Other

3. Analysing the risks

Risk analysis is about developing an understanding of the risk and deciding which risks

need to be treated and the most appropriate, cost-effective risk treatment strategies. This

involves making a decision about the relationship between the likelihood of harm resulting

from a risk and the consequences that may arise.

Step 3 – Risk Analysis Sheet

INSTRUCTIONS:

1. Evaluate the likelihood of a risk occurring.

2. Evaluate consequences if the incident occurred. .

3. Calculate level of risk by finding the intersection between likelihood and

consequence.

CONSEQUENCES

LIKELIHOOD Insignificant Minor Moderate Major Catastrophic

Almost certain High High Extreme Extreme Extreme

Likely Moderate High High Extreme Extreme

Possible Low Moderate High Extreme Extreme

Unlikely Low Low Moderate High Extreme

Rare Low Low Moderate High High


KEY:

Extreme Potentially devastating consequences – Immediate action required.

High Potentially damaging – Action required.

Moderate Implement monitoring or response procedures.

Low Treat with routine procedures.

Australian/New Zealand Standard for Risk Management AS/NZS 4360:1999

INFORMATION SHEET

Scenario:

NO: # RISK LIKELIHOOD CONSEQUENCE LEVEL OF RISK

1

2

3

4

5

6

©Queensland Government

4. Evaluating the Risks

The purpose of risk evaluation is to make decisions, based on the outcomes of risk analysis,

to determine how the risk is addressed.

Step 4 – Risk Evaluation Form

ACCEPTABLE RISKS

Identified risk Level of Risk: Extreme,

High, Moderate, Low

Reason for acceptance



UNACCEPTABLE RISKS

Identified risk Level of Risk: Extreme,

High, Moderate, Low

Order of priority


Risk may be deemed as acceptable when:

The risk level is so low that it does not warrant spending time and resources to treat it.

The risk level is low and the benefits presented by the risk outweigh the cost of treating

it.

The opportunities presented by the risk are much greater than the threats.

5. Treating the Risks

Risk treatment involves identifying the range of options for treating a risk, assessing

these options and the preparation and implementation of a treatment plan. Risk

treatment options should consider the values and perceptions of stakeholders and the

most appropriate ways to communicate with them.

If, after treatment has been successfully completed, the risk will be reassessed followed

with an appropriate procedure plan of action.

According to the Australian Standards for Risk Management the purpose of treatment

plans is to document how the chosen options will be implemented. The treatment plans

should include: proposed actions, resource requirements, responsibilities, timing,

performance measures, and reporting & monitoring requirements. A treatment plan

should be integrated with the management and budgetary processes of CHC.

Step 5 – Treatment Instruction Sheet

CONSEQUENCES

LIKELIHOOD MAJOR MODERATE MINOR

LIKELY A - Avoid or Transfer D - Avoid or Transfer G - Control

MODERATE B - Avoid or Transfer E - Transfer of Control H - Control

UNLIKELY C- Transfer F - Transfer of control I - Control



KEY:

Avoid Decide not to proceed with the activity or choose another way to achieve the same

outcome

Transfer Shift all or part of the responsibility of the risk to another party who is best able to

control it

Control Reduce either the likelihood of the risk occurring or the consequences of the risk

or both.

Retain Accept the risk and decide how you can cover costs if a loss occurs

RISK TREATMENT FORM

Risk event

Source of risk

Priority

Likelihood

Consequences

Level of risk

Risk treatment

Responsibility

Resources required

Performance measures

Timetable


KEY:

Source of risk: How can the risk arise?

Risk event: What can happen?

Priority: What priority does this risk have in relation to other risks?

Likelihood: Likely, moderate, or unlikely?

Consequences: Major, Moderate, or Minor?

Level of risk: Extreme, high, moderate, or low?

Risk treatment: What will be done to avoid/control/transfer/retain the risk?

Responsibility: Who will implement the risk treatment option?

Resources required: What resources are needed to implement the risk treatment?

Performance measure: What indicators will reveal that the risk treatment is working?

Timetable: When will the treatment option be implemented?


Appendix 2

Communicate and Consult

It is important to develop a communication plan for both internal and external stakeholders

in the early stage of the process. This plan should address issues relating to both the risk

itself and the process to manage it.

Internal

Employees of CHC are informed of location and accessibility of the relevant

notification forms, i.e.; Hazard Notification Forms, Incident Report Forms, and

Maintenance Request Forms.

WH&S has a dedicated email address and pigeon-hole clearly labelled.

The WH&S policy is displayed in public places around the campus.

All new employees are informed of WH&S process as part of their induction to CHC.

External

Reports to CHC council

External financial audits

Professional development conduced with external organisations

School advisory boards

WH&S audit conducted by external party


Appendix 3

Monitor and Review

The strategies used to manage risk must be regularly monitored and evaluated. Ongoing

reviews are essential to ensure that the management plan remains relevant.

A review of the risk management plan will:

Monitor existing risks

Identify new risks

Identify any potential hazards

Evaluate the effectiveness of current risk treatment or its management strategies.

CHC model, based on the Queensland government risk management guide, suggests plans

can be reviewed by the following methods:

Observations

Physical inspections

Incident reports

Questionnaires

Interviews with stakeholders

Regular review of risk treatment procedures, and

Repeat of the risk management process.

Risk management processes should be recorded appropriately. Assumptions, methods, data

sources, analyses, results and reasons for decisions should all be recorded.


Appendix 4: Disaster Recovery and Critical Management Plan

This Disaster Recovery and Critical Incident Management plan is designed to complement

procedures concerning safe practices for staff, regular maintenance of buildings and facilities

and evaluation procedures in case of emergency. It is activated when a critical incident

occurs.

A critical incident is distinguished from a significant incident in that a critical incident:

has the potential to significantly disrupt the operations of CHC, or a major part of

it, putting at risk CHC’s ability to effectively and efficiently continue its teaching

and learning activities;

may bring CHC into disrepute;

may impact on critical IT service availability to CHC, with a potential down time of

greater than 24 hours;

may bring negative media coverage to CHC;

may incur a significant cost to rectify the situation promptly; and/or

may result in critical injuries or death to staff, students or members of the public.

Critical Incidents may include:

Direct Critical Incidents, such as:

loss of a building (fire, earthquake, storm, etc);

bomb threats;

a pandemic outbreak;

extreme climatic conditions causing closure of CHC;

major demonstration or protest;

telecommunications failure, server and Local Area Network failure of greater than

24 hours; and/or

serious industrial action, strikes or riots.

Indirect Critical Incidents to individuals, such as:

serious accident or injury;

acts of self-harm;

serious sexual assault;

serious assault, robbery, and armed hold-up;

event or threat that causes extreme stress, fear or injury; and/or

kidnapping or attempted kidnapping.

The emphasis of CHC’s DRP is based on three major elements:

Reaction

Recovery & Restoration

Review

Reaction

Key campus staff must be notified. In all disaster or emergency situations the primary

objective is the safety of people lives. Any salvage and disaster recovery operations will

take place only when the affected area is declared safe.


When a disaster occurs notify:

1) Director, Corporate Services;

2) the CEO.

The Director, Corporate Services will notify the key campus staff of Citipointe Christian

College and Citipointe Church and will be the coordinator of the emergency response and

will activate the Disaster Recovery Team (DRT) and contact the relevant emergency services

or other personnel as required.

Recovery & Restoration

Upon the activation of the DRT the Director, Corporate Services will:

notify all key personnel and assign tasks as required;

notify students to minimise panic or concern;

recall backups;

organise alternate facilities in order to continue operations (NOTE: Citipointe Church

COC has undertaken to provide facilities to CHC in the event a disaster which

renders CHC’s campus or parts thereof unusable. A formal agreement is held by the

Director, Corporate Services); and

provide counselling opportunities and support for staff and students.

Review

After a critical incident has been dealt with it is essential that CHC undertakes an

evaluation. Evaluation of the DRP and the roles and functions of the coordinators and the

relevant support staff are an essential part of the process.

restrictions - chc management.pdf · it is guided by advice provided by the ceo, the ... succession...

Documents