Risk Management Policy Schedule 2 - Lines of Accountability

Section 1 - Context

(1) Risk is everyone's responsibility and is embedded in the way the RMIT Group conducts its activities across academic, research, and professional operations. The RMIT Group encourages open and transparent discussion about risk and opportunity.

(2) The purpose of the Lines of Accountability (Schedule) is to provide RMIT Group staff and other stakeholder groups with clarity on the risk, oversight, and assurance accountabilities specific to roles, Council, Boards, and Council and management committees across the risk management model (refer Appendix B).

(3) This Schedule:

  1. references the key risk management activities and is not meant to replace the Council, Boards and Council committees' terms of reference or staff members' individual position descriptions.
  2. highlights the shared responsibilities and collaboration required at different levels of the RMIT Group to effectively identify, assess, mitigate, and monitor risks.
  3. defines and assigns the relevant accountabilities which, when applied, will foster a strong risk management culture, promote resilience in the face of uncertainties, and support taking risks effectively when exploring opportunities.
  4. will be used as a reference for determining and reviewing roles and responsibilities for risk management and assurance activities across the risk management model.
  5. is supported by the Risk Management Procedure, which details how the activities will be performed, and is a key enabler of the Risk Management Framework (refer Appendix A).

Section 2 - Authority

(4) Authority for this document is established by the Risk Management Policy.


Section 3 - Scope

(5) This Schedule applies to all RMIT Group entities, employees, contractors and third parties undertaking RMIT Group activities in any location.

Section 4 - Delegation

(6) Risk management accountabilities cannot be transferred to another person. Specific tasks, however, can be delegated.

(7) Where specific risk management tasks are delegated, these must be documented and communicated to the responsible person/s. This may be documented through job descriptions and/or workplans.

(8) More than one person can have the same risk responsibilities detailed in the Schedule at the same time.

(9) The level of risk management authority is commensurate with the level of responsibility within a role. This will depend on the level of control a role has to influence outcomes.

(10) The authority for risk management will be outlined in position descriptions, namely:

  1. Vice-Chancellor for all RMIT
  2. Executive Leaders (VCE members) for their respective college, portfolio, and controlled entities
  3. Operational Leaders for their respective school or department
  4. Supervisor for their respective area, project, laboratory, or workshop.

Section 5 - Application of the Schedule

(11) In the context of risk management, establishing clear lines of accountability is crucial to ensure that responsibilities are well-defined, and that individuals or groups are aware of their roles and held responsible for managing specific aspects of risk. The lines of accountability help create a structured and organised approach.

(12) To appropriately manage risk in day-to-day operations, we (including relevant stakeholders) are all expected to understand our role within the Schedule, namely:

  1. who owns and manages risks and is responsible for implementing and monitoring controls to keep risks within the appetite of the organisation.
  2. who owns and supports the risk management framework and its implementation, including through challenge and review of the management of risks and controls, oversight of the risk profile, and independent escalation of issues.
  3. who provides assurance and oversight on the effectiveness of governance, risk management and internal control.

(13) The Schedule is applied across the lines of accountability, defining the key roles, and is supplemented by a RACI table (based on the principles of RACI: R (Responsible), A (Accountable), C (Consulted), I (Informed)) aligned to the activities in the Risk Management Model (refer Appendix B). Refer to the definitions table for RACI definitions.

(14) Key Role Descriptions: These are consistent with the information in the Risk Management Policy and the Risk Management Procedure and, where relevant, further information is provided for clarity. The Council, Boards and committee accountabilities reference the key risk management activities and are not meant to supersede the details in the committees' Terms of Reference, but to provide clarity and avoid duplication of the risk management oversight activities.

(15) Key Activities: These are consistent with the information in the Risk Management Policy and the Risk Management Procedure and, where relevant, further information is provided for clarity. The Council, Boards and committee accountabilities reference the key risk management activities and are not meant to supersede the details in the applicable committee Terms of Reference, but to provide clarity and avoid duplication of the risk management oversight activities.

Table 1 – Key Roles: Council, Boards and Committees (Role – Oversight)

University Council
RMIT University Council (Council) is responsible for:
• overseeing and monitoring the assessment and management of risk across the RMIT Group, including commercial activities, in accordance with the Royal Melbourne Institute of Technology Act 2010 (Vic).
• setting and approving the risk appetite for the RMIT Group.
• ensuring a sound system of risk oversight and assurance, with appropriate policies and processes for management, internal control, and external oversight, in accordance with the RMIT Council Governance Charter.

Audit and Risk Management Committee
The Audit and Risk Management Committee is responsible (as per its Terms of Reference), for all committees of the RMIT Group, for:
• acting on behalf of Council to monitor the audit and risk management of the RMIT Group and associated processes.
• reviewing the RMIT Group risk profile, risk framework, risk identification and risk management on a regular basis to ensure they are regularly updated, and that material business risks of the RMIT Group are dealt with appropriately and on a timely basis.
• oversight over all Risk Domains and Risk Appetite Tolerances.

Academic Board – supported by sub-committees:
- Research Committee
- Higher Education Committee
- Vocational Education Committee
- Programs Committee
The Academic Board is responsible for:
• monitoring and providing oversight of academic quality, standards and outcomes, academic and research integrity, innovation and risk, and academic freedom.
• specific risk oversight over the education-related risk domains as defined.

Infrastructure & Information Technology Committee
The Infrastructure & Information Technology Committee is responsible to Council for:
• monitoring, identification, and analysis of risks to the RMIT Group infrastructure and information technology assets, and the development of appropriate mitigation strategies to support resilience and operational effectiveness.

Nominations, Remuneration & People Committee
The Nominations, Remuneration & People Committee is responsible to Council for:
• monitoring, identification, and analysis of risks in the RMIT Group People, Health, Safety and Wellbeing risk domains, and the development of appropriate mitigation strategies to support resilience and operational effectiveness.

Controlled Entities (Boards, Members Councils)
- Vietnam Members Council
- RMIT University Pathways (RMIT UP) Board
- RMIT Online Board
- RMIT Europe Board
All Controlled Entities must comply with policies, procedures and guidelines of the University unless otherwise authorised in writing by the Vice-Chancellor's Executive and the Chair of the policy approval authority.
The Controlled Entities must follow the RMIT Risk Management Framework, which includes the Risk Management Policy, Model, Appetite Statement, Lines of Accountability and supporting procedures, systems, processes and training.
Controlled Entities are included in all risk reporting but in addition must provide the following to Council or its nominated Boards in relation to risk matters:
• safety, risk, insurance, audit, and operations report (quarterly)
• audit and risk report in a form required by the Director, Risk Management (annual)
• assurance statement as defined by the Director, Risk Management (annual)

Table 2 – Key Roles: Executive Management College, Portfolio and Controlled Entities (Role – Management and Assurance)

The Vice-Chancellor
The Vice-Chancellor (via the Director, Risk Management) is responsible for the assignment of responsibilities in relation to risk management and for:
• providing timely and adequate information to Council on the status of Risk Domains
• proposing, in consultation with the senior executive, the tolerance for accepting certain risks (that is, the RMIT Group risk appetite)
• assessment and analysis of key strategic risks within the University's operating environment to inform the development, review and maintenance of the strategy, and
• the risk management culture across the University.

Senior Executives (VCE Members) of College, Portfolio and Controlled Entities; the Vice-Chancellor's Executive Meeting (VCEM); and management committees with oversight over specific Risk Domains:
- Information Governance Board – Data Governance Risk Domain
- Sustainability Committee – Sustainability Risk Domain

Senior executives (VCE members) support and advise the Vice-Chancellor on operational policy and administrative matters relating to their portfolio areas of responsibility, and are supported by a number of executive management committees.
VCEM: As RMIT's principal executive management group, the Vice-Chancellor's Executive (VCE) advises and supports the Vice-Chancellor and President (Vice-Chancellor) in managing the affairs of the University. The VCE Meeting (VCEM) is a committee established to facilitate senior executive accountability, advice, consultation, collective responsibility, and formal executive decision-making across the RMIT Group.
Members of the Vice-Chancellor's Executive are accountable for:
• demonstrating risk leadership by taking accountability for risk management, dedicating appropriate resources to the management of risks, and implementing risk management processes within their area of responsibility, including executive management committee oversight.
• promoting a strong risk culture by adhering to delegations and thresholds, managing risk exposures, and enabling considered, transparent and risk-aware decisions to be made.
• implementing the Risk Management Framework and associated statements, procedures, and resources within their areas of responsibility.
• assigning appropriate resources for the management of risk and assurance, with subject matter expertise and the appropriate operational control and delegated authority.
• providing information, advice, and assurance over risk management for their areas of accountability.
• tabling and presenting College, Portfolio and Controlled Entity Risk Profile reports as required by the reporting cadence.
• embedding risk management as part of their business-as-usual activities, including the annual planning, funding, and strategy review process.
• appointing a Risk Champion for their respective College, Portfolio or Controlled Entity.
Management (Individuals and Teams) – Role: Management and Assurance
College, portfolio and controlled entity executive leadership, chief executives, officers, senior management, team leaders, Executive Directors, Executive Deans and Pro Vice-Chancellors.

Nominated or delegated roles:
- Domain owners (includes Risk Appetite Statements)
- Tier 1 and tier 2 risk owners
- Control owners
- Treatment owners

Management is defined in the Risk Management Policy (section 18.2) as all employees, academics, researchers and professional staff, contractors and third parties to whom the policy applies.

All employees, including contractors and third parties (as defined in section 20 of the Risk Management Policy), who are nominated or delegated as Domain Owners, Tier 1 and Tier 2 risk owners, Control owners or Treatment Owners are generally responsible for:
• identifying, understanding, owning, and managing any relevant or emerging risks related to their activities, role or area of responsibility.
• developing appropriate treatment plans when they decide to manage a risk by reducing the risk exposure to within risk appetite.
• appropriately documenting risks, controls, action plans and risk decisions within their area of responsibility or influence.
• continuing to monitor and review risks within their area of responsibility or influence.
• reporting and escalating any actual or perceived risks that may impact the RMIT Group as they become known.

Specific accountabilities when risk management activities are nominated or delegated:

Risk domain owners (includes risk appetite statements) are accountable for:
• operationalisation of the risk appetite statement for their specific domains by:
- defining the key risk measures and metrics to support the overall tolerance measure/s and associated risk appetite statements approved by Council.
- monitoring and transparently reporting that the business continues to operate within the Council's approved risk appetite.
- recording the risk appetite statement in the respective Risk Domain in the risk capture system and updating it annually as part of the review process.
• endorsement of the addition/retirement of risk domains, which will be approved by the VCEM and reported to the ARMC via the Director of Risk report.
• approval of any amendments to risk domain titles or descriptions, which will be reported via the Director of Risk report to the VCE and ARMC.
• performing the risk assessment of the risk domains using the risk exposure tool.
• identification of loss history, incidents, complaints, and breaches.
• recording and documenting the risk domain in the risk capture tool.
• engaging with the Enterprise Risk Management Team to ensure that treatment plans to remediate ineffective controls and/or risks which are outside of appetite and/or tolerance are in place.
• providing and obtaining assurance on controls in the areas of their responsibility and influence.

Tier 1 risk owners are accountable for:
• establishing, updating, and reviewing their respective risks on a periodic basis in the risk capture system. The intention is that risk management is embedded as part of business-as-usual management activity, rather than being a separate process.
• understanding the risks they are charged with and being empowered to influence their management.
• performing the risk assessment of the risks using the risk exposure tools.
• setting and monitoring the current and target state levels of control for all tier 1 risks, which will be approved by the domain owner of the respective risk domains.
• understanding and interpreting the RMIT Group risk appetite and tolerance as it applies to their risks.
• actively monitoring the risk context to understand and respond to any changes.
• understanding and challenging the effectiveness of controls. This can be achieved through proactive collaboration with control owners.
• handing over risks to appropriate individuals in the event of a change in risk ownership and ensuring that risk ownership has been accepted by both parties.
• ensuring the output of internal audit reports and actions are incorporated into the relevant tier 1 risks.
• tabling tier 1 risk reports, as defined in the Risk Management Procedure, to the VCEM, ARMC and any other delegated committee.
• the design, implementation, and monitoring of any risk treatments.

Tier 2 risk owners are accountable for:
• establishing, updating, and reviewing their respective risks on a periodic basis in the risk capture system. The intention is that risk management is embedded as part of business-as-usual management activity, rather than being a separate process.
• understanding the risks they are charged with and being empowered to influence their management.
• performing the risk assessment of the risks using the risk exposure tools.
• understanding and interpreting the RMIT Group risk appetite and tolerance as it applies to their risks.
• actively monitoring the risk context to understand and respond to any changes.
• understanding and challenging the effectiveness of controls. This can be achieved through proactive collaboration with control owners.
• handing over risks to appropriate individuals in the event of a change in risk ownership and ensuring that risk ownership has been accepted by both parties.
• ensuring the output of internal audit reports and actions are incorporated into the relevant tier 2 risks.
• tabling tier 2 risk reports, as defined in the Risk Management Procedure, to the VCEM, ARMC and any other delegated committee.
• the design, implementation, and monitoring of any risk treatments.
• linking the most relevant tier 2 risks in the risk capture system to give the tier 1 risk owner and risk domain owner visibility over areas of specific exposure within operational portfolios, colleges and/or controlled entities. It is the responsibility of the tier 2 risk owner to confirm with the relevant tier 1 risk owner that the linkage is appropriate.

Control owners are accountable for:
• ensuring the controls are designed and operating effectively, putting in place an assurance program whereby they can measure the effectiveness of, and the key performance indicators for, each control.
• designing, implementing, assessing, and monitoring controls to mitigate tier 1 and tier 2 risks.
• recording and documenting the controls in the risk capture system.
• maintaining controls and contributing to relevant treatment programs.
• actively monitoring the continued viability, relevance, and effectiveness of the controls.
• informing the relevant risk owner when the effectiveness of a control is at risk.
• reporting as required by the risk reporting process to the VCEM, ARMC and other delegated committees.
• providing and obtaining assurance on controls in the areas of their responsibility and influence.
• ensuring team capacity and capability to manage controls.

Treatment owners are accountable for:
• determining, obtaining agreement on, recording, and monitoring the implementation of treatments to manage the risks and/or controls assigned to them, in alignment with the requirements of the Risk Management Procedure.
• implementation of the treatments that have been designed as part of the management of that risk, above and beyond the controls that are already in place.
• making sure that the treatment is completed and actioned within the allocated time frames and to the performance standard that is required.
• implementing and monitoring risk treatments where the current level of risk is outside of the risk appetite tolerance (this usually occurs after control implementation, where the controls in place are ineffective and further mitigation activity is required).
• informing the relevant risk and domain owner when the implementation of a treatment is at risk.
• obtaining the relevant approvals when extending agreed treatment dates.
• recording and documenting the treatments in the risk capture system.
• reporting as required by the risk reporting process to the VCEM, ARMC and other delegated committees.
• ensuring team capacity and capability to execute risk mitigation initiatives.
Risk Champions
College, portfolio, and controlled entity risk champions are responsible for:
• coordinating the adoption of risk management activities within each college, portfolio, school, and group, namely:
- risk profile – risk domain, tier 1 and tier 2 maintenance and refresh
- risk appetite updates and the associated tolerances and metrics
- risk domain assurance
- risk reporting, including writing reports
• promoting risk activities in their area (e.g. seeking opportunities for risk management effort, prompting actions and connecting to the Enterprise Risk Management Team).
• translating risk tools to align with the nature of activities in their area, integrating them into business processes and forums, and providing training.
• identifying opportunities for improvement in risk management in their areas and supporting initiatives to address them.
Central Compliance, Enterprise Risk Management, and Internal Audit – Role: Governance, Oversight and Assurance

Central Compliance
Central Compliance is accountable for:
• developing and maintaining the Compliance Management Program. This includes the maintenance of the Compliance Policy and associated procedures and resources.
• overseeing the identification and classification of legislative obligations relevant to the University.
• advising and facilitating responsible compliance owners and contacts in the effective management of compliance obligations.
• monitoring and reviewing legislative compliance performance across the University.
• liaising with the Enterprise Risk Management Team on compliance matters identified through the Risk Domain, Tier 1 and Tier 2 risk process.
• facilitating and coordinating regular reporting to governance bodies and management committees, and to external agencies where required.

Enterprise Risk Management Team
The Enterprise Risk Management Team is accountable for:
• developing and maintaining RMIT's Risk Management Policy and associated framework; this includes the risk management operating rhythm, processes, guidance, and tools.
• facilitating and coordinating the regular reporting of risks to Council and its sub-committees, the Audit and Risk Management Committee, the Academic Board and the Vice-Chancellor's Executive.
• advising and supporting teams across the RMIT Group in the implementation of the risk management framework, the effective identification of risks, the assessment of risk exposure, and the development of risk mitigation, monitoring and assurance strategies and processes.
• facilitating the Risk Champions Forum.
The Enterprise Risk Management Team is also accountable for the following specific activities in the Risk Management Model:
• Risk domains (includes risk appetite statements):
- coordinating an annual review of each risk domain's Risk Appetite Statement.
- informing the Vice-Chancellor's Executive and the Audit and Risk Management Committee, via the Risk Management Report, of the addition, retirement, and amendment of any risk domains.
• Tier 1 risks:
- coordination of the formal review of tier 1 risk ratings, including the level of control for each cause, every 12 months.
- sample checking on a periodic basis to confirm that tier 1 risks have been rated accurately and that adequate rationale is documented in Riskware to support the rating.
• Tier 2 risks:
- coordination of the formal review of tier 2 risk ratings every 12 months.
- sample checking on a periodic basis to confirm that tier 2 risks have been assessed accurately and that adequate rationale is documented in Riskware to support the rating.
• Controls:
- providing an assurance map template, which details the key controls to mitigate risks (replicated from Riskware), the control owner (replicated from Riskware), and the assurance provider for each control and the level of assurance being provided.
• Treatments:
- sample checking on a periodic basis to confirm that treatment plans linked to low and medium rated risks have been closed in line with the above requirements and mitigate the identified risk.
• Reporting and monitoring – reporting (via the Risk Management Report) to the relevant governance committees on the following:
- any changes to the current risk ratings for risk domains or tier 1 risks
- any risk domains or tier 1 risks which are outside of appetite, and the proposed treatment plans and timeframes to bring these within appetite
- the number of due date extensions per risk domain, tier 1 risk and tier 2 risk, the average length of these extensions and the impact of extensions on enterprise risk exposure
- overdue treatment plans that are linked to risks rated medium or above.

Internal Audit
Internal Audit is accountable for:
• providing independent review and assurance of the effectiveness of the risk management framework.
• developing a risk-based Internal Audit Plan annually, in collaboration with the Enterprise Risk Management Team, that is consistent with RMIT's strategic plan, areas of delivery and risk profile and that draws on the risk domains and tier 1 and tier 2 risks.
• conducting planning activities to develop an Internal Audit Scope for every audit or review, consulting with the Enterprise Risk Management Team on the scope.
• drafting an internal audit report based on the work performed, outlining the audit findings and risks, root causes and linkage to RMIT's risk domains and tier 1 risks, where applicable.
• liaising with the Enterprise Risk Management Team on the findings of audits and the progress of agreed management actions, to ensure that findings and actions are mapped against the appropriate risk domains and tier 1 risks.
• reviewing management's detailed management actions to ensure that they address the audit findings and mitigate the associated risks.
• assessing, with input from the Enterprise Risk Management Team, the impact of deferral of actions on the associated risk. That assessment may include a measure of current/existing risk compared to when the action was originally raised.
• aligning internal audit reports to the Risk Reporting to the VCEM and ARMC.
• performing a level of assurance as appropriate across the Risk Domains.

(16) Key Activities: These are consistent with the information in the Risk Management Policy and the Risk Management Procedure and, where relevant, further information is provided for clarity. The Council, Boards and committee accountabilities reference the key risk management activities and are not meant to supersede the details in the applicable committee Terms of Reference, but to provide clarity and avoid duplication of the risk management oversight activities.

(17) The activities associated with managing risk are detailed in the following tables (Table 3 – Risk Appetite, Table 4 – Risk Domains, Table 5 – Tier 1 Risks, Table 6 – Tier 2 Risks). The RACI has been ordered in terms of RMIT's organisational and procedural hierarchy.

Table 3 – Risk Appetite

| Activity | Council | Academic Board | Council Committees | Executive Management (College, Portfolio and Controlled Entities) | Risk Domain Owner | Risk Champions | Enterprise Risk Management |
|---|---|---|---|---|---|---|---|
| 1. Ownership (annual review) | A | I | C (ARMC) / I | R | C | C | R |
| 2. Setting/amending | A | I | C (ARMC) / I | R | C | C | R |
| 3. Operationalisation (metrics and measures) | I | I | C (ARMC) / I | A | R | C | R |
| 4. Monitoring & reporting | I | I | C (ARMC) / I | A | R | C | R |

In the Council Committees column, "C (ARMC) / I" means the Audit and Risk Management Committee is consulted and the other Council committees are informed.

Table 4 – Risk Domains

| Activity | Council | Academic Board | Council Committees | Executive Management (College, Portfolio and Controlled Entities) | Risk Domain Owner | Risk Champions | Enterprise Risk Management | Internal Audit |
|---|---|---|---|---|---|---|---|---|
| 1. Ownership assigned | I | I | C (ARMC) / I | A | C | C | R | I |
| 2. New, amending and retiring | I | I | C (ARMC) / I | C | A/R | C | C | I |
| 3. Risk assessment | I | I | C (ARMC) / I | C | A/R | C | C | I |
| 4. Identification of loss history, incidents, complaints, and breaches | I | I | C (ARMC) / I | C | A/R | C | C | I |
| 5. Monitoring & reporting | I | I | C (ARMC) / I | C | A/R | C | R | I |
| 6. Oversight | I | I | C (ARMC) / I | C | A | C | R | I |
| 7. Assurance | I | I | C (ARMC) / I | C | A | C | R | R |

In the Council Committees column, "C (ARMC) / I" means the Audit and Risk Management Committee is consulted and the other Council committees are informed.

Table 5 – Tier 1 Risks

| Activity | Council | Academic Board | Council Committees | Executive Management (College, Portfolio and Controlled Entities) | Risk Domain Owner | Tier 1 Risk Owner | Control Owner | Treatment Plan Owner | Risk Champion | Enterprise Risk Management |
|---|---|---|---|---|---|---|---|---|---|---|
| 1. Ownership assigned | I | I | I | C | A | C | I | I | C | R |
| 2. Risk identification – new, amending and retiring | I | I | I | A | C | R | I | I | C | I |
| 3. Risks – setting of levels of control | I | I | I | A | C | R | I | I | C | I |
| 4. Risk – assessment (risk rating) | I | I | I | A | C | R | I | I | C | I |
| 5. Control ownership (design, implementation, performance, closure) | I | I | I | A | I | R | R | C | C | I |
| 6. Treatment ownership (development, changes e.g. timelines, closure) | I | I | I | A | I | R | C | R | C | I |
| 7. Monitoring and reporting of risks, controls, and treatment | I | I | I | A | I | R | R | R | C | I |
| 8. Oversight – of risks, controls, and treatment | I | I | I | A | I | R | R | R | C | I |
| 9. Assurance – of risks, controls, and treatment | I | I | I | A | I | R | R | R | C | I |

Table 6 – Tier 2 Risks

| Activity | Council | Academic Board | Council Committees | Executive Management (College, Portfolio and Controlled Entities) | Risk Domain Owner | Tier 1 Risk Owner | Tier 2 Risk Owner | Control Owner | Treatment Plan Owner | Risk Champion | Enterprise Risk Management |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1. Ownership assigned | I | I | I | A | C | I | R | I | I | C | I |
| 2. Risk identification – new, amending and retiring | I | I | I | A | C | I | R | I | I | C | I |
| 3. Risk – assessment (risk rating) | I | I | I | A | C | I | R | I | I | C | I |
| 4. Linking tier 2 risks to Risk Domains and tier 1 risks | I | I | I | I | C | C | R | I | I | C | I |
| 5. Control ownership (design, implementation, performance, closure) | I | I | I | A | I | I | R | R | C | C | I |
| 6. Treatment ownership (development, changes e.g. timelines, closure) | I | I | I | A | I | I | R | C | R | C | I |
| 7. Monitoring and reporting of risks, controls, and treatment | I | I | I | A | I | I | R | R | R | C | I |
| 8. Oversight – of risks, controls, and treatment | I | I | I | A | I | I | R | R | R | C | I |
| 9. Assurance – of risks, controls, and treatment | I | I | I | A | I | I | R | R | R | C | I |

Section 6 - Definitions

Executive leaders
• Vice-Chancellor
• Deputy Vice-Chancellors (DVCs) and Vice-Presidents
• Chief Officers (Operations, Financial, People and Experience)
• Associate DVCs.

Senior leaders
• Executive Deans, Deans and Associate Deans
• Executive Directors, Deputy and Associate Directors
• General Managers and Managers

Operational leaders/supervisors
Any staff member with direct reports or supervision over a cohort, including:
• Executive Deans, Deans and Associate Deans
• Directors, Deputy and Associate Directors
• General Managers and Managers
• Coordinators and Supervisors
• Teachers.

Third parties
• Contractors
• Industry partners.

Members of the public/visitors
• People who are not formally employed or engaged by RMIT and are not students.

Risk domain
Risk categories that help manage risks impacting RMIT's objectives. Risk domains are used to scope or frame risk causes that should be validated and controlled in an ever-changing risk environment.

Tier 1 risk
Subcategories of risk domains for which causes and thresholds are identified. Tier 1 risks are enterprise-wide (where applicable) and owned at the Director level.

Tier 2 risk
Specific risk events at the college/portfolio level. Tier 2 risks are owned by the accountable personnel within the specific college/portfolio.

Risk appetite statement
The amount of risk the RMIT Group is willing to seek or accept in pursuit of its strategic objectives and delivery of its annual operating plans (business objectives).

Treatment plan
Formal documentation detailing actions to be taken and responsibilities for implementing controls or processes to reduce the likelihood or impact of risks.

Control
Any action taken by management to manage risk and increase the likelihood that established objectives and goals will be achieved.
A control is not a meeting, a policy or a procedure. However, there may be certain requirements of a policy or a procedure which are a control.

RACI
[R] Responsible: Assigned to perform the task, action, or deliverable. The roles, Council, Boards, and Council and management committees who perform the risk management activity and are responsible for the task, action, or deliverable. Several roles, Council, Boards, and Council and management committees can be jointly responsible.
[A] Accountable: Makes the ultimate decision and has the ultimate ownership. The roles, Council, Boards, and Council and management committees who are accountable for the risk management activity being undertaken and completed, and are ultimately accountable. This group frequently also falls under the informed category. Only one role, Council, Board, or Council or management committee is accountable.
[C] Consulted: Is consulted before any decision. The roles, Council, Boards, and Council and management committees who are consulted as the risk management activity is being undertaken and completed; their opinions and guidance are crucial, and their feedback needs to be considered at every step.
[I] Informed: Is informed after a decision or action is made. The roles, Council, Boards, and Council and management committees who are informed as the risk management activity is being undertaken and completed. This group does not have to be consulted or be a part of the decision-making, but they should be made aware of the activities. This group often also falls under the accountable group.

Risk assurance
Each risk domain maintains an assurance map that defines the layers and appropriate levels of management assurance, oversight and independent assurance.
Each risk domain maintains and executes an annual assurance plan to assess the design and effectiveness of key controls.

Risk oversight
Oversight accountability is defined based on the applicable charters for Council, Academic Board and sub-committees (ARMC, NRPC, and IITC).
Committees have oversight of the risk domains within their scope of operation.
Executive oversight is quarterly via the VCEM.

Section 7 - Appendix A: Risk Management Framework

(18) Appendix A – Risk Management Framework is available as a PDF.


Section 8 - Appendix B: Risk Management Model

(19) Appendix B – Risk Management Model is available as a PDF.