
Griffith Risk Appetite Statement

This document outlines Griffith University's risk appetite statement, which defines the amount and type of risk the university is willing to accept in pursuit of its strategic objectives. It provides definitions of key risk concepts, establishes risk categories, and assigns qualitative risk ratings to guide decision making. The statement aims to balance risk taking with risk avoidance, ensuring ethical governance and supporting responsible innovation while preventing a culture that is overly risk averse. Implementation of the risk appetite statement forms the basis of Griffith's enterprise risk management approach.

Uploaded by

leonciong

Risk Appetite Statement

Approving authority: Finance, Resources and Risk Committee
Approval date: 23 September 2019
Advisor: p.bryant@griffith.edu.au | Vice President (Corporate Services)
         vpcorporateservices@griffith.edu.au | (07) 373 57343
Next scheduled review: 2021
Document URL: http://policies.griffith.edu.au/pdf/Risk Appetite Statement.pdf
Document Number: 2019/0000099
Description: This Statement sets out the amount and type of risk that the University is willing to pursue,
retain, accept, or tolerate in pursuit of its strategic and operational objectives.
The University’s enterprise risk management is aligned to the principles set out in the universally accepted
standards: ISO 31000: 2018 Enterprise Risk Management and 2017 COSO ERM – Integrating with Strategy and
Performance.

Related documents:
Enterprise Risk Management Policy
Enterprise Risk Management Framework
Risk Management Standards (AS/NZ 31000:2018 Risk Management Guidelines and COSO Enterprise Risk
Management - Integrating with Strategy and Performance 2017.)

[1. Introduction] [2. Definition of Risk Appetite] [3. Core Principles] [4. Key Risk Appetite Concepts] [5.
Statements of Risk Appetite] [6. Risk Appetite Ratings] [7. Implementation of the RAS] [8. Reporting and
Monitoring] [9. Approval, Review and Updates] [Annexure A]

1. INTRODUCTION

The Enterprise Risk Management Policy and Enterprise Risk Management Framework (ERMF) provide the
structure for the University to effectively manage our risks. This Risk Appetite Statement (RAS) is essential to
the ERMF.

The objective of the RAS is to help us make decisions about risk. It provides guidance in terms of:
• The amount or level of risk that the University is willing to pursue, retain, accept or tolerate to achieve our
  strategic and operational objectives
• Embedding risk management as part of our decision making
• Ensuring that an appropriate level of risk taking is being applied in our daily work

2. DEFINITION OF RISK APPETITE

Risk appetite refers to the amount and type of risk that the University is comfortable to accept to achieve our
objectives. It balances the benefits of change or innovation with the threats that the change may bring. It sets
the boundaries for the risks we can tolerate in our activities and helps us find the balance between risk taking
and risk avoidance.

3. CORE PRINCIPLES

Overall, the University has a balanced approach to risk. Our risk appetite is based on our core values and
aligned to our strategic objectives.

It’s important to remember that risk management is not purely about avoidance of risk. Our vision and strategic
objectives require that we manage risk based on value. We accept that risk is commensurate with potential
reward such as growth, transformation and innovation.

The key aspects of achieving balance are:
• Ensuring ethical and effective governance practices, including responsible management of resources
• Capitalising on opportunities that promote growth, transformation and innovation, while avoiding
  unnecessary negative impacts
• Preventing a culture that is risk averse and stifles growth, transformation and innovation
• Fostering a culture that supports value-based assessment and management of risks

The following core principles provide context for decision-makers in applying the RAS:
• The RAS is not an exhaustive list that addresses every situation but provides general guidelines
• Everyone is empowered to interpret the RAS to make pragmatic, risk-based decisions in the best interest
  of the University and its stakeholders
• The RAS is a forward-looking expression of risk appetite. It reflects our tolerance for accepting new or
  developing risks (in addition to current risks) in achieving the University’s strategic objectives
• Our risk appetite and risk tolerance are dynamic and will change over time in response to different drivers
• All decisions align with the University’s Strategy and Mission, Vision and Values

4. KEY RISK APPETITE CONCEPTS

Our risk appetite is a reflection of the University’s risk profile and capacity to take risks. We use the following
concepts in defining appetite:
• Risk profile — this is our overall position on risk. It considers the type and amount of risk the University is
  exposed to across all risk categories
• Risk capacity — the maximum level or ‘ability’ of the University to accept risk in each risk category
• Risk appetite — the amount and type of risk the University is comfortable to accept to achieve its objectives
• Risk tolerance (upper and lower limits) — the level (generally quantitative) of risk which, if reached, would
  require an immediate escalation and corrective action. A breach of tolerance is a breach of risk appetite

The RAS sets boundaries for the University to identify and control our risk capacity, risk profile, and risk
appetite when evaluating and pursuing our strategic objectives.

5. STATEMENTS OF RISK APPETITE

Risk appetite statements are aligned to categories of risk.

The table in Annexure A summarises the University’s risk appetite within each of our enterprise risk
categories. The categories capture Griffith’s activities and areas of engagement.

We recognise that our appetite for risk varies according to the activity undertaken. Our acceptance of risk is
always subject to ensuring that the potential benefits and risks are fully understood before activities are
authorised, and that sensible measures to mitigate risk are established where required.

Groups / Divisions and other areas of the University may have further sub-categories of risk appetite
statements within the key enterprise risk categories.

6. RISK APPETITE RATINGS

The following matrix outlines the levels of risk appetite, how they are characterised, and the University’s
tolerance levels and corresponding responses.


Risk Appetite Rating: Zero Appetite
Description of Criteria: The University is not willing to accept risks, threats, opportunities under any
circumstances. All reasonably practicable measures to eliminate the risk must be taken.
Risk Response: Unacceptable / No Tolerance

Risk Appetite Rating: Low Appetite
Description of Criteria: Safe approaches should be taken, but the cost of controls / mitigation should be
carefully evaluated to ensure they achieve a reasonable outcome. A strong preference for strategies and plans
that present minimal risk.
Risk Response: Cautious. “OK to proceed, but only if the likelihood and consequence of the risk can be managed
at reasonable cost”

Risk Appetite Rating: Moderate Appetite
Description of Criteria: Can accept a degree of uncertainty to achieve an intended outcome providing that
effective measures are in place to monitor the risk and limit adverse outcomes.
Risk Response: Tolerable / Conservative. “OK to proceed, providing that losses can be minimised”

Risk Appetite Rating: High Appetite
Description of Criteria: Comfortable for risks to be taken even if there is a high-degree of uncertainty to gain
highly-valued reward/s.
Risk Response: Acceptable. “OK to proceed, even if our ability to minimise potential losses is limited”

7. IMPLEMENTATION OF THE RAS

The University’s appetite for and tolerance of risk as outlined in this RAS form the basis of our approach to
managing risk in our day-to-day activities. The RAS informs the Enterprise Risk Management Policy (the
Policy) and ERMF which provide the structure for our risk management processes.

Staff are responsible for managing their risk environment. This includes having appropriate controls in place
and monitoring their effectiveness. These risks are identified, assessed and managed at both enterprise level
(‘top-down’) and at operational level (‘bottom-up’). Risk registers are used to document the risks.

Risks outside the appetite or agreed tolerance levels should be managed in line with this RAS and should be
reported by the Executive Group to the Finance, Resources and Risk Committee (FRRC). (Refer to the Policy
for Roles and Responsibilities).

The Executive Group is accountable for compliance with this RAS. Risk appetite also needs to be articulated
for discussion at Council meetings and at the FRRC meetings, and any other governance committees when
seeking approval for key strategic and operational decisions.

8. REPORTING AND MONITORING

The Manager, Risk and Business Continuity Planning is responsible for facilitating the analysis and
measurement of our risk performance against risk appetite. The Vice President, Corporate Services and the
Director, Audit, Risk and Compliance are responsible for reporting the RAS outcomes to the Executive Group
and to the FRRC.

9. APPROVAL, REVIEW AND UPDATES

The RAS is reviewed annually in parallel with the review of the University’s strategic plan and enterprise risks.
It is endorsed by the Executive Group and then approved by the FRRC.

Any proposed updates to this guidance will be communicated to the Council via the FRRC.

This document will be maintained by the Director, Audit, Risk and Compliance and the Manager, Risk and
Business Continuity Planning.


ANNEXURE A
UNIVERSITY STATEMENTS OF RISK APPETITE

Columns: Risk Category | Sub-Risk Category | Risk Appetite (Zero / Low / Moderate / High) | Risk Appetite
Description | Statements/questions to challenge/support the proposed level of appetite

Risk Category: Strategic Risk
Strategic risks are potential events or circumstances that affect or are created by the University’s strategic
vision, priorities and goals. These activities may impact the University positively or negatively.
Strategic activities are essential to meet our objectives of growth, transformation and innovation.
Managing strategic risk protects value by avoiding adverse impacts. It also creates value by optimising
positive outcomes.
We acknowledge that growth activities carry higher risk that needs to be managed according to best practice.

Sub-Risk Category: Reputation
Risk Appetite Description: We have a track record for world‐class international learning, teaching, research,
and student experience.
There is a low appetite for activities that threaten to diminish our reputation, ‘brand’, or ethical standing.
There is a moderate appetite for activities that could potentially maintain or increase the value of our
reputational standing — i.e. events that reinforce, sustain, or improve our reputation.
Statements/questions to challenge/support the proposed level of appetite:
• Reputation should be assessed in terms of our goals as a national and global leader in research and teaching
  and learning.
• Maintaining our international rankings is critical in attracting funding, students and academic talent.

Sub-Risk Category: Students
Risk Appetite Description: One of our key strategic goals is to provide an excellent educational experience to
attract and retain students who, regardless of their background, will succeed at university and become
graduates and alumni of influence.
There is a low appetite for activities that threaten to de-value or diminish the quality of our students’
experience.
There is a moderate appetite for activities that have the potential to maintain or increase the value of our
students’ experience — i.e. events that reinforce, sustain, or improve the quality of student outcomes and
experience.
Statements/questions to challenge/support the proposed level of appetite:
• Is the University doing enough to attract and retain students?
• Are student experiences and outcomes, including employability, improving?

Sub-Risk Category: Research
Risk Appetite Description: We have a strategic goal to continuously improve research performance, engagement
and impact through research that delivers social dividends.
We aspire to be a leading research-intensive university.
There is a low appetite for activities that threaten to diminish our research performance — e.g. through
conduct that is unethical or non-compliant with relevant legislation.
There is a moderate appetite for activities that could potentially maintain or increase the value of our
research outcomes — e.g. build capability and capacity, increase quality, and improve social outcomes.
Statements/questions to challenge/support the proposed level of appetite:
• Is the University building enough research capability and capacity to deliver quality research?
• Is there appropriate guidance and monitoring of research ethics, contractual and legislative compliance?

Sub-Risk Category: Innovation, Growth & Commercialisation
Risk Appetite Description: Innovation, growth and commercialisation are central to increasing income, research
funding, attracting students and staff, and building reputation.
There is a moderate to high appetite for activities that will potentially optimise these elements across the
University’s operations.
There is a low appetite for activities that deter the pursuit of these elements — i.e. ignoring these factors is
considered detrimental to our strategic goals.
Statements/questions to challenge/support the proposed level of appetite:
• Is the University utilising innovation and opportunities including building strategic alliance partnerships?
• Is the University investing in relevant projects and programs?


Risk Category: Operational Risk
Operational risk relates to activities carried out in the day-to-day business of the University. They may be
associated with structure, systems, people, services or processes.
Managing operational risk protects value by avoiding adverse impacts. It also creates value by optimising
positive outcomes.
The University places great importance on adequate internal controls, efficient business processes, talented
people and reliable systems.

Sub-Risk Category: Business Disruption and System Failure
Risk Appetite Description: It is important to the University that our activities and services operate
efficiently, effectively, and consistently.
There is therefore a low appetite for activities that threaten to diminish our standards of operation or could
lead to a loss of confidence by our stakeholders and communities.
There is a moderate appetite for activities that could potentially improve or enhance our business systems and
standards of operation — e.g. system upgrades and enhancements to improve efficiency.
Statements/questions to challenge/support the proposed level of appetite:
• Does the University have a clear resilience strategy, and has it carried out periodic simulated testing of
  potential disaster or crisis events?
• Does the University regularly compare its business continuity strategy to best practice standards?

Sub-Risk Category: Damage to Physical Assets
Risk Appetite Description: It is imperative to maintain our physical assets in good operational order.
There is a low to moderate appetite for activities that threaten, or fail to protect our physical assets from
damage, loss, or restricted use due to natural causes, fire, arson, inadequate security, etc.
Statements/questions to challenge/support the proposed level of appetite:
• Are there sufficient measures in place to prevent or reduce the risk of damage to, loss of, or restricted use
  of facilities, buildings and office support due to weather damage, fire, arson, inadequate security, etc?

Sub-Risk Category: People / Human Resources
Risk Appetite Description: The University is committed to investing in strategies to attract, manage, motivate,
develop and retain competent staff to achieve our strategic objectives.
There is a low appetite for activities that threaten to diminish our ability to meet this commitment.
Statements/questions to challenge/support the proposed level of appetite:
• Is the University investing appropriately in recruiting, developing, rewarding and retaining our people?
• Is the University developing strong leadership and a culture of equity and transparency?

Sub-Risk Category: Fraud
Risk Appetite Description: In accordance with the University’s Code of Conduct and Fraud and Corruption Control
Framework all staff are expected to act with the utmost integrity. The University recognises that there will
be exposure to attempted and actual fraud incidents.
The University has zero appetite for activities that threaten our integrity.
Statements/questions to challenge/support the proposed level of appetite:
• Are there sufficient controls in place to avert any internal and external fraud attempts?

Sub-Risk Category: Information Technology / Cyber Security
Risk Appetite Description: It is imperative that our information technology systems operate efficiently and
effectively.
The University has a low appetite for activities that may leave us susceptible to cyber threats which may lead
to loss of strategic and critical systems or information relating to staff, students, research, or other
University operations.
Statements/questions to challenge/support the proposed level of appetite:
• Does the University have a mature process for managing cyber threats and ransom demands?
• Is the University proactively managing the level of cyber threat exposures managed by its IT vendors for
  outsourced systems and platforms?

Risk Category: Operational Risk (Cont’d)

Sub-Risk Category: Health, Safety and Wellbeing
Risk Appetite Description: We are committed to maintaining a safe and healthy environment where staff, students
and visitors are protected from physical and psychological harm.
There is zero appetite for activities that threaten the health and wellbeing of our staff, students or visitors.
There is zero appetite for any deviation from the University’s standards and legislative responsibilities in
these areas.
Statements/questions to challenge/support the proposed level of appetite:
• Is the University investing sufficient resources in the provision of mental health support for students and
  staff?
• The University supports a strong safety culture and expects staff, students, contractors and visitors to take
  personal responsibility for their own wellbeing.

Risk Category: Financial Risk
Risk Appetite Description: We aim to maintain our long-term financial sustainability and financial strength,
while recognising that achieving our strategic objectives is important to sustain long term financial growth.
There is a low to moderate appetite for the risks associated with growth and expansion, such as capital
expenditure and increased borrowings.
Statements/questions to challenge/support the proposed level of appetite:
• Are all key commercial proposals thoroughly discussed at the relevant committees and the University Council?
• Are appropriate financial techniques being applied to evaluate the financial investment decisions?
• The University expects management to act with prudence and efficiency with the consumption of resources for
  both capital and operational expenditure purposes.

Risk Category: Legal, Compliance and Regulatory Risk
Risk Appetite Description: The University may suffer legal or regulatory sanctions, material financial loss, or
damage to our reputation because of a failure to comply with laws, statutes, regulations, professional
standards, research and/or medical ethics.
The University has zero appetite for activities that threaten our status of legal and regulatory compliance.
Statements/questions to challenge/support the proposed level of appetite:
• The University has established Governance, Legal and Audit, Risk and Compliance divisions and departments to
  manage these risks.
