13 May 2020Share
Managing risks is essential at ACU and the Office of Planning and Strategic Management has now rolled out a new enterprise risk management system, CARM.
The current COVID-19 pandemic is evidence that risks exist in our world and within our business, that can turn life upside down. Not all risks may be as fundamentally challenging as a global pandemic, but they can still have serious impact on ACU operations, and the quality of education and research we deliver.
ACU manages risks through:
We also maintain Enterprise Risk Registers (Organisational and Strategic) which help us identify risks and assess the threat they present. We can then develop strategies to respond to the risks and assign actions to reduce the threat as efficiently and effectively as possible.
CARM has been custom built by ACU and will add a new level of automation and sophistication to our existing risk management processes.
CARM is our new tool for capturing and managing risks in ACU’s Enterprise Risk Registers.
Enterprise Risk Registers are not to be confused with WHS risk reporting via Riskware or other function-specific systems.
In contrast, ACU’s Enterprise Risk Registers are prepared by the Senior Executives (Strategic Risk Register) and organisational units i.e., faculties, directorates etc (Organisational Risk Registers) and capture all the key risks faced by those parts of our business. Risks identified are captured in CARM, where they are assessed for likelihood and consequence with actions then assigned for mitigation and control.
The acronym CARM outlines the four key processes for managing risks - Capture, Assess, Respond and Monitor, and the system very simply and intuitively steps through each part of the risk management process, allowing users to construct and manage their Risk Register more effectively than ever.
Everyone should report risks. As with all risks, if they can be dealt with directly and immediately so that they no long present an issue, then all staff should respond accordingly. Risks that require more attention should be escalated to supervisors/managers. If risks are potentially material or recurring, they should be registered in the CARM Risk Management System.
If you have a risk which you think needs to be recorded in CARM, please escalate to your manager and or CARM team member for assessment.
Note: With regards to all WHS incidents and hazards, all risks should continue to be reported within the WHS Riskware system. Similarly, all cyber-related risks should be reported via Service Central, or to IT directly. For concerns regarding emails received, that potentially represent a threat to ACU’s system integrity or are perhaps fraudulently sent, report the email asap using the function key on the top right-hand side of the Outlook toolbar.
The CARM Risk Management System should be used for registering and managing risks that are have the potential to impact the success of ACU’s strategic plan and ultimately its mission and vision. They may be for example, once-off but potentially material, or smaller but recurring (therefore presenting an ongoing or larger aggregate threat to ACU’s operations or priorities).
ACU has identified 10 key categories of risk that should be recorded in CARM are:
|1||Community Wellbeing||Risks that threaten the wellbeing of our community – students, staff, environment etc|
|2||Culture and Principles||Risks that threaten or concern our Catholic identity, our principles or ethics|
|3||Education||Risks related to the delivery of quality education|
|4||Financial||Risks that threaten our financial viability or sustainability|
|5||Governance||Risk related to our framework of governance and control|
|6||Operational||Risks related to our operating capacity|
|7||Project||Risks relating to projects|
|8||Reputational||Risks that affect our reputation|
|9||Research||Risks relating to research|
|10||Strategic||Risks that cause a material impediment to the achievement of ACU’s Strategic Priorities and are identified and monitored the Senior Executive management team via OPSM|
Each organisational unit has its own Organisational Risk Register and the head of that organisational unit will be the Organisational Risk Register Owner responsible for managing the risk.
The Organisational Risk Register Owner will nominate members who have direct access to CARM and who will update and manage the organisational units’ risk register accordingly.
CARM has now rolled out across many areas of the university and areas are currently being trained to assist with the development of 2020 Organisational Risk Registers.