Risk Management Policy

This is the current version of this document.

Section 1 - Purpose

(1) To set out the key principles and expectations to support the effective management and oversight of risks to the RMIT Group strategy, objectives, and activities, and promote transparency and integrity in the RMIT Group decision-making processes. 

Section 2 - Overview

(2) RMIT University is a public institution under Victorian law and stands on Aboriginal Country of the Kulin Nation. RMIT recognises and acknowledges the Bundjil Statement that helps all RMIT staff to respectfully work, live and study on Aboriginal Country.

(3) This policy outlines the RMIT Group’s approach to risk management, which is based on the international standard ISO 31000, and describes the key principles and responsibilities to facilitate the effective management and oversight of risk across the RMIT Group.

Section 3 - Scope

(4) This policy is Group-wide and applies to all RMIT Group entities, employees, contractors and third parties undertaking RMIT Group business in any location.

(5) The policy extends to all current and future activities of the RMIT Group.

Section 4 - Policy

Risk Management Objective

(6) The objective of risk management is to support the delivery of our strategic objectives, while taking advantage of potential opportunities and managing possible adverse effects, through the effective identification, measurement, prioritisation, treatment, and ongoing monitoring of risk.

Risk Management Principles

(7) Risk is inherent: Risk is inherent in all academic and administrative activities of RMIT Group, and in all markets where RMIT Group operates.

(8) Risk is aligned to strategy: Our risk appetite specifies the amount of risk the RMIT Group is willing to seek or accept in pursuit of its strategic objectives and delivery of its annual operating plans. 

(9) Clarity of accountability: RMIT Group risk management supports clear accountabilities for all stakeholders across the risk management lifecycle, and ensures those stakeholders are adequately equipped to exercise them.

(10) Evidence-based: The RMIT Group approach to risk management is evidence-based and data-driven, supporting effective evaluation, prioritisation and decision-making.

(11) Positive risk culture: Risk is everyone’s responsibility and is embedded in the way work is conducted across all RMIT Group academic, research and non-academic operations. It encourages open and transparent discussion about risk and opportunity.

(12) Risk is a life cycle: Risks change over time. Risks are monitored, reviewed and assured to ensure RMIT’s position remains relevant and appropriate, and in line with our risk appetite.

Risk Management Framework

(13) This policy seeks to establish and maintain the culture, structure and processes to support the RMIT Group to take advantage of potential opportunities and manage possible adverse effects in line with the RMIT Group risk appetite.

(14) This policy is implemented through the RMIT Group Risk Management Framework. It consists of the following components:

  1. Risk Management Model (refer to diagram in Schedule 1)
    The Risk Management Model describes the key components of the RMIT Group Risk Management Framework. It sets out the overall risk management process, along with the supporting oversight, accountability and operating models.
  2. Risk Appetite Statement
    The Risk Appetite Statement specifies the amount of risk the University is willing to accept in pursuit of its strategic objectives and delivery of its annual operating plans (business objectives). The Risk Appetite Statement is set by Council and reviewed annually. It is considered during RMIT Group planning and decision-making processes.
  3. Risk Management Lines of Accountability
    The Risk Management Lines of Accountability provides detailed guidance, based on the Responsibilities section below, on the risk and assurance activities specific to key roles and committees across the RMIT Group.
  4. Supporting Risk Management Procedures, Systems, Processes and Training
    These are the supporting processes and tools that enable the effective implementation of the Risk Management Process.


(15) RMIT University Council (Council) is responsible for:

  1. overseeing and monitoring the assessment and management of risk across the RMIT Group, including commercial activities, in accordance with the Royal Melbourne Institute of Technology Act 2010
  2. setting the risk appetite for the RMIT Group
  3. ensuring a sound system of risk oversight and assurance, with appropriate policies and processes for management, internal control, and external oversight, in accordance with the RMIT Council Governance Charter.

(16) Academic Board is responsible for:

  1. oversight and monitoring of the academic affairs of the RMIT Group as required by the RMIT Act and Council’s establishment of Academic Board as the peak academic governance body within the RMIT Group.
  2. oversight of academic risks as specified in the Academic Board Regulations.

(17) Audit and Risk Management Committee is responsible for:

  1. acting on behalf of Council to monitor the audit and risk management of the RMIT Group and associated processes
  2. reviewing RMIT’s risk profile, risk framework, risk identification and risk management on a regular basis to ensure they are regularly updated, and material business risks of the RMIT Group are dealt with appropriately and on a timely basis.

(18) The Enterprise Risk Management Team is responsible for:

  1. developing and maintaining the Risk Management Policy and associated framework; this includes the risk management operating rhythm, processes, guidance and tools
  2. facilitating and coordinating the regular reporting of risks to Council and sub-committees, the Audit and Risk Management Committee, the Academic Board and Vice-Chancellor's Executive
  3. advising and supporting teams across RMIT in the implementation of the Risk Management Framework, and the effective identification of risks, assessment of risk exposure, and in the development of risk mitigation and monitoring strategies.

(19) Executive and Senior Management is responsible for:

  1. demonstrating risk leadership by taking accountability for risk management, dedicating appropriate resources to the management of risks, and implementing risk management processes within their area of responsibility, including executive management committee oversight
  2. promoting a strong risk culture by adhering to delegation thresholds, managing risk exposures, and enabling considered, transparent and risk-aware decisions to be made.

(20) All employees, including contractors and third parties, are responsible for:

  1. identifying, understanding, owning, and managing any relevant or emerging risks related to their activities, role or area of responsibility
  2. developing appropriate treatment plans when they decide to manage a risk by reducing the risk exposure within risk appetite
  3. appropriately documenting risks, controls, action plans and risk decisions within their area of responsibility or influence 
  4. continuing to monitor and review risks within their area of responsibility or influence
  5. reporting and escalating any actual or perceived risks that may impact the RMIT Group as they become known.

(21) Specific responsibilities defined by role and leadership position are outlined in the Risk Management Policy – Schedule 2 - Lines of Accountability.


(22) This policy and the Risk Management Model demonstrate the RMIT Group commitment to managing risks and will be reviewed annually and aligned in accordance with:

  1. Royal Melbourne Institute of Technology Act 2010
  2. ISO (the International Organization for Standardization) 31000 (2018)
  3. Victorian Government Risk Management Framework (VGRMF)
  4. Commonwealth Government Risk Management Policy. 


(23) Performance against this policy, including non-compliance with the schedules, statements, and procedures, is reported to Council, Audit and Risk Management Committee and Vice-Chancellor's Executive.

(24) Breaches of this policy will be managed in accordance with the relevant staff and student procedures and Code of Conduct.

Section 5 - Schedules

(25) This policy includes the following schedules:

  1. Risk Management Policy Schedule 1 – Risk Management Model Diagram
  2. Risk Management Policy Schedule 2 - Lines of Accountability 
  3. Risk Management Policy Schedule 3 – Risk Appetite Statement 

Section 6 - Procedures and Resources

(26) Refer to the following documents, which are established in accordance with this policy:

  1. Risk Management Procedure.