Introducing CARM - the Risk Management System

Managing risks is essential at ACU and the Office of Planning and Strategic Management has now rolled out a new enterprise risk management system, CARM. 

The current COVID-19 pandemic is evidence that risks exist in our world and within our business, that can turn life upside down.  Not all risks may be as fundamentally challenging as a global pandemic, but they can still have serious impact on ACU operations, and the quality of education and research we deliver.

ACU manages risks through:

• risk assessments for projects, placements, events and activities
• documentation and management of work health and safety hazards
• policies and procedures
• checks and balances built into processes. 

We also maintain Enterprise Risk Registers (Organisational and Strategic) which help us identify risks and assess the threat they present. We can then develop strategies to respond to the risks and assign actions to reduce the threat as efficiently and effectively as possible.

Introducing the CARM Risk Management System

CARM has been custom built by ACU and will add a new level of automation and sophistication to our existing risk management processes. 

CARM is our new tool for capturing and managing risks in ACU’s Enterprise Risk Registers.

Enterprise Risk Registers are not to be confused with WHS risk reporting via Riskware or other function-specific systems.

In contrast, ACU’s Enterprise Risk Registers are prepared by the Senior Executives (Strategic Risk Register) and organisational units i.e., faculties, directorates etc (Organisational Risk Registers) and capture all the key risks faced by those parts of our business.  Risks identified are captured in CARM, where they are assessed for likelihood and consequence with actions then assigned for mitigation and control.

The acronym CARM outlines the four key processes for managing risks - Capture, Assess, Respond and Monitor, and the system very simply and intuitively steps through each part of the risk management process, allowing users to construct and manage their Risk Register more effectively than ever. 

Key features of the CARM system include:

• 10 key categories of risk are identified to group risks together across ACU.
• For each key category of risk, tolerances limits are set to determine acceptable levels of risk.
• 'Baselines' for likelihoods and consequences of risks are defined for each key category to make assessing the impacts of risks more consistent.
• The system will track and monitor whether actions are complete and send notifications and report to senior management if risks go unattended.
• Risks can be monitored through dashboards and reports which allow granular filtering to support detailed risk analysis.
• CARM can be updated at any time so risk registers can be a dynamic tool for managing risks on a ‘live’ and ongoing basis.

Who should report a risk and how?

Everyone should report risks. As with all risks, if they can be dealt with directly and immediately so that they no long present an issue, then all staff should respond accordingly. Risks that require more attention should be escalated to supervisors/managers. If risks are potentially material or recurring, they should be registered in the CARM Risk Management System.

If you have a risk which you think needs to be recorded in CARM, please escalate to your manager and or CARM team member for assessment.

Note:  With regards to all WHS incidents and hazards, all risks should continue to be reported within the WHS Riskware system.  Similarly, all cyber-related risks should be reported via Service Central, or to IT directly.  For concerns regarding emails received, that potentially represent a threat to ACU’s system integrity or are perhaps fraudulently sent, report the email asap using the function key on the top right-hand side of the Outlook toolbar.

What risks should be registered in CARM?

The CARM Risk Management System should be used for registering and managing risks that are have the potential to impact the success of ACU’s strategic plan and ultimately its mission and vision. They may be for example, once-off but potentially material, or smaller but recurring (therefore presenting an ongoing or larger aggregate threat to ACU’s operations or priorities). 

ACU has identified 10 key categories of risk that should be recorded in CARM are:

Who are the Risk Register Owners?

Each organisational unit has its own Organisational Risk Register and the head of that organisational unit will be the Organisational Risk Register Owner responsible for managing the risk.

The Organisational Risk Register Owner will nominate members who have direct access to CARM and who will update and manage the organisational units’ risk register accordingly.

CARM has now rolled out across many areas of the university and areas are currently being trained to assist with the development of 2020 Organisational Risk Registers.

Who should I contact for more information?

Carol Anne Rainbird - National Manager Risk

Maria Fernandes - Risk Officer